From 19d70d9817a5d22d05ff990f354ddadb77cc05a6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 9 Jan 2018 22:18:58 -0500
Subject: [PATCH 4/6] Workaround NSS bug in associating private key to
certificate
If NSS uses SQL DB storage, CERT_ImportCerts creates incomplete
internal state (the cert isn't associated with the private key,
and calling PK11_FindKeyByAnyCert returns no result).
As a workaround, we import the cert again using PK11_ImportCert
which magically fixes the issue.
See rhbz#1532188
Related: https://pagure.io/certmonger/issue/88
---
src/certsave-n.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
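diff --git a/src/certsave-n.c b/src/certsave-n.c
index a2c97000..8e15a18a 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -474,6 +474,20 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 PR_FALSE,
 entry->cm_cert_nickname);
 ec = PORT_GetError();
+ if (error == SECSuccess) {
+ /* If NSS uses SQL DB storage, CERT_ImportCerts creates
+ * an incomplete internal state (the cert isn't
+ * associated with the private key, and calling
+ * PK11_FindKeyByAnyCert returns no result).
+ * As a workaround, we import the cert again using
+ * PK11_ImportCert, which magically fixes the issue.
+ * See rhbz#1532188 */
+ error = PK11_ImportCert(PK11_GetInternalKeySlot(),
+ returned[0],
+ CK_INVALID_HANDLE,
+ returned[0]->nickname,
+ PR_FALSE);
+ }
 if (error == SECSuccess) {
 cm_log(1, "Imported certificate \"%s\", got "
 "nickname \"%s\".\n",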
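Review bot: The added `PK11_ImportCert` call takes the result of `PK11_GetInternalKeySlot()` inline, so the slot reference that function returns is never released with `PK11_FreeSlot`, and a NULL slot is not checked before use. `ec` is also read from `PORT_GetError()` before this second import runs, so if `PK11_ImportCert` fails, the code after the hunk presumably reports the stale error code left over from the successful `CERT_ImportCerts` call. The workaround always targets the internal key slot; if the entry's private key can live on a different token, the re-import may not associate the two, which is worth confirming against the caller. The sketch below holds the slot in a local, refreshes `ec` on failure and frees the slot; `cm_certsave_n_main` begins and ends outside the hunk.

```c
			if (error == SECSuccess) {
				/* … unchanged: comment explaining the rhbz#1532188 workaround … */
				PK11SlotInfo *slot = PK11_GetInternalKeySlot();

				if (slot == NULL) {
					error = SECFailure;
					ec = PORT_GetError();
				} else {
					error = PK11_ImportCert(slot,
								returned[0],
								CK_INVALID_HANDLE,
								returned[0]->nickname,
								PR_FALSE);
					if (error != SECSuccess) {
						/* Report the failure of this import, not the earlier call. */
						ec = PORT_GetError();
					}
					PK11_FreeSlot(slot);
				}
			}
```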
--
2.15.1