author | Sumit Bose <sbose@redhat.com> | 2016-04-12 18:14:08 +0200 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2016-06-09 11:58:17 +0200 |
commit | 53ef8f81b60929a6c866efdd133627e7d7d61705 (patch) | |
tree | dec625c6cd01e15e73ace5d2e71054e95921e9f4 /src/util/cert | |
parent | aa35995ef056aa8ae052a47c62c6750b7adf065e (diff) | |
p11: add OCSP default responder options
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/util/cert')
-rw-r--r-- | src/util/cert/nss/cert.c | 43 |
1 files changed, 40 insertions, 3 deletions
diff --git a/src/util/cert/nss/cert.c b/src/util/cert/nss/cert.c
index 9c1c965dd..7bf9a8bfc 100644
--- a/src/util/cert/nss/cert.c
+++ b/src/util/cert/nss/cert.c
@@ -238,6 +238,7 @@ errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
 NSSInitParameters parameters = { 0 };
 parameters.length = sizeof (parameters);
 SECStatus rv;
+ SECStatus rv_verify;
 if (der_blob == NULL || der_size == 0) {
 return EINVAL;
@@ -266,6 +267,27 @@ errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
 PR_GetError());
 return EIO;
 }
+
+ if (cert_verify_opts->ocsp_default_responder != NULL
+ && cert_verify_opts->ocsp_default_responder_signing_cert != NULL) {
+ rv = CERT_SetOCSPDefaultResponder(handle,
+ cert_verify_opts->ocsp_default_responder,
+ cert_verify_opts->ocsp_default_responder_signing_cert);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "CERT_SetOCSPDefaultResponder failed: [%d].\n",
+ PR_GetError());
+ return EIO;
+ }
+
+ rv = CERT_EnableOCSPDefaultResponder(handle);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "CERT_EnableOCSPDefaultResponder failed: [%d].\n",
+ PR_GetError());
+ return EIO;
+ }
+ }
 }
 der_item.len = der_size;
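Review bot: The default responder is set and enabled in the second hunk whenever both `ocsp_default_responder` options are non-NULL, but the matching CERT_DisableOCSPDefaultResponder call in the following hunk is additionally gated on `cert_verify_opts->do_ocsp`, so with do_ocsp off and a responder configured the responder is enabled and never disabled, which is the NSS shutdown problem that hunk's own comment describes. Use the same condition on the enable side: `if (cert_verify_opts->do_ocsp && cert_verify_opts->ocsp_default_responder != NULL && cert_verify_opts->ocsp_default_responder_signing_cert != NULL) {`. The two added `return EIO` exits appear to follow the surrounding pattern of returning without tearing down the NSS context (the context line just above does the same), so that is presumably pre-existing, but the Enable failure path does leave the responder set. cert_to_ssh_key starts before this hunk and continues past it.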
@@ -279,9 +301,24 @@ errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
 }
 if (cert_verify_opts->do_verification) {
- rv = CERT_VerifyCertificateNow(handle, cert, PR_TRUE,
- certificateUsageSSLClient, NULL, NULL);
- if (rv != SECSuccess) {
+ rv_verify = CERT_VerifyCertificateNow(handle, cert, PR_TRUE,
+ certificateUsageSSLClient,
+ NULL, NULL);
+
+ /* Disable OCSP default responder so that NSS can shutdown properly */
+ if (cert_verify_opts->do_ocsp
+ && cert_verify_opts->ocsp_default_responder != NULL
+ && cert_verify_opts->ocsp_default_responder_signing_cert
+ != NULL) {
+ rv = CERT_DisableOCSPDefaultResponder(handle);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "CERT_DisableOCSPDefaultResponder failed: [%d].\n",
+ PR_GetError());
+ }
+ }
+
+ if (rv_verify != SECSuccess) {
 DEBUG(SSSDBG_CRIT_FAILURE,
 "CERT_VerifyCertificateNow failed [%d].\n",
 PR_GetError());
 ret = EACCES;
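Review bot: The error code logged for a rejected certificate is now read only after CERT_DisableOCSPDefaultResponder has run in between, so the `PR_GetError()` in the `rv_verify != SECSuccess` branch may report whatever that call left in the thread's error slot rather than the verification failure, which makes the CRIT_FAILURE diagnostic misleading exactly when a certificate is refused. Capture the code immediately after the verify call, `PRErrorCode verify_err = PR_GetError();` (declared next to rv_verify), and pass `verify_err` to the CERT_VerifyCertificateNow DEBUG instead of calling PR_GetError() again. The closing braces of this block and the rest of cert_to_ssh_key lie outside the hunk.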