/[smeserver]/rpms/openldap/sme9/openldap-nss-certs-from-certdb-fallback-pem.patch
ViewVC logotype

Contents of /rpms/openldap/sme9/openldap-nss-certs-from-certdb-fallback-pem.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Tue Nov 11 00:46:15 2014 UTC (9 years, 11 months ago) by vip-ire
Branch: MAIN
CVS Tags: openldap-2_4_39-8_el6_sme, HEAD
Import openldap

1 MozNSS: load certificates from certdb, fallback to PEM
2
3 If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
4 certificate database, the backend assumed that the certificate is always
5 located in the certificate database. This assumption might be wrong.
6
7 This patch makes the library to try to load the certificate from NSS
8 database and fallback to PEM file if unsuccessfull.
9
10 Author: Jan Vcelak <jvcelak@redhat.com>
11 Upstream ITS: #7389
12 Resolves: #857455
13
14 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
15 index 6847bea..8339391 100644
16 --- a/libraries/libldap/tls_m.c
17 +++ b/libraries/libldap/tls_m.c
18 @@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx )
19 /* prefer unlocked key, then key from opened certdb, then any other */
20 if ( unlocked_key )
21 ctx->tc_private_key = unlocked_key;
22 - else if ( ctx->tc_certdb_slot )
23 + else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
24 ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg );
25 else
26 ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg );
27 @@ -1909,8 +1909,6 @@ tlsm_deferred_init( void *arg )
28 }
29 return -1;
30 }
31 -
32 - ctx->tc_using_pem = PR_TRUE;
33 }
34
35 NSS_SetDomesticPolicy();
36 @@ -2363,15 +2361,9 @@ tlsm_deferred_ctx_init( void *arg )
37
38 /* set up our cert and key, if any */
39 if ( lt->lt_certfile ) {
40 - /* if using the PEM module, load the PEM file specified by lt_certfile */
41 - /* otherwise, assume this is the name of a cert already in the db */
42 - if ( ctx->tc_using_pem ) {
43 - /* this sets ctx->tc_certificate to the correct value */
44 - int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE );
45 - if ( rc ) {
46 - return rc;
47 - }
48 - } else {
49 +
50 + /* first search in certdb (lt_certfile is nickname) */
51 + if ( ctx->tc_certdb ) {
52 char *tmp_certname;
53
54 if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) {
55 @@ -2391,8 +2383,31 @@ tlsm_deferred_ctx_init( void *arg )
56 Debug( LDAP_DEBUG_ANY,
57 "TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
58 lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
59 + }
60 + }
61 +
62 + /* fallback to PEM module (lt_certfile is filename) */
63 + if ( !ctx->tc_certificate ) {
64 + if ( !pem_module && tlsm_init_pem_module() ) {
65 + int pem_errcode = PORT_GetError();
66 + Debug( LDAP_DEBUG_ANY,
67 + "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n",
68 + pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
69 return -1;
70 }
71 +
72 + /* this sets ctx->tc_certificate to the correct value */
73 + if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
74 + ctx->tc_using_pem = PR_TRUE;
75 + }
76 + }
77 +
78 + if ( ctx->tc_certificate ) {
79 + Debug( LDAP_DEBUG_ANY,
80 + "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile,
81 + ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
82 + } else {
83 + return -1;
84 }
85 }
86

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed