certmonger/0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch
Rob Crittenden 6155daa274 Fixes for F28 switch to sqlite as the default NSS database type
- Patch to fix NSS handling of keys in sqlite databases
- Patches to fix tests now that sqlite is the NSS default.

Also fix building in rawhide due to packaging changes

- Remove BR on mktemp. It is now provided by coreutils.
2018-01-16 16:14:56 -05:00

From 19d70d9817a5d22d05ff990f354ddadb77cc05a6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 9 Jan 2018 22:18:58 -0500
Subject: [PATCH 4/6] Workaround NSS bug in associating private key to
certificate
If NSS uses SQL DB storage, CERT_ImportCerts creates incomplete
internal state (the cert isn't associated with the private key,
and calling PK11_FindKeyByAnyCert returns no result).
As a workaround, we import the cert again using PK11_ImportCert
which magically fixes the issue.
See rhbz#1532188
Related: https://pagure.io/certmonger/issue/88
---
src/certsave-n.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/certsave-n.c b/src/certsave-n.c
index a2c97000..8e15a18a 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -474,6 +474,20 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
PR_FALSE,
entry->cm_cert_nickname);
ec = PORT_GetError();
+ if (error == SECSuccess) {
+ /* If NSS uses SQL DB storage, CERT_ImportCerts creates
+ * an incomplete internal state (the cert isn't
+ * associated with the private key, and calling
+ * PK11_FindKeyByAnyCert returns no result).
+ * As a workaround, we import the cert again using
+ * PK11_ImportCert, which magically fixes the issue.
+ * See rhbz#1532188 */
+ error = PK11_ImportCert(PK11_GetInternalKeySlot(),
+ returned[0],
+ CK_INVALID_HANDLE,
+ returned[0]->nickname,
+ PR_FALSE);
+ }
if (error == SECSuccess) {
cm_log(1, "Imported certificate \"%s\", got "
"nickname \"%s\".\n",
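Review bot: In the added `if (error == SECSuccess)` block, `ec` is not refreshed after `PK11_ImportCert`, so if the second import fails, anything that later reports `ec` will use the value captured by `ec = PORT_GetError();` for the earlier import, which had succeeded. Call `PORT_GetError()` again once `PK11_ImportCert` returns. Separately, `PK11_GetInternalKeySlot()` returns a referenced slot, and passing it inline leaves no handle to release: hold it in a local variable, check it for NULL, and call `PK11_FreeSlot()` after the import. The block also re-imports only `returned[0]`; a one-line comment on why the first entry is sufficient would help the next reader.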
--
2.15.1