From 89048ff10087701d39b0357ce83d2caada76dc6222f92e6c46c1d5814d542892 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Tue, 3 Dec 2013 02:58:26 +0000
Subject: [PATCH] Accepting request 209210 from home:gary_lin:branches:Base:System
Add pesign-no-db.patch to allow some commands to proceed without a NSS database.
OBS-URL: https://build.opensuse.org/request/show/209210
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=24
---
pesign-no-db.patch | 142 +++++++++++++++++++++++++++++++++++++++++++++
pesign.changes | 6 ++
pesign.spec | 3 +
3 files changed, 151 insertions(+)
create mode 100644 pesign-no-db.patch
diff --git a/pesign-no-db.patch b/pesign-no-db.patch
new file mode 100644
index 0000000..5fc52dd
--- /dev/null
+++ b/pesign-no-db.patch
@@ -0,0 +1,142 @@
+From b55ecad4b6ec280d7d17caa5e02c20a7391b8a05 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Thu, 7 Nov 2013 16:58:04 +0800
+Subject: [PATCH] Allow some commands to proceed without a NSS db
+
+The NSS db is not necessary to calculate the hash, to show the
+signature or to export the signed attributes.
+
+Signed-off-by: Gary Ching-Pang Lin
+---
+ src/pesign.c | 91 +++++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 53 insertions(+), 38 deletions(-)
+
+diff --git a/src/pesign.c b/src/pesign.c
+index c7313a6..0cd47a8 100644
+--- a/src/pesign.c
++++ b/src/pesign.c
+@@ -405,6 +405,7 @@ main(int argc, char *argv[])
+ int daemon = 0;
+ int fork = 1;
+ int padding = 0;
++ int need_db = 0;
+
+ char *digest_name = "sha256";
+ char *tokenname = "NSS Certificate DB";
+@@ -526,8 +527,59 @@ main(int argc, char *argv[])
+ }
+ }
+
++ int action = 0;
++ if (daemon)
++ action |= DAEMONIZE;
++
++ if (ctxp->rawsig) {
++ action |= IMPORT_RAW_SIGNATURE;
++ need_db = 1;
++ }
++
++ if (ctxp->insattrs)
++ action |= IMPORT_SATTRS;
++
++ if (ctxp->outsattrs)
++ action |= EXPORT_SATTRS;
++
++ if (ctxp->insig)
++ action |= IMPORT_SIGNATURE;
++
++ if (ctxp->outkey) {
++ action |= EXPORT_PUBKEY;
++ need_db = 1;
++ }
++
++ if (ctxp->outcert) {
++ action |= EXPORT_CERT;
++ need_db = 1;
++ }
++
++ if (ctxp->outsig)
++ action |= EXPORT_SIGNATURE;
++
++ if (remove != 0)
++ action |= REMOVE_SIGNATURE;
++
++ if (list != 0)
++ action |= LIST_SIGNATURES;
++
++ if (ctxp->sign) {
++ action |= GENERATE_SIGNATURE;
++ if (!(action & EXPORT_SIGNATURE))
++ action |= IMPORT_SIGNATURE;
++ need_db = 1;
++ }
++
++ if (ctxp->hash)
++ action |= GENERATE_DIGEST|PRINT_DIGEST;
++
+ if (!daemon) {
+- SECStatus status = NSS_Init(certdir);
++ SECStatus status;
++ if (need_db)
++ status = NSS_Init(certdir);
++ else
++ status = NSS_NoDB_Init(NULL);
+ if (status != SECSuccess) {
+ fprintf(stderr, "Could not initialize nss: %s\n",
+ PORT_ErrorToString(PORT_GetError()));
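Review bot: `need_db` is opt-in, so every action that does not set it (`insig`, `insattrs`, `outsig`, `remove` and `list`, as well as `hash` and `outsattrs`) now runs under `NSS_NoDB_Init(NULL)`, which is more than the three cases the commit message names (hash, show signature, export signed attributes). Whether the import and remove paths ever look up a certificate or key is not visible in this hunk; if one does, it will fail later in the run instead of at initialisation. I would invert the default so that only the actions known to be database-free skip the database, for example `need_db = (action & ~(GENERATE_DIGEST|PRINT_DIGEST|LIST_SIGNATURES|EXPORT_SATTRS)) != 0;` placed after the action flags are computed, with a comment above it saying why each listed action is safe without a certificate database. `main` starts and ends outside the hunk.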
+@@ -571,42 +623,8 @@ main(int argc, char *argv[])
+ if (certname)
+ free(certname);
+
+- int action = 0;
+- if (daemon)
+- action |= DAEMONIZE;
+-
+- if (ctxp->rawsig)
+- action |= IMPORT_RAW_SIGNATURE;
+-
+- if (ctxp->insattrs)
+- action |= IMPORT_SATTRS;
+-
+- if (ctxp->outsattrs)
+- action |= EXPORT_SATTRS;
+-
+- if (ctxp->insig)
+- action |= IMPORT_SIGNATURE;
+-
+- if (ctxp->outkey)
+- action |= EXPORT_PUBKEY;
+-
+- if (ctxp->outcert)
+- action |= EXPORT_CERT;
+-
+- if (ctxp->outsig)
+- action |= EXPORT_SIGNATURE;
+-
+- if (remove != 0)
+- action |= REMOVE_SIGNATURE;
+-
+- if (list != 0)
+- action |= LIST_SIGNATURES;
+
+ if (ctxp->sign) {
+- action |= GENERATE_SIGNATURE;
+- if (!(action & EXPORT_SIGNATURE))
+- action |= IMPORT_SIGNATURE;
+-
+ if (!ctxp->cms_ctx->certname) {
+ fprintf(stderr, "pesign: signing requested but no "
+ "certificate nickname provided\n");
+@@ -614,9 +632,6 @@ main(int argc, char *argv[])
+ }
+ }
+
+- if (ctxp->hash)
+- action |= GENERATE_DIGEST|PRINT_DIGEST;
+-
+ ssize_t sigspace = 0;
+
+ switch (action) {
+--
+1.8.1.4
+
diff --git a/pesign.changes b/pesign.changes
index 1d1f1fa..1dc782f 100644
--- a/pesign.changes
+++ b/pesign.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Nov 7 09:17:04 UTC 2013 - glin@suse.com
+
+- Add pesign-no-db.patch to allow some commands to proceed without
+ a NSS database.
+
 -------------------------------------------------------------------
 Thu Oct 24 03:14:05 UTC 2013 - glin@suse.com
diff --git a/pesign.spec b/pesign.spec
index 335525e..ebbbe7f 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -34,6 +34,8 @@ Patch3: pesign-privkey_unneeded.diff
 Patch4: pesign-clear-padding-bits.patch
 # PATCH-FIX-SUSE use-standard-pid-location.patch p.drouand@gmail.com --Use standard /run instead of /var/run for pidfile
 Patch6: use-standard-pid-location.patch
+# PATCH-FIX-UPSTREAM pesign-no-db.patch glin@suse.com -- Allow some commands to proceed without a NSS database
+Patch7: pesign-no-db.patch
 BuildRequires: mozilla-nss-devel
 BuildRequires: pkg-config
 BuildRequires: popt-devel
@@ -59,6 +61,7 @@ Authors:
 %patch3 -p1
 %patch4 -p1
 %patch6 -p1
+%patch7 -p1
 %build
 make OPTFLAGS="$RPM_OPT_FLAGS"