From fb7e78e3efa527fed082f91d934e2f0d5fbf0ec3 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 26 Oct 2010 00:43:00 -0400
Subject: [PATCH 068/150] - clean up header inclusion - start on loading user-specified pkcs11 modules
---
src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 94 ++++++++++++++++++++----
1 files changed, 80 insertions(+), 14 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index fa4e1be..e09fc86 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -31,12 +31,6 @@
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-/* Avoid including our local copy of "pkcs11.h" from one of the local headers,
- * since the definitions we want to use are going to be the ones that NSS
- * provides. */
-
-#define PKCS11_H
-
 #include
 #include
@@ -56,6 +50,11 @@
 #include
 #include
+/* Avoid including our local copy of "pkcs11.h" from one of the local headers,
+ * since the definitions we want to use are going to be the ones that NSS
+ * provides. */
+
+#define PKCS11_H
 #include "k5-int-pkinit.h"
 #include "pkinit.h"
 #include "pkinit_crypto.h"
@@ -1699,14 +1698,18 @@ crypto_load_certs(krb5_context context,
 pkinit_identity_crypto_context id_cryptoctx,
 krb5_principal princ)
 {
- SECMODModule **id_modules;
+ SECMODModule *module, **id_modules;
+ CERTCertDBHandle *certdb;
 int i, j;
- return 0; /* FIXME */
+
+ certdb = CERT_GetDefaultCertDB();
 switch (idopts->idtype) {
 case IDTYPE_FILE:
+ return 0; /* FIXME */
 return ENOSYS;
 break;
 case IDTYPE_DIR:
+ return 0; /* FIXME */
 return ENOSYS;
 break;
 case IDTYPE_PKCS11:
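Review bot: The `return 0; /* FIXME */` lines added under `case IDTYPE_FILE:` and `case IDTYPE_DIR:` leave the existing `return ENOSYS;` and `break;` unreachable, so a reader cannot tell which status is intended and compilers will flag dead code; keep a single return per case, e.g. `return 0; /* FIXME: file/dir identities not implemented yet */`, and drop the stale `return ENOSYS;`. Removing the unconditional `return 0;` also makes the `IDTYPE_PKCS11` branch reachable for the first time, so the unchecked results on that path (see the next hunk) now matter in practice. `certdb` is assigned from `CERT_GetDefaultCertDB()` but is not read anywhere in the visible hunks of this function; if the rest of the body does not use it either, it is an unused variable. crypto_load_certs's body continues past the end of this hunk.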
@@ -1722,12 +1725,16 @@ crypto_load_certs(krb5_context context,
 for (j = 0; j < i; j++) {
 id_modules[j] = id_cryptoctx->id_modules[i];
 }
- id_modules[j++] = SECMOD_CreateModule(idopts->p11_module_name,
- idopts->p11_module_name,
- NULL,
- NULL);
+ module = SECMOD_CreateModule(idopts->p11_module_name,
+ idopts->p11_module_name,
+ NULL,
+ NULL);
+ id_modules[j++] = module;
 id_modules[j] = NULL;
 id_cryptoctx->id_modules = id_modules;
+ /* FIXME add certs and private keys from the module's slots to
+ * the lists we keep in the identity context */
+ return 0;
 break;
 case IDTYPE_PKCS12:
 return ENOSYS;
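Review bot: `module` is stored into `id_modules[j++]` without checking that `SECMOD_CreateModule()` returned non-NULL, so a bad or unloadable `p11_module_name` silently installs a NULL entry that also terminates the module list early; add `if (module == NULL) return ENOMEM;` (or whichever errno-style code the caller expects) before the store. The context line `id_modules[j] = id_cryptoctx->id_modules[i];` copies entry `i` — the terminating NULL — into every slot instead of entry `j`, so previously loaded modules are dropped whenever a second module is added; the same loop is added verbatim in crypto_load_cas_and_crls in the next hunk, and both should read `id_modules[j] = id_cryptoctx->id_modules[j];`. As far as I recall `SECMOD_CreateModule()` only builds the module structure and the library is not loaded until something like `SECMOD_LoadUserModule()` is called, which fits the FIXME that follows but is worth stating in that comment so the next step is unambiguous. crypto_load_certs's signature and the `PORT_ArenaZAlloc` call that sizes `id_modules` are outside this hunk.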
@@ -2212,16 +2219,75 @@ crypto_load_cas_and_crls(krb5_context context,
 pkinit_identity_crypto_context id_cryptoctx,
 int idtype, int catype, char *id)
 {
- return 0; /* FIXME */
+ SECMODModule *module, **id_modules;
+ PK11SlotInfo *slot;
+ CERTCertDBHandle *certdb;
+ CERTCertificate *cert;
+ CERTCertList *certs;
+ CERTCertListNode *node;
+ CERTCertTrust trust;
+ SECStatus status;
+ int i, j;
+
+ certdb = CERT_GetDefaultCertDB();
 switch (idtype) {
 case IDTYPE_FILE:
+ return 0; /* FIXME */
 return ENOSYS;
 break;
 case IDTYPE_DIR:
+ return 0; /* FIXME */
 return ENOSYS;
 break;
 case IDTYPE_PKCS11:
- return ENOSYS;
+ if (id_cryptoctx->id_modules != NULL) {
+ for (i = 0; id_cryptoctx->id_modules[i] != NULL; i++) {
+ continue;
+ }
+ } else {
+ i = 0;
+ }
+ id_modules = PORT_ArenaZAlloc(id_cryptoctx->pool,
+ sizeof(id_modules[0]) * (i + 2));
+ for (j = 0; j < i; j++) {
+ id_modules[j] = id_cryptoctx->id_modules[i];
+ }
+ module = SECMOD_CreateModule(idopts->p11_module_name,
+ idopts->p11_module_name,
+ NULL,
+ NULL);
+ switch (catype) {
+ case CATYPE_ANCHORS:
+ for (i = 0,
+ slot = SECMOD_LookupSlot(module->moduleID, i);
+ slot != NULL;
+ i++,
+ slot = SECMOD_LookupSlot(module->moduleID, i)) {
+ certs = PK11_ListCertsInSlot(slot);
+ for (node = CERT_LIST_HEAD(certs);
+ (node != NULL) &&
+ (node->cert != NULL) &&
+ !CERT_LIST_END(node, certs);
+ node = CERT_LIST_NEXT(node)) {
+ cert = node->cert;
+ status = CERT_GetCertTrust(cert,
+ &trust);
+ if (status == SECSuccess) {
+ /* FIXME: set trust = CA trust */
+ CERT_ChangeCertTrust(certdb,
+ cert,
+ &trust);
+ }
+ }
+ }
+ break;
+ default:
+ break;
+ }
+ id_modules[j++] = module;
+ id_modules[j] = NULL;
+ id_cryptoctx->id_modules = id_modules;
+ return 0;
 break;
 case IDTYPE_PKCS12:
 return ENOSYS;
--
1.7.6.4
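Review bot: The inner loop under `case CATYPE_ANCHORS:` tests `node->cert != NULL` before `!CERT_LIST_END(node, certs)`, so on the final iteration it reads `cert` through the list sentinel (which is not a `CERTCertListNode`), and if `PK11_ListCertsInSlot()` returns NULL the `CERT_LIST_HEAD(certs)` initializer dereferences NULL; test for end-of-list first and skip a NULL list. Neither `certs` (`CERT_DestroyCertList`) nor the slot reference returned by `SECMOD_LookupSlot()` (`PK11_FreeSlot`, if I read NSS's ownership convention right) is released, so every anchor load leaks one list and one slot per slot visited. `module->moduleID` and `id_modules[j++]` are dereferenced without checking the `SECMOD_CreateModule()` and `PORT_ArenaZAlloc()` results, and `CERT_ChangeCertTrust()`'s status is discarded while the trust written back is still the unchanged value obtained from `CERT_GetCertTrust()` (per the FIXME), so this path currently has no effect on the trust database but does create work and leaks. I am also not certain that `SECMOD_LookupSlot(moduleID, i)` with `i` counting from 0 takes an index into the module's slots rather than a token-assigned slot ID, which is worth confirming against the NSS header before the enumeration is relied on.
```c
            module = SECMOD_CreateModule(idopts->p11_module_name,
                                         idopts->p11_module_name,
                                         NULL,
                                         NULL);
            if (id_modules == NULL || module == NULL)
                return ENOMEM;
            /* … unchanged: switch (catype) / slot loop header … */
                    certs = PK11_ListCertsInSlot(slot);
                    if (certs != NULL) {
                        for (node = CERT_LIST_HEAD(certs);
                             !CERT_LIST_END(node, certs);
                             node = CERT_LIST_NEXT(node)) {
                            cert = node->cert;
                            if (cert == NULL)
                                continue;
                            /* … unchanged: CERT_GetCertTrust / CERT_ChangeCertTrust … */
                        }
                        CERT_DestroyCertList(certs);
                    }
                    PK11_FreeSlot(slot);
```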