From 3b34de5c4518d0b9478b3b4041e825ec19f599d4 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Wed, 27 Oct 2010 10:59:57 -0400
Subject: [PATCH 075/150] - give up on pkcs11 and pkcs12 for CAs and CRLs

---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 55 ++++-------------------
 1 files changed, 10 insertions(+), 45 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 0c314b5..191c249 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -1697,7 +1697,6 @@ crypto_load_pkcs11(krb5_context context,
 pkinit_plg_crypto_context plg_cryptoctx,
 pkinit_req_crypto_context req_cryptoctx,
 const char *spec,
- PRBool self, PRBool mark_trusted, PRBool load_crl,
 pkinit_identity_crypto_context id_cryptoctx)
 {
 SECMODModule **id_modules, *module;
@@ -1706,8 +1705,6 @@ crypto_load_pkcs11(krb5_context context,
 CERTCertificate *cert;
 CERTCertList *certs;
 CERTCertListNode *node;
- CERTCertTrust trust;
- SECStatus status;
 char *name;
 int i, j;
 
@@ -1771,26 +1768,14 @@ crypto_load_pkcs11(krb5_context context, (node != NULL) && (node->cert != NULL) && !CERT_LIST_END(node, certs); node = CERT_LIST_NEXT(node)) { - cert = node->cert; - /* Add the cert to our candidate cert list? */ - if (self) { - cert = CERT_DupCertificate(node->cert); - CERT_AddCertToListTail(id_cryptoctx->id_certs, - cert); - pkiDebug("%s: loaded \"%s\" from " - "PKCS11 module \"%s\"\n", - __FUNCTION__, cert->subjectName, spec); - } - /* Mark the cert trusted as a CA? */ - if (mark_trusted) { - status = CERT_GetCertTrust(cert, &trust); - if (status == SECSuccess) { - /* FIXME: set trust = CA trust */ - CERT_ChangeCertTrust(certdb, cert, - &trust); - } - } + /* Add the cert to our candidate cert list. */ + cert = CERT_DupCertificate(node->cert); + CERT_AddCertToListTail(id_cryptoctx->id_certs, cert); + pkiDebug("%s: loaded \"%s\" from " + "PKCS11 module \"%s\"\n", + __FUNCTION__, cert->subjectName, spec); } + CERT_DestroyCertList(certs); } return SECSuccess; } @@ -1808,17 +1793,17 @@ crypto_load_files(krb5_context context, if (id_cryptoctx->pem_module == NULL) { if (certfile != NULL) { pkiDebug("%s: nsspem module not loaded, " - "not loading file \"%s\": %s\n", + "not loading file \"%s\"\n", __FUNCTION__, certfile); } if (keyfile != NULL) { pkiDebug("%s: nsspem module not loaded, " - "not loading file \"%s\": %s\n", + "not loading file \"%s\"\n", __FUNCTION__, keyfile); } if (crlfile != NULL) { pkiDebug("%s: nsspem module not loaded, " - "not loading file \"%s\": %s\n", + "not loading file \"%s\"\n", __FUNCTION__, crlfile); } return SECFailure; @@ -1962,7 +1947,6 @@ crypto_load_certs(krb5_context context, plg_cryptoctx, req_cryptoctx, idopts->p11_module_name, - PR_TRUE, PR_FALSE, PR_FALSE, id_cryptoctx); if (status != SECSuccess) { pkiDebug("%s: error loading module \"%s\"\n", 
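Review bot: The status returned by `CERT_AddCertToListTail(id_cryptoctx->id_certs, cert)` is ignored in the new loop body, so if the append fails the reference taken by `CERT_DupCertificate` is never released and the debug line still reports the certificate as loaded. I would check the status and drop the reference on failure, for example `if (CERT_AddCertToListTail(id_cryptoctx->id_certs, cert) != SECSuccess) { CERT_DestroyCertificate(cert); continue; }`. The added `CERT_DestroyCertList(certs)` sits after the loop's closing brace; where `certs` is obtained and whether it is NULL-checked is outside the hunk, so it is worth confirming that this call cannot be reached with `certs == NULL`. crypto_load_pkcs11 begins outside the hunk.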
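Review bot: `pkiDebug` appears to take its format string without compile-time checking, since the three calls in crypto_load_files carried a `%s` conversion with no matching argument until this change. Its declaration is not visible here, so this is an inference to confirm. If the prototype has no format attribute, adding one such as `__attribute__((format(printf, 1, 2)))` under a GCC/Clang guard would let `-Wformat` catch the next mismatch at build time. The body of crypto_load_files continues outside the hunk.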
@@ -2516,25 +2500,6 @@ crypto_load_cas_and_crls(krb5_context context,
 }
 return 0;
 break;
- case IDTYPE_PKCS11:
- status = crypto_load_pkcs11(context,
- plg_cryptoctx,
- req_cryptoctx,
- id ? id : idopts->p11_module_name,
- cert_self,
- cert_mark_trusted,
- load_crl,
- id_cryptoctx);
- if (status != SECSuccess) {
- pkiDebug("%s: error loading module \"%s\"\n",
- __FUNCTION__, idopts->p11_module_name);
- return ENOMEM;
- }
- return 0;
- break;
- case IDTYPE_PKCS12:
- return ENOSYS;
- break;
 default:
 return EINVAL;
 break;
-- 
1.7.6.4