authorRob Crittenden <rcritten@redhat.com>2013-01-16 13:20:14 -0500
committerRob Crittenden <rcritten@redhat.com>2013-01-23 14:26:42 -0500
commit31e41eea6c2322689826e6065ceba82551c565aa (patch)
tree602a0148d9adb7e5725b037910a71a0cccfeb7ea
parenta1991aeac19c3fec1fdd0d184c6760c90c9f9fc9 (diff)
Don't initialize NSS if we don't have to, clean up unused cert refs
Check to see if NSS is initialized before trying to do so again. If we are temporarily creating a certificate, be sure to delete it in order to remove references to it and avoid NSS shutdown issues. In the certificate load validator, shut down NSS if we end up initializing it. I'm not entirely sure why, but this prevents a later shutdown issue if we are passed the --ca-cert-file option.
-rwxr-xr-xipa-client/ipa-install/ipa-client-install10
-rw-r--r--ipalib/x509.py33
2 files changed, 30 insertions, 13 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index bd299f9ba..f068c9d34 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -48,6 +48,7 @@ try:
from ipapython.dn import DN
from ipapython.ssh import SSHPublicKey
from ipalib.rpc import delete_persistent_client_session_data
+ import nss.nss as nss
import SSSDConfig
from ConfigParser import RawConfigParser
from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError
@@ -77,10 +78,15 @@ def parse_options():
if not os.path.isabs(value):
raise OptionValueError("%s option '%s' is not an absolute file path" % (opt, value))
+ initialized = nss.nss_is_initialized()
try:
cert = x509.load_certificate_from_file(value)
except Exception, e:
raise OptionValueError("%s option '%s' is not a valid certificate file" % (opt, value))
+ else:
+ del(cert)
+ if not initialized:
+ nss.nss_shutdown()
parser.values.ca_cert_file = value
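Review bot: The `nss.nss_shutdown()` added at the end of this hunk runs only on the `else:` (success) path, so if `x509.load_certificate_from_file` raises after NSS has already been initialized on its behalf (presumably via `load_certificate`, which the x509.py hunk shows calling `nss.nss_init`), NSS is left initialized by a validator whose intent is to leave process state untouched; the `raise OptionValueError` here makes that harmless only if option parsing aborts the process. Moving the cleanup into a `finally:` guarded by both conditions covers both paths: `finally:` / `if not initialized and nss.nss_is_initialized():` / `nss.nss_shutdown()`. The second condition is needed because a failure that happens before NSS gets initialized leaves nothing to shut down. Separately, `del(cert)` is the `del` statement with redundant parentheses; `del cert` is the idiomatic spelling, and the same applies to the `del(...)` lines in the two later hunks of this file. The enclosing option callback starts outside the hunk.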
@@ -1372,6 +1378,8 @@ def get_ca_cert_from_file(url):
except Exception, e:
raise errors.FileError(reason =
u"cannot write certificate file '%s': %s" % (CACERT, e))
+ else:
+ del(cert)
def get_ca_cert_from_http(url, ca_file, warn=True):
'''
@@ -1478,6 +1486,8 @@ def validate_new_ca_cert(existing_ca_cert, ca_file, ask, override=False):
root_logger.debug(
"Existing CA cert and Retrieved CA cert are identical")
os.remove(ca_file)
+ del(existing_ca_cert)
+ del(new_ca_cert)
def get_ca_cert(fstore, options, server, basedn):
diff --git a/ipalib/x509.py b/ipalib/x509.py
index f8a13577b..4f81fb59a 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -91,18 +91,18 @@ def load_certificate(data, datatype=PEM, dbdir=None):
data = strip_header(data)
data = base64.b64decode(data)
- if dbdir is None:
- if 'in_tree' in api.env:
- if api.env.in_tree:
- dbdir = api.env.dot_ipa + os.sep + 'alias'
+ if not nss.nss_is_initialized():
+ if dbdir is None:
+ if 'in_tree' in api.env:
+ if api.env.in_tree:
+ dbdir = api.env.dot_ipa + os.sep + 'alias'
+ else:
+ dbdir = "/etc/httpd/alias"
+ nss.nss_init(dbdir)
else:
- dbdir = "/etc/httpd/alias"
- nss.nss_init(dbdir)
+ nss.nss_init_nodb()
else:
- nss.nss_init_nodb()
- else:
- nss.nss_init(dbdir)
-
+ nss.nss_init(dbdir)
return nss.Certificate(buffer(data))
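Review bot: With the new `if not nss.nss_is_initialized():` guard, a caller-supplied `dbdir` is silently ignored whenever NSS is already initialized, so the certificate is parsed in whatever database (or no-db) context an earlier caller set up; since callers passing `dbdir` may expect it to take effect, this should be stated in the function's docstring, which lies outside the hunk. Suggested docstring addition: `NSS is process-global: if it is already initialized, dbdir is ignored and the existing context is used.` A debug log line when `dbdir is not None` and NSS was already initialized would make such a mismatch visible without changing behaviour, if this module has a logger in scope — I can't tell from the hunk. The `del(nsscert)` lines in the three later hunks of this file are the `del` statement with redundant parentheses; `del nsscert` is the conventional spelling. The `load_certificate` signature and docstring are outside the hunk.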
@@ -139,7 +139,9 @@ def get_subject(certificate, datatype=PEM, dbdir=None):
"""
nsscert = load_certificate(certificate, datatype, dbdir)
- return nsscert.subject
+ subject = nsscert.subject
+ del(nsscert)
+ return subject
def get_issuer(certificate, datatype=PEM, dbdir=None):
"""
@@ -147,14 +149,18 @@ def get_issuer(certificate, datatype=PEM, dbdir=None):
"""
nsscert = load_certificate(certificate, datatype, dbdir)
- return nsscert.issuer
+ issuer = nsscert.issuer
+ del(nsscert)
+ return issuer
def get_serial_number(certificate, datatype=PEM, dbdir=None):
"""
Return the decimal value of the serial number.
"""
nsscert = load_certificate(certificate, datatype, dbdir)
- return nsscert.serial_number
+ serial_number = nsscert.serial_number
+ del(nsscert)
+ return serial_number
def make_pem(data):
"""
@@ -230,6 +236,7 @@ def verify_cert_subject(ldap, hostname, dercert):
nsscert = load_certificate(dercert, datatype=DER)
subject = str(nsscert.subject)
issuer = str(nsscert.issuer)
+ del(nsscert)
# Handle both supported forms of issuer, from selfsign and dogtag.
if (not valid_issuer(issuer)):