Update Shibboleth-sp and its tool chain to 2.5.1.

Note that from 2.5, shibd is run as the user shibd. The port tries to fix the key file ownership but if you have changed the file name of the key from the default sp-key.pem, make sure you chown your key file(s) to user shibd. Also, take maintainership of the entire tool chain (approved by all previous maintainers). Incorporates the ideas suggested by Craig Leres [177668], making sure that the ssl key is not added to the package. PR: 177668, 178694
svn path=/head/; revision=319885
2013-06-04 17:29:21 +00:00 · 2013-06-04 17:29:21 +00:00 · 732610c736 · 2021-03-31 03:12:20 +00:00
commit 732610c736
parent 23327530f4
21 changed files with 200 additions and 85 deletions
--- a/1
+++ b/1
@ -253,5 +253,6 @@ elasticsearch:*:965:
 ossec:*:966:
 kippo:*:969:
 colord:*:970:
+shibd:*:971:
 nogroup:*:65533:
 nobody:*:65534:
--- a/1
+++ b/1
@ -260,4 +260,5 @@ ossecm:*:967:966::0:0:OSSEC mail user:/usr/local/ossec-hids:/usr/sbin/nologin
 ossecr:*:968:966::0:0:OSSEC rem user:/usr/local/ossec-hids:/usr/sbin/nologin
 kippo:*:969:969::0:0:kippo user:/nonexistent:/usr/sbin/nologin
 colord:*:970:970::0:0:colord color management daemon:/nonexistent:/usr/sbin/nologin
+shibd:*:971:971::0:0:Shibboleth SAML daemon:/nonexistent:/usr/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
--- a/devel/log4shib/Makefile
+++ b/devel/log4shib/Makefile
@ -7,11 +7,11 @@
 #

 PORTNAME=	log4shib
-DISTVERSION=	1.0.4
+DISTVERSION=	1.0.6
 CATEGORIES=	devel
-MASTER_SITES=	http://shibboleth.internet2.edu/downloads/${PORTNAME}/${DISTVERSION}/
+MASTER_SITES=	http://shibboleth.net/downloads/${PORTNAME}/${DISTVERSION}/

-MAINTAINER=	vanilla@FreeBSD.org
+MAINTAINER=	girgen@FreeBSD.org
 COMMENT=	A library of C++ classes for flexible logging

 USE_AUTOTOOLS=	libtool
@ -21,8 +21,8 @@ USE_GNOME=	pkgconfig gnomehack
 CONFIGURE_ARGS=	--with-pthreads --disable-html-docs --disable-doxygen
 USE_LDCONFIG=	yes

+USES=		pathfix
 post-patch:
 	@${REINPLACE_CMD} -e 's| -pedantic||g' ${WRKSRC}/configure
-	@${REINPLACE_CMD} -e 's|(libdir)/pkgconfig|(prefix)/libdata/pkgconfig|' ${WRKSRC}/Makefile.in

 .include <bsd.port.mk>
--- a/devel/log4shib/distinfo
+++ b/devel/log4shib/distinfo
@ -1,2 +1,2 @@
-SHA256 (log4shib-1.0.4.tar.gz) = 4e5f9e58f14f2498d8be15dc0a6223e83f0510a924494295329b20745cacbc38
-SIZE (log4shib-1.0.4.tar.gz) = 487529
+SHA256 (log4shib-1.0.6.tar.gz) = 060f472a085e34658f4eb19c2be56010adfcf33cf138071f8e7c953aa278d567
+SIZE (log4shib-1.0.6.tar.gz) = 571088
--- a/devel/xmltooling/Makefile
+++ b/devel/xmltooling/Makefile
@ -2,18 +2,19 @@
 # $FreeBSD$

 PORTNAME=	xmltooling
-PORTVERSION=	1.4.2
-PORTREVISION=	1
+PORTVERSION=	1.5.2
 CATEGORIES=	devel security
-MASTER_SITES=	http://www.shibboleth.net/downloads/c++-opensaml/2.4.3/
+MASTER_SITES=	http://shibboleth.net/downloads/c++-opensaml/2.5.2/

-MAINTAINER=	jmohacsi@bsd.hu
+MAINTAINER=	girgen@FreeBSD.org
 COMMENT=	Low level XML support for SAML

 LIB_DEPENDS=	curl.6:${PORTSDIR}/ftp/curl \
 		log4shib.1:${PORTSDIR}/devel/log4shib \
 		xerces-c.3:${PORTSDIR}/textproc/xerces-c3 \
-		xml-security-c.16:${PORTSDIR}/security/apache-xml-security-c
+		xml-security-c.17:${PORTSDIR}/security/apache-xml-security-c
+	
+BUILD_DEPENDS=	boost-libs>=0:${PORTSDIR}/devel/boost-libs

 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS+=--with-log4shib=${LOCALBASE} --with-openssl=${OPENSSLBASE} --with-curl=${LOCALBASE} --disable-doxygen-doc
--- a/devel/xmltooling/distinfo
+++ b/devel/xmltooling/distinfo
@ -1,2 +1,2 @@
-SHA256 (xmltooling-1.4.2.tar.gz) = c32c503532cd0f2c64a71f0a7f4e63f660f1205830603b0bcd9225dc3c23445d
-SIZE (xmltooling-1.4.2.tar.gz) = 636598
+SHA256 (xmltooling-1.5.2.tar.gz) = d43719f8d742d87131ea64f2dbc8f1b366c7f216ac21015090a51693ff11df98
+SIZE (xmltooling-1.5.2.tar.gz) = 679098
--- a/devel/xmltooling/pkg-plist
+++ b/devel/xmltooling/pkg-plist
@ -48,7 +48,10 @@ include/xmltooling/security/KeyInfoCredentialContext.h
 include/xmltooling/security/KeyInfoResolver.h
 include/xmltooling/security/OpenSSLCredential.h
 include/xmltooling/security/OpenSSLCryptoX509CRL.h
+include/xmltooling/security/OpenSSLPathValidator.h
 include/xmltooling/security/OpenSSLTrustEngine.h
+include/xmltooling/security/PKIXPathValidatorParams.h
+include/xmltooling/security/PathValidator.h
 include/xmltooling/security/SecurityHelper.h
 include/xmltooling/security/SignatureTrustEngine.h
 include/xmltooling/security/TrustEngine.h
@ -84,13 +87,14 @@ include/xmltooling/validation/Validator.h
 include/xmltooling/validation/ValidatorSuite.h
 include/xmltooling/version.h
 lib/libxmltooling-lite.so
-lib/libxmltooling-lite.so.5
+lib/libxmltooling-lite.so.6
 lib/libxmltooling.so
-lib/libxmltooling.so.5
+lib/libxmltooling.so.6
 libdata/pkgconfig/xmltooling.pc
 share/xml/xmltooling/catalog.xml
 share/xml/xmltooling/soap-envelope.xsd
 share/xml/xmltooling/xenc-schema.xsd
+share/xml/xmltooling/xenc11-schema.xsd
 share/xml/xmltooling/xml.xsd
 share/xml/xmltooling/xmldsig-core-schema.xsd
 share/xml/xmltooling/xmldsig11-schema.xsd
--- a/security/apache-xml-security-c/Makefile
+++ b/security/apache-xml-security-c/Makefile
@ -2,13 +2,13 @@
 # $FreeBSD$

 PORTNAME=	xml-security-c
-PORTVERSION=	1.6.1
+PORTVERSION=	1.7.0
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_APACHE}
 MASTER_SITE_SUBDIR=santuario/c-library
 PKGNAMEPREFIX=	apache-

-MAINTAINER=	jmohacsi@bsd.hu
+MAINTAINER=	girgen@FreeBSD.org
 COMMENT=	Apache XML security libraries - C++ version

 LICENSE=	AL2
--- a/security/apache-xml-security-c/distinfo
+++ b/security/apache-xml-security-c/distinfo
@ -1,2 +1,2 @@
-SHA256 (xml-security-c-1.6.1.tar.gz) = 73931a55d6925a82416ea48f8d6f1b8ed591368e1dfc30574fe43904b7c62fcd
-SIZE (xml-security-c-1.6.1.tar.gz) = 864366
+SHA256 (xml-security-c-1.7.0.tar.gz) = c8cd6ec3d3b777fcca295cb4b273b08e4cfe37e03fc27131ec079894b9dae87c
+SIZE (xml-security-c-1.7.0.tar.gz) = 874025
--- a/security/apache-xml-security-c/pkg-plist
+++ b/security/apache-xml-security-c/pkg-plist
@ -160,7 +160,7 @@ include/xsec/xkms/XKMSValidateResult.hpp
 include/xsec/xkms/XKMSValidityInterval.hpp
 lib/libxml-security-c.a
 lib/libxml-security-c.so
-lib/libxml-security-c.so.16
+lib/libxml-security-c.so.17
@dirrm include/xsec/xkms
@dirrm include/xsec/xenc
@dirrm include/xsec/utils/unixutils
--- a/security/opensaml2/Makefile
+++ b/security/opensaml2/Makefile
@ -2,19 +2,18 @@
 # $FreeBSD$

 PORTNAME=	opensaml2
-PORTVERSION=	2.4.3
-PORTREVISION=	1
+PORTVERSION=	2.5.2
 CATEGORIES=	security
-MASTER_SITES=	http://www.shibboleth.net/downloads/c++-opensaml/${PORTVERSION}/
+MASTER_SITES=	http://shibboleth.net/downloads/c++-opensaml/${PORTVERSION}/
 DISTNAME=	opensaml-${PORTVERSION}

-MAINTAINER=	jmohacsi@bsd.hu
+MAINTAINER=	girgen@FreeBSD.org
 COMMENT=	Open source implementation of SAML2

 LIB_DEPENDS=	curl.6:${PORTSDIR}/ftp/curl \
 		log4shib.1:${PORTSDIR}/devel/log4shib \
 		xerces-c.3:${PORTSDIR}/textproc/xerces-c3 \
-		xmltooling.5:${PORTSDIR}/devel/xmltooling
+		xmltooling.6:${PORTSDIR}/devel/xmltooling

 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS+=--with-log4shib=${LOCALBASE} --with-openssl=${OPENSSLBASE} \
--- a/security/opensaml2/distinfo
+++ b/security/opensaml2/distinfo
@ -1,2 +1,2 @@
-SHA256 (opensaml-2.4.3.tar.gz) = 850187c7dd664f9216a387bcc9e08f36643f04ddc08d11551e33a46dd15d2539
-SIZE (opensaml-2.4.3.tar.gz) = 871693
+SHA256 (opensaml-2.5.2.tar.gz) = 5bc3fbe5e789ad7aedfc2919413131400290466ecd2b77b1c3f3dc4c37e6fe54
+SIZE (opensaml-2.5.2.tar.gz) = 707139
--- a/security/opensaml2/pkg-plist
+++ b/security/opensaml2/pkg-plist
@ -25,6 +25,7 @@ include/saml/saml2/metadata/AbstractMetadataProvider.h
 include/saml/saml2/metadata/DiscoverableMetadataProvider.h
 include/saml/saml2/metadata/DynamicMetadataProvider.h
 include/saml/saml2/metadata/EndpointManager.h
+include/saml/saml2/metadata/EntityMatcher.h
 include/saml/saml2/metadata/Metadata.h
 include/saml/saml2/metadata/MetadataCredentialContext.h
 include/saml/saml2/metadata/MetadataCredentialCriteria.h
@ -46,7 +47,7 @@ include/saml/signature/SignableObject.h
 include/saml/signature/SignatureProfileValidator.h
 include/saml/util/CommonDomainCookie.h
 include/saml/util/SAMLConstants.h
-lib/libsaml.so.7
+lib/libsaml.so.8
 lib/libsaml.so
 libdata/pkgconfig/opensaml.pc
 %%PORTDOCS%%%%DOCSDIR%%/README.txt
@ -67,6 +68,8 @@ share/xml/opensaml/cs-sstc-schema-assertion-01.xsd
 share/xml/opensaml/cs-sstc-schema-protocol-01.xsd
 share/xml/opensaml/cs-sstc-schema-assertion-1.1.xsd
 share/xml/opensaml/cs-sstc-schema-protocol-1.1.xsd
+share/xml/opensaml/saml-async-slo-v1.0.xsd
+share/xml/opensaml/saml-metadata-rpi-v1.0.xsd
 share/xml/opensaml/saml-schema-assertion-2.0.xsd
 share/xml/opensaml/saml-schema-authn-context-2.0.xsd
 share/xml/opensaml/saml-schema-authn-context-auth-telephony-2.0.xsd
--- a/security/shibboleth2-sp/Makefile
+++ b/security/shibboleth2-sp/Makefile
@ -2,53 +2,58 @@
 # $FreeBSD$

 PORTNAME=	shibboleth-sp
-PORTVERSION=	2.4.3
-PORTREVISION=	1
+PORTVERSION=	2.5.1
 CATEGORIES=	security www
-MASTER_SITES=	http://www.shibboleth.net/downloads/service-provider/${PORTVERSION}/
+MASTER_SITES=	http://shibboleth.net/downloads/service-provider/${PORTVERSION}/

-MAINTAINER=	swills@FreeBSD.org
+MAINTAINER=	girgen@FreeBSD.org
 COMMENT=	C++ Shibboleth Service Provider (Internet2) for Apache

-LIB_DEPENDS=	saml.7:${PORTSDIR}/security/opensaml2
-
-OPTIONS_DEFINE=	APACHE22
-APACHE22_DESC=	Use Apache version 2.2 instead of version 2.0
+LIB_DEPENDS=	saml.8:${PORTSDIR}/security/opensaml2

 MAKE_JOBS_SAFE=	yes
 USE_GMAKE=	yes
 GNU_CONFIGURE=	yes
+MAKE_ENV=	NOKEYGEN=YES
 USE_LDCONFIG=	yes
 USE_RC_SUBR=	shibboleth-sp
-USE_AUTOTOOLS=	autoconf automake:env libtool:env
-WRKSRC=		${WRKDIR}/shibboleth-${PORTVERSION}

 LATEST_LINK=	shibboleth2-sp

+USERS=		shibd
+GROUPS=		shibd
+
+USE_APACHE=	22-24
+USE_OPENSSL=	yes
+
 .include <bsd.port.pre.mk>

-.if ${PORT_OPTIONS:MAPACHE22}
-USE_APACHE=	22
+.if ${APACHE_VERSION} == 22
 CONFIGURE_ARGS=	--enable-apache-22 --with-apxs22=${APXS}
 PLIST_SUB+=	WITH_APACHE_22=""
-PLIST_SUB+=	WITH_APACHE_20="@comment "
+PLIST_SUB+=	WITH_APACHE_24="@comment "
 .else
-IGNORE=	apache20 is no longer available
-#USE_APACHE=	20
-#CONFIGURE_ARGS=	--enable-apache-20 --with-apxs2=${APXS} --with-apr=${PREFIX}/lib/apache2/apr-config --with-apu=${PREFIX}/lib/apache2/apu-config
+CONFIGURE_ARGS=	--enable-apache-24 --with-apxs24=${APXS}
 PLIST_SUB+=	WITH_APACHE_22="@comment "
-PLIST_SUB+=	WITH_APACHE_20=""
+PLIST_SUB+=	WITH_APACHE_24=""
 .endif
+
+SUB_LIST+=	SH=${SH}
+PLIST_SUB+=	WWWOWN=${WWWOWN} WWWGRP=${WWWGRP}
+
+SUB_LIST+=	SHIBD_USER=${USERS}
+SUB_LIST+=	SHIBD_GROUP=${GROUPS}
+PLIST_SUB+=	SHIBD_USER=${USERS}
+PLIST_SUB+=	SHIBD_GROUP=${GROUPS}
+
 CONFIGURE_ARGS+=	--localstatedir=/var --with-log4shib=${LOCALBASE}
 CONFIGURE_ARGS+=	--with-openssl=${OPENSSLBASE} --with-xmltooling=${LOCALBASE}
 CONFIGURE_ARGS+=	--disable-doxygen-doc

-pre-configure:
-	@${REINPLACE_CMD} -e 's|/run|/run/shibboleth|' ${WRKSRC}/configs/Makefile.in
-	@${REINPLACE_CMD} -e 's|/doc/@PACKAGE@-@PACKAGE_VERSION@|/doc/@PACKAGE@|' \
-		${WRKSRC}/configs/Makefile.am ${WRKSRC}/configs/Makefile.in \
-		${WRKSRC}/doc/Makefile.am ${WRKSRC}/doc/Makefile.in
-	${RM} ${WRKSRC}/aclocal.m4
-	@cd ${WRKSRC} && ${AUTORECONF} -fvi
+post-install:
+	${CHOWN} -R ${USERS}:${GROUPS} /var/cache/shibboleth ;\
+	${CHOWN} -R ${USERS}:${GROUPS} /var/log/shibboleth ;\
+       	${CHOWN} -R ${USERS}:${WWWGRP} /var/run/shibboleth ;\
+       	${CHMOD} -R u=rwx,g=rx,o= /var/run/shibboleth

 .include <bsd.port.post.mk>
--- a/security/shibboleth2-sp/distinfo
+++ b/security/shibboleth2-sp/distinfo
@ -1,2 +1,2 @@
-SHA256 (shibboleth-sp-2.4.3.tar.gz) = 9e0b219707046b55d0ca38627fb213b799ac98cf11541845b7e6b036a89dcdcf
-SIZE (shibboleth-sp-2.4.3.tar.gz) = 854326
+SHA256 (shibboleth-sp-2.5.1.tar.gz) = a697034fe56a170602a3907cde6faf822836b1ba23cdc11af315a81df6102f04
+SIZE (shibboleth-sp-2.5.1.tar.gz) = 952815
--- a/security/shibboleth2-sp/files/patch-configure.ac
+++ b/security/shibboleth2-sp/files/patch-configure.ac
@ -1,11 +0,0 @@
--- configure.ac.orig	2009-12-01 19:07:37.000000000 +0200
-+++ configure.ac	2010-01-06 19:23:05.000000000 +0200
-@@ -717,7 +717,7 @@
-         AC_MSG_CHECKING(for user-specified apu-config name/location)
-         if test "$withval" != "no" ; then
-             if test "$withval" != "yes"; then
-                APR_CONFIG=$withval
-+                APU_CONFIG=$withval
-                 AC_MSG_RESULT("$withval")
-             fi
-         fi
--- a/security/shibboleth2-sp/files/patch-makefiles-docdir
+++ b/security/shibboleth2-sp/files/patch-makefiles-docdir
@ -0,0 +1,47 @@
+--- doc/Makefile.am.orig	2012-07-23 22:08:29.000000000 +0200
+++ doc/Makefile.am	2013-02-22 10:53:42.000000000 +0100
+@@ -1,7 +1,7 @@
+ AUTOMAKE_OPTIONS = foreign
+ 
+-pkgdocdir = $(datadir)/doc/@PACKAGE_NAME@-@PACKAGE_VERSION@
+-pkgwebdir = $(datadir)/@PACKAGE_NAME@
+pkgdocdir = $(datadir)/doc/@PACKAGE_NAME@
+pkgwebdir = $(datadir)/doc/@PACKAGE_NAME@
+ 
+ install-data-hook:
+ 	if test -d api ; then \
+--- doc/Makefile.in.orig	2012-12-04 05:50:56.000000000 +0100
+++ doc/Makefile.in	2013-02-22 10:53:42.000000000 +0100
+@@ -288,8 +288,8 @@
+ top_srcdir = @top_srcdir@
+ xs = @xs@
+ AUTOMAKE_OPTIONS = foreign
+-pkgdocdir = $(datadir)/doc/@PACKAGE_NAME@-@PACKAGE_VERSION@
+-pkgwebdir = $(datadir)/@PACKAGE_NAME@
+pkgdocdir = $(datadir)/doc/@PACKAGE_NAME@
+pkgwebdir = $(datadir)/doc/@PACKAGE_NAME@
+ docfiles = \
+ 	CREDITS.txt \
+ 	LICENSE.txt \
+--- configs/Makefile.am.orig	2012-12-04 05:49:50.000000000 +0100
+++ configs/Makefile.am	2013-02-22 10:53:42.000000000 +0100
+@@ -6,7 +6,7 @@
+ pkglogdir = ${localstatedir}/log/@PACKAGE_NAME@
+ shirelogdir = ${localstatedir}/log/httpd
+ pkgxmldir = $(datadir)/xml/@PACKAGE_NAME@
+-pkgwebdir = $(datadir)/@PACKAGE_NAME@
+pkgwebdir = $(datadir)/doc/@PACKAGE_NAME@
+ pkgrundir = $(localstatedir)/run/@PACKAGE_NAME@
+ pkgcachedir = $(localstatedir)/cache/@PACKAGE_NAME@
+ pkgsysconfdir = $(sysconfdir)/@PACKAGE_NAME@
+--- configs/Makefile.in.orig	2012-12-04 05:50:56.000000000 +0100
+++ configs/Makefile.in	2013-02-22 10:53:42.000000000 +0100
+@@ -291,7 +291,7 @@
+ pkglogdir = ${localstatedir}/log/@PACKAGE_NAME@
+ shirelogdir = ${localstatedir}/log/httpd
+ pkgxmldir = $(datadir)/xml/@PACKAGE_NAME@
+-pkgwebdir = $(datadir)/@PACKAGE_NAME@
+pkgwebdir = $(datadir)/doc/@PACKAGE_NAME@
+ pkgrundir = $(localstatedir)/run/@PACKAGE_NAME@
+ pkgcachedir = $(localstatedir)/cache/@PACKAGE_NAME@
+ pkgsysconfdir = $(sysconfdir)/@PACKAGE_NAME@
--- a/security/shibboleth2-sp/files/patch-shibboleth-spec
+++ b/security/shibboleth2-sp/files/patch-shibboleth-spec
@ -0,0 +1,26 @@
+--- shibboleth.spec.in.orig	2012-12-04 05:49:49.000000000 +0100
+++ shibboleth.spec.in	2013-06-03 16:19:28.000000000 +0200
+@@ -58,7 +58,7 @@
+ %if "%{_vendor}" == "suse"
+ %define pkgdocdir %{_docdir}/shibboleth
+ %else
+-%define pkgdocdir %{_docdir}/shibboleth-%{version}
+%define pkgdocdir %{_docdir}/shibboleth
+ %endif
+ 
+ %description
+@@ -202,14 +202,6 @@
+ /sbin/ldconfig
+ %endif
+ 
+-# Key generation or ownership fix
+-cd %{_sysconfdir}/shibboleth
+-if [ -f sp-key.pem ] ; then
+-	%{__chown} %{runuser}:%{runuser} sp-key.pem sp-cert.pem 2>/dev/null || :
+-else
+-	sh ./keygen.sh -b -u %{runuser} -g %{runuser}
+-fi
+-
+ # Fix ownership of log files (even on new installs, if they're left from an older one).
+ %{__chown} %{runuser}:%{runuser} %{_localstatedir}/log/shibboleth/* 2>/dev/null || :
+ 
--- a/security/shibboleth2-sp/files/shibboleth-sp.in
+++ b/security/shibboleth2-sp/files/shibboleth-sp.in
@ -11,9 +11,43 @@
 name="shibboleth_sp"
 rcvar=shibboleth_sp_enable

+: ${shibboleth_sp_enable:='NO'}
+: ${shibboleth_sp_flags:=''}
+
 command=${shibboleth_sp_program:-%%PREFIX%%/sbin/shibd}
-pidfile="${shibboleth_sp_pidfile:-/var/run/${name}.pid}"
-command_args="-f -p ${pidfile}"
+pidfile="${shibboleth_sp_pidfile:-/var/run/shibboleth/${name}.pid}"
+start_precmd="shibboleth_sp_configtest"
+restart_precmd="shibboleth_sp_configtest"
+configtest_cmd="shibboleth_sp_configtest"
+keygen_cmd="shibboleth_sp_keygen"
+
+shibboleth_sp_user=%%SHIBD_USER%%
+shibboleth_sp_group=%%SHIBD_GROUP%%

 load_rc_config $name
+
+command_args="-f -p ${pidfile} -u ${shibboleth_sp_user} -g ${shibboleth_sp_group}"
+confdir=${SHIBSP_CFGDIR:-%%PREFIX%%/etc}/shibboleth
+cert=sp-cert.pem
+key=sp-key.pem
+
+shibboleth_sp_configtest() {
+	if [ ! -s ${confdir}/${key} -o ! -s ${confdir}/${cert} ]; then
+		run_rc_command keygen
+	else
+		# update from 2.4.x, chown %%SHIBD_USER%% the key and cert
+	       	for f in ${confdir}/${key} ${confdir}/${cert}; do
+			set X `stat ${f}`
+			test $6 != ${shibboleth_sp_user} && chown ${shibboleth_sp_user}:${shibboleth_sp_group} ${f}
+		done
+	fi
+	${command} ${shibboleth_sp_flags} -u ${shibboleth_sp_user} -g ${shibboleth_sp_group} -t
+}
+
+shibboleth_sp_keygen() {
+	%%SH%% ${confdir}/keygen.sh -o ${confdir} -u ${shibboleth_sp_user} -g ${shibboleth_sp_group}
+}
+
+extra_commands="configtest keygen"
+
 run_rc_command "$1"
--- a/security/shibboleth2-sp/pkg-descr
+++ b/security/shibboleth2-sp/pkg-descr
@ -10,4 +10,4 @@ service provider manages secured resources. User access to resources
 is based on assertions received by the service provider (SP) from
 an identity provider.

-WWW:	http://shibboleth.internet2.edu/
+WWW: http://shibboleth.internet2.edu/
--- a/security/shibboleth2-sp/pkg-plist
+++ b/security/shibboleth2-sp/pkg-plist
@ -64,11 +64,13 @@ etc/shibboleth/shibd-suse
 etc/shibboleth/shibd-osx.plist
 etc/shibboleth/apache.config
 etc/shibboleth/apache2.config
+@unexec if cmp -s %D/etc/shibboleth/attrChecker.html.dist %D/etc/shibboleth/attrChecker.html; then rm -f %D/etc/shibboleth/attrChecker.html; fi
+etc/shibboleth/attrChecker.html.dist
+@exec if [ ! -f %D/etc/shibboleth/attrChecker.html ] ; then cp -p %D/etc/shibboleth/attrChecker.html.dist %D/etc/shibboleth/attrChecker.html; fi
 etc/shibboleth/apache22.config
+etc/shibboleth/apache24.config
 etc/shibboleth/keygen.sh
 etc/shibboleth/upgrade.xsl
-etc/shibboleth/sp-key.pem
-etc/shibboleth/sp-cert.pem
@unexec if cmp -s %D/etc/shibboleth/postTemplate.html.dist %D/etc/shibboleth/postTemplate.html; then rm -f %D/etc/shibboleth/postTemplate.html; fi
 etc/shibboleth/postTemplate.html.dist
@exec if [ ! -f %D/etc/shibboleth/postTemplate.html ] ; then cp -p %D/etc/shibboleth/postTemplate.html.dist %D/etc/shibboleth/postTemplate.html; fi
@ -88,6 +90,7 @@ include/shibsp/SessionCacheEx.h
 include/shibsp/TransactionLog.h
 include/shibsp/attribute/Attribute.h
 include/shibsp/attribute/AttributeDecoder.h
+include/shibsp/attribute/BinaryAttribute.h
 include/shibsp/attribute/ExtensibleAttribute.h
 include/shibsp/attribute/NameIDAttribute.h
 include/shibsp/attribute/ScopedAttribute.h
@ -102,10 +105,10 @@ include/shibsp/attribute/resolver/AttributeExtractor.h
 include/shibsp/attribute/resolver/AttributeResolver.h
 include/shibsp/attribute/resolver/ResolutionContext.h
 include/shibsp/base.h
-include/shibsp/config_pub.h
 include/shibsp/binding/ArtifactResolver.h
 include/shibsp/binding/ProtocolProvider.h
 include/shibsp/binding/SOAPClient.h
+include/shibsp/config_pub.h
 include/shibsp/exceptions.h
 include/shibsp/handler/AbstractHandler.h
 include/shibsp/handler/AssertionConsumerService.h
@ -113,6 +116,7 @@ include/shibsp/handler/Handler.h
 include/shibsp/handler/LogoutHandler.h
 include/shibsp/handler/LogoutInitiator.h
 include/shibsp/handler/RemotedHandler.h
+include/shibsp/handler/SecuredHandler.h
 include/shibsp/handler/SessionInitiator.h
 include/shibsp/lite/CommonDomainCookie.h
 include/shibsp/lite/SAMLConstants.h
@ -126,21 +130,20 @@ include/shibsp/security/SecurityPolicy.h
 include/shibsp/security/SecurityPolicyProvider.h
 include/shibsp/util/CGIParser.h
 include/shibsp/util/DOMPropertySet.h
+include/shibsp/util/IPRange.h
 include/shibsp/util/PropertySet.h
 include/shibsp/util/SPConstants.h
 include/shibsp/util/TemplateParameters.h
 include/shibsp/version.h
-lib/libshibsp.so.5
+lib/libshibsp.so.6
 lib/libshibsp.so
 lib/shibboleth/adfs.so
-lib/shibboleth/adfs.la
 lib/shibboleth/adfs-lite.so
-lib/shibboleth/adfs-lite.la
+lib/shibboleth/plugins-lite.so
+lib/shibboleth/plugins.so
 %%WITH_APACHE_22%%lib/shibboleth/mod_shib_22.so
-%%WITH_APACHE_22%%lib/shibboleth/mod_shib_22.la
-%%WITH_APACHE_20%%lib/shibboleth/mod_shib_20.so
-%%WITH_APACHE_20%%lib/shibboleth/mod_shib_20.la
-lib/libshibsp-lite.so.5
+%%WITH_APACHE_24%%lib/shibboleth/mod_shib_24.so
+lib/libshibsp-lite.so.6
 lib/libshibsp-lite.so
 sbin/shibd
 share/xml/shibboleth/catalog.xml
@ -155,20 +158,22 @@ share/xml/shibboleth/shibboleth-metadata-1.0.xsd
 share/xml/shibboleth/shibboleth.xsd
 share/xml/shibboleth/WS-Trust.xsd
 share/doc/shibboleth/CREDITS.txt
+share/doc/shibboleth/FASTCGI.LICENSE
 share/doc/shibboleth/LICENSE.txt
+share/doc/shibboleth/LOG4CPP.LICENSE
 share/doc/shibboleth/NOTICE.txt
+share/doc/shibboleth/OPENSSL.LICENSE
 share/doc/shibboleth/README.txt
 share/doc/shibboleth/RELEASE.txt
-share/doc/shibboleth/FASTCGI.LICENSE
-share/doc/shibboleth/OPENSSL.LICENSE
-share/doc/shibboleth/LOG4CPP.LICENSE
 share/doc/shibboleth/main.css
-share/doc/shibboleth/logo.jpg
-@exec mkdir -p %D/data
+@exec mkdir -p /var/cache/shibboleth
+@exec chown -R %%SHIBD_USER%%:%%SHIBD_GROUP%% /var/cache/shibboleth
@exec mkdir -p /var/log/shibboleth
+@exec chown -R %%SHIBD_USER%%:%%SHIBD_GROUP%% /var/log/shibboleth
@exec mkdir -p /var/run/shibboleth
-@exec chown www:www /var/run/shibboleth
-@exec chmod -R ug=rwx,o= /var/run/shibboleth
+@exec chown -R %%SHIBD_USER%%:%%WWWGRP%%  /var/run/shibboleth
+@exec chmod -R u=rwx,g=rx,o= /var/run/shibboleth
+@unexec rm -rf /var/cache/shibboleth 2>&1 >/dev/null || true
@unexec rm -rf /var/run/shibboleth 2>&1 >/dev/null || true
@dirrmtry share/doc/shibboleth/api
@dirrmtry share/doc/shibboleth