1017 lines
34 KiB
Diff
1017 lines
34 KiB
Diff
|
From 3da0e186904ad81dd87cf74bfae88270f14bb770 Mon Sep 17 00:00:00 2001
|
||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||
|
Date: Tue, 21 Aug 2018 17:25:21 -0400
|
||
|
Subject: [PATCH 1/7] Use the correct slot when saving certificates in NSS
|
||
|
|
||
|
Certificates were always stored in the NSS certdb.
|
||
|
---
|
||
|
src/certsave-n.c | 915 ++++++++++++++++++++++++++++---------------------------
|
||
|
1 file changed, 474 insertions(+), 441 deletions(-)
|
||
|
|
||
|
diff --git a/src/certsave-n.c b/src/certsave-n.c
|
||
|
index 8e15a18a..af176ce5 100644
|
||
|
--- a/src/certsave-n.c
|
||
|
+++ b/src/certsave-n.c
|
||
|
@@ -92,7 +92,11 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||
|
SECStatus error;
|
||
|
SECItem *item, subject;
|
||
|
char *p, *q, *pin;
|
||
|
+ const char *token;
|
||
|
const char *es;
|
||
|
+ PK11SlotList *slotlist;
|
||
|
+ PK11SlotListElement *sle;
|
||
|
+ CK_MECHANISM_TYPE mech;
|
||
|
NSSInitContext *ctx;
|
||
|
CERTCertDBHandle *certdb;
|
||
|
CERTCertList *certlist;
|
||
|
@@ -192,231 +196,253 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||
|
}
|
||
|
_exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
|
||
|
}
|
||
|
- /* Be ready to count our uses of a PIN. */
|
||
|
- memset(&cb_data, 0, sizeof(cb_data));
|
||
|
- cb_data.entry = entry;
|
||
|
- cb_data.n_attempts = 0;
|
||
|
- pin = NULL;
|
||
|
- if (cm_pin_read_for_key(entry, &pin) != 0) {
|
||
|
- cm_log(1, "Error reading PIN for key store, "
|
||
|
- "failing to save certificate.\n");
|
||
|
+ /* Find the tokens that we might use for cert storage. */
|
||
|
+ mech = CKM_RSA_X_509;
|
||
|
+ slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);
|
||
|
+ if (slotlist == NULL) {
|
||
|
+ cm_log(1, "Error getting list of tokens.\n");
|
||
|
PORT_FreeArena(arena, PR_TRUE);
|
||
|
- error = NSS_ShutdownContext(ctx);
|
||
|
- if (error != SECSuccess) {
|
||
|
+ if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||
|
cm_log(1, "Error shutting down NSS.\n");
|
||
|
}
|
||
|
- _exit(CM_CERTSAVE_STATUS_AUTH);
|
||
|
+ _exit(2);
|
||
|
}
|
||
|
- /* Set a PIN if we're supposed to be using one and aren't using
|
||
|
- * one yet in this database. */
|
||
|
- if (PK11_NeedUserInit(PK11_GetInternalKeySlot())) {
|
||
|
- PK11_InitPin(PK11_GetInternalKeySlot(), NULL,
|
||
|
- pin ? pin : "");
|
||
|
- ec = PORT_GetError();
|
||
|
- if (ec != 0) {
|
||
|
- es = PR_ErrorToName(ec);
|
||
|
+ /* Walk the list looking for the requested slot, or the first one if
|
||
|
+ * none was requested. */
|
||
|
+ if (cm_pin_read_for_cert(entry, &pin) != 0) {
|
||
|
+ cm_log(1, "Error reading PIN for cert db.\n");
|
||
|
+ _exit(CM_SUB_STATUS_ERROR_AUTH);
|
||
|
+ }
|
||
|
+ PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
|
||
|
+ for (sle = slotlist->head;
|
||
|
+ ((sle != NULL) && (sle->slot != NULL));
|
||
|
+ sle = sle->next)
|
||
|
+ {
|
||
|
+ /* Log the slot's name. */
|
||
|
+ token = PK11_GetTokenName(sle->slot);
|
||
|
+ if (token != NULL) {
|
||
|
+ cm_log(3, "Found token '%s'.\n", token);
|
||
|
} else {
|
||
|
- es = NULL;
|
||
|
+ cm_log(3, "Found unnamed token.\n");
|
||
|
}
|
||
|
- if (PK11_NeedUserInit(PK11_GetInternalKeySlot())) {
|
||
|
- if (es != NULL) {
|
||
|
- cm_log(1, "Key storage slot still "
|
||
|
- "needs user PIN to be set: "
|
||
|
- "%s.\n", es);
|
||
|
- } else {
|
||
|
- cm_log(1, "Key storage slot still "
|
||
|
- "needs user PIN to be set.\n");
|
||
|
- }
|
||
|
+ /* If we're looking for a specific slot, and this isn't it,
|
||
|
+ * keep going. */
|
||
|
+ if ((entry->cm_cert_token != NULL) &&
|
||
|
+ ((token == NULL) ||
|
||
|
+ (strcmp(entry->cm_cert_token, token) != 0))) {
|
||
|
+ if (token != NULL) {
|
||
|
+ cm_log(1,
|
||
|
+ "Token is named \"%s\", not \"%s\", "
|
||
|
+ "skipping.\n",
|
||
|
+ token, entry->cm_cert_token);
|
||
|
+ } else {
|
||
|
+ cm_log(1,
|
||
|
+ "Token is unnamed, not \"%s\", "
|
||
|
+ "skipping.\n",
|
||
|
+ entry->cm_cert_token);
|
||
|
+ }
|
||
|
+ goto next_slot;
|
||
|
+ }
|
||
|
+ /* Be ready to count our uses of a PIN. */
|
||
|
+ memset(&cb_data, 0, sizeof(cb_data));
|
||
|
+ cb_data.entry = entry;
|
||
|
+ cb_data.n_attempts = 0;
|
||
|
+ pin = NULL;
|
||
|
+ if (cm_pin_read_for_key(entry, &pin) != 0) {
|
||
|
+ cm_log(1, "Error reading PIN for key store, "
|
||
|
+ "failing to save certificate.\n");
|
||
|
PORT_FreeArena(arena, PR_TRUE);
|
||
|
error = NSS_ShutdownContext(ctx);
|
||
|
if (error != SECSuccess) {
|
||
|
cm_log(1, "Error shutting down NSS.\n");
|
||
|
}
|
||
|
- switch (ec) {
|
||
|
- case PR_NO_ACCESS_RIGHTS_ERROR: /* EACCES or EPERM */
|
||
|
- _exit(CM_CERTSAVE_STATUS_PERMS);
|
||
|
- break;
|
||
|
- default:
|
||
|
- _exit(CM_CERTSAVE_STATUS_AUTH);
|
||
|
- break;
|
||
|
- }
|
||
|
+ _exit(CM_CERTSAVE_STATUS_AUTH);
|
||
|
}
|
||
|
- /* We're authenticated now, so count this as a use of
|
||
|
- * the PIN. */
|
||
|
- if ((pin != NULL) && (strlen(pin) > 0)) {
|
||
|
- cb_data.n_attempts++;
|
||
|
- }
|
||
|
- }
|
||
|
- /* Log in, if case we need to muck around with the key
|
||
|
- * database. */
|
||
|
- PK11_SetPasswordFunc(&cm_pin_read_for_key_nss_cb);
|
||
|
- error = PK11_Authenticate(PK11_GetInternalKeySlot(), PR_TRUE,
|
||
|
- &cb_data);
|
||
|
- ec = PORT_GetError();
|
||
|
- if (error != SECSuccess) {
|
||
|
- if (ec != 0) {
|
||
|
+ if (PK11_NeedUserInit(sle->slot)) {
|
||
|
+ PK11_InitPin(sle->slot, NULL, pin ? pin : "");
|
||
|
+ ec = PORT_GetError();
|
||
|
es = PR_ErrorToName(ec);
|
||
|
- } else {
|
||
|
- es = NULL;
|
||
|
- }
|
||
|
- if (es != NULL) {
|
||
|
- cm_log(1, "Error authenticating to key store: %s.\n",
|
||
|
- es);
|
||
|
- } else {
|
||
|
- cm_log(1, "Error authenticating to key store.\n");
|
||
|
- }
|
||
|
- PORT_FreeArena(arena, PR_TRUE);
|
||
|
- error = NSS_ShutdownContext(ctx);
|
||
|
- if (error != SECSuccess) {
|
||
|
- cm_log(1, "Error shutting down NSS.\n");
|
||
|
- }
|
||
|
- _exit(CM_CERTSAVE_STATUS_AUTH);
|
||
|
- }
|
||
|
- if ((pin != NULL) &&
|
||
|
- (strlen(pin) > 0) &&
|
||
|
- (cb_data.n_attempts == 0)) {
|
||
|
- cm_log(1, "PIN was not needed to auth to key "
|
||
|
- "store, though one was provided. "
|
||
|
- "Treating this as an error.\n");
|
||
|
- PORT_FreeArena(arena, PR_TRUE);
|
||
|
- error = NSS_ShutdownContext(ctx);
|
||
|
- if (error != SECSuccess) {
|
||
|
- cm_log(1, "Error shutting down NSS.\n");
|
||
|
- }
|
||
|
- _exit(CM_CERTSAVE_STATUS_AUTH);
|
||
|
- }
|
||
|
- certdb = CERT_GetDefaultCertDB();
|
||
|
- if (certdb != NULL) {
|
||
|
- /* Strip the header and footer. */
|
||
|
- p = entry->cm_cert;
|
||
|
- q = NULL;
|
||
|
- if (p != NULL) {
|
||
|
- while (strncmp(p, "-----BEGIN ", 11) == 0) {
|
||
|
- p += strcspn(p, "\r\n");
|
||
|
- p += strspn(p, "\r\n");
|
||
|
+ if (PK11_NeedUserInit(sle->slot)) {
|
||
|
+ if (es != NULL) {
|
||
|
+ cm_log(1, "Key storage slot still "
|
||
|
+ "needs user PIN to be set: "
|
||
|
+ "%s.\n", es);
|
||
|
+ } else {
|
||
|
+ cm_log(1, "Key storage slot still "
|
||
|
+ "needs user PIN to be set.\n");
|
||
|
+ }
|
||
|
+ PORT_FreeArena(arena, PR_TRUE);
|
||
|
+ error = NSS_ShutdownContext(ctx);
|
||
|
+ if (error != SECSuccess) {
|
||
|
+ cm_log(1, "Error shutting down NSS.\n");
|
||
|
+ }
|
||
|
+ switch (ec) {
|
||
|
+ case PR_NO_ACCESS_RIGHTS_ERROR: /* EACCES or EPERM */
|
||
|
+ _exit(CM_CERTSAVE_STATUS_PERMS);
|
||
|
+ break;
|
||
|
+ default:
|
||
|
+ _exit(CM_CERTSAVE_STATUS_AUTH);
|
||
|
+ break;
|
||
|
+ }
|
||
|
}
|
||
|
- q = strstr(p, "-----END");
|
||
|
+ /* count this as use of the PIN */
|
||
|
+ cb_data.n_attempts++;
|
||
|
}
|
||
|
- if ((q == NULL) || (*p == '\0')) {
|
||
|
- cm_log(1, "Unable to parse certificate.\n");
|
||
|
- PORT_FreeArena(arena, PR_TRUE);
|
||
|
- if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||
|
- cm_log(1, "Error shutting down NSS.\n");
|
||
|
+ if (PK11_NeedLogin(sle->slot)) {
|
||
|
+ error = PK11_Authenticate(sle->slot, PR_TRUE, &cb_data);
|
||
|
+ if (error != SECSuccess) {
|
||
|
+ cm_log(1, "Error authenticating to cert db for token "
|
||
|
+ "%s.\n", token);
|
||
|
+ goto next_slot;
|
||
|
}
|
||
|
- _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
|
||
|
+ cb_data.n_attempts++;
|
||
|
}
|
||
|
- /* Handle the base64 decode. */
|
||
|
- item = NSSBase64_DecodeBuffer(arena, NULL, p, q - p);
|
||
|
- if (item == NULL) {
|
||
|
- cm_log(1, "Unable to decode certificate "
|
||
|
- "into buffer.\n");
|
||
|
+ if ((pin != NULL) &&
|
||
|
+ (strlen(pin) > 0) &&
|
||
|
+ (cb_data.n_attempts == 0)) {
|
||
|
+ cm_log(1, "PIN was not needed to auth to key "
|
||
|
+ "store, though one was provided. "
|
||
|
+ "Treating this as an error.\n");
|
||
|
PORT_FreeArena(arena, PR_TRUE);
|
||
|
- if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||
|
+ error = NSS_ShutdownContext(ctx);
|
||
|
+ if (error != SECSuccess) {
|
||
|
cm_log(1, "Error shutting down NSS.\n");
|
||
|
}
|
||
|
- _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
|
||
|
+ _exit(CM_CERTSAVE_STATUS_AUTH);
|
||
|
}
|
||
|
- /* Do a "shallow" decode to pull out the subject name
|
||
|
- * so that we can check for a conflict. */
|
||
|
- memset(&csdata, 0, sizeof(csdata));
|
||
|
- if (SEC_ASN1DecodeItem(arena, &csdata,
|
||
|
- CERT_SignedDataTemplate,
|
||
|
- item) != SECSuccess) {
|
||
|
- cm_log(1, "Unable to decode certificate "
|
||
|
- "signed data into buffer.\n");
|
||
|
- PORT_FreeArena(arena, PR_TRUE);
|
||
|
- if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||
|
- cm_log(1, "Error shutting down NSS.\n");
|
||
|
+ certdb = CERT_GetDefaultCertDB();
|
||
|
+ if (certdb != NULL) {
|
||
|
+ /* Strip the header and footer. */
|
||
|
+ p = entry->cm_cert;
|
||
|
+ q = NULL;
|
||
|
+ if (p != NULL) {
|
||
|
+ while (strncmp(p, "-----BEGIN ", 11) == 0) {
|
||
|
+ p += strcspn(p, "\r\n");
|
||
|
+ p += strspn(p, "\r\n");
|
||
|
+ }
|
||
|
+ q = strstr(p, "-----END");
|
||
|
}
|
||
|
- _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
|
||
|
- }
|
||
|
- memset(&cert, 0, sizeof(cert));
|
||
|
- if (SEC_ASN1DecodeItem(arena, &cert,
|
||
|
- CERT_CertificateTemplate,
|
||
|
- &csdata.data) != SECSuccess) {
|
||
|
- cm_log(1, "Unable to decode certificate "
|
||
|
- "data into buffer.\n");
|
||
|
- PORT_FreeArena(arena, PR_TRUE);
|
||
|
- if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||
|
- cm_log(1, "Error shutting down NSS.\n");
|
||
|
+ if ((q == NULL) || (*p == '\0')) {
|
||
|
+ cm_log(1, "Unable to parse certificate.\n");
|
||
|
+ PORT_FreeArena(arena, PR_TRUE);
|
||
|
+ if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||
|
+ cm_log(1, "Error shutting down NSS.\n");
|
||
|
+ }
|
||
|
+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
|
||
|
}
|
||
|
- _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
|
||
|
- }
|
||
|
- subject = cert.derSubject;
|
||
|
- /* Ask NSS if there would be a conflict. */
|
||
|
- have_trust = PR_FALSE;
|
||
|
- if (SEC_CertNicknameConflict(entry->cm_cert_nickname,
|
||
|
- &subject,
|
||
|
- certdb)) {
|
||
|
- /* Delete the certificate that's already there
|
||
|
- * with the nickname we want, otherwise our
|
||
|
- * cert with a different subject name will be
|
||
|
- * discarded. */
|
||
|
- certlist = PK11_FindCertsFromNickname(entry->cm_cert_nickname,
|
||
|
- NULL);
|
||
|
+ /* Handle the base64 decode. */
|
||
|
+ item = NSSBase64_DecodeBuffer(arena, NULL, p, q - p);
|
||
|
+ if (item == NULL) {
|
||
|
+ cm_log(1, "Unable to decode certificate "
|
||
|
+ "into buffer.\n");
|
||
|
+ PORT_FreeArena(arena, PR_TRUE);
|
||
|
+ if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||
|
+ cm_log(1, "Error shutting down NSS.\n");
|
||
|
+ }
|
||
|
+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
|
||
|
+ }
|
||
|
+ /* Do a "shallow" decode to pull out the subject name
|
||
|
+ * so that we can check for a conflict. */
|
||
|
+ memset(&csdata, 0, sizeof(csdata));
|
||
|
+ if (SEC_ASN1DecodeItem(arena, &csdata,
|
||
|
+ CERT_SignedDataTemplate,
|
||
|
+ item) != SECSuccess) {
|
||
|
+ cm_log(1, "Unable to decode certificate "
|
||
|
+ "signed data into buffer.\n");
|
||
|
+ PORT_FreeArena(arena, PR_TRUE);
|
||
|
+ if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||
|
+ cm_log(1, "Error shutting down NSS.\n");
|
||
|
+ }
|
||
|
+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
|
||
|
+ }
|
||
|
+ memset(&cert, 0, sizeof(cert));
|
||
|
+ if (SEC_ASN1DecodeItem(arena, &cert,
|
||
|
+ CERT_CertificateTemplate,
|
||
|
+ &csdata.data) != SECSuccess) {
|
||
|
+ cm_log(1, "Unable to decode certificate "
|
||
|
+ "data into buffer.\n");
|
||
|
+ PORT_FreeArena(arena, PR_TRUE);
|
||
|
+ if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||
|
+ cm_log(1, "Error shutting down NSS.\n");
|
||
|
+ }
|
||
|
+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
|
||
|
+ }
|
||
|
+ subject = cert.derSubject;
|
||
|
+ /* Ask NSS if there would be a conflict. */
|
||
|
+ have_trust = PR_FALSE;
|
||
|
+ if (SEC_CertNicknameConflict(entry->cm_cert_nickname,
|
||
|
+ &subject,
|
||
|
+ certdb)) {
|
||
|
+ /* Delete the certificate that's already there
|
||
|
+ * with the nickname we want, otherwise our
|
||
|
+ * cert with a different subject name will be
|
||
|
+ * discarded. */
|
||
|
+ certlist = PK11_FindCertsFromNickname(entry->cm_cert_nickname,
|
||
|
+ NULL);
|
||
|
+ if (certlist != NULL) {
|
||
|
+ /* Look for certs with different
|
||
|
+ * subject names but the same nickname,
|
||
|
+ * because they've got to go. */
|
||
|
+ for (node = CERT_LIST_HEAD(certlist);
|
||
|
+ (node != NULL) &&
|
||
|
+ !CERT_LIST_EMPTY(certlist) &&
|
||
|
+ !CERT_LIST_END(node, certlist);
|
||
|
+ node = CERT_LIST_NEXT(node)) {
|
||
|
+ if (!SECITEM_ItemsAreEqual(&subject,
|
||
|
+ &node->cert->derSubject)) {
|
||
|
+ cm_log(3, "Found a "
|
||
|
+ "certificate "
|
||
|
+ "with the same "
|
||
|
+ "nickname but "
|
||
|
+ "different "
|
||
|
+ "subject, "
|
||
|
+ "removing "
|
||
|
+ "certificate "
|
||
|
+ "\"%s\" with "
|
||
|
+ "subject "
|
||
|
+ "\"%s\".\n",
|
||
|
+ node->cert->nickname,
|
||
|
+ node->cert->subjectName ?
|
||
|
+ node->cert->subjectName :
|
||
|
+ "");
|
||
|
+ /* Get a handle for
|
||
|
+ * this certificate's
|
||
|
+ * private key, in case
|
||
|
+ * we need to remove
|
||
|
+ * it. */
|
||
|
+ privkey = PK11_FindKeyByAnyCert(node->cert, NULL);
|
||
|
+ privkeys = add_privkey_to_list(privkeys, privkey);
|
||
|
+ SEC_DeletePermCertificate(node->cert);
|
||
|
+ }
|
||
|
+ }
|
||
|
+ CERT_DestroyCertList(certlist);
|
||
|
+ }
|
||
|
+ } else {
|
||
|
+ cm_log(3, "No duplicate nickname entries.\n");
|
||
|
+ }
|
||
|
+ /* This certificate's subject may already be present
|
||
|
+ * with a different nickname. Delete those, too. */
|
||
|
+ certlist = CERT_CreateSubjectCertList(NULL, certdb,
|
||
|
+ &subject,
|
||
|
+ PR_FALSE,
|
||
|
+ PR_FALSE);
|
||
|
if (certlist != NULL) {
|
||
|
- /* Look for certs with different
|
||
|
- * subject names but the same nickname,
|
||
|
- * because they've got to go. */
|
||
|
+ /* Look for certs with different nicknames but
|
||
|
+ * the same subject name, because those have
|
||
|
+ * got to go. */
|
||
|
+ i = 0;
|
||
|
for (node = CERT_LIST_HEAD(certlist);
|
||
|
(node != NULL) &&
|
||
|
!CERT_LIST_EMPTY(certlist) &&
|
||
|
!CERT_LIST_END(node, certlist);
|
||
|
node = CERT_LIST_NEXT(node)) {
|
||
|
- if (!SECITEM_ItemsAreEqual(&subject,
|
||
|
- &node->cert->derSubject)) {
|
||
|
+ if ((node->cert->nickname != NULL) &&
|
||
|
+ (strcmp(entry->cm_cert_nickname,
|
||
|
+ node->cert->nickname) != 0))
|
||
|
+ {
|
||
|
+ i++;
|
||
|
cm_log(3, "Found a "
|
||
|
- "certificate "
|
||
|
- "with the same "
|
||
|
- "nickname but "
|
||
|
- "different "
|
||
|
- "subject, "
|
||
|
- "removing "
|
||
|
- "certificate "
|
||
|
- "\"%s\" with "
|
||
|
- "subject "
|
||
|
- "\"%s\".\n",
|
||
|
- node->cert->nickname,
|
||
|
- node->cert->subjectName ?
|
||
|
- node->cert->subjectName :
|
||
|
- "");
|
||
|
- /* Get a handle for
|
||
|
- * this certificate's
|
||
|
- * private key, in case
|
||
|
- * we need to remove
|
||
|
- * it. */
|
||
|
- privkey = PK11_FindKeyByAnyCert(node->cert, NULL);
|
||
|
- privkeys = add_privkey_to_list(privkeys, privkey);
|
||
|
- SEC_DeletePermCertificate(node->cert);
|
||
|
- }
|
||
|
- }
|
||
|
- CERT_DestroyCertList(certlist);
|
||
|
- }
|
||
|
- } else {
|
||
|
- cm_log(3, "No duplicate nickname entries.\n");
|
||
|
- }
|
||
|
- /* This certificate's subject may already be present
|
||
|
- * with a different nickname. Delete those, too. */
|
||
|
- certlist = CERT_CreateSubjectCertList(NULL, certdb,
|
||
|
- &subject,
|
||
|
- PR_FALSE,
|
||
|
- PR_FALSE);
|
||
|
- if (certlist != NULL) {
|
||
|
- /* Look for certs with different nicknames but
|
||
|
- * the same subject name, because those have
|
||
|
- * got to go. */
|
||
|
- i = 0;
|
||
|
- for (node = CERT_LIST_HEAD(certlist);
|
||
|
- (node != NULL) &&
|
||
|
- !CERT_LIST_EMPTY(certlist) &&
|
||
|
- !CERT_LIST_END(node, certlist);
|
||
|
- node = CERT_LIST_NEXT(node)) {
|
||
|
- if ((node->cert->nickname != NULL) &&
|
||
|
- (strcmp(entry->cm_cert_nickname,
|
||
|
- node->cert->nickname) != 0)) {
|
||
|
- i++;
|
||
|
- cm_log(3, "Found a "
|
||
|
- "certificate with a "
|
||
|
+ "certificate with a "
|
||
|
"different nickname but "
|
||
|
"the same subject, "
|
||
|
"removing certificate "
|
||
|
@@ -426,284 +452,291 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||
|
node->cert->subjectName ?
|
||
|
node->cert->subjectName :
|
||
|
"");
|
||
|
- /* Get a handle for this
|
||
|
- * certificate's private key,
|
||
|
- * in case we need to remove
|
||
|
- * it. */
|
||
|
- privkey = PK11_FindKeyByAnyCert(node->cert, NULL);
|
||
|
- privkeys = add_privkey_to_list(privkeys, privkey);
|
||
|
- SEC_DeletePermCertificate(node->cert);
|
||
|
- } else {
|
||
|
- /* Same nickname, and we
|
||
|
- * already know it has the same
|
||
|
- * subject name. Save its
|
||
|
- * trust. */
|
||
|
- if (!have_trust) {
|
||
|
- if (CERT_GetCertTrust(node->cert,
|
||
|
+ /* Get a handle for this
|
||
|
+ * certificate's private key,
|
||
|
+ * in case we need to remove
|
||
|
+ * it. */
|
||
|
+ privkey = PK11_FindKeyByAnyCert(node->cert, NULL);
|
||
|
+ privkeys = add_privkey_to_list(privkeys, privkey);
|
||
|
+ SEC_DeletePermCertificate(node->cert);
|
||
|
+ } else {
|
||
|
+ /* Same nickname, and we
|
||
|
+ * already know it has the same
|
||
|
+ * subject name. Save its
|
||
|
+ * trust. */
|
||
|
+ if (!have_trust) {
|
||
|
+ if (CERT_GetCertTrust(node->cert,
|
||
|
&trust) == SECSuccess) {
|
||
|
- have_trust = PR_TRUE;
|
||
|
+ have_trust = PR_TRUE;
|
||
|
+ }
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
- }
|
||
|
- if (i == 0) {
|
||
|
- cm_log(3, "No duplicate subject name entries.\n");
|
||
|
- }
|
||
|
- CERT_DestroyCertList(certlist);
|
||
|
- } else {
|
||
|
- cm_log(3, "No duplicate subject name entries.\n");
|
||
|
- }
|
||
|
- /* Make one more attempt at finding an existing trust
|
||
|
- * value. */
|
||
|
- if (!have_trust) {
|
||
|
- oldcert = PK11_FindCertFromNickname(entry->cm_cert_nickname, NULL);
|
||
|
- if (oldcert != NULL) {
|
||
|
- if (CERT_GetCertTrust(oldcert,
|
||
|
- &trust) == SECSuccess) {
|
||
|
- have_trust = PR_TRUE;
|
||
|
+ if (i == 0) {
|
||
|
+ cm_log(3, "No duplicate subject name entries.\n");
|
||
|
}
|
||
|
- CERT_DestroyCertificate(oldcert);
|
||
|
+ CERT_DestroyCertList(certlist);
|
||
|
+ } else {
|
||
|
+ cm_log(3, "No duplicate subject name entries.\n");
|
||
|
}
|
||
|
- }
|
||
|
- /* Import the certificate. */
|
||
|
- returned = NULL;
|
||
|
- error = CERT_ImportCerts(certdb,
|
||
|
- certUsageUserCertImport,
|
||
|
- 1, &item, &returned,
|
||
|
- PR_TRUE,
|
||
|
- PR_FALSE,
|
||
|
- entry->cm_cert_nickname);
|
||
|
- ec = PORT_GetError();
|
||
|
- if (error == SECSuccess) {
|
||
|
- /* If NSS uses SQL DB storage, CERT_ImportCerts creates
|
||
|
- * an incomplete internal state (the cert isn't
|
||
|
- * associated with the private key, and calling
|
||
|
- * PK11_FindKeyByAnyCert returns no result).
|
||
|
- * As a workaround, we import the cert again using
|
||
|
- * PK11_ImportCert, which magically fixes the issue.
|
||
|
- * See rhbz#1532188 */
|
||
|
- error = PK11_ImportCert(PK11_GetInternalKeySlot(),
|
||
|
- returned[0],
|
||
|
- CK_INVALID_HANDLE,
|
||
|
- returned[0]->nickname,
|
||
|
- PR_FALSE);
|
||
|
- }
|
||
|
- if (error == SECSuccess) {
|
||
|
- cm_log(1, "Imported certificate \"%s\", got "
|
||
|
- "nickname \"%s\".\n",
|
||
|
- entry->cm_cert_nickname,
|
||
|
- returned[0]->nickname);
|
||
|
- status = 0;
|
||
|
- /* Set the trust on the new certificate,
|
||
|
- * perhaps matching the trust on an
|
||
|
- * already-present certificate with the same
|
||
|
- * nickname. */
|
||
|
+ /* Make one more attempt at finding an existing trust
|
||
|
+ * value. */
|
||
|
if (!have_trust) {
|
||
|
- memset(&trust, 0, sizeof(trust));
|
||
|
- trust.sslFlags = CERTDB_USER;
|
||
|
- trust.emailFlags = CERTDB_USER;
|
||
|
- trust.objectSigningFlags = CERTDB_USER;
|
||
|
+ oldcert = PK11_FindCertFromNickname(entry->cm_cert_nickname, NULL);
|
||
|
+ if (oldcert != NULL) {
|
||
|
+ if (CERT_GetCertTrust(oldcert,
|
||
|
+ &trust) == SECSuccess) {
|
||
|
+ have_trust = PR_TRUE;
|
||
|
+ }
|
||
|
+ CERT_DestroyCertificate(oldcert);
|
||
|
+ }
|
||
|
}
|
||
|
- error = CERT_ChangeCertTrust(certdb,
|
||
|
- returned[0],
|
||
|
- &trust);
|
||
|
+ /* Import the certificate. */
|
||
|
+ returned = NULL;
|
||
|
+ error = CERT_ImportCerts(certdb,
|
||
|
+ certUsageUserCertImport,
|
||
|
+ 1, &item, &returned,
|
||
|
+ PR_TRUE,
|
||
|
+ PR_FALSE,
|
||
|
+ entry->cm_cert_nickname);
|
||
|
ec = PORT_GetError();
|
||
|
- if (error != SECSuccess) {
|
||
|
+ if (error == SECSuccess) {
|
||
|
+ /* If NSS uses SQL DB storage, CERT_ImportCerts creates
|
||
|
+ * an incomplete internal state (the cert isn't
|
||
|
+ * associated with the private key, and calling
|
||
|
+ * PK11_FindKeyByAnyCert returns no result).
|
||
|
+ * As a workaround, we import the cert again using
|
||
|
+ * PK11_ImportCert, which magically fixes the issue.
|
||
|
+ * See rhbz#1532188 */
|
||
|
+ error = PK11_ImportCert(sle->slot,
|
||
|
+ returned[0],
|
||
|
+ CK_INVALID_HANDLE,
|
||
|
+ returned[0]->nickname,
|
||
|
+ PR_FALSE);
|
||
|
+ }
|
||
|
+ if (error == SECSuccess) {
|
||
|
+ cm_log(1, "Imported certificate \"%s\", got "
|
||
|
+ "nickname \"%s\".\n",
|
||
|
+ entry->cm_cert_nickname,
|
||
|
+ returned[0]->nickname);
|
||
|
+ status = 0;
|
||
|
+ /* Set the trust on the new certificate,
|
||
|
+ * perhaps matching the trust on an
|
||
|
+ * already-present certificate with the same
|
||
|
+ * nickname. */
|
||
|
+ if (!have_trust) {
|
||
|
+ memset(&trust, 0, sizeof(trust));
|
||
|
+ trust.sslFlags = CERTDB_USER;
|
||
|
+ trust.emailFlags = CERTDB_USER;
|
||
|
+ trust.objectSigningFlags = CERTDB_USER;
|
||
|
+ }
|
||
|
+ error = CERT_ChangeCertTrust(certdb,
|
||
|
+ returned[0],
|
||
|
+ &trust);
|
||
|
+ ec = PORT_GetError();
|
||
|
+ if (error != SECSuccess) {
|
||
|
+ if (ec != 0) {
|
||
|
+ es = PR_ErrorToName(ec);
|
||
|
+ } else {
|
||
|
+ es = NULL;
|
||
|
+ }
|
||
|
+ if (es != NULL) {
|
||
|
+ cm_log(0, "Error setting trust "
|
||
|
+ "on certificate \"%s\": "
|
||
|
+ "%s.\n",
|
||
|
+ entry->cm_cert_nickname, es);
|
||
|
+ } else {
|
||
|
+ cm_log(0, "Error setting trust "
|
||
|
+ "on certificate \"%s\".\n",
|
||
|
+ entry->cm_cert_nickname);
|
||
|
+ }
|
||
|
+ }
|
||
|
+ /* Delete any other certificates that are there
|
||
|
+ * with the same nickname. While NSS's
|
||
|
+ * database allows duplicates so long as they
|
||
|
+ * have the same subject name and nickname,
|
||
|
+ * several APIs and many applications can't
|
||
|
+ * dependably find the right one among more
|
||
|
+ * than one. So bye-bye, old certificates. */
|
||
|
+ certlist = PK11_FindCertsFromNickname(entry->cm_cert_nickname,
|
||
|
+ NULL);
|
||
|
+ if (certlist != NULL) {
|
||
|
+ /* Look for certs with contents. */
|
||
|
+ for (node = CERT_LIST_HEAD(certlist);
|
||
|
+ (node != NULL) &&
|
||
|
+ !CERT_LIST_EMPTY(certlist) &&
|
||
|
+ !CERT_LIST_END(node, certlist);
|
||
|
+ node = CERT_LIST_NEXT(node)) {
|
||
|
+ if (!SECITEM_ItemsAreEqual(item,
|
||
|
+ &node->cert->derCert)) {
|
||
|
+ cm_log(3, "Found a "
|
||
|
+ "certificate "
|
||
|
+ "with the same "
|
||
|
+ "nickname and "
|
||
|
+ "subject, but "
|
||
|
+ "different "
|
||
|
+ "contents, "
|
||
|
+ "removing it.\n");
|
||
|
+ /* Get a handle for
|
||
|
+ * this certificate's
|
||
|
+ * private key, in case
|
||
|
+ * we need to remove
|
||
|
+ * it. */
|
||
|
+ privkey = PK11_FindKeyByAnyCert(node->cert, NULL);
|
||
|
+ privkeys = add_privkey_to_list(privkeys, privkey);
|
||
|
+ SEC_DeletePermCertificate(node->cert);
|
||
|
+ }
|
||
|
+ }
|
||
|
+ CERT_DestroyCertList(certlist);
|
||
|
+ }
|
||
|
+ } else {
|
||
|
if (ec != 0) {
|
||
|
es = PR_ErrorToName(ec);
|
||
|
} else {
|
||
|
es = NULL;
|
||
|
}
|
||
|
if (es != NULL) {
|
||
|
- cm_log(0, "Error setting trust "
|
||
|
- "on certificate \"%s\": "
|
||
|
- "%s.\n",
|
||
|
- entry->cm_cert_nickname, es);
|
||
|
+ cm_log(0, "Error importing certificate "
|
||
|
+ "into NSSDB \"%s\": %s.\n",
|
||
|
+ entry->cm_cert_storage_location,
|
||
|
+ es);
|
||
|
} else {
|
||
|
- cm_log(0, "Error setting trust "
|
||
|
- "on certificate \"%s\".\n",
|
||
|
- entry->cm_cert_nickname);
|
||
|
+ cm_log(0, "Error importing certificate "
|
||
|
+ "into NSSDB \"%s\".\n",
|
||
|
+ entry->cm_cert_storage_location);
|
||
|
}
|
||
|
- }
|
||
|
- /* Delete any other certificates that are there
|
||
|
- * with the same nickname. While NSS's
|
||
|
- * database allows duplicates so long as they
|
||
|
- * have the same subject name and nickname,
|
||
|
- * several APIs and many applications can't
|
||
|
- * dependably find the right one among more
|
||
|
- * than one. So bye-bye, old certificates. */
|
||
|
- certlist = PK11_FindCertsFromNickname(entry->cm_cert_nickname,
|
||
|
- NULL);
|
||
|
- if (certlist != NULL) {
|
||
|
- /* Look for certs with contents. */
|
||
|
- for (node = CERT_LIST_HEAD(certlist);
|
||
|
- (node != NULL) &&
|
||
|
- !CERT_LIST_EMPTY(certlist) &&
|
||
|
- !CERT_LIST_END(node, certlist);
|
||
|
- node = CERT_LIST_NEXT(node)) {
|
||
|
- if (!SECITEM_ItemsAreEqual(item,
|
||
|
- &node->cert->derCert)) {
|
||
|
- cm_log(3, "Found a "
|
||
|
- "certificate "
|
||
|
- "with the same "
|
||
|
- "nickname and "
|
||
|
- "subject, but "
|
||
|
- "different "
|
||
|
- "contents, "
|
||
|
- "removing it.\n");
|
||
|
- /* Get a handle for
|
||
|
- * this certificate's
|
||
|
- * private key, in case
|
||
|
- * we need to remove
|
||
|
- * it. */
|
||
|
- privkey = PK11_FindKeyByAnyCert(node->cert, NULL);
|
||
|
- privkeys = add_privkey_to_list(privkeys, privkey);
|
||
|
- SEC_DeletePermCertificate(node->cert);
|
||
|
- }
|
||
|
+ switch (ec) {
|
||
|
+ case PR_NO_ACCESS_RIGHTS_ERROR: /* ACCES/PERM */
|
||
|
+ status = CM_CERTSAVE_STATUS_PERMS;
|
||
|
+ break;
|
||
|
+ default:
|
||
|
+ status = CM_CERTSAVE_STATUS_INTERNAL_ERROR;
|
||
|
+ break;
|
||
|
}
|
||
|
- CERT_DestroyCertList(certlist);
|
||
|
- }
|
||
|
- } else {
|
||
|
- if (ec != 0) {
|
||
|
- es = PR_ErrorToName(ec);
|
||
|
- } else {
|
||
|
- es = NULL;
|
||
|
}
|
||
|
- if (es != NULL) {
|
||
|
- cm_log(0, "Error importing certificate "
|
||
|
- "into NSSDB \"%s\": %s.\n",
|
||
|
- entry->cm_cert_storage_location,
|
||
|
- es);
|
||
|
- } else {
|
||
|
- cm_log(0, "Error importing certificate "
|
||
|
- "into NSSDB \"%s\".\n",
|
||
|
- entry->cm_cert_storage_location);
|
||
|
- }
|
||
|
- switch (ec) {
|
||
|
- case PR_NO_ACCESS_RIGHTS_ERROR: /* ACCES/PERM */
|
||
|
- status = CM_CERTSAVE_STATUS_PERMS;
|
||
|
- break;
|
||
|
- default:
|
||
|
- status = CM_CERTSAVE_STATUS_INTERNAL_ERROR;
|
||
|
- break;
|
||
|
+ /* If we managed to import the certificate, mark its
|
||
|
+ * key for having its nickname removed. */
|
||
|
+ if ((returned != NULL) && (returned[0] != NULL)) {
|
||
|
+ privkey = PK11_FindKeyByAnyCert(returned[0], NULL);
|
||
|
+ privkeys = add_privkey_to_list(privkeys, privkey);
|
||
|
+ CERT_DestroyCertArray(returned, 1);
|
||
|
}
|
||
|
- }
|
||
|
- /* If we managed to import the certificate, mark its
|
||
|
- * key for having its nickname removed. */
|
||
|
- if ((returned != NULL) && (returned[0] != NULL)) {
|
||
|
- privkey = PK11_FindKeyByAnyCert(returned[0], NULL);
|
||
|
- privkeys = add_privkey_to_list(privkeys, privkey);
|
||
|
- CERT_DestroyCertArray(returned, 1);
|
||
|
- }
|
||
|
- /* In case we're rekeying, but failed, mark the
|
||
|
- * candidate key for name-clearing or removal, too. */
|
||
|
- if ((entry->cm_key_next_marker != NULL) &&
|
||
|
- (strlen(entry->cm_key_next_marker) > 0)) {
|
||
|
- p = util_build_next_nickname(entry->cm_key_nickname,
|
||
|
- entry->cm_key_next_marker);
|
||
|
- privkeylist = PK11_ListPrivKeysInSlot(PK11_GetInternalKeySlot(), p, NULL);
|
||
|
- if (privkeylist != NULL) {
|
||
|
- for (knode = PRIVKEY_LIST_HEAD(privkeylist);
|
||
|
- !PRIVKEY_LIST_EMPTY(privkeylist) &&
|
||
|
- !PRIVKEY_LIST_END(knode, privkeylist);
|
||
|
- knode = PRIVKEY_LIST_NEXT(knode)) {
|
||
|
- q = PK11_GetPrivateKeyNickname(knode->key);
|
||
|
- if ((q != NULL) &&
|
||
|
- (strcmp(p, q) == 0)) {
|
||
|
- privkey = SECKEY_CopyPrivateKey(knode->key);
|
||
|
- privkeys = add_privkey_to_list(privkeys, privkey);
|
||
|
- break;
|
||
|
+ /* In case we're rekeying, but failed, mark the
|
||
|
+ * candidate key for name-clearing or removal, too. */
|
||
|
+ if ((entry->cm_key_next_marker != NULL) &&
|
||
|
+ (strlen(entry->cm_key_next_marker) > 0)) {
|
||
|
+ p = util_build_next_nickname(entry->cm_key_nickname,
|
||
|
+ entry->cm_key_next_marker);
|
||
|
+ privkeylist = PK11_ListPrivKeysInSlot(sle->slot, p, NULL);
|
||
|
+ if (privkeylist != NULL) {
|
||
|
+ for (knode = PRIVKEY_LIST_HEAD(privkeylist);
|
||
|
+ !PRIVKEY_LIST_EMPTY(privkeylist) &&
|
||
|
+ !PRIVKEY_LIST_END(knode, privkeylist);
|
||
|
+ knode = PRIVKEY_LIST_NEXT(knode)) {
|
||
|
+ q = PK11_GetPrivateKeyNickname(knode->key);
|
||
|
+ if ((q != NULL) &&
|
||
|
+ (strcmp(p, q) == 0)) {
|
||
|
+ privkey = SECKEY_CopyPrivateKey(knode->key);
|
||
|
+ privkeys = add_privkey_to_list(privkeys, privkey);
|
||
|
+ break;
|
||
|
+ }
|
||
|
}
|
||
|
+ SECKEY_DestroyPrivateKeyList(privkeylist);
|
||
|
}
|
||
|
- SECKEY_DestroyPrivateKeyList(privkeylist);
|
||
|
}
|
||
|
- }
|
||
|
- if (privkeys != NULL) {
|
||
|
- /* Check if any certificates are still using
|
||
|
- * the keys that correspond to certificates
|
||
|
- * that we removed. */
|
||
|
- for (i = 0; privkeys[i] != NULL; i++) {
|
||
|
- privkey = privkeys[i];
|
||
|
- oldcert = PK11_GetCertFromPrivateKey(privkey);
|
||
|
- if (!entry->cm_key_preserve && (oldcert == NULL)) {
|
||
|
- /* We're not preserving
|
||
|
- * orphaned keys, so remove
|
||
|
- * this one. No need to mess
|
||
|
- * with its nickname first. */
|
||
|
- PK11_DeleteTokenPrivateKey(privkey, PR_FALSE);
|
||
|
- if (error == SECSuccess) {
|
||
|
- cm_log(3, "Removed old key.\n");
|
||
|
- } else {
|
||
|
- ec = PORT_GetError();
|
||
|
- if (ec != 0) {
|
||
|
- es = PR_ErrorToName(ec);
|
||
|
+ if (privkeys != NULL) {
|
||
|
+ /* Check if any certificates are still using
|
||
|
+ * the keys that correspond to certificates
|
||
|
+ * that we removed. */
|
||
|
+ for (i = 0; privkeys[i] != NULL; i++) {
|
||
|
+ privkey = privkeys[i];
|
||
|
+ oldcert = PK11_GetCertFromPrivateKey(privkey);
|
||
|
+ if (!entry->cm_key_preserve && (oldcert == NULL)) {
|
||
|
+ /* We're not preserving
|
||
|
+ * orphaned keys, so remove
|
||
|
+ * this one. No need to mess
|
||
|
+ * with its nickname first. */
|
||
|
+ PK11_DeleteTokenPrivateKey(privkey, PR_FALSE);
|
||
|
+ if (error == SECSuccess) {
|
||
|
+ cm_log(3, "Removed old key.\n");
|
||
|
} else {
|
||
|
- es = NULL;
|
||
|
+ ec = PORT_GetError();
|
||
|
+ if (ec != 0) {
|
||
|
+ es = PR_ErrorToName(ec);
|
||
|
+ } else {
|
||
|
+ es = NULL;
|
||
|
+ }
|
||
|
+ if (es != NULL) {
|
||
|
+ cm_log(0, "Failed "
|
||
|
+ "to remove "
|
||
|
+ "old key: "
|
||
|
+ "%s.\n", es);
|
||
|
+ } else {
|
||
|
+ cm_log(0, "Failed "
|
||
|
+ "to remove "
|
||
|
+ "old key.\n");
|
||
|
+ }
|
||
|
}
|
||
|
- if (es != NULL) {
|
||
|
- cm_log(0, "Failed "
|
||
|
- "to remove "
|
||
|
- "old key: "
|
||
|
- "%s.\n", es);
|
||
|
- } else {
|
||
|
- cm_log(0, "Failed "
|
||
|
- "to remove "
|
||
|
- "old key.\n");
|
||
|
- }
|
||
|
- }
|
||
|
- } else {
|
||
|
- /* Remove the explicit
|
||
|
- * nickname, so that the key
|
||
|
- * will have to be found using
|
||
|
- * the certificate's nickname,
|
||
|
- * and certutil will display
|
||
|
- * the matching certificate's
|
||
|
- * nickname when it's asked to
|
||
|
- * list the keys in the
|
||
|
- * database. */
|
||
|
- error = PK11_SetPrivateKeyNickname(privkey, "");
|
||
|
- if (error == SECSuccess) {
|
||
|
- cm_log(3, "Removed "
|
||
|
- "name from old "
|
||
|
- "key.\n");
|
||
|
} else {
|
||
|
- ec = PORT_GetError();
|
||
|
- if (ec != 0) {
|
||
|
- es = PR_ErrorToName(ec);
|
||
|
+ /* Remove the explicit
|
||
|
+ * nickname, so that the key
|
||
|
+ * will have to be found using
|
||
|
+ * the certificate's nickname,
|
||
|
+ * and certutil will display
|
||
|
+ * the matching certificate's
|
||
|
+ * nickname when it's asked to
|
||
|
+ * list the keys in the
|
||
|
+ * database. */
|
||
|
+ error = PK11_SetPrivateKeyNickname(privkey, "");
|
||
|
+ if (error == SECSuccess) {
|
||
|
+ cm_log(3, "Removed "
|
||
|
+ "name from old "
|
||
|
+ "key.\n");
|
||
|
} else {
|
||
|
- es = NULL;
|
||
|
- }
|
||
|
- if (es != NULL) {
|
||
|
- cm_log(0, "Failed "
|
||
|
- "to unname "
|
||
|
- "old key: "
|
||
|
- "%s.\n", es);
|
||
|
- } else {
|
||
|
- cm_log(0, "Failed "
|
||
|
- "to unname "
|
||
|
- "old key.\n");
|
||
|
+ ec = PORT_GetError();
|
||
|
+ if (ec != 0) {
|
||
|
+ es = PR_ErrorToName(ec);
|
||
|
+ } else {
|
||
|
+ es = NULL;
|
||
|
+ }
|
||
|
+ if (es != NULL) {
|
||
|
+ cm_log(0, "Failed "
|
||
|
+ "to unname "
|
||
|
+ "old key: "
|
||
|
+ "%s.\n", es);
|
||
|
+ } else {
|
||
|
+ cm_log(0, "Failed "
|
||
|
+ "to unname "
|
||
|
+ "old key.\n");
|
||
|
+ }
|
||
|
}
|
||
|
+ SECKEY_DestroyPrivateKey(privkey);
|
||
|
+ }
|
||
|
+ if (oldcert != NULL) {
|
||
|
+ CERT_DestroyCertificate(oldcert);
|
||
|
}
|
||
|
- SECKEY_DestroyPrivateKey(privkey);
|
||
|
- }
|
||
|
- if (oldcert != NULL) {
|
||
|
- CERT_DestroyCertificate(oldcert);
|
||
|
}
|
||
|
+ free(privkeys);
|
||
|
}
|
||
|
- free(privkeys);
|
||
|
+ } else {
|
||
|
+ cm_log(1, "Error getting handle to default NSS DB.\n");
|
||
|
}
|
||
|
- } else {
|
||
|
- cm_log(1, "Error getting handle to default NSS DB.\n");
|
||
|
- }
|
||
|
- PORT_FreeArena(arena, PR_TRUE);
|
||
|
- if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||
|
- cm_log(1, "Error shutting down NSS.\n");
|
||
|
- }
|
||
|
- /* Fixup the ownership and permissions on the key and
|
||
|
- * certificate databases. */
|
||
|
- util_set_db_entry_key_owner(entry->cm_key_storage_location, entry);
|
||
|
- util_set_db_entry_cert_owner(entry->cm_cert_storage_location, entry);
|
||
|
- }
|
||
|
+ PORT_FreeArena(arena, PR_TRUE);
|
||
|
+ if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||
|
+ cm_log(1, "Error shutting down NSS.\n");
|
||
|
+ }
|
||
|
+ /* Fixup the ownership and permissions on the key and
|
||
|
+ * certificate databases. */
|
||
|
+ util_set_db_entry_key_owner(entry->cm_key_storage_location, entry);
|
||
|
+ util_set_db_entry_cert_owner(entry->cm_cert_storage_location, entry);
|
||
|
+ break;
|
||
|
+next_slot:
|
||
|
+ if (sle == slotlist->tail) {
|
||
|
+ break;
|
||
|
+ }
|
||
|
+ } /* for slot loop */
|
||
|
+ } /* ctx == NULL */
|
||
|
+
|
||
|
if (status != 0) {
|
||
|
_exit(status);
|
||
|
}
|
||
|
--
|
||
|
2.14.4
|
||
|
|