From 863fad56d826b72642b4ce6a409397b08e25d65c Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Fri, 29 Oct 2010 14:57:17 -0400
Subject: [PATCH 083/150] - this should add file-based creds to the candidate list for "our" cert

---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 54 ++++++++++++++++++++++-
 1 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 37e1289..8b74b64 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -1981,7 +1981,10 @@ crypto_load_files(krb5_context context,
 {
 PK11SlotInfo *slot;
 PK11GenericObject *obj;
- PRBool permanent;
+ PRBool permanent, match;
+ CERTCertificate *cert;
+ CERTCertList *before, *after;
+ CERTCertListNode *anode, *bnode;
 CK_ATTRIBUTE attrs[4];
 CK_BBOOL cktrue = CK_TRUE, cktrust;
 CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY, certclass = CKO_CERTIFICATE;
@@ -2032,6 +2035,11 @@ crypto_load_files(krb5_context context,
 }
 }
 if ((status == SECSuccess) && (certfile != NULL)) {
+ if (cert_self) {
+ before = PK11_ListCertsInSlot(slot);
+ } else {
+ before = NULL;
+ }
 n_attrs = 0;
 crypto_set_attributes(&attrs[n_attrs++], CKA_CLASS, &certclass, sizeof(certclass));
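Review bot: The result of `before = PK11_ListCertsInSlot(slot);` is never checked, and the comparison later in this function treats a NULL `before` exactly like "the slot was empty", so a failed listing silently turns every certificate already present in the slot into a candidate identity cert instead of surfacing an error. I cannot tell from this hunk whether NSS returns NULL or an empty list for an empty slot; if NULL can also mean failure, failing closed with `if (before == NULL) { status = SECFailure; }` right after the call is the safer choice for a list that decides which certificate we authenticate as. crypto_load_files begins and ends outside this hunk.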
@@ -2050,10 +2058,50 @@ crypto_load_files(krb5_context context,
 cert_mark_trusted ? "CA " : "", certfile);
 status = SECFailure;
+ } else {
+ status = SECSuccess;
+ }
+ if (cert_self) {
+ /* Add any certs which are in the slot now, but which
+ * weren't before, and for which we have keys, to the
+ * list of possible identity certs. */
+ after = PK11_ListCertsInSlot(slot);
+ if (after != NULL) {
+ for (anode = CERT_LIST_HEAD(after);
+ (anode != NULL) &&
+ (anode->cert != NULL) &&
+ !CERT_LIST_END(anode, after);
+ anode = CERT_LIST_NEXT(anode)) {
+ match = PR_FALSE;
+ if (before != NULL) {
+ for (bnode = CERT_LIST_HEAD(before);
+ (bnode != NULL) &&
+ (bnode->cert != NULL) &&
+ !CERT_LIST_END(bnode, after);
+ bnode = CERT_LIST_NEXT(bnode)) {
+ if (SECITEM_ItemsAreEqual(&anode->cert->derCert,
+ &bnode->cert->derCert)) {
+ match = PR_TRUE;
+ break;
+ }
+ }
+ }
+ if (!match) {
+ cert = CERT_DupCertificate(anode->cert);
+ if (CERT_AddCertToListTail(id_cryptoctx->id_certs, cert) != SECSuccess) {
+ status = SECFailure;
+ }
+ }
+ }
+ CERT_DestroyCertList(after);
+ }
+ }
+ if (before != NULL) {
+ CERT_DestroyCertList(before);
 }
 }
 PK11_FreeSlot(slot);
- return SECSuccess;
+ return status;
 }

 static SECStatus
@@ -2103,7 +2151,7 @@ crypto_load_dir(krb5_context context,
 continue;
 }
 sprintf(certcrl, "%s/%s", dirname, ent->d_name);
- if (load_crl) {
+ if (load_crl || !cert_self) {
 /* No key. */
 key = NULL;
 } else {
-- 
1.7.6.4
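Review bot: The inner loop walks `before` but tests its end against the wrong list, `!CERT_LIST_END(bnode, after)`; `CERT_LIST_END` compares the node against the given list's header, so the walk over `before` never stops at its own sentinel and instead reads the header as a `CERTCertListNode` (in NSS's layout the word after the `PRCList` is the arena pointer, so the `bnode->cert != NULL` guard does not catch it) and dereferences it in `SECITEM_ItemsAreEqual`. The one-line fix is `!CERT_LIST_END(bnode, before);`, and since both loops read `->cert` before the end test, putting the `CERT_LIST_END` check first in each condition avoids reading the header at all. Separately, `cert = CERT_DupCertificate(anode->cert);` is not NULL-checked and the duplicated reference is leaked when `CERT_AddCertToListTail` fails, so `CERT_DestroyCertificate(cert);` belongs in that failure branch. The new comment says certs are added only "for which we have keys", but nothing in this hunk checks for a key, so either the comment should be cut to `/* Add any certs which are in the slot now, but which weren't before, to the list of possible identity certs. */` or the key check should be added. crypto_load_files begins before this hunk.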