Bug 636859

Summary: nss: certutil not properly listing system nssdb when sysinit is enabled
Product: [Fedora] Fedora Reporter: Tomas Hoger <thoger>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: emaldona, kdudka, kengert
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-03 18:13:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2010-09-23 13:57:09 UTC 
Description of problem:
When nss-sysinit is enabled, certutil -L show incorrect / incomplete info when trying to list contents of sql:/etc/pki/nssdb/ database.


I created system nssdb with the following content:
- added and later removed trusted certificate named cacert.org
- added trusted certificate named test-ca

Listing the content of it with sysinit disabled returns:

$ certutil -L -d sql:/etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

test-ca                                                      CT,C,C


I created user nssdb with the following content:
- added untrusted certificate named cacert.org (the same one that was added to and later removed from system nssdb)

Listing of the db is:

$ certutil -L -d sql:$HOME/.pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert.org                                                   ,,  


After enabling nss-sysinit, output for system nssdb changes to:

$ certutil -L -d sql:/etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert.org                                                   CT,C,C


test-ca is not listed.  cacert.org is listed as trusted, even though it has been deleted already (this problem is already covered by bug #633043).


Version-Release number of selected component (if applicable):
nss-3.12.7-6.fc13
Comment 1 Elio Maldonado Batiz 2011-01-23 22:57:02 UTC 
I believe this is the same as Bug 633403. The reproduction/verification steps for than one are essentially the same as what's described here. See https://admin.fedoraproject.org/updates/nss-3.12.9-2.fc14
Comment 2 Elio Maldonado Batiz 2011-01-23 22:58:15 UTC 

*** This bug has been marked as a duplicate of bug 633403 ***
Comment 3 Tomas Hoger 2011-01-24 07:59:05 UTC 
(In reply to comment #2)
> *** This bug has been marked as a duplicate of bug 633403 ***

Bug #633403 seems unrelated, I suspect you wanted to dupe against bug #633043.
Comment 4 Kai Engert (:kaie) (inactive account) 2011-03-03 18:13:26 UTC 
(In reply to comment #3)
> (In reply to comment #2)
> > *** This bug has been marked as a duplicate of bug 633403 ***
> 
> Bug #633403 seems unrelated, I suspect you wanted to dupe against bug #633043.

Reopening to fix this...
Comment 5 Kai Engert (:kaie) (inactive account) 2011-03-03 18:13:49 UTC 

*** This bug has been marked as a duplicate of bug 633043 ***