Bug 769739 - CC: self test verifySystemCertByNickname: certain failure will not cause server to shutdown as expected

There are two issues: 1. The variable, r, returned by verifySystemCertByTag() gets overwritten by the next return value in a while loop. The problem affects both java subsystems and TPS. 2. In the TPS system, within a while loop that calls verifySystemCertByNickname(), one condition does a "continue" without advancing to the next token, causing an infinite loop under that condition. Adding a PL_strtok_r(NULL, ",", &lasts); call resolves the issue.
author: Christina Fu <cfu@redhat.com> 2012-01-19 10:11:02 -0800
committer: Christina Fu <cfu@redhat.com> 2012-01-19 10:16:28 -0800
commit: 72d5d935ac9091cb4dc7bd99875ccee48318ff25 (patch)
tree: 191f9620b67fb28c557bc4cc2817315eee0255d3
parent: 413d6cb605497b43a48772b3c234b4062f44de54 (diff)
download: pki-72d5d935ac9091cb4dc7bd99875ccee48318ff25.tar.gz
pki-72d5d935ac9091cb4dc7bd99875ccee48318ff25.tar.xz
pki-72d5d935ac9091cb4dc7bd99875ccee48318ff25.zip
2 files changed, 14 insertions, 11 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java b/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
index c66d8a71d..12965a52e 100644
--- a/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
+++ b/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
@@ -1002,7 +1002,8 @@ public class CertUtils {
         String auditMessage = null;
         IConfigStore config = CMS.getConfigStore();
         String certlsit = "";
-        boolean r = true;
+        boolean verifyResult = true;
+        boolean r = true; /* the final return value */
         try {
             String subsysType = config.getString("cs.type", "");
             if (subsysType.equals("")) {
@@ -1014,8 +1015,7 @@ public class CertUtils {
                             "");
 
                 audit(auditMessage);
-                r = false;
-                return r;
+                return false;
             }
             subsysType = toLowerCaseSubsystemType(subsysType);
             if (subsysType == null) {
@@ -1027,8 +1027,7 @@ public class CertUtils {
                             "");
 
                 audit(auditMessage);
-                r = false;
-                return r;
+                return false;
             }
             String certlist = config.getString(subsysType + ".cert.list", "");
             if (certlist.equals("")) {
@@ -1041,15 +1040,16 @@ public class CertUtils {
                             "");
 
                 audit(auditMessage);
-                r = false;
-                return r;
+                return false;
             }
             StringTokenizer tokenizer = new StringTokenizer(certlist, ",");
             while (tokenizer.hasMoreTokens()) {
                 String tag = tokenizer.nextToken();
                 tag = tag.trim();
                 CMS.debug("CertUtils: verifySystemCerts() cert tag=" + tag);
-                r = verifySystemCertByTag(tag);
+                verifyResult = verifySystemCertByTag(tag);
+                if (verifyResult == false)
+                    r = false; //r captures the value for final return
             }
         } catch (Exception e) {
             // audit here
diff --git a/pki/base/tps/src/engine/RA.cpp b/pki/base/tps/src/engine/RA.cpp
index 7b8e7adcc..862b9e105 100644
--- a/pki/base/tps/src/engine/RA.cpp
+++ b/pki/base/tps/src/engine/RA.cpp
@@ -3399,7 +3399,8 @@ TPS_PUBLIC bool RA::verifySystemCertByNickname(const char *nickname, const char
  * tps.cert.audit_signing.certusage=ObjectSigner
  */
 TPS_PUBLIC bool RA::verifySystemCerts() {
-    bool rv = false;
+    bool verifyResult = false;
+    bool rv = false; /* final return value */
     char configname[256];
     char configname_nn[256];
     char configname_cu[256];
@@ -3434,6 +3435,7 @@ TPS_PUBLIC bool RA::verifySystemCerts() {
                     "cert nickname not found for cert tag:%s", sresult);
                 PR_snprintf(audit_msg, 512, "%s undefined in CS.cfg", configname_nn);
                 RA::Audit(EV_CIMC_CERT_VERIFICATION, AUDIT_MSG_FORMAT, "System", "Failure", audit_msg);
+                sresult = PL_strtok_r(NULL, ",", &lasts);
                 rv = false;
                 continue;
             }
@@ -3451,14 +3453,15 @@ TPS_PUBLIC bool RA::verifySystemCerts() {
                 "Verifying cert tag: %s, nickname:%s, certificate usage:%s"
                     , sresult, nn, (cu!=NULL)? cu: "");
 
-            rv = verifySystemCertByNickname(nn, cu);
-            if (rv == true) {
+            verifyResult = verifySystemCertByNickname(nn, cu);
+            if (verifyResult == true) {
                 RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts", 
                     "cert verification passed on cert nickname:%s", nn);
                 PR_snprintf(audit_msg, 512, "Certificate verification succeeded:%s",
                     nn);
                 RA::Audit(EV_CIMC_CERT_VERIFICATION, AUDIT_MSG_FORMAT, "System", "Success", audit_msg);
             } else {
+                rv = false;
                 RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts", 
                     "cert verification failed on cert nickname:%s", nn);
                 PR_snprintf(audit_msg, 512, "Certificate verification failed:%s",
author	Christina Fu <cfu@redhat.com>	2012-01-19 10:11:02 -0800
committer	Christina Fu <cfu@redhat.com>	2012-01-19 10:16:28 -0800
commit	72d5d935ac9091cb4dc7bd99875ccee48318ff25 (patch)
tree	191f9620b67fb28c557bc4cc2817315eee0255d3
parent	413d6cb605497b43a48772b3c234b4062f44de54 (diff)
download	pki-72d5d935ac9091cb4dc7bd99875ccee48318ff25.tar.gz pki-72d5d935ac9091cb4dc7bd99875ccee48318ff25.tar.xz pki-72d5d935ac9091cb4dc7bd99875ccee48318ff25.zip