From eff68d32ed4b6d64b76c2538053c88606d0cd6c4 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Mon, 8 Nov 2010 19:13:06 -0500
Subject: [PATCH 108/150] - clean up slot/token and cert-by-label/cert-by-id logic
---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 67 +++++++++++++++++-------
 1 files changed, 47 insertions(+), 20 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 46ca363..9188ba0 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -1938,9 +1938,10 @@ cert_load_ca_certs_from_slot(krb5_context context,
 /* Load certificates for which we have private keys from the slot. */
 static int
 cert_load_certs_with_keys_from_slot(krb5_context context,
- pkinit_identity_crypto_context id,
+ pkinit_identity_crypto_context id_cryptoctx,
 PK11SlotInfo *slot,
- const char *label)
+ const char *label,
+ const char *id)
 {
 CERTCertificate *cert;
 CERTCertList *clist;
@@ -1949,12 +1950,12 @@ cert_load_certs_with_keys_from_slot(krb5_context context,
 int status;
 
 /* Log in if the slot requires it. */
- if (!PK11_IsLoggedIn(slot, crypto_pwcb_prep(id, context)) &&
+ if (!PK11_IsLoggedIn(slot, crypto_pwcb_prep(id_cryptoctx, context)) &&
 PK11_NeedLogin(slot)) {
 pkiDebug("%s: logging in to token \"%s\"\n",
 __FUNCTION__, PK11_GetTokenName(slot));
 if (PK11_Authenticate(slot, PR_TRUE,
- crypto_pwcb_prep(id,
+ crypto_pwcb_prep(id_cryptoctx,
 context)) != SECSuccess) {
 pkiDebug("%s: error logging into \"%s\", skipping\n",
 __FUNCTION__, PK11_GetTokenName(slot));
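Review bot: The header comment at the top of the first hunk still says only that certificates with private keys are loaded, and does not describe the new `id` parameter or the existing `label`, so the callers elsewhere in this patch that pass `NULL, NULL` have nothing to read on what the two filters mean. A short addition such as `/* label and id, when non-NULL, restrict the result to certs whose nickname matches; NULL accepts every cert that has a key. */` would cover it, assuming that is the intended meaning of the nickname comparisons introduced in the following hunk. The second hunk on this line is a pure rename of `id` to `id_cryptoctx` and needs nothing. The body of cert_load_certs_with_keys_from_slot runs past the end of both hunks.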
@@ -1983,14 +1984,27 @@ cert_load_certs_with_keys_from_slot(krb5_context context,
 (cnode->cert != NULL) &&
 !CERT_LIST_END(cnode, clist);
 cnode = CERT_LIST_NEXT(cnode)) {
- if (label != NULL) {
- if ((cnode->cert->nickname == NULL) ||
- (strcmp(label, cnode->cert->nickname) != 0)) {
- continue;
+ if (cnode->cert->nickname == NULL) {
+ if ((label == NULL) && (id == NULL)) {
+ if ((strcmp(id, cnode->cert->nickname) != 0) &&
+ (strcmp(label, cnode->cert->nickname) != 0)) {
+ continue;
+ }
+ } else
+ if (label == NULL) {
+ if (strcmp(label, cnode->cert->nickname) != 0) {
+ continue;
+ }
+ } else
+ if (id == NULL) {
+ if (strcmp(id, cnode->cert->nickname) != 0) {
+ continue;
+ }
 }
 }
 key = PK11_FindPrivateKeyFromCert(slot, cnode->cert,
- crypto_pwcb_prep(id, context));
+ crypto_pwcb_prep(id_cryptoctx,
+ context));
 if (key == NULL) {
 pkiDebug("%s: no key for \"%s\", skipping it\n",
 __FUNCTION__,
@@ -2005,7 +2019,8 @@ cert_load_certs_with_keys_from_slot(krb5_context context,
 /* DestroyCertList frees all of the certs in the list,
 * so we need to create a copy that it can own. */
 cert = CERT_DupCertificate(cnode->cert);
- if (cert_maybe_add_to_list(id->id_certs, cert) != SECSuccess) {
+ if (cert_maybe_add_to_list(id_cryptoctx->id_certs,
+ cert) != SECSuccess) {
 status = ENOMEM;
 }
 /* We don't need this reference to the key. */
@@ -2025,7 +2040,7 @@ crypto_load_pkcs11(krb5_context context,
 SECMODModule **id_modules, *module;
 PK11SlotInfo *slot;
 char *spec;
- const char *label, *slotname, *tokenname;
+ const char *label, *id, *slotname, *tokenname;
 SECStatus status;
 int i, j;
 
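Review bot: The nickname filter added inside the cert loop is inverted at every level: the outer `if (cnode->cert->nickname == NULL)` is entered only when there is no nickname, and the inner `if ((label == NULL) && (id == NULL))`, `if (label == NULL)` and `if (id == NULL)` then call strcmp on exactly the pointers just found to be NULL, so a cert without a nickname dereferences NULL and a cert with one is never filtered at all. All four tests need to be `!= NULL`, and the old behaviour shown by the removed lines, skipping a nickname-less cert whenever a filter was requested, is lost as well; the rewrite below restores both and keeps the author's "either match is accepted" rule for the case where label and id are both given. The `} else` / `if` split over two lines reads as a nested if and is better written as `else if`. The enclosing cert_load_certs_with_keys_from_slot starts and ends outside this hunk; the other two hunks on this line are a rename and a declaration and need nothing.
```c
            if (cnode->cert->nickname != NULL) {
                if ((label != NULL) && (id != NULL)) {
                    if ((strcmp(id, cnode->cert->nickname) != 0) &&
                        (strcmp(label, cnode->cert->nickname) != 0)) {
                        continue;
                    }
                } else if (label != NULL) {
                    if (strcmp(label, cnode->cert->nickname) != 0) {
                        continue;
                    }
                } else if (id != NULL) {
                    if (strcmp(id, cnode->cert->nickname) != 0) {
                        continue;
                    }
                }
            } else if ((label != NULL) || (id != NULL)) {
                /* A filter was requested but this cert has no nickname to match. */
                continue;
            }
            /* … unchanged: private-key lookup via PK11_FindPrivateKeyFromCert … */
```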
@@ -2089,20 +2104,32 @@ crypto_load_pkcs11(krb5_context context,
 (i < module->slotCount) &&
 ((slot = module->slots[i]) != NULL);
 i++) {
 if (idopts->token_label != NULL) {
+ label = idopts->token_label;
 slotname = PK11_GetSlotName(slot);
 tokenname = PK11_GetTokenName(slot);
- if (((slotname == NULL) ||
- (strcmp(label, slotname) != 0)) &&
- ((tokenname == NULL) ||
- (strcmp(label, tokenname) != 0))) {
- continue;
+ if ((slotname != NULL) && (tokenname != NULL)) {
+ if ((strcmp(label, slotname) != 0) &&
+ (strcmp(label, tokenname) != 0)) {
+ continue;
+ }
+ } else
+ if (slotname != NULL) {
+ if (strcmp(label, slotname) != 0) {
+ continue;
+ }
+ } else
+ if (tokenname != NULL) {
+ if (strcmp(label, tokenname) != 0) {
+ continue;
+ }
 }
 }
 /* Load private keys and their certs from this slot. */
 label = idopts->cert_label;
+ id = idopts->cert_id_string;
 if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx, slot,
- label) == 0) {
+ label, id) == 0) {
 status = SECSuccess;
 }
 }
@@ -2260,8 +2287,8 @@ crypto_load_pkcs12(krb5_context context,
 }
 pkiDebug("%s: imported PKCS12 bundle \"%s\"\n", __FUNCTION__, name);
 SEC_PKCS12DecoderFinish(ctx);
- if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx,
- slot, NULL) == 0) {
+ if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx, slot,
+ NULL, NULL) == 0) {
 return SECSuccess;
 } else {
 return SECFailure;
@@ -2639,7 +2666,7 @@ crypto_load_certdb(krb5_context context,
 /* Load the keys from the database. */
 return cert_load_certs_with_keys_from_slot(context, id_cryptoctx,
- userdb, NULL);
+ userdb, NULL, NULL);
 }
 
 /* Load up a certificate and associated key. */
-- 1.7.6.4
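Review bot: When `slotname` and `tokenname` are both NULL the new if/else chain in the slot loop has no branch, so the slot is no longer skipped even though `idopts->token_label` was set; the removed condition did `continue` in that case, so a slot whose names cannot be read now silently passes the token-label filter and its keys are loaded. Adding a final branch after the `tokenname != NULL` case, `} else { continue; }`, restores the old behaviour, and the `} else` / `if` pairs read more naturally as `else if` on one line. The assignment `label = idopts->token_label;` at the top of the hunk does fix the comparison against an unassigned `label` and needs nothing further. The for loop and crypto_load_pkcs11 itself begin before this hunk; the two caller hunks below only pass the extra NULL argument.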