From e326d7054fbe5f62a3cc549a1a75ed0c67b5897c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mar 23 2023 21:10:29 +0000
Subject: Don't require an NSS database in cm_certread_n_parse


If CM_DEFAULT_CERT_STORAGE_LOCATION points to a non-existant
NSS database then parsing certificates will fail. This is
noticable during IPA install when the CA certificates
are tracked and the database doesn't exist.

If the NSS Init fails then certmonger thinks there is no
cert at all and tries to obtain a new one, only to fail again
and again because of the failed parsing.

This function only loads the certificate to parse out
attributes from the certificate. It already initialized with
NSS_INIT_NOCERTDB, NSS_INIT_READONLY and NSS_INIT_NOROOTINIT
which basically says only initialize the volatile certdb,
read-only and don't load root certificates. So not far from
NSS_NoDB_Init.

Adding the NSS_INIT_NOMODDB causes it to not open the
security module database and only initialize its own softoken.

This is sufficient to load a certificate from PEM and parse it.

Fixes: https://pagure.io/certmonger/issue/256

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

---

diff --git a/src/certread-n.c b/src/certread-n.c
index b44420c..47617f3 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -19,6 +19,7 @@
 
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <sys/stat.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
@@ -161,7 +162,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 			      (readwrite ? 0 : NSS_INIT_READONLY) |
 			      NSS_INIT_NOROOTINIT);
 	if (ctx == NULL) {
-		cm_log(0, "Unable to initialize NSS.\n");
+		cm_log(0, "Unable to initialize NSS db\n");
 		_exit(1);
 	}
 	es = util_n_fips_hook();
@@ -296,17 +297,23 @@ cm_certread_n_parse(struct cm_store_entry *entry,
 	CERTCertificate *cert, **certs;
 	NSSInitContext *ctx;
 	char *p;
-	const char *nl, *es;
+	const char *nl, *es = NULL;
 	unsigned int i;
 
 	/* Initialize the library. */
-	ctx = NSS_InitContext(CM_DEFAULT_CERT_STORAGE_LOCATION,
+	ctx = NSS_InitContext(NULL,
 			      NULL, NULL, NULL, NULL,
 			      NSS_INIT_NOCERTDB |
+			      NSS_INIT_NOMODDB |
 			      NSS_INIT_READONLY |
 			      NSS_INIT_NOROOTINIT);
 	if (ctx == NULL) {
-		cm_log(1, "Unable to initialize NSS.\n");
+		PRErrorCode ec = PR_GetError();
+		if (ec) {
+			es = PR_ErrorToName(ec);
+		}
+		cm_log(1, "Unable to initialize NSS %s\n", es ? es: "");
+        
 		_exit(1);
 	}
 	es = util_n_fips_hook();
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 5ddf7ad..92d74e3 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -267,7 +267,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 				      (readwrite ? 0 : NSS_INIT_READONLY) |
 				      NSS_INIT_NOROOTINIT);
 		if (ctx == NULL) {
-			cm_log(0, "Unable to initialize NSS.\n");
+			cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_cert_storage_location);
 			_exit(1);
 		}
 
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 4701821..27c1efc 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -235,7 +235,7 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 			      (readwrite ? 0 : NSS_INIT_READONLY) |
 			      NSS_INIT_NOROOTINIT);
 	if (ctx == NULL) {
-		cm_log(0, "Unable to initialize NSS.\n");
+		cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_key_storage_location);
 		_exit(1);
 	}
 	reason = util_n_fips_hook();
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index dc6648e..c2f3928 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -124,7 +124,7 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
 			      (readwrite ? 0 : NSS_INIT_READONLY) |
 			      NSS_INIT_NOROOTINIT);
 	if (ctx == NULL) {
-		cm_log(0, "Unable to initialize NSS.\n");
+		cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_key_storage_location);
 		_exit(1);
 	}
 	reason = util_n_fips_hook();
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
index 6f3c4b7..e5a0a81 100644
--- a/src/scepgen-n.c
+++ b/src/scepgen-n.c
@@ -194,7 +194,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 			      NSS_INIT_READONLY |
 			      NSS_INIT_NOROOTINIT);
 	if (ctx == NULL) {
-		cm_log(0, "Unable to initialize NSS.\n");
+		cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_key_storage_location);
 		_exit(1);
 	}
 	reason = util_n_fips_hook();
diff --git a/src/submit-n.c b/src/submit-n.c
index 4f763a1..2b64902 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -328,7 +328,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
 			      NSS_INIT_READONLY |
 			      NSS_INIT_NOROOTINIT);
 	if (ctx == NULL) {
-		cm_log(0, "Unable to initialize NSS.\n");
+		cm_log(0, "Unable to initialize NSS %s.\n", args->entry->cm_key_storage_location);
 		_exit(1);
 	}
 	reason = util_n_fips_hook();