From bc6b8b701995479e49604a03ec40aa766ef41424 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Wed, 20 Oct 2010 16:08:43 -0400
Subject: [PATCH 058/150] - pass in the password callback when decoding CMS messages

---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 22 ++++++++++++++--------
 1 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 471f1a2..bb5c6e8 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -1760,10 +1760,9 @@ crypto_cert_iteration_next(krb5_context context,
                            pkinit_cert_handle *cert_handle)
 {
     PLArenaPool *pool;
-    CERTCertListNode *node;
-    node = iter_handle->node;
     /* Check if we're at the last node. */
-    if (CERT_LIST_END(node, iter_handle->id_cryptoctx->id_certs)) {
+    if (CERT_LIST_END(iter_handle->node,
+                      iter_handle->id_cryptoctx->id_certs)) {
         /* No more entries. */
         *cert_handle = NULL;
         return PKINIT_ITER_NO_MORE;
@@ -1782,7 +1781,7 @@ crypto_cert_iteration_next(krb5_context context,
     /* Return a copy of the certificate in this node, and then move on to
      * the next one. */
     (*cert_handle)->id_cryptoctx = iter_handle->id_cryptoctx;
-    (*cert_handle)->cert = CERT_DupCertificate(node->cert);
+    (*cert_handle)->cert = CERT_DupCertificate(iter_handle->node->cert);
     iter_handle->node = CERT_LIST_NEXT(iter_handle->node);
     return 0;
 }
@@ -3039,7 +3038,7 @@ crypto_signeddata_common_create(krb5_context context,
     if (signer == NULL) {
         return ENOMEM;
     }
-    if (NSS_CMSSignerInfo_IncludeCerts(signer, NSSCMSCM_CertChainWithRoot,
+    if (NSS_CMSSignerInfo_IncludeCerts(signer, NSSCMSCM_CertOnly,
                                        certUsageAnyCA) != SECSuccess) {
         pkiDebug("%s: error setting IncludeCerts\n", __FUNCTION__);
         return ENOMEM;
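Review bot: The switch from `NSSCMSCM_CertChainWithRoot` to `NSSCMSCM_CertOnly` in the IncludeCerts call changes what the peer receives in the SignedData (only the signer's certificate rather than its chain up to and including the root), and neither the hunk nor the commit subject, which speaks only of the password callback, records why. With the intermediates gone the receiving side can only validate the signature if it can build the chain from certificates it already holds, so if that is the intended deployment model it should be stated at the call site, e.g. `/* Send only the signer cert; the peer is expected to build the chain from its own trust store, and the root is never shipped. */`, so a later reader does not treat the smaller set as a regression and revert it. crypto_signeddata_common_create starts before this hunk and continues after it.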
@@ -3272,7 +3271,9 @@ crypto_signeddata_common_verify(krb5_context context,
     sdata = NSS_CMSContentInfo_GetContent(cinfo);
     if ((sdata == NULL) ||
         (NSS_CMSSignedData_SignerInfoCount(sdata) != 1)) {
-        pkiDebug("%s: wrong number of signers\n", __FUNCTION__);
+        pkiDebug("%s: wrong number of signers (%d, not 1)\n",
+                 __FUNCTION__,
+                 sdata ? NSS_CMSSignedData_SignerInfoCount(sdata) : -1);
         return ENOENT;
     }
     if (NSS_CMSSignedData_ImportCerts(sdata, certdb,
@@ -3370,11 +3371,14 @@ cms_envelopeddata_verify(krb5_context context,
     certdb = CERT_GetDefaultCertDB();
 
     /* Decode the message. */
+    derdump(envel_data, envel_data_len);
     encoded.data = envel_data;
     encoded.len = envel_data_len;
 
     msg = NSS_CMSMessage_CreateFromDER(&encoded, NULL, NULL,
-                                       NULL, NULL,
+                                       crypto_pwcb,
+                                       crypto_pwcb_prep(id_cryptoctx,
+                                                        context),
                                        NULL, NULL);
     if (msg == NULL) {
         return ENOMEM;
@@ -3625,7 +3629,9 @@ cms_signeddata_verify(krb5_context context,
     encoded.len = signed_data_len;
 
     msg = NSS_CMSMessage_CreateFromDER(&encoded, NULL, NULL,
-                                       NULL, NULL,
+                                       crypto_pwcb,
+                                       crypto_pwcb_prep(id_cryptoctx,
+                                                        context),
                                        NULL, NULL);
     if (msg == NULL) {
         return ENOMEM;
-- 
1.7.6.4
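Review bot: The unconditional `derdump(envel_data, envel_data_len);` added ahead of the decode in cms_envelopeddata_verify dumps the entire peer-supplied EnvelopedData on every call, in production builds as well as debug ones, unless derdump itself is compiled to nothing — its definition is not in this hunk, so that needs confirming. Every other diagnostic in these hunks goes through pkiDebug, and an always-on dump of an untrusted, attacker-sized blob to whatever stream derdump writes is both a log-flooding cost on each request and a leak of the ciphertext into logs, so it should be guarded the same way, e.g. `#ifdef DEBUG_DER` / `derdump(envel_data, envel_data_len);` / `#endif`, or dropped before merge. Separately, the value of `crypto_pwcb_prep(id_cryptoctx, context)` is handed straight to NSS_CMSMessage_CreateFromDER without being checked; if that helper can fail and return NULL, the callback would later run with no argument, which is worth a one-line check or a comment stating it cannot fail. cms_envelopeddata_verify begins before this hunk and continues after it.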