| author | Nalin Dahyabhai <nalin@redhat.com> | 2013-01-10 15:39:15 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2013-05-10 19:04:33 -0400 |
| commit | 88fe4c49320592047ae416887f27c1d74832ddac (patch) | |
| tree | f962cb8e22351d59fcccff7b25fabf71011b4b8e /src/plugins/preauth/pkinit | |
| parent | b3efde67fc66818951d432d7e07fdc6d39b7034f (diff) | |
Traverse tokens like we do with OpenSSL for NSS
When PKINIT is built with NSS, change how it traverses tokens to match
the way it's done when built using OpenSSL: ignore slot names (we used
to treat the token label as a possible slot label, too), and either only
look at the token with the specified label, or the first token if no
token label was specified.
Diffstat (limited to 'src/plugins/preauth/pkinit')
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 29 |
1 files changed, 14 insertions, 15 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 2ef8ffdc0..f9e9b979a 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -2098,7 +2098,7 @@ crypto_load_pkcs11(krb5_context context,
 PK11SlotInfo *slot;
 char *spec;
 size_t spec_size;
- const char *label, *id, *slotname, *tokenname;
+ const char *label, *id, *tokenname;
 SECStatus status;
 int i, j;
@@ -2166,21 +2166,16 @@ crypto_load_pkcs11(krb5_context context,
 (i < module->module->slotCount) &&
 ((slot = module->module->slots[i]) != NULL);
 i++) {
+ if (idopts->slotid != PK_NOSLOT) {
+ if (idopts->slotid != PK11_GetSlotID(slot))
+ continue;
+ }
+ tokenname = PK11_GetTokenName(slot);
+ if (tokenname == NULL || strlen(tokenname) == 0)
+ continue;
 if (idopts->token_label != NULL) {
- label = idopts->token_label;
- slotname = PK11_GetSlotName(slot);
- tokenname = PK11_GetTokenName(slot);
- if ((slotname != NULL) && (tokenname != NULL)) {
- if ((strcmp(label, slotname) != 0) &&
- (strcmp(label, tokenname) != 0))
- continue;
- } else if (slotname != NULL) {
- if (strcmp(label, slotname) != 0)
- continue;
- } else if (tokenname != NULL) {
- if (strcmp(label, tokenname) != 0)
- continue;
- }
+ if (strcmp(idopts->cert_label, tokenname) != 0)
+ continue;
 }
 /* Load private keys and their certs from this slot. */
 label = idopts->cert_label;
@@ -2188,6 +2183,10 @@ crypto_load_pkcs11(krb5_context context,
 if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx, slot, label, id) == 0)
 status = SECSuccess;
+ /* If no label was specified, then we've looked at a token, so we're
+ * done. */
+ if (idopts->token_label == NULL)
+ break;
 }
 return status;
 } |
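Review bot: The new token filter in the second hunk compares the wrong field: inside `if (idopts->token_label != NULL)` it calls `strcmp(idopts->cert_label, tokenname)`, so the token name is matched against the certificate label rather than the token label the guard just tested. If a token label is configured without a cert label, this passes NULL to strcmp. If both are set, the intended token can be skipped, or a token whose name happens to equal the cert label accepted, and this loop decides which PKCS#11 token supplies the PKINIT client key. The comparison should read `if (strcmp(idopts->token_label, tokenname) != 0)`. The body of crypto_load_pkcs11 starts and continues outside this hunk, so how `status` is initialised and whether an outer module loop exists cannot be confirmed from here.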
