[PATCH 1 of 6] (issue86) Initialize NSS db with empty pin in case it needs it

Wald Commits scm-commit at wald.intevation.org
Tue Sep 2 15:30:53 CEST 2014


# HG changeset patch
# User Andre Heinecke <andre.heinecke at intevation.de>
# Date 1409664024 -7200
# Node ID a80abef948fa2c6136c639c39d895a0ec8f9a525
# Parent  9c4543128666cef120152003792fe06026a09692
(issue86) Initialize NSS db with empty pin in case it needs it.

diff -r 9c4543128666 -r a80abef948fa cinst/mozilla.c
--- a/cinst/mozilla.c	Tue Sep 02 14:43:48 2014 +0200
+++ b/cinst/mozilla.c	Tue Sep 02 15:20:24 2014 +0200
@@ -61,6 +61,7 @@
 #include <dirent.h>
 #include <nss.h>
 #include <pk11pub.h>
+#include <secerr.h>
 #include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -622,16 +623,39 @@
                                     (int)dercert->len);
   trust = (CERTCertTrust *)xmalloc(sizeof(CERTCertTrust));
   CERT_DecodeTrustString(trust, "C,C,C");
-  if ((PK11_ImportCert(pk11slot, cert, CK_INVALID_HANDLE,
-                       cert_name, PR_FALSE)
-       == SECSuccess) &&
-      (CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert, trust)
-       == SECSuccess))
+  if (PK11_ImportCert(pk11slot, cert, CK_INVALID_HANDLE,
+                       cert_name, PR_FALSE) == SECSuccess)
     {
-      log_certificate_der (pdir, dercert->data, dercert->len, true);
-      success = true;
+      if(CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert, trust) == SECSuccess)
+        {
+          log_certificate_der (pdir, dercert->data, dercert->len, true);
+          success = true;
+        }
     }
-  else
+  /* This could have happened on either the import cert or
+     the cert change trust. If Import Cert fails with that
+     error the certificate has in fact been added but with
+     random trist bits. See NSS Bug 595861.
+     Reference code can be found in gnome evolution under
+     smime/lib/e-cert-db.c */
+  if(PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN)
+    {
+      if (PK11_NeedUserInit (pk11slot))
+        {
+          PK11_InitPin (pk11slot, "", "");
+        }
+      if (PK11_Authenticate (pk11slot, PR_TRUE, NULL) != SECSuccess)
+        {
+          DEBUGPRINTF("Failed to authenticate.\n");
+        }
+      else if(CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert, trust) == SECSuccess)
+        {
+          log_certificate_der (pdir, dercert->data, dercert->len, true);
+          success = true;
+        }
+    }
+
+  if (!success)
     {
       DEBUGPRINTF("Failed to install certificate '%s' to '%s'!\n", cert_name, pdir);
       ERRORPRINTF("Error installing certificate err: %i\n", PORT_GetError());
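Review bot: The `PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN` check runs even when the import and trust change above both succeeded, so an error code left over from an earlier NSS call on this thread could send a successful install through the authenticate path and log the certificate a second time; guarding it as `if (!success && PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN)` avoids that. The result of `PK11_InitPin (pk11slot, "", "")` is also ignored, so a failed initialisation only surfaces as the generic "Failed to authenticate." message; comparing it with `SECSuccess` and logging it separately would make the two cases distinguishable. Per the comment in this hunk, a failed `PK11_ImportCert` can leave the certificate in the database with random trust bits, and the failed-authentication branch neither removes it nor resets its trust, which should be handled or at least documented unless code after the hunk already does so. The enclosing function starts and ends outside the hunk.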

