From 19d70d9817a5d22d05ff990f354ddadb77cc05a6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 9 Jan 2018 22:18:58 -0500
Subject: [PATCH 4/6] Workaround NSS bug in associating private key to
 certificate

If NSS uses SQL DB storage, CERT_ImportCerts creates incomplete
internal state (the cert isn't associated with the private key,
and calling PK11_FindKeyByAnyCert returns no result).

As a workaround, we import the cert again using PK11_ImportCert
which magically fixes the issue.

See rhbz#1532188

Related: https://pagure.io/certmonger/issue/88
---
 src/certsave-n.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/certsave-n.c b/src/certsave-n.c
index a2c97000..8e15a18a 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -474,6 +474,20 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 						 PR_FALSE,
 						 entry->cm_cert_nickname);
 			ec = PORT_GetError();
+			if (error == SECSuccess) {
+				/* If NSS uses SQL DB storage, CERT_ImportCerts creates
+				 * an incomplete internal state (the cert isn't
+				 * associated with the private key, and calling
+				 * PK11_FindKeyByAnyCert returns no result).
+				 * As a workaround, we import the cert again using 
+				 * PK11_ImportCert, which magically fixes the issue.
+				 * See rhbz#1532188 */
+				error = PK11_ImportCert(PK11_GetInternalKeySlot(),
+					returned[0],
+					CK_INVALID_HANDLE,
+					returned[0]->nickname,
+					PR_FALSE);
+			}
 			if (error == SECSuccess) {
 				cm_log(1, "Imported certificate \"%s\", got "
 				       "nickname \"%s\".\n",
-- 
2.15.1