/[smeserver]/rpms/openldap/sme9/openldap-nss-certs-from-certdb-fallback-pem.patch
ViewVC logotype

Annotation of /rpms/openldap/sme9/openldap-nss-certs-from-certdb-fallback-pem.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Tue Nov 11 00:46:15 2014 UTC (9 years, 11 months ago) by vip-ire
Branch: MAIN
CVS Tags: openldap-2_4_39-8_el6_sme, HEAD
Import openldap

1 vip-ire 1.1 MozNSS: load certificates from certdb, fallback to PEM
2    
3     If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
4     certificate database, the backend assumed that the certificate is always
5     located in the certificate database. This assumption might be wrong.
6    
7     This patch makes the library to try to load the certificate from NSS
8     database and fallback to PEM file if unsuccessfull.
9    
10     Author: Jan Vcelak <jvcelak@redhat.com>
11     Upstream ITS: #7389
12     Resolves: #857455
13    
14     diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
15     index 6847bea..8339391 100644
16     --- a/libraries/libldap/tls_m.c
17     +++ b/libraries/libldap/tls_m.c
18     @@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx )
19     /* prefer unlocked key, then key from opened certdb, then any other */
20     if ( unlocked_key )
21     ctx->tc_private_key = unlocked_key;
22     - else if ( ctx->tc_certdb_slot )
23     + else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
24     ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg );
25     else
26     ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg );
27     @@ -1909,8 +1909,6 @@ tlsm_deferred_init( void *arg )
28     }
29     return -1;
30     }
31     -
32     - ctx->tc_using_pem = PR_TRUE;
33     }
34    
35     NSS_SetDomesticPolicy();
36     @@ -2363,15 +2361,9 @@ tlsm_deferred_ctx_init( void *arg )
37    
38     /* set up our cert and key, if any */
39     if ( lt->lt_certfile ) {
40     - /* if using the PEM module, load the PEM file specified by lt_certfile */
41     - /* otherwise, assume this is the name of a cert already in the db */
42     - if ( ctx->tc_using_pem ) {
43     - /* this sets ctx->tc_certificate to the correct value */
44     - int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE );
45     - if ( rc ) {
46     - return rc;
47     - }
48     - } else {
49     +
50     + /* first search in certdb (lt_certfile is nickname) */
51     + if ( ctx->tc_certdb ) {
52     char *tmp_certname;
53    
54     if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) {
55     @@ -2391,8 +2383,31 @@ tlsm_deferred_ctx_init( void *arg )
56     Debug( LDAP_DEBUG_ANY,
57     "TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
58     lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
59     + }
60     + }
61     +
62     + /* fallback to PEM module (lt_certfile is filename) */
63     + if ( !ctx->tc_certificate ) {
64     + if ( !pem_module && tlsm_init_pem_module() ) {
65     + int pem_errcode = PORT_GetError();
66     + Debug( LDAP_DEBUG_ANY,
67     + "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n",
68     + pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
69     return -1;
70     }
71     +
72     + /* this sets ctx->tc_certificate to the correct value */
73     + if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
74     + ctx->tc_using_pem = PR_TRUE;
75     + }
76     + }
77     +
78     + if ( ctx->tc_certificate ) {
79     + Debug( LDAP_DEBUG_ANY,
80     + "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile,
81     + ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
82     + } else {
83     + return -1;
84     }
85     }
86    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed