From 19d70d9817a5d22d05ff990f354ddadb77cc05a6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 9 Jan 2018 22:18:58 -0500
Subject: [PATCH 4/6] Workaround NSS bug in associating private key to certificate

If NSS uses SQL DB storage, CERT_ImportCerts creates incomplete internal state (the cert isn't associated with the private key, and calling PK11_FindKeyByAnyCert returns no result). As a workaround, we import the cert again using PK11_ImportCert which magically fixes the issue. See rhbz#1532188 Related: https://pagure.io/certmonger/issue/88
---
 src/certsave-n.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/certsave-n.c b/src/certsave-n.c
index a2c97000..8e15a18a 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -474,6 +474,20 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 PR_FALSE,
 entry->cm_cert_nickname);
 ec = PORT_GetError();
+ if (error == SECSuccess) {
+ /* If NSS uses SQL DB storage, CERT_ImportCerts creates
+ * an incomplete internal state (the cert isn't
+ * associated with the private key, and calling
+ * PK11_FindKeyByAnyCert returns no result).
+ * As a workaround, we import the cert again using
+ * PK11_ImportCert, which magically fixes the issue.
+ * See rhbz#1532188 */
+ error = PK11_ImportCert(PK11_GetInternalKeySlot(),
+ returned[0],
+ CK_INVALID_HANDLE,
+ returned[0]->nickname,
+ PR_FALSE);
+ }
 if (error == SECSuccess) {
 cm_log(1, "Imported certificate \"%s\", got "
 "nickname \"%s\".\n",
-- 
2.15.1
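Review bot: The slot returned by `PK11_GetInternalKeySlot()` is passed straight into `PK11_ImportCert` and never released with `PK11_FreeSlot`, so every successful import leaks a slot reference, and a NULL return is not checked before use. `ec` is also read before the new call, so if `PK11_ImportCert` fails, whatever failure handling follows outside the hunk would presumably report the code left over from the successful `CERT_ImportCerts` rather than the real cause. The workaround always targets the internal key slot; if the private key can live on another token, the association may still be missing there, which is worth confirming. The enclosing function starts and ends outside the hunk, so the suggestion below covers only the added block.

```c
if (error == SECSuccess) {
	/* … unchanged: comment explaining the rhbz#1532188 workaround … */
	PK11SlotInfo *slot = PK11_GetInternalKeySlot();

	if (slot != NULL) {
		error = PK11_ImportCert(slot,
					returned[0],
					CK_INVALID_HANDLE,
					returned[0]->nickname,
					PR_FALSE);
	} else {
		error = SECFailure;
	}
	if (error != SECSuccess) {
		/* Refresh ec so the failure is not reported with the
		 * code left over from CERT_ImportCerts. */
		ec = PORT_GetError();
	}
	if (slot != NULL) {
		PK11_FreeSlot(slot);
	}
}
```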