[Pkg-freeipa-devel] [Git][freeipa-team/certmonger][master] 2 commits: Revert adding an internal nssdb, instead add an upstream patch that drops the requirement for one.
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Sat Mar 18 12:34:36 GMT 2023
Timo Aaltonen pushed to branch master at FreeIPA packaging / certmonger
Commits:
2222ea23 by Timo Aaltonen at 2023-03-18T14:26:18+02:00
Revert adding an internal nssdb, instead add an upstream patch that drops the requirement for one.
- - - - -
f7b29c14 by Timo Aaltonen at 2023-03-18T14:33:55+02:00
releasing package certmonger version 0.79.17-2
- - - - -
8 changed files:
- debian/certmonger.install
- + debian/certmonger.maintscript
- debian/certmonger.postrm
- debian/changelog
- + debian/patches/dont-require-an-nss-database.diff
- − debian/patches/fix-nssdb-path.diff
- debian/patches/series
- debian/rules
Changes:
=====================================
debian/certmonger.install
=====================================
@@ -1,5 +1,4 @@
etc/certmonger/certmonger.conf
-etc/certmonger/nssdb
etc/dbus-1/system.d/*
lib/systemd/system/
usr/bin/*
=====================================
debian/certmonger.maintscript
=====================================
@@ -0,0 +1,5 @@
+rm_conffile /etc/certmonger/nssdb/cert9.db 0.79.17-2~
+rm_conffile /etc/certmonger/nssdb/key4.db 0.79.17-2~
+rm_conffile /etc/certmonger/nssdb/pkcs11.txt 0.79.17-2~
+rm_conffile /etc/certmonger/nssdb/ 0.79.17-2~
+
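Review bot: `rm_conffile /etc/certmonger/nssdb/` on the last line names a directory, and dpkg-maintscript-helper's rm_conffile is defined for conffiles (regular files it can md5sum, move aside and unlink), so I'd expect that line to be a no-op at best and to abort the preinst at worst; drop it and remove the now-empty directory from the postinst instead, e.g. `rmdir --ignore-fail-on-non-empty /etc/certmonger/nssdb 2>/dev/null || true`. Also worth noting: if certmonger ever wrote into the DB the reverted build step created, key4.db differs from the packaged copy and rm_conffile keeps it as `key4.db.dpkg-bak`, leaving private-key material under /etc that no tracking request references and that the postrm no longer purges now that its `rm -rf /etc/certmonger/nssdb` is gone. Since the nssdb only ever shipped in an UNRELEASED revision this is presumably limited to people who installed from git, but it deserves either a changelog line or a one-off cleanup of the `.dpkg-bak` files.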
=====================================
debian/certmonger.postrm
=====================================
@@ -7,7 +7,6 @@ case "$1" in
rm -f /var/lib/certmonger/local/*
rm -f /var/lib/certmonger/lock
rm -f /var/lib/certmonger/requests/*
- rm -rf /etc/certmonger/nssdb
;;
esac
=====================================
debian/changelog
=====================================
@@ -1,9 +1,11 @@
-certmonger (0.79.17-2) UNRELEASED; urgency=medium
+certmonger (0.79.17-2) unstable; urgency=medium
* control: Respect nocheck, thanks Chris Lamb! (Closes: #1032058)
* rules: Disable DSA.
+ * Revert adding an internal nssdb, instead add an upstream patch
+ that drops the requirement for one.
- -- Timo Aaltonen <tjaalton at debian.org> Mon, 27 Feb 2023 14:38:18 +0200
+ -- Timo Aaltonen <tjaalton at debian.org> Sat, 18 Mar 2023 14:33:47 +0200
certmonger (0.79.17-1) unstable; urgency=medium
=====================================
debian/patches/dont-require-an-nss-database.diff
=====================================
@@ -0,0 +1,147 @@
+From 83cd2e9d63e4851b3ada42aba868ecbb58365831 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten at redhat.com>
+Date: Mar 17 2023 17:39:41 +0000
+Subject: Don't require an NSS database in cm_certread_n_parse
+
+
+If CM_DEFAULT_CERT_STORAGE_LOCATION points to a non-existant
+NSS database then parsing certificates will fail. This is
+noticable during IPA install when the CA certificates
+are tracked and the database doesn't exist.
+
+If the NSS Init fails then certmonger thinks there is no
+cert at all and tries to obtain a new one, only to fail again
+and again because of the failed parsing.
+
+This function only loads the certificate to parse out
+attributes from the certificate. It already initialized with
+NSS_INIT_NOCERTDB, NSS_INIT_READONLY and NSS_INIT_NOROOTINIT
+which basically says only initialize the volatile certdb,
+read-only and don't load root certificates. So not far from
+NSS_NoDB_Init.
+
+Adding the NSS_INIT_NOMODDB causes it to not open the
+security module database and only initialize its own softoken.
+
+This is sufficient to load a certificate from PEM and parse it.
+
+Fixes: https://pagure.io/certmonger/issue/256
+
+Signed-off-by: Rob Crittenden <rcritten at redhat.com>
+
+---
+
+diff --git a/src/certread-n.c b/src/certread-n.c
+index b44420c..47617f3 100644
+--- a/src/certread-n.c
++++ b/src/certread-n.c
+@@ -19,6 +19,7 @@
+
+ #include <sys/types.h>
+ #include <sys/wait.h>
++#include <sys/stat.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <stdio.h>
+@@ -161,7 +162,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
+ if (ctx == NULL) {
+- cm_log(0, "Unable to initialize NSS.\n");
++ cm_log(0, "Unable to initialize NSS db\n");
+ _exit(1);
+ }
+ es = util_n_fips_hook();
+@@ -296,17 +297,23 @@ cm_certread_n_parse(struct cm_store_entry *entry,
+ CERTCertificate *cert, **certs;
+ NSSInitContext *ctx;
+ char *p;
+- const char *nl, *es;
++ const char *nl, *es = NULL;
+ unsigned int i;
+
+ /* Initialize the library. */
+- ctx = NSS_InitContext(CM_DEFAULT_CERT_STORAGE_LOCATION,
++ ctx = NSS_InitContext(NULL,
+ NULL, NULL, NULL, NULL,
+ NSS_INIT_NOCERTDB |
++ NSS_INIT_NOMODDB |
+ NSS_INIT_READONLY |
+ NSS_INIT_NOROOTINIT);
+ if (ctx == NULL) {
+- cm_log(1, "Unable to initialize NSS.\n");
++ PRErrorCode ec = PR_GetError();
++ if (ec) {
++ es = PR_ErrorToName(ec);
++ }
++ cm_log(1, "Unable to initialize NSS %s\n", es ? es: "");
++
+ _exit(1);
+ }
+ es = util_n_fips_hook();
+diff --git a/src/certsave-n.c b/src/certsave-n.c
+index 5ddf7ad..92d74e3 100644
+--- a/src/certsave-n.c
++++ b/src/certsave-n.c
+@@ -267,7 +267,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
+ if (ctx == NULL) {
+- cm_log(0, "Unable to initialize NSS.\n");
++ cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_cert_storage_location);
+ _exit(1);
+ }
+
+diff --git a/src/keygen-n.c b/src/keygen-n.c
+index 4701821..27c1efc 100644
+--- a/src/keygen-n.c
++++ b/src/keygen-n.c
+@@ -235,7 +235,7 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
+ if (ctx == NULL) {
+- cm_log(0, "Unable to initialize NSS.\n");
++ cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_key_storage_location);
+ _exit(1);
+ }
+ reason = util_n_fips_hook();
+diff --git a/src/keyiread-n.c b/src/keyiread-n.c
+index dc6648e..c2f3928 100644
+--- a/src/keyiread-n.c
++++ b/src/keyiread-n.c
+@@ -124,7 +124,7 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
+ if (ctx == NULL) {
+- cm_log(0, "Unable to initialize NSS.\n");
++ cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_key_storage_location);
+ _exit(1);
+ }
+ reason = util_n_fips_hook();
+diff --git a/src/scepgen-n.c b/src/scepgen-n.c
+index 6f3c4b7..e5a0a81 100644
+--- a/src/scepgen-n.c
++++ b/src/scepgen-n.c
+@@ -194,7 +194,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ NSS_INIT_READONLY |
+ NSS_INIT_NOROOTINIT);
+ if (ctx == NULL) {
+- cm_log(0, "Unable to initialize NSS.\n");
++ cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_key_storage_location);
+ _exit(1);
+ }
+ reason = util_n_fips_hook();
+diff --git a/src/submit-n.c b/src/submit-n.c
+index 4f763a1..2b64902 100644
+--- a/src/submit-n.c
++++ b/src/submit-n.c
+@@ -328,7 +328,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
+ NSS_INIT_READONLY |
+ NSS_INIT_NOROOTINIT);
+ if (ctx == NULL) {
+- cm_log(0, "Unable to initialize NSS.\n");
++ cm_log(0, "Unable to initialize NSS %s.\n", args->entry->cm_key_storage_location);
+ _exit(1);
+ }
+ reason = util_n_fips_hook();
+
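Review bot: The new log lines in certsave-n.c, keygen-n.c, keyiread-n.c, scepgen-n.c and submit-n.c pass `entry->cm_cert_storage_location` / `cm_key_storage_location` straight to `%s`, which is undefined behaviour if the pointer is ever NULL (glibc prints "(null)", other libcs can crash); I can't confirm from this hunk whether an entry can reach these paths without a storage location, but the certread-n.c change in the same patch already guards its `%s` with `es ? es : ""`, so the other five should do the same, e.g. `cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_key_storage_location ? entry->cm_key_storage_location : "(none)");`. The `#include <sys/stat.h>` added to certread-n.c is not used by anything else in the patch and looks like a leftover from an earlier revision; drop it or say why it is needed. Separately, NSS_INIT_NOMODDB means cm_certread_n_parse now initializes only the built-in softoken and ignores any PKCS#11 modules configured in the module DB, which is fine for parsing a PEM certificate as the description says but worth a one-line comment above the NSS_InitContext call, e.g. `/* No cert/module DB: this context only parses a PEM cert, never looks up keys or trust. */`, so nobody later extends this path to do key or trust lookups through it.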
=====================================
debian/patches/fix-nssdb-path.diff deleted
=====================================
@@ -1,16 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -705,11 +705,11 @@ if ! ${configure_dist_target_only:-false
- AC_SUBST(NO_MAN_EC)
-
- AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_STORAGE_TYPE,cm_key_storage_nssdb,[Define to the default type of storage used for keys.])
-- AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_STORAGE_LOCATION,"/etc/pki/nssdb",[Define to the default location of storage used for keys.])
-+ AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_STORAGE_LOCATION,"/etc/certmonger/nssdb",[Define to the default location of storage used for keys.])
- AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_TOKEN,NULL,[Define to the default token used for holding keys.])
- AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_NICKNAME,"Server-Cert",[Define to the default nickname given to keys.])
- AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_STORAGE_TYPE,cm_cert_storage_nssdb,[Define to the default type of storage used for certificates.])
-- AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_STORAGE_LOCATION,"/etc/pki/nssdb",[Define to the default location of storage used for certificates.])
-+ AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_STORAGE_LOCATION,"/etc/certmonger/nssdb",[Define to the default location of storage used for certificates.])
- AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_TOKEN,NULL,[Define to the default token used to store certificates.])
- AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_NICKNAME,"Server-Cert",[Define to the default nickname given to certificates.])
- AC_DEFINE_UNQUOTED(CM_DEFAULT_PUBKEY_TYPE,cm_key_rsa,[Define to the default public key type.])
=====================================
debian/patches/series
=====================================
@@ -2,4 +2,4 @@ cross.patch
fix-keythi-h-path.diff
fix-service-environment.diff
use-dbus-run-session.diff
-fix-nssdb-path.diff
+dont-require-an-nss-database.diff
=====================================
debian/rules
=====================================
@@ -25,9 +25,6 @@ override_dh_auto_configure:
override_dh_auto_install:
dh_auto_install --destdir=debian/tmp
- mkdir -p debian/tmp/etc/certmonger/nssdb
- certutil -N -d debian/tmp/etc/certmonger/nssdb --empty-password
-
override_dh_auto_test:
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
dh_auto_test || true