37cd032951
The updated NSS crypto-policy enables all tokens which broke requesting certificates due to the way that tokens were managed.
96 lines
3.5 KiB
Diff
96 lines
3.5 KiB
Diff
From 15d406ee3afbb52832d5c61a1afb735724d109a2 Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Tue, 18 Sep 2018 10:21:28 -0400
|
|
Subject: [PATCH 7/7] Use only PK11_ImportCert to import certs, not
|
|
CERT_ImportCerts
|
|
|
|
CERT_ImportCerts always imports a given certificate into the
|
|
certificate database, whether a token is requested or not.
|
|
|
|
Using PK11_ImportCert will import the cert, associate the key
|
|
properly and will only add the certificate to the appropriate
|
|
token.
|
|
---
|
|
src/certsave-n.c | 37 +++++++++++--------------------------
|
|
1 file changed, 11 insertions(+), 26 deletions(-)
|
|
|
|
diff --git a/src/certsave-n.c b/src/certsave-n.c
|
|
index d0152cad..fcb43148 100644
|
|
--- a/src/certsave-n.c
|
|
+++ b/src/certsave-n.c
|
|
@@ -100,7 +100,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
NSSInitContext *ctx;
|
|
CERTCertDBHandle *certdb;
|
|
CERTCertList *certlist;
|
|
- CERTCertificate **returned, *oldcert, cert;
|
|
+ CERTCertificate *oldcert, *newcert, cert;
|
|
CERTCertTrust trust;
|
|
CERTSignedData csdata;
|
|
CERTCertListNode *node;
|
|
@@ -497,33 +497,18 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
}
|
|
}
|
|
/* Import the certificate. */
|
|
- returned = NULL;
|
|
- error = CERT_ImportCerts(certdb,
|
|
- certUsageUserCertImport,
|
|
- 1, &item, &returned,
|
|
- PR_TRUE,
|
|
- PR_FALSE,
|
|
- entry->cm_cert_nickname);
|
|
- ec = PORT_GetError();
|
|
- if (error == SECSuccess) {
|
|
- /* If NSS uses SQL DB storage, CERT_ImportCerts creates
|
|
- * an incomplete internal state (the cert isn't
|
|
- * associated with the private key, and calling
|
|
- * PK11_FindKeyByAnyCert returns no result).
|
|
- * As a workaround, we import the cert again using
|
|
- * PK11_ImportCert, which magically fixes the issue.
|
|
- * See rhbz#1532188 */
|
|
+ newcert = CERT_DecodeCertFromPackage((char *)item->data, item->len);
|
|
+ if (newcert != NULL) {
|
|
error = PK11_ImportCert(sle->slot,
|
|
- returned[0],
|
|
+ newcert,
|
|
CK_INVALID_HANDLE,
|
|
- returned[0]->nickname,
|
|
+ entry->cm_cert_nickname,
|
|
PR_FALSE);
|
|
}
|
|
if (error == SECSuccess) {
|
|
- cm_log(1, "Imported certificate \"%s\", got "
|
|
+ cm_log(1, "Imported certificate with "
|
|
"nickname \"%s\".\n",
|
|
- entry->cm_cert_nickname,
|
|
- returned[0]->nickname);
|
|
+ entry->cm_cert_nickname);
|
|
status = 0;
|
|
/* Set the trust on the new certificate,
|
|
* perhaps matching the trust on an
|
|
@@ -536,7 +521,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
trust.objectSigningFlags = CERTDB_USER;
|
|
}
|
|
error = CERT_ChangeCertTrust(certdb,
|
|
- returned[0],
|
|
+ newcert,
|
|
&trust);
|
|
ec = PORT_GetError();
|
|
if (error != SECSuccess) {
|
|
@@ -621,10 +606,10 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
}
|
|
/* If we managed to import the certificate, mark its
|
|
* key for having its nickname removed. */
|
|
- if ((returned != NULL) && (returned[0] != NULL)) {
|
|
- privkey = PK11_FindKeyByAnyCert(returned[0], NULL);
|
|
+ if (newcert != NULL) {
|
|
+ privkey = PK11_FindKeyByAnyCert(newcert, NULL);
|
|
privkeys = add_privkey_to_list(privkeys, privkey);
|
|
- CERT_DestroyCertArray(returned, 1);
|
|
+ CERT_DestroyCertificate(newcert);
|
|
}
|
|
/* In case we're rekeying, but failed, mark the
|
|
* candidate key for name-clearing or removal, too. */
|
|
--
|
|
2.14.4
|
|
|