Attachment 612876 Details for Bug 857455 – patch

[patch] patch

jvcelak-20120914-moznss-load-certs-from-certdb-fallback-to-pem.patch (text/plain), 2.93 KB, created by Jan Vcelak on 2012-09-14 13:33:34 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jan Vcelak

Created: 2012-09-14 13:33:34 UTC

Size: 2.93 KB

patch

obsolete

>From 7cddb5b2725828920a72522f9fabe4bd37989763 Mon Sep 17 00:00:00 2001
>From: Jan Vcelak <jvcelak@redhat.com>
>Date: Fri, 14 Sep 2012 14:24:29 +0200
>Subject: [PATCH] MozNSS: load certificates from certdb, fallback to PEM
>
>If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
>certificate database, the backend assumed that the certificate is always
>located in the certificate database. This assumption might be wrong.
>
>This patch makes the library to try to load the certificate from NSS
>database and fallback to PEM file if unsuccessfull.
>---
> libraries/libldap/tls_m.c | 33 ++++++++++++++++++++-------------
> 1 file changed, 20 insertions(+), 13 deletions(-)
>
>diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
>index 1422ce2..2ca89e9 100644
>--- a/libraries/libldap/tls_m.c
>+++ b/libraries/libldap/tls_m.c
>@@ -1343,7 +1343,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx )
> 	/* prefer unlocked key, then key from opened certdb, then any other */
> 	if ( unlocked_key )
> 		ctx->tc_private_key = unlocked_key;
>-	else if ( ctx->tc_certdb_slot )
>+	else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
> 		ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg );
> 	else
> 		ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg );
>@@ -1819,8 +1819,6 @@ tlsm_deferred_init( void *arg )
> 				}
> 				return -1;
> 			}
>-
>-			ctx->tc_using_pem = PR_TRUE;
> 		}
> 
> 		NSS_SetDomesticPolicy();
>@@ -2273,15 +2271,9 @@ tlsm_deferred_ctx_init( void *arg )
> 
> 	/* set up our cert and key, if any */
> 	if ( lt->lt_certfile ) {
>-		/* if using the PEM module, load the PEM file specified by lt_certfile */
>-		/* otherwise, assume this is the name of a cert already in the db */
>-		if ( ctx->tc_using_pem ) {
>-			/* this sets ctx->tc_certificate to the correct value */
>-			int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE );
>-			if ( rc ) {
>-				return rc;
>-			}
>-		} else {
>+
>+		/* first search in certdb (lt_certfile is nickname) */
>+		if ( ctx->tc_certdb ) {
> 			char *tmp_certname;
> 
> 			if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) {
>@@ -2301,9 +2293,24 @@ tlsm_deferred_ctx_init( void *arg )
> 				Debug( LDAP_DEBUG_ANY,
> 					   "TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
> 					   lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
>-				return -1;
> 			}
> 		}
>+
>+		/* fallback to PEM module (lt_certfile is filename) */
>+		if ( !ctx->tc_certificate && pem_module ) {
>+			/* this sets ctx->tc_certificate to the correct value */
>+			if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
>+				ctx->tc_using_pem = PR_TRUE;
>+			}
>+		}
>+
>+		if ( ctx->tc_certificate ) {
>+			Debug( LDAP_DEBUG_ANY,
>+				   "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile,
>+				   ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
>+		} else {
>+			return -1;
>+		}
> 	}
> 
> 	if ( lt->lt_keyfile ) {
>-- 
>1.7.11.4
>

Actions: View | Diff

Attachments on bug 857455: 612876