authorSumit Bose <sbose@redhat.com>2015-11-05 17:43:52 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-11-26 16:34:32 +0100
commitd0de7701d44c7a75210a9cb04634913ce3a94bfb (patch)
treef307bc1753646b470d77b57f1e90c692757898c9 /src/p11_child
parent5484044ea7bb632b915f706685fce509f6eacc48 (diff)
p11: check if cert is valid before selecting it
Currently the first certificate is selected and, if it is not valid, p11_child just returns an error. With this patch the validity is checked first and the first valid certificate is selected. Resolves https://fedorahosted.org/sssd/ticket/2801 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/p11_child')
-rw-r--r--src/p11_child/p11_child_nss.c22
1 files changed, 12 insertions, 10 deletions
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 41d9fd11f..39c88d9f4 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -272,6 +272,18 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
cert_list_node->cert->nickname,
cert_list_node->cert->subjectName);
+ rv = CERT_VerifyCertificateNow(handle, cert_list_node->cert,
+ PR_TRUE, certificateUsageSSLClient,
+ NULL, NULL);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Certificate [%s][%s] not valid [%d], skipping.\n",
+ cert_list_node->cert->nickname,
+ cert_list_node->cert->subjectName, PR_GetError());
+ continue;
+ }
+
+
if (found_cert == NULL) {
found_cert = cert_list_node->cert;
} else {
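Review bot: The loop does not stop once found_cert is set (the `} else {` branch at the end of the hunk is still reached for every later entry), so the added CERT_VerifyCertificateNow call now runs for every certificate on the token instead of only the selected one; with checkSig set to PR_TRUE and whatever revocation checking the NSS database is configured for, that is not free, so if the `else` branch only logs, the check could be skipped or the loop left with `break` once a valid certificate has been chosen. The old hard failure has become a debug message plus `continue`, so when every certificate fails verification found_cert stays NULL and, as far as the hunk shows, the caller presumably receives the same error as for a token with no certificate at all; consider counting the skipped certificates and reporting that count (or a distinct error) so an authentication failure caused by an expired or untrusted certificate can be told apart from a missing one. The two consecutive blank added lines before `if (found_cert == NULL)` should be collapsed to one. do_work starts and ends outside the hunk.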
@@ -291,16 +303,6 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
goto done;
}
- rv = CERT_VerifyCertificateNow(handle, found_cert, PR_TRUE,
- certificateUsageSSLClient, NULL, NULL);
- if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE,
- "CERT_VerifyCertificateNow failed [%d].\n",
- PR_GetError());
- ret = EIO;
- goto done;
- }
-
if (mode == OP_AUTH) {
rv = PK11_GenerateRandom(random_value, sizeof(random_value));
if (rv != SECSuccess) {