diff options
Diffstat (limited to 'src/p11_child/p11_child_nss.c')
-rw-r--r-- | src/p11_child/p11_child_nss.c | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c index 39c88d9f4..fe092bb05 100644 --- a/src/p11_child/p11_child_nss.c +++ b/src/p11_child/p11_child_nss.c @@ -38,10 +38,12 @@ #include <keyhi.h> #include <pk11pub.h> #include <prerror.h> +#include <ocsp.h> #include "util/child_common.h" #include "providers/dp_backend.h" #include "util/crypto/sss_crypto.h" +#include "util/cert.h" enum op_mode { OP_NONE, @@ -68,7 +70,7 @@ static char *password_passthrough(PK11SlotInfo *slot, PRBool retry, void *arg) int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in, - enum op_mode mode, const char *pin, char **cert, + enum op_mode mode, const char *pin, bool do_ocsp, char **cert, char **token_name_out) { int ret; @@ -261,6 +263,14 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in, return EIO; } + if (do_ocsp) { + rv = CERT_EnableOCSPChecking(handle); + if (rv != SECSuccess) { + DEBUG(SSSDBG_OP_FAILURE, "CERT_EnableOCSPChecking failed: [%d].\n", + PR_GetError()); + return EIO; + } + } found_cert = NULL; DEBUG(SSSDBG_TRACE_ALL, "Filtered certificates:\n"); @@ -456,6 +466,8 @@ int main(int argc, const char *argv[]) char *slot_name_in = NULL; char *token_name_out = NULL; char *nss_db = NULL; + bool do_ocsp = true; + char *verify_opts = NULL; struct poptOption long_options[] = { POPT_AUTOHELP @@ -475,6 +487,8 @@ int main(int argc, const char *argv[]) {"pin", 0, POPT_ARG_NONE, NULL, 'i', _("Expect PIN on stdin"), NULL}, {"keypad", 0, POPT_ARG_NONE, NULL, 'k', _("Expect PIN on keypad"), NULL}, + {"verify", 0, POPT_ARG_STRING, &verify_opts, 0 , _("Tune validation"), + NULL}, {"nssdb", 0, POPT_ARG_STRING, &nss_db, 0, _("NSS DB to use"), NULL}, POPT_TABLEEND @@ -599,6 +613,13 @@ int main(int argc, const char *argv[]) } talloc_steal(main_ctx, debug_prg_name); + if (verify_opts != NULL) { + ret = parse_cert_verify_opts(verify_opts, &do_ocsp); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verifiy option.\n"); + goto fail; + } + } if (mode == OP_AUTH && pin_mode == PIN_STDIN) { ret = p11c_recv_data(main_ctx, STDIN_FILENO, &pin); @@ -608,7 +629,7 @@ int main(int argc, const char *argv[]) } } - ret = do_work(main_ctx, nss_db, slot_name_in, mode, pin, &cert, + ret = do_work(main_ctx, nss_db, slot_name_in, mode, pin, do_ocsp, &cert, &token_name_out); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n"); |