From 2fdc2d0cb7fa98992fe6c2070cb5dc34c500ac09 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Nov 11 2016 11:13:56 +0000
Subject: CertDB: add API for non-destructive initialization from PKCS#12 bundle
`create_from_pkcs12` method of CertDB was re-creating NSS database files during PKCS#12 bundle import. This may cause bugs because the file permissions could be re-set to wrong values causing subtle bugs. Modify the class API so that the server cert chain can be imported while preserving existing FS attributes.
https://fedorahosted.org/freeipa/ticket/6429
Reviewed-By: Jan Cholasta
---
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 13e66cb..9f7cad8 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -588,6 +588,14 @@ class CertDB(object):
         self.create_noise_file()
         self.create_passwd_file(passwd)
         self.create_certdbs()
+        self.init_from_pkcs12(
+            pkcs12_fname,
+            pkcs12_passwd,
+            ca_file=ca_file,
+            trust_flags=trust_flags)
+
+    def init_from_pkcs12(self, pkcs12_fname, pkcs12_passwd,
+                         ca_file=None, trust_flags=None):
         self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
         server_certs = self.find_server_certs()
         if len(server_certs) == 0:
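Review bot: The new public method `init_from_pkcs12` has no docstring, and its whole reason for existing — importing into an NSS database that already exists, without recreating the files or touching their ownership and mode — is stated only in the commit message, where the next caller will not see it. I would add a docstring directly under the new `def`, along the lines of `"""Import the server cert chain from a PKCS#12 file into the existing NSS database."""` followed by a sentence that, unlike `create_from_pkcs12`, this does not re-create the database files and so preserves their existing permissions, and that the caller is responsible for the database having been created (e.g. via `create_certdbs()`) beforehand. The `ca_file` and `trust_flags` parameters are not used in the visible lines, so their meaning should be stated in the docstring once the rest of the body confirms it. Note that `create_from_pkcs12` begins before this hunk and `init_from_pkcs12` continues past its last line, so the empty-server-certs branch and any later use of the new parameters are not under review here.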