Diffstat (limited to 'src')
-rw-r--r-- | src/p11_child/p11_child_nss.c | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 41d9fd11f..39c88d9f4 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -272,6 +272,18 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
 cert_list_node->cert->nickname, cert_list_node->cert->subjectName);
+ rv = CERT_VerifyCertificateNow(handle, cert_list_node->cert,
+ PR_TRUE, certificateUsageSSLClient,
+ NULL, NULL);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Certificate [%s][%s] not valid [%d], skipping.\n",
+ cert_list_node->cert->nickname,
+ cert_list_node->cert->subjectName, PR_GetError());
+ continue;
+ }
+
+
 if (found_cert == NULL) {
 found_cert = cert_list_node->cert;
 } else {
@@ -291,16 +303,6 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
 goto done;
 }
- rv = CERT_VerifyCertificateNow(handle, found_cert, PR_TRUE,
- certificateUsageSSLClient, NULL, NULL);
- if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE,
- "CERT_VerifyCertificateNow failed [%d].\n",
- PR_GetError());
- ret = EIO;
- goto done;
- }
-
 if (mode == OP_AUTH) {
 rv = PK11_GenerateRandom(random_value, sizeof(random_value));
 if (rv != SECSuccess) { |
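Review bot: Certificates that fail `CERT_VerifyCertificateNow` in the first hunk are now skipped with only a debug message, so when every certificate on the token is rejected the code after the loop sees `found_cert == NULL` and presumably reports the same result as an empty token (that handling is outside the hunk). The lines removed in the second hunk returned `EIO` for a verification failure; to keep the two cases distinguishable, consider counting rejections with something like `n_rejected++;` before the `continue;` and logging that count where the no-certificate case is handled. Whether revocation is part of this check depends on how NSS OCSP/CRL checking is configured elsewhere in `do_work`, which is not visible here, so a short comment above the call such as `/* chain and validity check only; revocation depends on NSS OCSP settings - confirm */` would help. The hunk also adds two consecutive blank lines after the closing brace; one is enough.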