
Bug#1033968: unblock: certmonger/0.79.17-2

Package: release.debian.org
Control: affects -1 + src:certmonger
X-Debbugs-Cc: certmonger@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package certmonger.

[ Reason ]
This reverts a change in -1 that was made to work around the fact that Debian doesn't use a shared /etc/pki/nssdb. That workaround turned out to be unnecessary after upstream fixed the original issue, so certmonger no longer needs an nssdb.

The other changes are minor: they fix a crossbuild issue and disable support for insecure DSA keys.

There is one undocumented change, which came from an MR on salsa:
https://salsa.debian.org/freeipa-team/certmonger/-/merge_requests/3

but it just bumps a build-dep. Running 'gbp dch' was easy to miss, as I usually include the dch entry in my commits.

[ Impact ]
Allows (free)ipa-server-install to succeed without racing to a failure; this can be seen in the CI results using the package from experimental (testing/unstable only has the client):

https://ci.debian.net/packages/f/freeipa/unstable/amd64/

Having a fixed package in bookworm would allow backporting freeipa-server if need be.

[ Risks ]
Minimal: certmonger itself doesn't need the nssdb that was created in -1, so reverting it here shouldn't break any systems that have -1 installed.

[ Checklist ]
    [ ] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing

unblock certmonger/0.79.17-2
diff -Nru certmonger-0.79.17/debian/certmonger.install certmonger-0.79.17/debian/certmonger.install
--- certmonger-0.79.17/debian/certmonger.install	2023-02-25 12:18:09.000000000 +0200
+++ certmonger-0.79.17/debian/certmonger.install	2023-03-18 10:37:33.000000000 +0200
@@ -1,5 +1,4 @@
 etc/certmonger/certmonger.conf
-etc/certmonger/nssdb
 etc/dbus-1/system.d/*
 lib/systemd/system/
 usr/bin/*
diff -Nru certmonger-0.79.17/debian/certmonger.maintscript certmonger-0.79.17/debian/certmonger.maintscript
--- certmonger-0.79.17/debian/certmonger.maintscript	1970-01-01 02:00:00.000000000 +0200
+++ certmonger-0.79.17/debian/certmonger.maintscript	2023-03-18 14:26:01.000000000 +0200
@@ -0,0 +1,5 @@
+rm_conffile /etc/certmonger/nssdb/cert9.db 0.79.17-2~
+rm_conffile /etc/certmonger/nssdb/key4.db 0.79.17-2~
+rm_conffile /etc/certmonger/nssdb/pkcs11.txt 0.79.17-2~
+rm_conffile /etc/certmonger/nssdb/ 0.79.17-2~
+
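Review bot: the last entry, `rm_conffile /etc/certmonger/nssdb/ 0.79.17-2~`, names a directory, and dpkg-maintscript-helper's rm_conffile only acts on paths registered as conffiles, so that line is a no-op and the directory is left behind; either drop it or remove the directory explicitly (e.g. `rmdir --ignore-fail-on-non-empty /etc/certmonger/nssdb` in postinst). Keep in mind that -1 pointed certmonger's default key and cert storage at this database, so on a system where cert9.db or key4.db changed since install, rm_conffile renames them to .dpkg-bak instead of deleting them and the directory will not be empty.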
diff -Nru certmonger-0.79.17/debian/certmonger.postrm certmonger-0.79.17/debian/certmonger.postrm
--- certmonger-0.79.17/debian/certmonger.postrm	2023-02-25 12:18:09.000000000 +0200
+++ certmonger-0.79.17/debian/certmonger.postrm	2023-03-18 10:45:39.000000000 +0200
@@ -7,7 +7,6 @@
         rm -f /var/lib/certmonger/local/*
         rm -f /var/lib/certmonger/lock
         rm -f /var/lib/certmonger/requests/*
-        rm -rf /etc/certmonger/nssdb
     ;;
 esac
 
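Review bot: dropping `rm -rf /etc/certmonger/nssdb` from the purge case means a system upgraded from -1 can keep /etc/certmonger/nssdb, including any .dpkg-bak copies of key4.db that rm_conffile left there, after the package is purged; since that database may hold key material generated under -1, keep a purge-time removal of the directory for the upgrade path rather than removing it outright.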
diff -Nru certmonger-0.79.17/debian/changelog certmonger-0.79.17/debian/changelog
--- certmonger-0.79.17/debian/changelog	2023-02-25 12:25:47.000000000 +0200
+++ certmonger-0.79.17/debian/changelog	2023-03-18 14:33:47.000000000 +0200
@@ -1,3 +1,12 @@
+certmonger (0.79.17-2) unstable; urgency=medium
+
+  * control: Respect nocheck, thanks Chris Lamb! (Closes: #1032058)
+  * rules: Disable DSA.
+  * Revert adding an internal nssdb, instead add an upstream patch
+    that drops the requirement for one.
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Sat, 18 Mar 2023 14:33:47 +0200
+
 certmonger (0.79.17-1) unstable; urgency=medium
 
   * New upstream release.
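Review bot: the libnss3-dev (>= 2:3.69) build-dependency bump from salsa MR 3 is not in this changelog entry (the request itself leaves "all changes are documented" unchecked); add a line such as `* control: Bump libnss3-dev build-dep to >= 2:3.69 (MR !3).` so the debdiff and the changelog agree, ideally with a word on why that version is the minimum.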
diff -Nru certmonger-0.79.17/debian/control certmonger-0.79.17/debian/control
--- certmonger-0.79.17/debian/control	2023-02-25 12:18:09.000000000 +0200
+++ certmonger-0.79.17/debian/control	2023-03-07 10:17:19.000000000 +0200
@@ -16,7 +16,7 @@
  libldap2-dev,
  libnspr4-dev,
  libnss3-tools,
- libnss3-dev,
+ libnss3-dev (>= 2:3.69),
  libpopt-dev,
  libssl-dev,
  systemd [linux-any],
diff -Nru certmonger-0.79.17/debian/patches/dont-require-an-nss-database.diff certmonger-0.79.17/debian/patches/dont-require-an-nss-database.diff
--- certmonger-0.79.17/debian/patches/dont-require-an-nss-database.diff	1970-01-01 02:00:00.000000000 +0200
+++ certmonger-0.79.17/debian/patches/dont-require-an-nss-database.diff	2023-03-18 10:46:18.000000000 +0200
@@ -0,0 +1,147 @@
+From 83cd2e9d63e4851b3ada42aba868ecbb58365831 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mar 17 2023 17:39:41 +0000
+Subject: Don't require an NSS database in cm_certread_n_parse
+
+
+If CM_DEFAULT_CERT_STORAGE_LOCATION points to a non-existant
+NSS database then parsing certificates will fail. This is
+noticable during IPA install when the CA certificates
+are tracked and the database doesn't exist.
+
+If the NSS Init fails then certmonger thinks there is no
+cert at all and tries to obtain a new one, only to fail again
+and again because of the failed parsing.
+
+This function only loads the certificate to parse out
+attributes from the certificate. It already initialized with
+NSS_INIT_NOCERTDB, NSS_INIT_READONLY and NSS_INIT_NOROOTINIT
+which basically says only initialize the volatile certdb,
+read-only and don't load root certificates. So not far from
+NSS_NoDB_Init.
+
+Adding the NSS_INIT_NOMODDB causes it to not open the
+security module database and only initialize its own softoken.
+
+This is sufficient to load a certificate from PEM and parse it.
+
+Fixes: https://pagure.io/certmonger/issue/256
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+
+---
+
+diff --git a/src/certread-n.c b/src/certread-n.c
+index b44420c..47617f3 100644
+--- a/src/certread-n.c
++++ b/src/certread-n.c
+@@ -19,6 +19,7 @@
+ 
+ #include <sys/types.h>
+ #include <sys/wait.h>
++#include <sys/stat.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <stdio.h>
+@@ -161,7 +162,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ 			      (readwrite ? 0 : NSS_INIT_READONLY) |
+ 			      NSS_INIT_NOROOTINIT);
+ 	if (ctx == NULL) {
+-		cm_log(0, "Unable to initialize NSS.\n");
++		cm_log(0, "Unable to initialize NSS db\n");
+ 		_exit(1);
+ 	}
+ 	es = util_n_fips_hook();
+@@ -296,17 +297,23 @@ cm_certread_n_parse(struct cm_store_entry *entry,
+ 	CERTCertificate *cert, **certs;
+ 	NSSInitContext *ctx;
+ 	char *p;
+-	const char *nl, *es;
++	const char *nl, *es = NULL;
+ 	unsigned int i;
+ 
+ 	/* Initialize the library. */
+-	ctx = NSS_InitContext(CM_DEFAULT_CERT_STORAGE_LOCATION,
++	ctx = NSS_InitContext(NULL,
+ 			      NULL, NULL, NULL, NULL,
+ 			      NSS_INIT_NOCERTDB |
++			      NSS_INIT_NOMODDB |
+ 			      NSS_INIT_READONLY |
+ 			      NSS_INIT_NOROOTINIT);
+ 	if (ctx == NULL) {
+-		cm_log(1, "Unable to initialize NSS.\n");
++		PRErrorCode ec = PR_GetError();
++		if (ec) {
++			es = PR_ErrorToName(ec);
++		}
++		cm_log(1, "Unable to initialize NSS %s\n", es ? es: "");
++        
+ 		_exit(1);
+ 	}
+ 	es = util_n_fips_hook();
+diff --git a/src/certsave-n.c b/src/certsave-n.c
+index 5ddf7ad..92d74e3 100644
+--- a/src/certsave-n.c
++++ b/src/certsave-n.c
+@@ -267,7 +267,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ 				      (readwrite ? 0 : NSS_INIT_READONLY) |
+ 				      NSS_INIT_NOROOTINIT);
+ 		if (ctx == NULL) {
+-			cm_log(0, "Unable to initialize NSS.\n");
++			cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_cert_storage_location);
+ 			_exit(1);
+ 		}
+ 
+diff --git a/src/keygen-n.c b/src/keygen-n.c
+index 4701821..27c1efc 100644
+--- a/src/keygen-n.c
++++ b/src/keygen-n.c
+@@ -235,7 +235,7 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ 			      (readwrite ? 0 : NSS_INIT_READONLY) |
+ 			      NSS_INIT_NOROOTINIT);
+ 	if (ctx == NULL) {
+-		cm_log(0, "Unable to initialize NSS.\n");
++		cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_key_storage_location);
+ 		_exit(1);
+ 	}
+ 	reason = util_n_fips_hook();
+diff --git a/src/keyiread-n.c b/src/keyiread-n.c
+index dc6648e..c2f3928 100644
+--- a/src/keyiread-n.c
++++ b/src/keyiread-n.c
+@@ -124,7 +124,7 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
+ 			      (readwrite ? 0 : NSS_INIT_READONLY) |
+ 			      NSS_INIT_NOROOTINIT);
+ 	if (ctx == NULL) {
+-		cm_log(0, "Unable to initialize NSS.\n");
++		cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_key_storage_location);
+ 		_exit(1);
+ 	}
+ 	reason = util_n_fips_hook();
+diff --git a/src/scepgen-n.c b/src/scepgen-n.c
+index 6f3c4b7..e5a0a81 100644
+--- a/src/scepgen-n.c
++++ b/src/scepgen-n.c
+@@ -194,7 +194,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ 			      NSS_INIT_READONLY |
+ 			      NSS_INIT_NOROOTINIT);
+ 	if (ctx == NULL) {
+-		cm_log(0, "Unable to initialize NSS.\n");
++		cm_log(0, "Unable to initialize NSS %s.\n", entry->cm_key_storage_location);
+ 		_exit(1);
+ 	}
+ 	reason = util_n_fips_hook();
+diff --git a/src/submit-n.c b/src/submit-n.c
+index 4f763a1..2b64902 100644
+--- a/src/submit-n.c
++++ b/src/submit-n.c
+@@ -328,7 +328,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
+ 			      NSS_INIT_READONLY |
+ 			      NSS_INIT_NOROOTINIT);
+ 	if (ctx == NULL) {
+-		cm_log(0, "Unable to initialize NSS.\n");
++		cm_log(0, "Unable to initialize NSS %s.\n", args->entry->cm_key_storage_location);
+ 		_exit(1);
+ 	}
+ 	reason = util_n_fips_hook();
+
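Review bot: three points on the added patch. First, `#include <sys/stat.h>` is added to certread-n.c but nothing in the shown hunks uses it, so check whether it is actually needed. Second, the new cm_log calls in certsave-n.c, keygen-n.c, keyiread-n.c, scepgen-n.c and submit-n.c pass `entry->cm_cert_storage_location` / `cm_key_storage_location` straight to `%s`, while only the certread-n.c hunk guards its argument with `es ? es : ""`; if those fields can be NULL, passing them to `%s` is undefined behaviour, so apply the same guard there. Third, the line after the new cm_log in cm_certread_n_parse is whitespace-only (`++        `), which quilt will carry into the source; drop it. A DEP-3 `Origin: upstream, <commit URL>` header naming upstream commit 83cd2e9d63e4851b3ada42aba868ecbb58365831 would also make the patch's provenance explicit alongside the `Fixes:` line.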
diff -Nru certmonger-0.79.17/debian/patches/fix-nssdb-path.diff certmonger-0.79.17/debian/patches/fix-nssdb-path.diff
--- certmonger-0.79.17/debian/patches/fix-nssdb-path.diff	2023-02-25 12:18:09.000000000 +0200
+++ certmonger-0.79.17/debian/patches/fix-nssdb-path.diff	1970-01-01 02:00:00.000000000 +0200
@@ -1,16 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -705,11 +705,11 @@ if ! ${configure_dist_target_only:-false
- 	AC_SUBST(NO_MAN_EC)
- 
- 	AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_STORAGE_TYPE,cm_key_storage_nssdb,[Define to the default type of storage used for keys.])
--	AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_STORAGE_LOCATION,"/etc/pki/nssdb",[Define to the default location of storage used for keys.])
-+	AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_STORAGE_LOCATION,"/etc/certmonger/nssdb",[Define to the default location of storage used for keys.])
- 	AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_TOKEN,NULL,[Define to the default token used for holding keys.])
- 	AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_NICKNAME,"Server-Cert",[Define to the default nickname given to keys.])
- 	AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_STORAGE_TYPE,cm_cert_storage_nssdb,[Define to the default type of storage used for certificates.])
--	AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_STORAGE_LOCATION,"/etc/pki/nssdb",[Define to the default location of storage used for certificates.])
-+	AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_STORAGE_LOCATION,"/etc/certmonger/nssdb",[Define to the default location of storage used for certificates.])
- 	AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_TOKEN,NULL,[Define to the default token used to store certificates.])
- 	AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_NICKNAME,"Server-Cert",[Define to the default nickname given to certificates.])
- 	AC_DEFINE_UNQUOTED(CM_DEFAULT_PUBKEY_TYPE,cm_key_rsa,[Define to the default public key type.])
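Review bot: removing this patch puts the compiled-in CM_DEFAULT_KEY_STORAGE_LOCATION and CM_DEFAULT_CERT_STORAGE_LOCATION back to /etc/pki/nssdb, which the [Reason] section says Debian does not use; the upstream patch only stops cm_certread_n_parse from opening that database, so any code path that still falls back on the default location instead of an explicit one would hit a missing database (at least the new log messages now report which path). Worth confirming that no such default-location path remains reachable and saying so in the changelog entry.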
diff -Nru certmonger-0.79.17/debian/patches/series certmonger-0.79.17/debian/patches/series
--- certmonger-0.79.17/debian/patches/series	2023-02-25 12:18:09.000000000 +0200
+++ certmonger-0.79.17/debian/patches/series	2023-03-18 10:46:18.000000000 +0200
@@ -2,4 +2,4 @@
 fix-keythi-h-path.diff
 fix-service-environment.diff
 use-dbus-run-session.diff
-fix-nssdb-path.diff
+dont-require-an-nss-database.diff
diff -Nru certmonger-0.79.17/debian/rules certmonger-0.79.17/debian/rules
--- certmonger-0.79.17/debian/rules	2023-02-25 12:18:09.000000000 +0200
+++ certmonger-0.79.17/debian/rules	2023-03-18 10:37:14.000000000 +0200
@@ -14,6 +14,7 @@
 		--libexecdir=/usr/lib \
 		--with-homedir=/run/certmonger \
 		--with-tmpdir=/run/certmonger \
+		--disable-dsa \
 		--enable-systemd \
 		--enable-pie \
 		--enable-now \
@@ -24,11 +25,10 @@
 override_dh_auto_install:
 	dh_auto_install --destdir=debian/tmp
 
-	mkdir -p debian/tmp/etc/certmonger/nssdb
-	certutil -N -d debian/tmp/etc/certmonger/nssdb --empty-password
-
 override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
 	dh_auto_test || true
+endif
 
 override_dh_clean:
 	dh_clean
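Review bot: with `dh_auto_test || true` left in place a failing test suite never fails the build, so the new nocheck guard only decides whether the tests run at all; if the `|| true` is there because of a known-flaky test, a comment saying so would help, otherwise drop it so test regressions are visible again.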
