authorSumit Bose <sbose@redhat.com>2016-04-12 18:14:08 +0200
committerLukas Slebodnik <lslebodn@redhat.com>2016-06-09 11:58:17 +0200
commit53ef8f81b60929a6c866efdd133627e7d7d61705 (patch)
treedec625c6cd01e15e73ace5d2e71054e95921e9f4 /src/util/cert/nss/cert.c
parentaa35995ef056aa8ae052a47c62c6750b7adf065e (diff)
p11: add OCSP default responder options
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/util/cert/nss/cert.c')
-rw-r--r--src/util/cert/nss/cert.c43
1 files changed, 40 insertions, 3 deletions
diff --git a/src/util/cert/nss/cert.c b/src/util/cert/nss/cert.c
index 9c1c965dd..7bf9a8bfc 100644
--- a/src/util/cert/nss/cert.c
+++ b/src/util/cert/nss/cert.c
@@ -238,6 +238,7 @@ errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
NSSInitParameters parameters = { 0 };
parameters.length = sizeof (parameters);
SECStatus rv;
+ SECStatus rv_verify;
if (der_blob == NULL || der_size == 0) {
return EINVAL;
@@ -266,6 +267,27 @@ errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
PR_GetError());
return EIO;
}
+
+ if (cert_verify_opts->ocsp_default_responder != NULL
+ && cert_verify_opts->ocsp_default_responder_signing_cert != NULL) {
+ rv = CERT_SetOCSPDefaultResponder(handle,
+ cert_verify_opts->ocsp_default_responder,
+ cert_verify_opts->ocsp_default_responder_signing_cert);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "CERT_SetOCSPDefaultResponder failed: [%d].\n",
+ PR_GetError());
+ return EIO;
+ }
+
+ rv = CERT_EnableOCSPDefaultResponder(handle);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "CERT_EnableOCSPDefaultResponder failed: [%d].\n",
+ PR_GetError());
+ return EIO;
+ }
+ }
}
der_item.len = der_size;
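Review bot: The default responder is enabled here, before the certificate is even decoded, while the matching CERT_DisableOCSPDefaultResponder call lives in the do_verification branch of the third hunk; every return between the two (an error path in the decode step that follows this hunk but is outside this view, or simply do_verification being false) leaves the responder enabled, which is precisely what the later comment says prevents a clean NSS shutdown. The two guards also diverge: this block keys only on `ocsp_default_responder` and `ocsp_default_responder_signing_cert`, the disable additionally on `cert_verify_opts->do_ocsp`, so unless the enclosing block (opened before this hunk) is itself gated on do_ocsp, a configuration with do_ocsp off and both responder fields set is enabled and never disabled. Moving the CERT_SetOCSPDefaultResponder/CERT_EnableOCSPDefaultResponder pair to immediately before CERT_VerifyCertificateNow in the do_verification branch, under the same guard as the disable, keeps enable and disable adjacent and closes both gaps. cert_to_ssh_key begins and ends outside this hunk.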
@@ -279,9 +301,24 @@ errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
}
if (cert_verify_opts->do_verification) {
- rv = CERT_VerifyCertificateNow(handle, cert, PR_TRUE,
- certificateUsageSSLClient, NULL, NULL);
- if (rv != SECSuccess) {
+ rv_verify = CERT_VerifyCertificateNow(handle, cert, PR_TRUE,
+ certificateUsageSSLClient,
+ NULL, NULL);
+
+ /* Disable OCSP default responder so that NSS can shutdown properly */
+ if (cert_verify_opts->do_ocsp
+ && cert_verify_opts->ocsp_default_responder != NULL
+ && cert_verify_opts->ocsp_default_responder_signing_cert
+ != NULL) {
+ rv = CERT_DisableOCSPDefaultResponder(handle);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "CERT_DisableOCSPDefaultResponder failed: [%d].\n",
+ PR_GetError());
+ }
+ }
+
+ if (rv_verify != SECSuccess) {
DEBUG(SSSDBG_CRIT_FAILURE, "CERT_VerifyCertificateNow failed [%d].\n",
PR_GetError());
ret = EACCES;
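Review bot: The PR_GetError() logged on the line after `if (rv_verify != SECSuccess)` is evaluated only after CERT_DisableOCSPDefaultResponder (and, on its failure, its own DEBUG call) have run, so the thread's error code may no longer be the one CERT_VerifyCertificateNow set and the log can name the wrong failure. Capture it together with the result, `PRErrorCode verify_err = PR_GetError();` immediately after the CERT_VerifyCertificateNow call, and log `verify_err` in that DEBUG instead of calling PR_GetError() again. cert_to_ssh_key's body continues beyond the end of this hunk.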