Red Hat Bugzilla – Attachment 146728 Details for
Bug 224672
Get rid of key/cert db prefix
[patch]
diffs
cvsdiffs (text/plain), 6.22 KB, created by
Rich Megginson
on 2007-01-26 22:59:05 UTC
Description:
diffs
Filename:
MIME Type:
Creator:
Rich Megginson
Created:
2007-01-26 22:59:05 UTC
Size:
6.22 KB
patch
obsolete
>Index: ldapserver/ldap/servers/slapd/ssl.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/ssl.c,v
>retrieving revision 1.11
>diff -u -8 -r1.11 ssl.c
>--- ldapserver/ldap/servers/slapd/ssl.c 10 Nov 2006 23:45:40 -0000 1.11
>+++ ldapserver/ldap/servers/slapd/ssl.c 26 Jan 2007 22:58:30 -0000 
>@@ -419,156 +419,78 @@
> }
> 
> /*
> * slapd_nss_init() is always called from main(), even if we do not
> * plan to listen on a secure port. If config_available is 0, the
> * config. entries from dse.ldif are NOT available (used only when
> * running in referral mode).
> * As of DS6.1, the init_ssl flag passed is ignored.
>+ *
>+ * richm 20070126 - By default now we put the key/cert db files
>+ * in an instance specific directory (the certdir directory) so
>+ * we do not need a prefix any more.
> */
> int
> slapd_nss_init(int init_ssl, int config_available)
> {
> SECStatus secStatus;
> PRErrorCode errorCode;
>- char *keyfn = NULL;
>- char *certfn = NULL;
>- char *val = NULL;
>- char certPref[1024];
>- char keyPref[1024];
>- char path[1024];
>+ PRStatus status;
> int rv = 0;
> int len = 0;
> PRUint32 nssFlags = 0;
>- Slapi_Entry *ec = NULL;
> char *certdir;
> 
>- if (config_available) {
>- getConfigEntry( configDN, &ec );
>- }
>-
>- if ( ec != NULL ) {
>- certfn = slapi_entry_attr_get_charptr( ec, "nscertfile" );
>- keyfn = slapi_entry_attr_get_charptr( ec, "nskeyfile" );
>- slapi_entry_free (ec);
>- ec = NULL;
>- }
>-
> /* set in slapd_bootstrap_config,
> thus certdir is available even if config_available is false */
> certdir = config_get_certdir();
>- PL_strncpyz(path, certdir, sizeof(path));
>- slapi_ch_free_string(&certdir);
> 
> /* make sure path does not end in the path separator character */
>- len = strlen(path);
>- if (path[len-1] == '/' || path[len-1] == '\\') {
>- path[len-1] = '\0';
>- }
>-
>- /* get the server instance dir name from path:
>- <sysconfig>/BRAND_DS/slapd-<id> */
>- val = strrchr(path, '/');
>- if (!val) {
>- val = strrchr(path, '\\');
>- }
>- val++;
>-
>- if (keyfn && certfn) {
>- if (is_abspath(certfn)) {
>- warn_if_no_cert_file(certfn);
>- /* first, initialize path from the certfn */
>- PL_strncpyz(path, certfn, sizeof(path));
>- /* extract path from cert db filename */
>- val = strrchr(path, '/');
>- if (!val) {
>- val = strrchr(path, '\\');
>- }
>- *val = 0; /* path is initialized */
>- /* next, init the cert db prefix */
>- val++;
>- PL_strncpyz(certPref, val, sizeof(certPref));
>- } else {
>- PL_strncpyz(val, certfn, sizeof(path)-(val-path));
>- warn_if_no_cert_file(path); /* assumes certfn is relative to server root */
>- val = strrchr(path, '/');
>- if (!val) {
>- val = strrchr(path, '\\');
>- }
>- val++;
>- PL_strncpyz(certPref, val, sizeof(certPref));
>- *val = '\0';
>- }
>- /* path represents now the base directory where cert, key, pin, and module db live */
>- /* richm - use strrstr to get the last occurance of -cert in the string, in case
>- the instance is named slapd-cert - the certdb name will be slapd-cert-cert7.db
>- */
>- val = PL_strrstr(certPref, "-cert");
>- val++;
>- *val = '\0';
>- /* certPref keeps the prefix added to the cert db, usually "slapd-myserver-" */
>-
>- /* now find the key db prefix */
>- val = strrchr(keyfn, '/');
>- if (!val) {
>- val = strrchr(keyfn, '\\');
>- }
>- if (val != NULL) {
>- val++;
>- } else {
>- val = keyfn;
>- }
>- PL_strncpyz(keyPref, val, sizeof(keyPref));
>- warn_if_no_key_file(path, keyPref);
>- /* richm - use strrstr to get the last occurance of -key in the string, in case
>- the instance is named slapd-key - the keydb name will be slapd-key-key3.db
>- */
>- val = PL_strrstr(keyPref, "-key");
>- val++;
>- *val = '\0';
>- /* keypref keeps the prefix added to the key db, usually "slapd-myserver-" */
>- } else {
>- if ( config_get_security() ) {
>- /* Have to have the key and cert file names to enable an SSL port */
>- errorCode = PR_GetError();
>- slapd_SSL_warn("Security Initialization: Failed to retrieve SSL "
>- "configuration information ("
>- SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
>- "nskeyfile: %s, nscertfile: %s ",
>- errorCode, slapd_pr_strerror(errorCode),
>- (keyfn ? "found" : "not found"),
>- (certfn ? "found" : "not found"));
>- }
>- PR_snprintf(certPref, sizeof(certPref), "%s-", val);
>- PL_strncpyz(keyPref, certPref, sizeof(keyPref));
>+ len = strlen(certdir);
>+ if (certdir[len-1] == '/' || certdir[len-1] == '\\') {
>+ certdir[len-1] = '\0';
> }
> 
>- slapi_ch_free((void **) &certfn);
>- slapi_ch_free((void **) &keyfn);
>+ /* we open the key/cert db in rw mode, so make sure the directory
>+ is writable */
>+ if (PR_SUCCESS != (status = PR_Access(certdir, PR_ACCESS_WRITE_OK))) {
>+ char *serveruser = "unknown";
>+#ifndef _WIN32
>+ serveruser = config_get_localuser();
>+#endif
>+ slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
>+ "Warning: The key/cert database directory [%s] is not writable by "
>+ "the server uid [%s]: initialization likely to fail.\n",
>+ certdir, serveruser);
>+#ifndef _WIN32
>+ slapi_ch_free_string(&serveruser);
>+#endif
>+ }
> 
> /******** Initialise NSS *********/
> 
> nssFlags &= (~NSS_INIT_READONLY);
> slapd_pk11_configurePKCS11(NULL, NULL, tokDes, ptokDes, NULL, NULL, NULL, NULL, 0, 0 );
>- secStatus = NSS_Initialize(path, certPref, keyPref, "secmod.db", nssFlags);
>+ secStatus = NSS_Initialize(certdir, NULL, NULL, "secmod.db", nssFlags);
> 
>- dongle_file_name = PR_smprintf("%s/%spin.txt", path, certPref);
>+ dongle_file_name = PR_smprintf("%s/pin.txt", certdir);
> 
> if (secStatus != SECSuccess) {
> errorCode = PR_GetError();
> slapd_SSL_warn("Security Initialization: NSS initialization failed ("
> SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
>- "path: %s, certdb prefix: %s, keydb prefix: %s.",
>- errorCode, slapd_pr_strerror(errorCode), path, certPref, keyPref);
>+ "certdir: %s",
>+ errorCode, slapd_pr_strerror(errorCode), certdir);
> rv = -1;
> }
> 
> /****** end of NSS Initialization ******/
> 
>+ slapi_ch_free_string(&certdir);
> return rv;
> }
> 
> /*
> * slapd_ssl_init() is called from main() if we plan to listen
> * on a secure port.
> */
> int