From 19d70d9817a5d22d05ff990f354ddadb77cc05a6 Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Tue, 9 Jan 2018 22:18:58 -0500

Subject: [PATCH 4/6] Workaround NSS bug in associating private key to

 certificate

If NSS uses SQL DB storage, CERT_ImportCerts creates incomplete

internal state (the cert isn't associated with the private key,

and calling PK11_FindKeyByAnyCert returns no result).

As a workaround, we import the cert again using PK11_ImportCert

which magically fixes the issue.

See rhbz#1532188

Related: https://pagure.io/certmonger/issue/88

---

 src/certsave-n.c | 14 ++++++++++++++

 1 file changed, 14 insertions(+)

diff --git a/src/certsave-n.c b/src/certsave-n.c

index a2c97000..8e15a18a 100644

--- a/src/certsave-n.c

+++ b/src/certsave-n.c

@@ -474,6 +474,20 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,

 						 PR_FALSE,

 						 entry->cm_cert_nickname);

 			ec = PORT_GetError();

+			if (error == SECSuccess) {

+				/* If NSS uses SQL DB storage, CERT_ImportCerts creates

+				 * an incomplete internal state (the cert isn't

+				 * associated with the private key, and calling

+				 * PK11_FindKeyByAnyCert returns no result).

+				 * As a workaround, we import the cert again using 

+				 * PK11_ImportCert, which magically fixes the issue.

+				 * See rhbz#1532188 */

+				error = PK11_ImportCert(PK11_GetInternalKeySlot(),

+					returned[0],

+					CK_INVALID_HANDLE,

+					returned[0]->nickname,

+					PR_FALSE);

+			}

 			if (error == SECSuccess) {

 				cm_log(1, "Imported certificate \"%s\", got "

 				       "nickname \"%s\".\n",

-- 

2.15.1