From 1322afa84127b7938824af5b55175e1d9bc28324 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: May 12 2015 16:12:19 +0000
Subject: Let NSS's safeguards against key deletion work


Stop overriding NSS's built-in default policy of refusing to delete a
key that still has a certificate associated with it, to avoid potential
loss due to bugs.

---

diff --git a/src/certsave-n.c b/src/certsave-n.c
index 46a5224..f05c944 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -590,7 +590,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 				if (!entry->cm_key_preserve && (oldcert == NULL)) {
 					/* We're not preserving keys, so remove
 					 * the old one. */
-					PK11_DeleteTokenPrivateKey(privkey, PR_TRUE);
+					PK11_DeleteTokenPrivateKey(privkey, PR_FALSE);
 					if (error == SECSuccess) {
 						cm_log(3, "Removed "
 						       "old key.\n");
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 067d2fe..068cdc3 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -730,7 +730,7 @@ retry_gen:
 			}
 			SECKEY_DestroyPrivateKeyList(privkeys);
 			if (delkey != NULL) {
-				PK11_DeleteTokenPrivateKey(delkey, PR_TRUE);
+				PK11_DeleteTokenPrivateKey(delkey, PR_FALSE);
 				cm_log(1, "Removing key with nickname \"%s\".\n", nickname);
 				/* If we found at least one key before, scan again. */
 				privkeys = PK11_ListPrivKeysInSlot(slot,