authorNalin Dahyabhai <nalin@redhat.com>2012-10-09 13:41:46 -0400
committerGreg Hudson <ghudson@mit.edu>2012-10-15 11:41:10 -0400
commit3a747275b650a003ae81f0479e1202b10b2ea466 (patch)
tree06476c86f90f4fd37d48bf79d0d84eceb83d44e4 /src/plugins
parent15c8543449010af7ca846fbf1efef699b01792e0 (diff)
Sanity-check loading keys and certs from PEM files
Print a debug message if we're unable to locate the matching private key for a certificate when we've just loaded both of them from PEM files.
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/preauth/pkinit/pkinit_crypto_nss.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 2f93a86e08..1aa5779cd5 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -2402,6 +2402,7 @@ crypto_load_files(krb5_context context,
CERTCertificate *cert;
CERTCertList *before, *after;
CERTCertListNode *anode, *bnode;
+ SECKEYPrivateKey *key;
CK_ATTRIBUTE attrs[4];
CK_BBOOL cktrue = CK_TRUE, cktrust;
CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY, certclass = CKO_CERTIFICATE;
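Review bot: The `key` declared in this hunk is never released on the path the patch shows: in the second hunk the success branch calls `SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey);` instead of destroying `key`. As written, the handle returned by `PK11_FindPrivateKeyFromCert()` leaks on every successful load, and a DH private key that the request context still points at is destroyed, which risks a later use-after-free or double free if that field is used or freed again. The call should be `SECKEY_DestroyPrivateKey(key);`, ideally with braces on the `else` arm to match the `if` arm. The debug string also reads "no key private found", presumably meant as "no private key found". Both hunks sit inside crypto_load_files, whose body starts and ends outside the visible lines, so whether `req_cryptoctx` is in scope or used elsewhere in the function cannot be confirmed from here.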
@@ -2555,6 +2556,20 @@ crypto_load_files(krb5_context context,
if (before != NULL) {
CERT_DestroyCertList(before);
}
+ if ((keyfile != NULL) && (obj->cert != NULL)) {
+ key = PK11_FindPrivateKeyFromCert(slot, obj->cert,
+ crypto_pwcb_prep(id_cryptoctx,
+ context));
+ if (key == NULL) {
+ pkiDebug("%s: no key private found for \"%s\"(%s), "
+ "even though we just loaded that key?\n",
+ __FUNCTION__,
+ obj->cert->nickname ?
+ obj->cert->nickname : "(no name)",
+ certfile);
+ } else
+ SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey);
+ }
}
/* If we succeeded to this point, or more likely didn't do anything