author | Sumit Bose <sbose@redhat.com> | 2015-11-05 17:43:52 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-11-26 16:34:32 +0100 |
commit | d0de7701d44c7a75210a9cb04634913ce3a94bfb (patch) | |
tree | f307bc1753646b470d77b57f1e90c692757898c9 /src/p11_child | |
parent | 5484044ea7bb632b915f706685fce509f6eacc48 (diff) | |
p11: check if cert is valid before selecting it
Currently the first certificate is selected and, if it is not valid,
p11_child just returns an error. With this patch the validity is
checked first and the first valid certificate is selected.
Resolves https://fedorahosted.org/sssd/ticket/2801
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/p11_child')
-rw-r--r-- | src/p11_child/p11_child_nss.c | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 41d9fd11f..39c88d9f4 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -272,6 +272,18 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
               cert_list_node->cert->nickname,
               cert_list_node->cert->subjectName);
 
+        rv = CERT_VerifyCertificateNow(handle, cert_list_node->cert,
+                                       PR_TRUE, certificateUsageSSLClient,
+                                       NULL, NULL);
+        if (rv != SECSuccess) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Certificate [%s][%s] not valid [%d], skipping.\n",
+                  cert_list_node->cert->nickname,
+                  cert_list_node->cert->subjectName, PR_GetError());
+            continue;
+        }
+
+
         if (found_cert == NULL) {
             found_cert = cert_list_node->cert;
         } else {
@@ -291,16 +303,6 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
             goto done;
         }
 
-        rv = CERT_VerifyCertificateNow(handle, found_cert, PR_TRUE,
-                                       certificateUsageSSLClient, NULL, NULL);
-        if (rv != SECSuccess) {
-            DEBUG(SSSDBG_OP_FAILURE,
-                  "CERT_VerifyCertificateNow failed [%d].\n",
-                  PR_GetError());
-            ret = EIO;
-            goto done;
-        }
-
         if (mode == OP_AUTH) {
             rv = PK11_GenerateRandom(random_value, sizeof(random_value));
             if (rv != SECSuccess) {
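Review bot: With CERT_VerifyCertificateNow moved into the loop, a certificate that fails verification is no longer distinguishable for the caller from no certificate being present: the block removed in the second hunk returned EIO on a failed check, whereas the new `continue` leaves found_cert NULL and falls through to the existing found_cert == NULL path after the loop (outside this hunk), so a card holding only an expired or otherwise rejected certificate will presumably be reported as "no certificate found" rather than as a verification failure. Consider counting rejected certificates, e.g. `rejected++;` before `continue;`, and mentioning that count in the diagnostic on the no-certificate path so the log still shows why authentication could not proceed. A short comment above the new call would also help, e.g. `/* Skip certificates that do not verify for client authentication; the first one that does is selected. */`. do_work begins and ends outside both hunks.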