diff --git a/0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch b/0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch
new file mode 100644
index 0000000..ad64493
--- /dev/null
+++ b/0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch
@@ -0,0 +1,63 @@
+From 3cb710fbea245476a49af77d670fedb35bba16de Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 9 Jan 2018 22:07:17 -0500
+Subject: [PATCH 1/6] Perm issues in sqlite databases show up in slightly
+ different ways
+
+SQLite databases may return SEC_ERROR_READ_ONLY instead of
+SEC_ERROR_BAD_DATABASE.
+
+If a database is opened as read-write but it fails (e.g. in a
+read-only directory) it will try again to open it as read-only
+and potentially fail because it doesn't exist at all. This sets
+errno as ENOENT rather than the expected EACCES so treat that
+as a read failure as well.
+
+Related: https://pagure.io/certmonger/issue/88
+---
+ src/certsave-n.c | 5 ++++-
+ src/keygen-n.c   | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/certsave-n.c b/src/certsave-n.c
+index 67deb88b..a2c97000 100644
+--- a/src/certsave-n.c
++++ b/src/certsave-n.c
+@@ -128,10 +128,13 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ 			      NSS_INIT_NOMODDB);
+ 	ec = PORT_GetError();
+ 	if (ctx == NULL) {
+-		if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) {
++		if ((ec == SEC_ERROR_READ_ONLY) && readwrite) {
++		        ec = PR_NO_ACCESS_RIGHTS_ERROR;
++		} else if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) {
+ 			switch (errno) {
+ 			case EACCES:
+ 			case EPERM:
++			case ENOENT:
+ 				ec = PR_NO_ACCESS_RIGHTS_ERROR;
+ 				break;
+ 			default:
+diff --git a/src/keygen-n.c b/src/keygen-n.c
+index 08f00496..8078a520 100644
+--- a/src/keygen-n.c
++++ b/src/keygen-n.c
+@@ -169,10 +169,14 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ 			      NSS_INIT_NOMODDB);
+ 	ec = PORT_GetError();
+ 	if (ctx == NULL) {
+-		if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) {
++		if ((ec == SEC_ERROR_READ_ONLY) && readwrite) {
++			ec = PR_NO_ACCESS_RIGHTS_ERROR;
++		}
++		else if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) {
+ 			switch (errno) {
+ 			case EACCES:
+ 			case EPERM:
++			case ENOENT:
+ 				ec = PR_NO_ACCESS_RIGHTS_ERROR;
+ 				break;
+ 			default:
+-- 
+2.15.1
+
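Review bot: In both `cm_certsave_n_main` and `cm_keygen_n_main` the added `case ENOENT:` folds a missing database into `PR_NO_ACCESS_RIGHTS_ERROR`, so a mistyped or never-created storage path is now reported the same way as a real permission denial, and nothing in the code says why. The reasoning exists only in the commit message; a comment on the case would keep it next to the code, e.g. `/* ENOENT: the read-only retry after a failed read-write open finds no database at all */`. The added `ec = PR_NO_ACCESS_RIGHTS_ERROR;` line in certsave-n.c is indented with spaces after the tabs, unlike the keygen-n.c copy, and the two files place `else if` differently. Both function bodies continue outside the hunks.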
diff --git a/0002-SQLite-databases-require-a-password-to-modify-trust-.patch b/0002-SQLite-databases-require-a-password-to-modify-trust-.patch
new file mode 100644
index 0000000..6cae47d
--- /dev/null
+++ b/0002-SQLite-databases-require-a-password-to-modify-trust-.patch
@@ -0,0 +1,52 @@
+From f1b7eeceef117606c060f61542754f5556739469 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 9 Jan 2018 22:13:49 -0500
+Subject: [PATCH 2/6] SQLite databases require a password to modify trust and
+ to sign
+
+This affects certutil -M and cmsutil -S. Need to add -f pinfile.
+
+https://pagure.io/certmonger/issue/88
+---
+ tests/030-rekey/run.sh | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh
+index 9b50da4a..07fea683 100755
+--- a/tests/030-rekey/run.sh
++++ b/tests/030-rekey/run.sh
+@@ -140,11 +140,11 @@ for preserve in 1 0 ; do
+ 
+ 	echo "This is the plaintext." > plain.txt
+ 	echo "NSS Signing:"
+-	certutil -M -d $tmpdir -n i$size -t P,P,P
+-	cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed
++	certutil -M -d $tmpdir -n i$size -t P,P,P -f pinfile
++	cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -f pinfile
+ 	echo "NSS Verify:"
+-	cmsutil -D -d $tmpdir -f pinfile -i signed
+-	certutil -M -d $tmpdir -n i$size -t ,,
++	cmsutil -D -d $tmpdir -f pinfile -i signed -f pinfile
++	certutil -M -d $tmpdir -n i$size -t ,, -f pinfile
+ 
+ 	# Go and save the new certs and keys (NSS).
+ 	echo '(saving)'
+@@ -163,11 +163,11 @@ for preserve in 1 0 ; do
+ 
+ 	echo "This is the plaintext." > plain.txt
+ 	echo "NSS Signing:"
+-	certutil -M -d $tmpdir -n i$size -t P,P,P
+-	cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed
++	certutil -M -d $tmpdir -n i$size -t P,P,P -f pinfile
++	cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -f pinfile
+ 	echo "NSS Verify:"
+-	cmsutil -D -d $tmpdir -f pinfile -i signed
+-	certutil -M -d $tmpdir -n i$size -t ,,
++	cmsutil -D -d $tmpdir -f pinfile -i signed -f pinfile
++	certutil -M -d $tmpdir -n i$size -t ,, -f pinfile
+ 
+ 	# Now generate new keys, CSRs, and certificates (OpenSSL).
+ 	echo "PEM keys before re-keygen (preserve=$preserve,pin=\"$pin\"):"
+-- 
+2.15.1
+
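Review bot: The four `cmsutil` lines already carried `-f pinfile`, and the new versions append a second one (`cmsutil -S ... -f pinfile ... -o signed -f pinfile`, likewise for `cmsutil -D`), in both loop bodies. The commit message names `certutil -M` and `cmsutil -S` as the commands that need the password file, but only the `certutil -M` lines were actually missing it. I would leave the cmsutil lines as they were, e.g. `cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed`, so the test does not depend on how cmsutil treats a repeated option. The `for preserve` loop starts and ends outside these hunks.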
diff --git a/0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch b/0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch
new file mode 100644
index 0000000..401aec4
--- /dev/null
+++ b/0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch
@@ -0,0 +1,405 @@
+From 0cfefe50373cd5f7da5b49f1a1380ba8b5baf825 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 9 Jan 2018 22:14:53 -0500
+Subject: [PATCH 3/6] NSS in rawhide (F28) was switched to sqlite, fix
+ assumptions
+
+Previous releases of NSS had dbm as the default storage type.
+Certain assumptions were built into the tests. Make the default
+scheme more explicit, leaving it as dbm for now.
+
+https://pagure.io/certmonger/issue/88
+---
+ tests/007-certsave-dbm/expected.out |  4 ++--
+ tests/007-certsave/expected.out     |  4 ++--
+ tests/007-certsave/run.sh           | 47 +++++++++++++++++++------------------
+ tests/025-casave/run.sh             | 36 ++++++++++++++--------------
+ tests/034-perms/expected.out        | 36 ++++++++++++++--------------
+ tests/034-perms/run.sh              |  2 ++
+ 6 files changed, 66 insertions(+), 63 deletions(-)
+
+diff --git a/tests/007-certsave-dbm/expected.out b/tests/007-certsave-dbm/expected.out
+index e0978c66..ed6b4ede 100644
+--- a/tests/007-certsave-dbm/expected.out
++++ b/tests/007-certsave-dbm/expected.out
+@@ -37,7 +37,7 @@ Testing setting trust to C,c,p:
+  wrong nickname, right subject: cert ,, 
+  wrong subject, right nickname: cert ,, 
+ [nss:rosubdir]
+-Failed to save (NSS:${tmpdir}/rosubdir), filesystem permissions error.
++Failed to save (NSS:dbm:${tmpdir}/rosubdir), filesystem permissions error.
+ [nss:rwsubdir]
+-Failed to save (NSS:${tmpdir}/rwsubdir), filesystem permissions error.
++Failed to save (NSS:dbm:${tmpdir}/rwsubdir), filesystem permissions error.
+ Test complete.
+diff --git a/tests/007-certsave/expected.out b/tests/007-certsave/expected.out
+index e0978c66..ed6b4ede 100644
+--- a/tests/007-certsave/expected.out
++++ b/tests/007-certsave/expected.out
+@@ -37,7 +37,7 @@ Testing setting trust to C,c,p:
+  wrong nickname, right subject: cert ,, 
+  wrong subject, right nickname: cert ,, 
+ [nss:rosubdir]
+-Failed to save (NSS:${tmpdir}/rosubdir), filesystem permissions error.
++Failed to save (NSS:dbm:${tmpdir}/rosubdir), filesystem permissions error.
+ [nss:rwsubdir]
+-Failed to save (NSS:${tmpdir}/rwsubdir), filesystem permissions error.
++Failed to save (NSS:dbm:${tmpdir}/rwsubdir), filesystem permissions error.
+ Test complete.
+diff --git a/tests/007-certsave/run.sh b/tests/007-certsave/run.sh
+index bea8341a..29b02152 100755
+--- a/tests/007-certsave/run.sh
++++ b/tests/007-certsave/run.sh
+@@ -2,8 +2,9 @@
+ 
+ cd "$tmpdir"
+ 
++scheme="${scheme:-dbm}"
+ source "$srcdir"/functions
+-initnssdb ${scheme:+${scheme}:}$tmpdir
++initnssdb $scheme:$tmpdir
+ 
+ wrongcert='-----BEGIN CERTIFICATE-----
+  MIIDQTCCAimgAwIBAgIBBTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdwaWxs
+@@ -50,7 +51,7 @@ echo "$wrongcert" | sed -e 's,^$,,g' -e 's,^ ,,g' > cert.wrong
+ echo "[nss:wrongnick]"
+ cat > entry.nss << EOF
+ cert_storage_type=NSSDB
+-cert_storage_location=${scheme:+${scheme}:}$tmpdir
++cert_storage_location=$scheme:$tmpdir
+ cert_nickname=wrongnick
+ cert=$cert
+ EOF
+@@ -59,7 +60,7 @@ $toolsdir/certsave entry.nss
+ echo "[nss:wrongcert]"
+ cat > entry.nss << EOF
+ cert_storage_type=NSSDB
+-cert_storage_location=${scheme:+${scheme}:}$tmpdir
++cert_storage_location=$scheme:$tmpdir
+ cert_nickname=cert
+ cert=$wrongcert
+ EOF
+@@ -68,13 +69,13 @@ $toolsdir/certsave entry.nss
+ echo "[nss:right]"
+ cat > entry.nss << EOF
+ cert_storage_type=NSSDB
+-cert_storage_location=${scheme:+${scheme}:}$tmpdir
++cert_storage_location=$scheme:$tmpdir
+ cert_nickname=cert
+ cert=$cert
+ EOF
+ $toolsdir/certsave entry.nss
+ $toolsdir/listnicks entry.nss
+-certutil -d ${scheme:+${scheme}:}$tmpdir -L -n cert -a > cert.nss
++certutil -d $scheme:$tmpdir -L -n cert -a > cert.nss
+ # Save the wrong certificate to the PEM file.
+ echo "[openssl:wrong]"
+ cat > entry.openssl << EOF
+@@ -96,7 +97,7 @@ run_dos2unix cert.original
+ run_dos2unix cert.nss
+ run_dos2unix cert.openssl
+ if ! cmp cert.original cert.nss ; then
+-	echo Original and NSS disagree "(${scheme:+${scheme}:}$tmpdir)".
++	echo Original and NSS disagree "($scheme:$tmpdir)".
+ 	cat cert.original cert.nss
+ 	exit 1
+ fi
+@@ -137,62 +138,62 @@ $toolsdir/certsave entry.openssl || true
+ for trust in ,, P,, ,P, CT,C, C,c,p ; do
+ 	echo Testing setting trust to "$trust":
+ 	# Save the right certificate to NSS's database and read it back.
+-	initnssdb ${scheme:+${scheme}:}$tmpdir
++	initnssdb $scheme:$tmpdir
+ 	cat > entry.nss <<- EOF
+ 	cert_storage_type=NSSDB
+-	cert_storage_location=${scheme:+${scheme}:}$tmpdir
++	cert_storage_location=$scheme:$tmpdir
+ 	cert_nickname=cert
+ 	cert=$cert
+ 	EOF
+ 	$toolsdir/certsave entry.nss
+-	certutil -d ${scheme:+${scheme}:}$tmpdir -M -n cert -t $trust
++	certutil -d $scheme:$tmpdir -M -n cert -t $trust
+ 	echo -n " baseline: "
+-	certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
++	certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
+ 	$toolsdir/certsave entry.nss
+ 	echo -n " right nickname, right subject: "
+-	certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
++	certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
+ 	# Save the right certificate to NSS's database with the wrong nickname.
+-	initnssdb ${scheme:+${scheme}:}$tmpdir
++	initnssdb $scheme:$tmpdir
+ 	$toolsdir/certsave entry.nss
+ 	cat > entry.nss <<- EOF
+ 	cert_storage_type=NSSDB
+-	cert_storage_location=${scheme:+${scheme}:}$tmpdir
++	cert_storage_location=$scheme:$tmpdir
+ 	cert_nickname=wrongnick
+ 	cert=$cert
+ 	EOF
+ 	$toolsdir/certsave entry.nss
+-	certutil -d ${scheme:+${scheme}:}$tmpdir -M -n wrongnick -t $trust
++	certutil -d $scheme:$tmpdir -M -n wrongnick -t $trust
+ 	# Save the right certificate to NSS's database and read it back.
+ 	cat > entry.nss <<- EOF
+ 	cert_storage_type=NSSDB
+-	cert_storage_location=${scheme:+${scheme}:}$tmpdir
++	cert_storage_location=$scheme:$tmpdir
+ 	cert_nickname=cert
+ 	cert=$cert
+ 	EOF
+ 	$toolsdir/certsave entry.nss
+ 	echo -n " wrong nickname, right subject: "
+-	certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
++	certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
+ 	# Save the wrong certificate to NSS's database with the right nickname.
+-	initnssdb ${scheme:+${scheme}:}$tmpdir
++	initnssdb $scheme:$tmpdir
+ 	$toolsdir/certsave entry.nss
+ 	cat > entry.nss <<- EOF
+ 	cert_storage_type=NSSDB
+-	cert_storage_location=${scheme:+${scheme}:}$tmpdir
++	cert_storage_location=$scheme:$tmpdir
+ 	cert_nickname=cert
+ 	cert=$wrongcert
+ 	EOF
+ 	$toolsdir/certsave entry.nss
+-	certutil -d ${scheme:+${scheme}:}$tmpdir -M -n cert -t $trust
++	certutil -d $scheme:$tmpdir -M -n cert -t $trust
+ 	# Save the right certificate to NSS's database and read it back.
+ 	cat > entry.nss <<- EOF
+ 	cert_storage_type=NSSDB
+-	cert_storage_location=${scheme:+${scheme}:}$tmpdir
++	cert_storage_location=$scheme:$tmpdir
+ 	cert_nickname=cert
+ 	cert=$cert
+ 	EOF
+ 	$toolsdir/certsave entry.nss
+ 	echo -n " wrong subject, right nickname: "
+-	certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
++	certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
+ done
+ 
+ if test "$scheme" = sql ; then
+@@ -202,7 +203,7 @@ else
+ 	echo "[nss:rosubdir]"
+ 	cat > entry.nss <<- EOF
+ 	cert_storage_type=NSSDB
+-	cert_storage_location=$tmpdir/rosubdir
++	cert_storage_location=$scheme:$tmpdir/rosubdir
+ 	cert_nickname=cert
+ 	cert=$cert
+ 	EOF
+@@ -216,7 +217,7 @@ else
+ 	echo "[nss:rwsubdir]"
+ 	cat > entry.nss <<- EOF
+ 	cert_storage_type=NSSDB
+-	cert_storage_location=$tmpdir/rwsubdir
++	cert_storage_location=$scheme:$tmpdir/rwsubdir
+ 	cert_nickname=cert
+ 	cert=$cert
+ 	EOF
+diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh
+index 44a08b06..aff1e6d9 100755
+--- a/tests/025-casave/run.sh
++++ b/tests/025-casave/run.sh
+@@ -196,7 +196,7 @@ id=EntryD1
+ root_cert_files=
+ other_root_cert_files=
+ other_cert_files=
+-root_cert_dbs=$tmpdir/db1,$tmpdir/dba
++root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba
+ other_root_cert_dbs=
+ other_cert_dbs=
+ cert_roots=Per-certificate Signing Authority D1
+@@ -229,7 +229,7 @@ root_cert_files=
+ other_root_cert_files=
+ other_cert_files=
+ root_cert_dbs=
+-other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba
++other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba
+ other_cert_dbs=
+ EOF
+ cat > $tmpdir/entryd3 <<- EOF
+@@ -239,7 +239,7 @@ other_root_cert_files=
+ other_cert_files=
+ root_cert_dbs=
+ other_root_cert_dbs=
+-other_cert_dbs=$tmpdir/db3,$tmpdir/dba
++other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba
+ cert_chain=Per-certificate Signing Authority D3
+  -----BEGIN CERTIFICATE-----
+  MIIDjjCCAnagAwIBAgIRALuVK2FuXklPuMP4qtRyQjUwDQYJKoZIhvcNAQELBQAw
+@@ -300,7 +300,7 @@ ca_name=CAD1
+ root_cert_files=
+ other_root_cert_files=
+ other_cert_files=
+-root_cert_dbs=$tmpdir/db1,$tmpdir/dba
++root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba
+ other_root_cert_dbs=
+ other_cert_dbs=
+ EOF
+@@ -311,7 +311,7 @@ root_cert_files=
+ other_root_cert_files=
+ other_cert_files=
+ root_cert_dbs=
+-other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba
++other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba
+ other_cert_dbs=
+ EOF
+ cat > $tmpdir/entrycad3 <<- EOF
+@@ -322,7 +322,7 @@ other_root_cert_files=
+ other_cert_files=
+ root_cert_dbs=
+ other_root_cert_dbs=
+-other_cert_dbs=$tmpdir/db3,$tmpdir/dba
++other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba
+ EOF
+ 
+ cat > $tmpdir/cab1 <<- EOF
+@@ -564,9 +564,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh
+ ca_root_cert_files=
+ ca_other_root_cert_files=
+ ca_other_cert_files=
+-ca_root_cert_dbs=$tmpdir/db1,$tmpdir/dba
+-ca_other_root_cert_dbs=$tmpdir/dba
+-ca_other_cert_dbs=$tmpdir/dba
++ca_root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba
++ca_other_root_cert_dbs=dbm:$tmpdir/dba
++ca_other_cert_dbs=dbm:$tmpdir/dba
+ ca_root_certs=Root Certificate D1
+  -----BEGIN CERTIFICATE-----
+  MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
+@@ -639,9 +639,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh
+ ca_root_cert_files=
+ ca_other_root_cert_files=
+ ca_other_cert_files=
+-ca_root_cert_dbs=$tmpdir/dba
+-ca_other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba
+-ca_other_cert_dbs=$tmpdir/dba
++ca_root_cert_dbs=dbm:$tmpdir/dba
++ca_other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba
++ca_other_cert_dbs=dbm:$tmpdir/dba
+ ca_root_certs=Root Certificate D2
+  -----BEGIN CERTIFICATE-----
+  MIIEDzCCAvegAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJTSzET
+@@ -722,9 +722,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh
+ ca_root_cert_files=
+ ca_other_root_cert_files=
+ ca_other_cert_files=
+-ca_root_cert_dbs=,$tmpdir/dba
+-ca_other_root_cert_dbs=,$tmpdir/dba,
+-ca_other_cert_dbs=$tmpdir/db3,$tmpdir/dba
++ca_root_cert_dbs=,dbm:$tmpdir/dba
++ca_other_root_cert_dbs=,dbm:$tmpdir/dba,
++ca_other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba
+ ca_root_certs=Root Certificate D3
+  -----BEGIN CERTIFICATE-----
+  MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL
+@@ -796,9 +796,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh
+ ca_root_cert_files=$tmpdir/bundle-all
+ ca_other_root_cert_files=
+ ca_other_cert_files=
+-ca_root_cert_dbs=$tmpdir/dba
+-ca_other_root_cert_dbs=,$tmpdir/dba
+-ca_other_cert_dbs=,$tmpdir/dba
++ca_root_cert_dbs=dbm:$tmpdir/dba
++ca_other_root_cert_dbs=,dbm:$tmpdir/dba
++ca_other_cert_dbs=,dbm:$tmpdir/dba
+ ca_root_certs=Root Certificate DA
+  -----BEGIN CERTIFICATE-----
+  MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1Xm67XVjAKBggqhkjOPQQDAzCBhDEL
+diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out
+index 4e2fbd71..c062d409 100644
+--- a/tests/034-perms/expected.out
++++ b/tests/034-perms/expected.out
+@@ -41,54 +41,54 @@ $owner:$group|0755|ee.key.MARKER.key
+ $owner:$group|0662|ee.crt
+ $owner:$group|0620|ee.key
+ 
+-[start]
+-[keygen]
++[dbm:start]
++[dbm:keygen]
+ $owner:$group|0600|cert8.db
+ $owner:$group|0620|key3.db
+-[reset]
++[dbm:reset]
+ $owner:$group|0755|cert8.db
+ $owner:$group|0755|key3.db
+-[csrgen]
++[dbm:csrgen]
+ $owner:$group|0755|cert8.db
+ $owner:$group|0620|key3.db
+-[reset]
++[dbm:reset]
+ $owner:$group|0755|cert8.db
+ $owner:$group|0755|key3.db
+-[submit]
++[dbm:submit]
+ $owner:$group|0755|cert8.db
+ $owner:$group|0755|key3.db
+-[reset]
++[dbm:reset]
+ $owner:$group|0755|cert8.db
+ $owner:$group|0755|key3.db
+-[save]
++[dbm:save]
+ $owner:$group|0662|cert8.db
+ $owner:$group|0620|key3.db
+-[rekey:start]
+-[rekey:keygen]
++[rekey:dbm:start]
++[rekey:dbm:keygen]
+ $owner:$group|0600|cert8.db
+ $owner:$group|0620|key3.db
+-[rekey:reset]
++[rekey:dbm:reset]
+ $owner:$group|0755|cert8.db
+ $owner:$group|0755|key3.db
+-[rekey:keygen]
++[rekey:dbm:keygen]
+ $owner:$group|0755|cert8.db
+ $owner:$group|0620|key3.db
+-[rekey:reset]
++[rekey:dbm:reset]
+ $owner:$group|0755|cert8.db
+ $owner:$group|0755|key3.db
+-[rekey:csrgen]
++[rekey:dbm:csrgen]
+ $owner:$group|0755|cert8.db
+ $owner:$group|0620|key3.db
+-[rekey:reset]
++[rekey:dbm:reset]
+ $owner:$group|0755|cert8.db
+ $owner:$group|0755|key3.db
+-[rekey:submit]
++[rekey:dbm:submit]
+ $owner:$group|0755|cert8.db
+ $owner:$group|0755|key3.db
+-[rekey:reset]
++[rekey:dbm:reset]
+ $owner:$group|0755|cert8.db
+ $owner:$group|0755|key3.db
+-[rekey:save]
++[rekey:dbm:save]
+ $owner:$group|0662|cert8.db
+ $owner:$group|0620|key3.db
+ OK
+diff --git a/tests/034-perms/run.sh b/tests/034-perms/run.sh
+index 7f349d3b..88eae19f 100755
+--- a/tests/034-perms/run.sh
++++ b/tests/034-perms/run.sh
+@@ -1,6 +1,8 @@
+ #!/bin/bash
+ cd "$tmpdir"
+ 
++scheme="${scheme:-dbm:}"
++
+ function list() {
+ 	$toolsdir/ls *.* | sed -e "s~^$owner:$group|~\$owner:\$group|~g"
+ }
+-- 
+2.15.1
+
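Review bot: The `scheme` default is spelled two ways in this patch: tests/007-certsave/run.sh sets `scheme="${scheme:-dbm}"` and joins it as `$scheme:$tmpdir`, while tests/034-perms/run.sh sets `scheme="${scheme:-dbm:}"` with the colon included (tests/002-keygen/run.sh in patch 5 uses the colon form too). A caller that exports `scheme=sql:` would hand 007-certsave `sql::$tmpdir` and would miss the later `test "$scheme" = sql` branch. Either settle on one form or normalise right after the default in 007-certsave with `scheme="${scheme%:}"`. The new `$scheme:$tmpdir` arguments to `initnssdb` and `certutil -d` are also unquoted, unlike `cd "$tmpdir"` above them. How 034-perms uses `scheme` is outside its hunk.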
diff --git a/0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch b/0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch
new file mode 100644
index 0000000..a4df8db
--- /dev/null
+++ b/0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch
@@ -0,0 +1,48 @@
+From 19d70d9817a5d22d05ff990f354ddadb77cc05a6 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 9 Jan 2018 22:18:58 -0500
+Subject: [PATCH 4/6] Workaround NSS bug in associating private key to
+ certificate
+
+If NSS uses SQL DB storage, CERT_ImportCerts creates incomplete
+internal state (the cert isn't associated with the private key,
+and calling PK11_FindKeyByAnyCert returns no result).
+
+As a workaround, we import the cert again using PK11_ImportCert
+which magically fixes the issue.
+
+See rhbz#1532188
+
+Related: https://pagure.io/certmonger/issue/88
+---
+ src/certsave-n.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/certsave-n.c b/src/certsave-n.c
+index a2c97000..8e15a18a 100644
+--- a/src/certsave-n.c
++++ b/src/certsave-n.c
+@@ -474,6 +474,20 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ 						 PR_FALSE,
+ 						 entry->cm_cert_nickname);
+ 			ec = PORT_GetError();
++			if (error == SECSuccess) {
++				/* If NSS uses SQL DB storage, CERT_ImportCerts creates
++				 * an incomplete internal state (the cert isn't
++				 * associated with the private key, and calling
++				 * PK11_FindKeyByAnyCert returns no result).
++				 * As a workaround, we import the cert again using 
++				 * PK11_ImportCert, which magically fixes the issue.
++				 * See rhbz#1532188 */
++				error = PK11_ImportCert(PK11_GetInternalKeySlot(),
++					returned[0],
++					CK_INVALID_HANDLE,
++					returned[0]->nickname,
++					PR_FALSE);
++			}
+ 			if (error == SECSuccess) {
+ 				cm_log(1, "Imported certificate \"%s\", got "
+ 				       "nickname \"%s\".\n",
+-- 
+2.15.1
+
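Review bot: `PK11_GetInternalKeySlot()` returns a slot reference that the caller has to release with `PK11_FreeSlot()`, and the added call passes it straight into `PK11_ImportCert()`, so every successful import leaks one reference. `ec` is also captured before the second import, so if `PK11_ImportCert()` fails, the code that follows sees an error code that belongs to `CERT_ImportCerts()`. Holding the slot in a local, refreshing `ec` after the call and freeing the slot addresses both. The rest of `cm_certsave_n_main` is outside the hunk, so how `ec` is consumed afterwards is not visible here.

```c
			if (error == SECSuccess) {
				PK11SlotInfo *slot;

				/* … unchanged: comment describing the rhbz#1532188 workaround … */
				slot = PK11_GetInternalKeySlot();
				if (slot != NULL) {
					error = PK11_ImportCert(slot,
						returned[0],
						CK_INVALID_HANDLE,
						returned[0]->nickname,
						PR_FALSE);
					ec = PORT_GetError();
					PK11_FreeSlot(slot);
				} else {
					error = SECFailure;
					ec = PORT_GetError();
				}
			}
```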
diff --git a/0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch b/0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch
new file mode 100644
index 0000000..3ab6046
--- /dev/null
+++ b/0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch
@@ -0,0 +1,314 @@
+From 920572235f82eb3a88a3b8dd274f809baee31c67 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 9 Jan 2018 22:54:06 -0500
+Subject: [PATCH 5/6] Run key generation tests against both dbm and sqlite
+ databases
+
+Related: https://pagure.io/certmonger/issue/88
+---
+ tests/002-keygen-dbm/expected.out | 99 +++++++++++++++++++++++++++++++++++++++
+ tests/002-keygen-dbm/run.sh       |  2 +
+ tests/002-keygen-sql/expected.out | 99 +++++++++++++++++++++++++++++++++++++++
+ tests/002-keygen-sql/run.sh       |  2 +
+ tests/002-keygen/expected.out     |  4 +-
+ tests/002-keygen/run.sh           | 12 +++--
+ 6 files changed, 211 insertions(+), 7 deletions(-)
+ create mode 100644 tests/002-keygen-dbm/expected.out
+ create mode 100755 tests/002-keygen-dbm/run.sh
+ create mode 100644 tests/002-keygen-sql/expected.out
+ create mode 100755 tests/002-keygen-sql/run.sh
+
+diff --git a/tests/002-keygen-dbm/expected.out b/tests/002-keygen-dbm/expected.out
+new file mode 100644
+index 00000000..dcd1af06
+--- /dev/null
++++ b/tests/002-keygen-dbm/expected.out
+@@ -0,0 +1,99 @@
++[nss:1024]
++OK.
++OK (RSA:1024).
++OK.
++OK (RSA:1024 after RSA:1024).
++OK.
++OK (RSA:1024 after RSA:1024).
++keyi1024
++keyi1024 (candidate (next))
++[nss:1536]
++OK.
++OK (RSA:1536).
++OK.
++OK (RSA:1536 after RSA:1536).
++OK.
++OK (RSA:1536 after RSA:1536).
++keyi1536
++keyi1536 (candidate (next))
++[nss:2048]
++OK.
++OK (RSA:2048).
++OK.
++OK (RSA:2048 after RSA:2048).
++OK.
++OK (RSA:2048 after RSA:2048).
++keyi2048
++keyi2048 (candidate (next))
++[nss:3072]
++OK.
++OK (RSA:3072).
++OK.
++OK (RSA:3072 after RSA:3072).
++OK.
++OK (RSA:3072 after RSA:3072).
++keyi3072
++keyi3072 (candidate (next))
++[nss:4096]
++OK.
++OK (RSA:4096).
++OK.
++OK (RSA:4096 after RSA:4096).
++OK.
++OK (RSA:4096 after RSA:4096).
++keyi4096
++keyi4096 (candidate (next))
++[nss:rosubdir]
++Failed to save NSS:dbm:${tmpdir}/rosubdir: need fs permissions.
++[nss:rwsubdir]
++Failed to save NSS:dbm:${tmpdir}/rwsubdir: need fs permissions.
++[openssl:1024]
++OK.
++OK (RSA:1024).
++OK.
++OK (RSA:1024 after RSA:1024).
++OK.
++OK (RSA:1024 after RSA:1024).
++${tmpdir}/sample.1024
++${tmpdir}/sample.1024.(next).key
++[openssl:1536]
++OK.
++OK (RSA:1536).
++OK.
++OK (RSA:1536 after RSA:1536).
++OK.
++OK (RSA:1536 after RSA:1536).
++${tmpdir}/sample.1536
++${tmpdir}/sample.1536.(next).key
++[openssl:2048]
++OK.
++OK (RSA:2048).
++OK.
++OK (RSA:2048 after RSA:2048).
++OK.
++OK (RSA:2048 after RSA:2048).
++${tmpdir}/sample.2048
++${tmpdir}/sample.2048.(next).key
++[openssl:3072]
++OK.
++OK (RSA:3072).
++OK.
++OK (RSA:3072 after RSA:3072).
++OK.
++OK (RSA:3072 after RSA:3072).
++${tmpdir}/sample.3072
++${tmpdir}/sample.3072.(next).key
++[openssl:4096]
++OK.
++OK (RSA:4096).
++OK.
++OK (RSA:4096 after RSA:4096).
++OK.
++OK (RSA:4096 after RSA:4096).
++${tmpdir}/sample.4096
++${tmpdir}/sample.4096.(next).key
++[openssl:rosubdir]
++Failed to save FILE:${tmpdir}/rosubdir/sample.4096: need fs permissions.
++[openssl:rwsubdir]
++Failed to save FILE:${tmpdir}/rwsubdir/sample.4096: need fs permissions.
++Test complete.
+diff --git a/tests/002-keygen-dbm/run.sh b/tests/002-keygen-dbm/run.sh
+new file mode 100755
+index 00000000..36323947
+--- /dev/null
++++ b/tests/002-keygen-dbm/run.sh
+@@ -0,0 +1,2 @@
++#!/bin/bash -e
++exec env scheme=dbm: ../002-keygen/run.sh
+diff --git a/tests/002-keygen-sql/expected.out b/tests/002-keygen-sql/expected.out
+new file mode 100644
+index 00000000..178f1b3a
+--- /dev/null
++++ b/tests/002-keygen-sql/expected.out
+@@ -0,0 +1,99 @@
++[nss:1024]
++OK.
++OK (RSA:1024).
++OK.
++OK (RSA:1024 after RSA:1024).
++OK.
++OK (RSA:1024 after RSA:1024).
++keyi1024
++keyi1024 (candidate (next))
++[nss:1536]
++OK.
++OK (RSA:1536).
++OK.
++OK (RSA:1536 after RSA:1536).
++OK.
++OK (RSA:1536 after RSA:1536).
++keyi1536
++keyi1536 (candidate (next))
++[nss:2048]
++OK.
++OK (RSA:2048).
++OK.
++OK (RSA:2048 after RSA:2048).
++OK.
++OK (RSA:2048 after RSA:2048).
++keyi2048
++keyi2048 (candidate (next))
++[nss:3072]
++OK.
++OK (RSA:3072).
++OK.
++OK (RSA:3072 after RSA:3072).
++OK.
++OK (RSA:3072 after RSA:3072).
++keyi3072
++keyi3072 (candidate (next))
++[nss:4096]
++OK.
++OK (RSA:4096).
++OK.
++OK (RSA:4096 after RSA:4096).
++OK.
++OK (RSA:4096 after RSA:4096).
++keyi4096
++keyi4096 (candidate (next))
++[nss:rosubdir]
++Failed to save NSS:sql:${tmpdir}/rosubdir: need fs permissions.
++[nss:rwsubdir]
++Failed to save NSS:sql:${tmpdir}/rwsubdir: need fs permissions.
++[openssl:1024]
++OK.
++OK (RSA:1024).
++OK.
++OK (RSA:1024 after RSA:1024).
++OK.
++OK (RSA:1024 after RSA:1024).
++${tmpdir}/sample.1024
++${tmpdir}/sample.1024.(next).key
++[openssl:1536]
++OK.
++OK (RSA:1536).
++OK.
++OK (RSA:1536 after RSA:1536).
++OK.
++OK (RSA:1536 after RSA:1536).
++${tmpdir}/sample.1536
++${tmpdir}/sample.1536.(next).key
++[openssl:2048]
++OK.
++OK (RSA:2048).
++OK.
++OK (RSA:2048 after RSA:2048).
++OK.
++OK (RSA:2048 after RSA:2048).
++${tmpdir}/sample.2048
++${tmpdir}/sample.2048.(next).key
++[openssl:3072]
++OK.
++OK (RSA:3072).
++OK.
++OK (RSA:3072 after RSA:3072).
++OK.
++OK (RSA:3072 after RSA:3072).
++${tmpdir}/sample.3072
++${tmpdir}/sample.3072.(next).key
++[openssl:4096]
++OK.
++OK (RSA:4096).
++OK.
++OK (RSA:4096 after RSA:4096).
++OK.
++OK (RSA:4096 after RSA:4096).
++${tmpdir}/sample.4096
++${tmpdir}/sample.4096.(next).key
++[openssl:rosubdir]
++Failed to save FILE:${tmpdir}/rosubdir/sample.4096: need fs permissions.
++[openssl:rwsubdir]
++Failed to save FILE:${tmpdir}/rwsubdir/sample.4096: need fs permissions.
++Test complete.
+diff --git a/tests/002-keygen-sql/run.sh b/tests/002-keygen-sql/run.sh
+new file mode 100755
+index 00000000..cd5bc978
+--- /dev/null
++++ b/tests/002-keygen-sql/run.sh
+@@ -0,0 +1,2 @@
++#!/bin/bash -e
++exec env scheme=sql: ../002-keygen/run.sh
+diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out
+index ff56372a..dcd1af06 100644
+--- a/tests/002-keygen/expected.out
++++ b/tests/002-keygen/expected.out
+@@ -44,9 +44,9 @@ OK (RSA:4096 after RSA:4096).
+ keyi4096
+ keyi4096 (candidate (next))
+ [nss:rosubdir]
+-Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
++Failed to save NSS:dbm:${tmpdir}/rosubdir: need fs permissions.
+ [nss:rwsubdir]
+-Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
++Failed to save NSS:dbm:${tmpdir}/rwsubdir: need fs permissions.
+ [openssl:1024]
+ OK.
+ OK (RSA:1024).
+diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
+index f550feeb..08af1523 100755
+--- a/tests/002-keygen/run.sh
++++ b/tests/002-keygen/run.sh
+@@ -2,15 +2,17 @@
+ 
+ cd "$tmpdir"
+ 
++scheme="${scheme:-dbm:}"
++
+ source "$srcdir"/functions
+-initnssdb "$tmpdir"
++initnssdb "$scheme$tmpdir"
+ 
+ for size in 1024 1536 2048 3072 4096 ; do
+ 	echo "[nss:$size]"
+ 	# Generate a key.
+ 	cat > entry.$size <<- EOF
+ 	key_storage_type=NSSDB
+-	key_storage_location=$tmpdir
++	key_storage_location=$scheme$tmpdir
+ 	key_nickname=keyi$size
+ 	key_gen_size=$size
+ 	EOF
+@@ -28,13 +30,13 @@ for size in 1024 1536 2048 3072 4096 ; do
+ 	# Extract the marker.
+ 	marker=`grep ^key_next_marker= entry.$size | cut -f2- -d=`
+ 	# Make sure we're clean.
+-	run_certutil -K -d "$tmpdir" | grep keyi$size | sed -e 's,.*keyi,keyi,' -e s,"${marker:-////////}","(next)",g | env LANG=C sort
++	run_certutil -K -d "$scheme$tmpdir" | grep keyi$size | sed -e 's,.*keyi,keyi,' -e s,"${marker:-////////}","(next)",g | env LANG=C sort
+ done
+ 
+ echo "[nss:rosubdir]"
+ cat > entry.$size <<- EOF
+ key_storage_type=NSSDB
+-key_storage_location=$tmpdir/rosubdir
++key_storage_location=$scheme$tmpdir/rosubdir
+ key_nickname=keyi$size
+ key_gen_size=$size
+ EOF
+@@ -43,7 +45,7 @@ $toolsdir/keygen entry.$size || true
+ echo "[nss:rwsubdir]"
+ cat > entry.$size <<- EOF
+ key_storage_type=NSSDB
+-key_storage_location=$tmpdir/rwsubdir
++key_storage_location=$scheme$tmpdir/rwsubdir
+ key_nickname=keyi$size
+ key_gen_size=$size
+ EOF
+-- 
+2.15.1
+
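Review bot: The two new wrappers, tests/002-keygen-dbm/run.sh and tests/002-keygen-sql/run.sh, reach the shared script through `../002-keygen/run.sh`, which is resolved against the current working directory rather than the wrapper's own location. That works only if the harness changes into the test directory before running it, which is not visible here. Anchoring the path to the script is more robust, e.g. `exec env scheme=dbm: "$(dirname "$0")/../002-keygen/run.sh"`. A one-line comment in each wrapper stating that `scheme` carries its trailing colon (`dbm:`, `sql:`) would also document the contract that `$scheme$tmpdir` in 002-keygen/run.sh relies on.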
diff --git a/certmonger.spec b/certmonger.spec
index 15604b0..2896194 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -26,7 +26,7 @@
 
 Name:		certmonger
 Version:	0.79.5
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
 Group:		System Environment/Daemons
@@ -51,16 +51,15 @@ BuildRequires:	libcurl-devel
 BuildRequires:	curl-devel
 %endif
 BuildRequires:	libxml2-devel, xmlrpc-c-devel
-%if 0%{?rhel} < 6
+%if 0%{?rhel} && 0%{?rhel} < 6
 BuildRequires:	bind-libbind-devel
+BuildRequires:	mktemp
 %endif
 # Required for 'make check':
 #  for diff and cmp
 BuildRequires:	diffutils
 #  for expect
 BuildRequires:	expect
-#  for mktemp, which was absorbed into coreutils at some point
-BuildRequires:	mktemp
 #  for certutil and pk12util
 BuildRequires:	nss-tools
 #  for openssl
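Review bot: The `BuildRequires: mktemp` line lost its explanatory comment when it moved under the `%if 0%{?rhel} && 0%{?rhel} < 6` conditional, where it now sits next to `bind-libbind-devel` and above the `# Required for 'make check':` heading it used to belong to. A short comment keeps the reason visible, e.g. `#  for mktemp in 'make check'; newer releases get it from coreutils`. The added `0%{?rhel} &&` guard is what keeps both lines off non-RHEL builds, and the changelog entry mentions only the mktemp part of that.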
@@ -108,12 +107,24 @@ Requires(preun):	/sbin/chkconfig, /sbin/service, dbus, sed
 Conflicts: libtevent < 0.9.13
 %endif
 
+Patch1:	0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch
+Patch2:	0002-SQLite-databases-require-a-password-to-modify-trust-.patch
+Patch3:	0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch
+Patch4:	0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch
+Patch5:	0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch
+
 %description
 Certmonger is a service which is primarily concerned with getting your
 system enrolled with a certificate authority (CA) and keeping it enrolled.
 
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+
 %if 0%{?rhel} > 0
 # Enabled by default for RHEL for bug #765600, still disabled by default for
 # Fedora pending a similar bug report there.
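Review bot: The added patches are numbered `[PATCH 1/6]` to `[PATCH 5/6]` in their subject lines, but only `Patch1` to `Patch5` are declared and applied, so the sixth patch of that series is not part of this build. If the omission is deliberate, a comment above the `Patch1:` line saying so, with a pointer to https://pagure.io/certmonger/issue/88 which the patches reference, would save the next packager from looking for it.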
@@ -243,6 +254,11 @@ exit 0
 %endif
 
 %changelog
+* Wed Jan 10 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-3
+- Remove BR on mktemp. It is now provided by coreutils.
+- Patch to fix NSS handling of keys in sqlite databases
+- Patches to fix tests now that sqlite is the NSS default.
+
 * Wed Oct  4 2017 Rob Crittenden <rcritten@redhat.com> 0.79.5-2
 - Switch BR from /usr/include/popt.h to popt-devel