96 lines
3.5 KiB
Diff
96 lines
3.5 KiB
Diff
From 15d406ee3afbb52832d5c61a1afb735724d109a2 Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Tue, 18 Sep 2018 10:21:28 -0400
|
|
Subject: [PATCH 7/7] Use only PK11_ImportCert to import certs, not
|
|
CERT_ImportCerts
|
|
|
|
CERT_ImportCerts always imports a given certificate into the
|
|
certificate database, whether a token is requested or not.
|
|
|
|
Using PK11_ImportCert will import the cert, associate the key
|
|
properly and will only add the certificate to the appropriate
|
|
token.
|
|
---
|
|
src/certsave-n.c | 37 +++++++++++--------------------------
|
|
1 file changed, 11 insertions(+), 26 deletions(-)
|
|
|
|
diff --git a/src/certsave-n.c b/src/certsave-n.c
|
|
index d0152cad..fcb43148 100644
|
|
--- a/src/certsave-n.c
|
|
+++ b/src/certsave-n.c
|
|
@@ -100,7 +100,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
NSSInitContext *ctx;
|
|
CERTCertDBHandle *certdb;
|
|
CERTCertList *certlist;
|
|
- CERTCertificate **returned, *oldcert, cert;
|
|
+ CERTCertificate *oldcert, *newcert, cert;
|
|
CERTCertTrust trust;
|
|
CERTSignedData csdata;
|
|
CERTCertListNode *node;
|
|
@@ -497,33 +497,18 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
}
|
|
}
|
|
/* Import the certificate. */
|
|
- returned = NULL;
|
|
- error = CERT_ImportCerts(certdb,
|
|
- certUsageUserCertImport,
|
|
- 1, &item, &returned,
|
|
- PR_TRUE,
|
|
- PR_FALSE,
|
|
- entry->cm_cert_nickname);
|
|
- ec = PORT_GetError();
|
|
- if (error == SECSuccess) {
|
|
- /* If NSS uses SQL DB storage, CERT_ImportCerts creates
|
|
- * an incomplete internal state (the cert isn't
|
|
- * associated with the private key, and calling
|
|
- * PK11_FindKeyByAnyCert returns no result).
|
|
- * As a workaround, we import the cert again using
|
|
- * PK11_ImportCert, which magically fixes the issue.
|
|
- * See rhbz#1532188 */
|
|
+ newcert = CERT_DecodeCertFromPackage((char *)item->data, item->len);
|
|
+ if (newcert != NULL) {
|
|
error = PK11_ImportCert(sle->slot,
|
|
- returned[0],
|
|
+ newcert,
|
|
CK_INVALID_HANDLE,
|
|
- returned[0]->nickname,
|
|
+ entry->cm_cert_nickname,
|
|
PR_FALSE);
|
|
}
|
|
if (error == SECSuccess) {
|
|
- cm_log(1, "Imported certificate \"%s\", got "
|
|
+ cm_log(1, "Imported certificate with "
|
|
"nickname \"%s\".\n",
|
|
- entry->cm_cert_nickname,
|
|
- returned[0]->nickname);
|
|
+ entry->cm_cert_nickname);
|
|
status = 0;
|
|
/* Set the trust on the new certificate,
|
|
* perhaps matching the trust on an
|
|
@@ -536,7 +521,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
trust.objectSigningFlags = CERTDB_USER;
|
|
}
|
|
error = CERT_ChangeCertTrust(certdb,
|
|
- returned[0],
|
|
+ newcert,
|
|
&trust);
|
|
ec = PORT_GetError();
|
|
if (error != SECSuccess) {
|
|
@@ -621,10 +606,10 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
}
|
|
/* If we managed to import the certificate, mark its
|
|
* key for having its nickname removed. */
|
|
- if ((returned != NULL) && (returned[0] != NULL)) {
|
|
- privkey = PK11_FindKeyByAnyCert(returned[0], NULL);
|
|
+ if (newcert != NULL) {
|
|
+ privkey = PK11_FindKeyByAnyCert(newcert, NULL);
|
|
privkeys = add_privkey_to_list(privkeys, privkey);
|
|
- CERT_DestroyCertArray(returned, 1);
|
|
+ CERT_DestroyCertificate(newcert);
|
|
}
|
|
/* In case we're rekeying, but failed, mark the
|
|
* candidate key for name-clearing or removal, too. */
|
|
--
|
|
2.14.4
|
|
|