certmonger/0008-Use-only-PK11_ImportCert-to-import-certs-not-CERT_Im.patch

96 lines
3.5 KiB
Diff
Raw Normal View History

From 15d406ee3afbb52832d5c61a1afb735724d109a2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 Sep 2018 10:21:28 -0400
Subject: [PATCH 7/7] Use only PK11_ImportCert to import certs, not
CERT_ImportCerts
CERT_ImportCerts always imports a given certificate into the
certificate database, whether a token is requested or not.
Using PK11_ImportCert will import the cert, associate the key
properly and will only add the certificate to the appropriate
token.
---
src/certsave-n.c | 37 +++++++++++--------------------------
1 file changed, 11 insertions(+), 26 deletions(-)
diff --git a/src/certsave-n.c b/src/certsave-n.c
index d0152cad..fcb43148 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -100,7 +100,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
NSSInitContext *ctx;
CERTCertDBHandle *certdb;
CERTCertList *certlist;
- CERTCertificate **returned, *oldcert, cert;
+ CERTCertificate *oldcert, *newcert, cert;
CERTCertTrust trust;
CERTSignedData csdata;
CERTCertListNode *node;
@@ -497,33 +497,18 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
}
/* Import the certificate. */
- returned = NULL;
- error = CERT_ImportCerts(certdb,
- certUsageUserCertImport,
- 1, &item, &returned,
- PR_TRUE,
- PR_FALSE,
- entry->cm_cert_nickname);
- ec = PORT_GetError();
- if (error == SECSuccess) {
- /* If NSS uses SQL DB storage, CERT_ImportCerts creates
- * an incomplete internal state (the cert isn't
- * associated with the private key, and calling
- * PK11_FindKeyByAnyCert returns no result).
- * As a workaround, we import the cert again using
- * PK11_ImportCert, which magically fixes the issue.
- * See rhbz#1532188 */
+ newcert = CERT_DecodeCertFromPackage((char *)item->data, item->len);
+ if (newcert != NULL) {
error = PK11_ImportCert(sle->slot,
- returned[0],
+ newcert,
CK_INVALID_HANDLE,
- returned[0]->nickname,
+ entry->cm_cert_nickname,
PR_FALSE);
}
if (error == SECSuccess) {
- cm_log(1, "Imported certificate \"%s\", got "
+ cm_log(1, "Imported certificate with "
"nickname \"%s\".\n",
- entry->cm_cert_nickname,
- returned[0]->nickname);
+ entry->cm_cert_nickname);
status = 0;
/* Set the trust on the new certificate,
* perhaps matching the trust on an
@@ -536,7 +521,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
trust.objectSigningFlags = CERTDB_USER;
}
error = CERT_ChangeCertTrust(certdb,
- returned[0],
+ newcert,
&trust);
ec = PORT_GetError();
if (error != SECSuccess) {
@@ -621,10 +606,10 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
/* If we managed to import the certificate, mark its
* key for having its nickname removed. */
- if ((returned != NULL) && (returned[0] != NULL)) {
- privkey = PK11_FindKeyByAnyCert(returned[0], NULL);
+ if (newcert != NULL) {
+ privkey = PK11_FindKeyByAnyCert(newcert, NULL);
privkeys = add_privkey_to_list(privkeys, privkey);
- CERT_DestroyCertArray(returned, 1);
+ CERT_DestroyCertificate(newcert);
}
/* In case we're rekeying, but failed, mark the
* candidate key for name-clearing or removal, too. */
--
2.14.4