certmonger

#257 Don't require an NSS database in cm_certread_n_parse
Merged by rcritten. Opened by rcritten.
rcritten/certmonger nssdb  into  master

Don't require an NSS database in cm_certread_n_parse

If CM_DEFAULT_CERT_STORAGE_LOCATION points to a non-existant
NSS database then parsing certificates will fail. This is
noticable during IPA install when the CA certificates
are tracked and the database doesn't exist.

If the NSS Init fails then certmonger thinks there is no
cert at all and tries to obtain a new one, only to fail again
and again because of the failed parsing.

This function only loads the certificate to parse out
attributes from the certificate. It already initialized with
NSS_INIT_NOCERTDB, NSS_INIT_READONLY and NSS_INIT_NOROOTINIT
which basically says only initialize the volatile certdb,
read-only and don't load root certificates. So not far from
NSS_NoDB_Init.

Adding the NSS_INIT_NOMODDB causes it to not open the
security module database and only initialize its own softoken.

This is sufficient to load a certificate from PEM and parse it.

Fixes: https://pagure.io/certmonger/issue/256

Signed-off-by: Rob Crittenden rcritten@redhat.com

rebased onto cc2aef40b3369be115b3452ce1ec82e4d42163d0

So with this Debian doesn't need a shared nssdb for certmonger to work properly? If so, I'm willing to test it on our side if you need that before landing it.

Yes, it should work.

I haven't merged this yet because I wonder if this is necessary at all. NSS is fine initializing with no database and since this is just parsing it could work fine. I'm just reluctant to strip out code from 2011 that has otherwise worked fine (assuming /etc/pki/nssdb exists).

If you could test it with certmonger configured with -d3 and look at the journal once the IPA install is done we should see a bunch of:

cm_certread_n_parse: Using NSS database

where foo is either /etc/pki/nssdb, the CA db, the 389-ds db or NoDB_Init.

I think the proposed solution looks fine - using the default database if it exists or initializing with no DB solves pretty much all issues and maintains backwards compatibility on the off chance the default DB has some contents or settings that affect certmonger's operation.

rebased onto 83cd2e9d63e4851b3ada42aba868ecbb58365831

I switched to a much simpler implementation where no DB is required at all. i think this will be far more robust than poking around the FS looking for files. The NSS initialization flags were mostly doing this already, it was just missing the flag to not initialize the PKCS#11 devices (pkcs11.txt/secmod.db). With that no physical database is required at all.

I re-read the parsing code and it already opens the database in a way it doesn't consider any existing content so there is no reason to rely on an existing database at all. Doing so also significantly simplifies the code.

Excellent :)

rebased onto e326d7054fbe5f62a3cc549a1a75ed0c67b5897c

Pull-Request has been merged by rcritten
Metadata
None
No Tags
Changes Summary 6
+11 -4
file changed
src/certread-n.c
+1 -1
file changed
src/certsave-n.c
+1 -1
file changed
src/keygen-n.c
+1 -1
file changed
src/keyiread-n.c
+1 -1
file changed
src/scepgen-n.c
+1 -1
file changed
src/submit-n.c
Static archive. pagure.io was sunset in 2026; this is a read-only snapshot.
Red Hat Logo

Fedora is sponsored by Red Hat. Learn more about the relationship between Red Hat and Fedora »

© Red Hat, Inc. and others.