From 31e41eea6c2322689826e6065ceba82551c565aa Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 16 Jan 2013 13:20:14 -0500 Subject: Don't initialize NSS if we don't have to, clean up unused cert refs Check to see if NSS is initialized before trying to do so again. If we are temporarily creating a certificate be sure to delete it in order to remove references to it and avoid NSS shutdown issues. In the certificate load validator shut down NSS if we end up initializing it. I'm not entirely sure why but this prevents a later shutdown issue if we are passed the --ca-cert-file option. --- ipalib/x509.py | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) (limited to 'ipalib/x509.py') diff --git a/ipalib/x509.py b/ipalib/x509.py index f8a13577b..4f81fb59a 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -91,18 +91,18 @@ def load_certificate(data, datatype=PEM, dbdir=None): data = strip_header(data) data = base64.b64decode(data) - if dbdir is None: - if 'in_tree' in api.env: - if api.env.in_tree: - dbdir = api.env.dot_ipa + os.sep + 'alias' + if not nss.nss_is_initialized(): + if dbdir is None: + if 'in_tree' in api.env: + if api.env.in_tree: + dbdir = api.env.dot_ipa + os.sep + 'alias' + else: + dbdir = "/etc/httpd/alias" + nss.nss_init(dbdir) else: - dbdir = "/etc/httpd/alias" - nss.nss_init(dbdir) + nss.nss_init_nodb() else: - nss.nss_init_nodb() - else: - nss.nss_init(dbdir) - + nss.nss_init(dbdir) return nss.Certificate(buffer(data)) @@ -139,7 +139,9 @@ def get_subject(certificate, datatype=PEM, dbdir=None): """ nsscert = load_certificate(certificate, datatype, dbdir) - return nsscert.subject + subject = nsscert.subject + del(nsscert) + return subject def get_issuer(certificate, datatype=PEM, dbdir=None): """ 
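Review bot: With the new `if not nss.nss_is_initialized():` guard in `load_certificate`, a caller-supplied `dbdir` is silently ignored whenever NSS is already up. The certificate is then created in whatever context an earlier caller established, which may be the `nss_init_nodb()` one, not the database this caller asked for. Any later step that depends on that database's contents would presumably consult the wrong one, and nothing in the code signals this. The docstring lies outside the hunk, so at minimum state the contract next to the guard: `# NSS init is process-global: if it is already initialized, dbdir is ignored and the existing database stays in use.` The same sentence belongs in the docstring's description of `dbdir`.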
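Review bot: The `del(nsscert)` added in `get_subject` has no comment explaining why it is there, so a later cleanup could fold the three lines back into `return nsscert.subject` and bring the NSS shutdown problem back. The same applies to the copies in `get_issuer`, `get_serial_number` and `verify_cert_subject` in the following hunks. Put the reason next to the statement, for example `# Drop our reference explicitly so no certificate object is outstanding when NSS is shut down.` `del` is also a statement, not a function, so `del nsscert` is the idiomatic spelling. If the attribute access raises, the `del` is skipped and the traceback's frame may keep the certificate alive; a `try: ... finally: del nsscert` would cover that path if it matters for shutdown.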
@@ -147,14 +149,18 @@ def get_issuer(certificate, datatype=PEM, dbdir=None): """ nsscert = load_certificate(certificate, datatype, dbdir) - return nsscert.issuer + issuer = nsscert.issuer + del(nsscert) + return issuer def get_serial_number(certificate, datatype=PEM, dbdir=None): """ Return the decimal value of the serial number. """ nsscert = load_certificate(certificate, datatype, dbdir) - return nsscert.serial_number + serial_number = nsscert.serial_number + del(nsscert) + return serial_number def make_pem(data): """ @@ -230,6 +236,7 @@ def verify_cert_subject(ldap, hostname, dercert): nsscert = load_certificate(dercert, datatype=DER) subject = str(nsscert.subject) issuer = str(nsscert.issuer) + del(nsscert) # Handle both supported forms of issuer, from selfsign and dogtag. if (not valid_issuer(issuer)): -- cgit