From 34209826900abc541c60c8b04bea29484a056b31 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Mon, 1 Nov 2010 23:07:46 -0400
Subject: [PATCH 101/150] - start using a unique slot for pkcs12 imports
---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 25 +++++++++++++++++++++--
 1 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 6054125..d752655 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -65,7 +65,7 @@
 * unless we can be sure that the list of trusted roots isn't being shared with
 * general-purpose SSL/TLS configuration, even though we're leaning on SSL/TLS
 * trust settings. */
-#define CONFIGDIR "/etc/pki/nssdb"
+#define DEFAULT_CONFIGDIR "/etc/pki/nssdb"
 #define NSS_CMSContentInfo_SetDontStream(a, b) (SECSuccess) /* FIXME once this API works */
 /* #define DEBUG_DER "/usr/lib64/nss/unsupported-tools/derdump" */
@@ -234,6 +234,7 @@ struct _pkinit_identity_crypto_context {
 SECMODModule *pem_module;
 SECMODModule **id_modules;
 PK11SlotInfo **id_userdbs;
+ PK11SlotInfo *id_p12_slot;
 PK11GenericObject **id_objects;
 CERTCertList *id_certs, *ca_certs;
 CERTCertificate *id_cert;
@@ -653,6 +654,9 @@ pkinit_fini_identity_crypto(pkinit_identity_crypto_context id_cryptoctx)
 PK11_DestroyGenericObjects(id_cryptoctx->id_objects[i]);
 }
 }
+ if (id_cryptoctx->id_p12_slot != NULL) {
+ SECMOD_CloseUserDB(id_cryptoctx->id_p12_slot);
+ }
 if (id_cryptoctx->id_userdbs != NULL) {
 for (i = 0; id_cryptoctx->id_userdbs[i] != NULL; i++) {
 SECMOD_CloseUserDB(id_cryptoctx->id_userdbs[i]);
@@ -700,7 +704,7 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *plg_cryptoctx)
 sizeof(**plg_cryptoctx));
 if (*plg_cryptoctx != NULL) {
 (*plg_cryptoctx)->pool = pool;
- (*plg_cryptoctx)->ncontext = NSS_InitContext(CONFIGDIR,
+ (*plg_cryptoctx)->ncontext = NSS_InitContext(DEFAULT_CONFIGDIR,
 NULL, NULL, NULL,
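Review bot: The new teardown in the -653 hunk closes id_p12_slot with SECMOD_CloseUserDB but never releases the slot reference, discards the SECStatus result, and leaves the stale pointer in the context. SECMOD_OpenUserDB (used at -2008 to populate this field) hands back a referenced PK11SlotInfo, and NSS's contract is that the caller still calls PK11_FreeSlot on it after SECMOD_CloseUserDB; the neighbouring id_userdbs loop has the same omission, so this may be an inherited pattern rather than an oversight, but the new slot is the place to start doing it fully. The field added at -234 also has to start out NULL, since crypto_get_p12_slot only opens the database when it is NULL; if the context is not zero-allocated, pkinit_init_identity_crypto (outside this patch) should set it explicitly. The -700 hunk is cut off at the end of this line, so its remaining lines were not reviewed.
```c
    /* … unchanged: id_objects teardown … */
    if (id_cryptoctx->id_p12_slot != NULL) {
        if (SECMOD_CloseUserDB(id_cryptoctx->id_p12_slot) != SECSuccess) {
            pkiDebug("%s: error closing PKCS12 slot\n", __FUNCTION__);
        }
        PK11_FreeSlot(id_cryptoctx->id_p12_slot);
        id_cryptoctx->id_p12_slot = NULL;
    }
    /* … unchanged: id_userdbs teardown … */
```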
@@ -2008,6 +2012,21 @@ crypto_get_pem_slot(struct _pkinit_identity_crypto_context *id)
 return slot;
 }
+static PK11SlotInfo *
+crypto_get_p12_slot(struct _pkinit_identity_crypto_context *id)
+{
+#if 0
+ return crypto_get_pem_slot(id);
+#else
+ if (id->id_p12_slot == NULL) {
+ id->id_p12_slot = SECMOD_OpenUserDB("configDir='"
+ DEFAULT_CONFIGDIR
+ "' flags=readOnly");
+ }
+ return id->id_p12_slot;
+#endif
+}
+
 static SECStatus
 crypto_load_pkcs12(krb5_context context,
 pkinit_plg_crypto_context plg_cryptoctx,
@@ -2019,7 +2038,7 @@ crypto_load_pkcs12(krb5_context context,
 SEC_PKCS12DecoderContext *ctx;
 SECItem tmp, empty;
- if ((slot = crypto_get_pem_slot(id_cryptoctx)) == NULL) {
+ if ((slot = crypto_get_p12_slot(id_cryptoctx)) == NULL) {
 pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": "
 "no slot found\n", __FUNCTION__, name);
 return SECFailure;
-- 
1.7.6.4
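Review bot: crypto_get_p12_slot in the -2008 hunk lands with an `#if 0` branch that would fall back to crypto_get_pem_slot, and a disabled alternative with no explanation reads as unfinished; either drop the `#if 0`/`#else`/`#endif` wrapper or replace it with a one-line comment saying why the PEM slot is deliberately not used for PKCS12 imports. The function also has no header comment, and nothing in the patch records why a separate read-only slot over the same database is wanted, so I would add `/* Open, once per identity context, a private read-only slot over DEFAULT_CONFIGDIR to receive PKCS12 imports; returns NULL if SECMOD_OpenUserDB fails, in which case the open is retried on the next call because id_p12_slot stays NULL. */`, extended with the actual motivation for keeping these imports out of the shared slots. Note that DEFAULT_CONFIGDIR is spliced into the string literal at compile time, so despite the rename at -65 there is still no way to direct this slot at a different database; the caller at -2019 already copes with a NULL return ("no slot found"), so making the path configurable later would not need further changes there.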