| 1 |
vip-ire |
1.1 |
MozNSS: load certificates from certdb, fallback to PEM |
| 2 |
|
|
|
| 3 |
|
|
If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS |
| 4 |
|
|
certificate database, the backend assumed that the certificate is always |
| 5 |
|
|
located in the certificate database. This assumption might be wrong. |
| 6 |
|
|
|
| 7 |
|
|
This patch makes the library to try to load the certificate from NSS |
| 8 |
|
|
database and fallback to PEM file if unsuccessfull. |
| 9 |
|
|
|
| 10 |
|
|
Author: Jan Vcelak <jvcelak@redhat.com> |
| 11 |
|
|
Upstream ITS: #7389 |
| 12 |
|
|
Resolves: #857455 |
| 13 |
|
|
|
| 14 |
|
|
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c |
| 15 |
|
|
index 6847bea..8339391 100644 |
| 16 |
|
|
--- a/libraries/libldap/tls_m.c |
| 17 |
|
|
+++ b/libraries/libldap/tls_m.c |
| 18 |
|
|
@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx ) |
| 19 |
|
|
/* prefer unlocked key, then key from opened certdb, then any other */ |
| 20 |
|
|
if ( unlocked_key ) |
| 21 |
|
|
ctx->tc_private_key = unlocked_key; |
| 22 |
|
|
- else if ( ctx->tc_certdb_slot ) |
| 23 |
|
|
+ else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem ) |
| 24 |
|
|
ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg ); |
| 25 |
|
|
else |
| 26 |
|
|
ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg ); |
| 27 |
|
|
@@ -1909,8 +1909,6 @@ tlsm_deferred_init( void *arg ) |
| 28 |
|
|
} |
| 29 |
|
|
return -1; |
| 30 |
|
|
} |
| 31 |
|
|
- |
| 32 |
|
|
- ctx->tc_using_pem = PR_TRUE; |
| 33 |
|
|
} |
| 34 |
|
|
|
| 35 |
|
|
NSS_SetDomesticPolicy(); |
| 36 |
|
|
@@ -2363,15 +2361,9 @@ tlsm_deferred_ctx_init( void *arg ) |
| 37 |
|
|
|
| 38 |
|
|
/* set up our cert and key, if any */ |
| 39 |
|
|
if ( lt->lt_certfile ) { |
| 40 |
|
|
- /* if using the PEM module, load the PEM file specified by lt_certfile */ |
| 41 |
|
|
- /* otherwise, assume this is the name of a cert already in the db */ |
| 42 |
|
|
- if ( ctx->tc_using_pem ) { |
| 43 |
|
|
- /* this sets ctx->tc_certificate to the correct value */ |
| 44 |
|
|
- int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ); |
| 45 |
|
|
- if ( rc ) { |
| 46 |
|
|
- return rc; |
| 47 |
|
|
- } |
| 48 |
|
|
- } else { |
| 49 |
|
|
+ |
| 50 |
|
|
+ /* first search in certdb (lt_certfile is nickname) */ |
| 51 |
|
|
+ if ( ctx->tc_certdb ) { |
| 52 |
|
|
char *tmp_certname; |
| 53 |
|
|
|
| 54 |
|
|
if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) { |
| 55 |
|
|
@@ -2391,8 +2383,31 @@ tlsm_deferred_ctx_init( void *arg ) |
| 56 |
|
|
Debug( LDAP_DEBUG_ANY, |
| 57 |
|
|
"TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n", |
| 58 |
|
|
lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); |
| 59 |
|
|
+ } |
| 60 |
|
|
+ } |
| 61 |
|
|
+ |
| 62 |
|
|
+ /* fallback to PEM module (lt_certfile is filename) */ |
| 63 |
|
|
+ if ( !ctx->tc_certificate ) { |
| 64 |
|
|
+ if ( !pem_module && tlsm_init_pem_module() ) { |
| 65 |
|
|
+ int pem_errcode = PORT_GetError(); |
| 66 |
|
|
+ Debug( LDAP_DEBUG_ANY, |
| 67 |
|
|
+ "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n", |
| 68 |
|
|
+ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); |
| 69 |
|
|
return -1; |
| 70 |
|
|
} |
| 71 |
|
|
+ |
| 72 |
|
|
+ /* this sets ctx->tc_certificate to the correct value */ |
| 73 |
|
|
+ if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) { |
| 74 |
|
|
+ ctx->tc_using_pem = PR_TRUE; |
| 75 |
|
|
+ } |
| 76 |
|
|
+ } |
| 77 |
|
|
+ |
| 78 |
|
|
+ if ( ctx->tc_certificate ) { |
| 79 |
|
|
+ Debug( LDAP_DEBUG_ANY, |
| 80 |
|
|
+ "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile, |
| 81 |
|
|
+ ctx->tc_using_pem ? "PEM file" : "moznss database", 0); |
| 82 |
|
|
+ } else { |
| 83 |
|
|
+ return -1; |
| 84 |
|
|
} |
| 85 |
|
|
} |
| 86 |
|
|
|
Parent Directory
| 
Revision Log
| 
Revision Graph
