admserv/cgi-src40/security.c | 100 +++++++++++++++++++++++++++----------------
1 file changed, 63 insertions(+), 37 deletions(-)
New commits:
commit f7554f273e9919890732bc6253297ada56c76d08
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Mar 3 15:51:47 2011 -0800
Bug 158926 - Unable to install CA certificate when using
hardware token ( LunaSA )
https://bugzilla.redhat.com/show_bug.cgi?id=158926
Description: Installing/Importing CA cert to the hardware token
was not correctly supported in the security CGI. This patch
passes the hardware token name to the installCACert helper function
and gets the correct slot for the hardware token. Then it imports
the cert into the slot.
diff --git a/admserv/cgi-src40/security.c b/admserv/cgi-src40/security.c
index c53f065..2941eb3 100644
--- a/admserv/cgi-src40/security.c
+++ b/admserv/cgi-src40/security.c
@@ -1311,8 +1311,9 @@ static void printDERCert(int isCACert) {
/*
* Install a server certificate.
*/
-static void installServerCert(char *tokenName, char *certname) {
-
+static void
+installServerCert(char *tokenName, char *certname)
+{
SECStatus rv;
CERTCertificate *cert;
CERTCertTrust trust;
@@ -1397,43 +1398,66 @@ static void installServerCert(char *tokenName, char *certname) {
/*
* Install a CA cert and set its trust
*/
-static void installCACert(char *certname) {
-
- /* need to decode der cert */
- char *derCertBase64 =
getParameter("dercert",getResourceString(DBT_DER_CERT));
- CERTDERCerts *collectArgs = decodeDERCert(derCertBase64);
-
- /* remove leading space in certificate name */
- if (certname) {
- while (isspace(*certname)) ++certname;
- }
-
- /* Import CA Cert and set trust */
- {
+static void
+installCACert(char *tokenName, char *certname)
+{
+ /* need to decode der cert */
+ CERTCertificate *cert;
+ char *derCertBase64 = NULL;
+ CERTDERCerts *collectArgs = NULL;
+ PK11SlotInfo *slot = NULL;
CERTCertificate **retCerts = 0;
PRBool keepCerts = PR_TRUE;
PRBool caOnly = PR_TRUE;
- char *nickname = certname;
- char *truststr = getParameter("trust_flag",getResourceString(DBT_TRUST));
+ char *nickname = certname;
+ char *truststr = NULL;
+ char *endptr = NULL;
+ int trustflag;
int trustedCA;
- char *endptr = NULL;
- int trustflag = strtol(truststr, &endptr, 0);
+ SECStatus rc = 0;
- if ((*truststr == '\0') || !endptr || (*endptr != '\0')) {
- /* invalid trust flags */
- errorRpt(GENERAL_FAILURE, getResourceString(DBT_TRUST_SET_FAIL));
- }
- trustedCA = (trustflag & CERTDB_TRUSTED_CA);
- CERT_ImportCerts(certdb,(trustedCA ? certUsageSSLCA : certUsageAnyCA),
+ derCertBase64 = getParameter("dercert",getResourceString(DBT_DER_CERT));
+ collectArgs = decodeDERCert(derCertBase64);
+
+ truststr = getParameter("trust_flag",getResourceString(DBT_TRUST));
+ trustflag = strtol(truststr, &endptr, 0);
+ if (tokenName) {
+ slot = PK11_FindSlotByName(tokenName);
+ } else {
+ slot = PK11_GetInternalKeySlot();
+ }
+ /* remove leading space in certificate name */
+ if (certname) {
+ while (isspace(*certname)) ++certname;
+ }
+
+ /* Import CA Cert and set trust */
+ if ((*truststr == '\0') || !endptr || (*endptr != '\0')) {
+ /* invalid trust flags */
+ errorRpt(GENERAL_FAILURE, getResourceString(DBT_TRUST_SET_FAIL));
+ }
+ trustedCA = (trustflag & CERTDB_TRUSTED_CA);
+ rc = CERT_ImportCerts(certdb, (trustedCA ? certUsageSSLCA : certUsageAnyCA),
collectArgs->numcerts, &collectArgs->rawCerts,
&retCerts, keepCerts, caOnly, nickname);
+ CERT_FindCertByDERCert(certdb, collectArgs->rawCerts);
+ cert = retCerts[0];
+ rc = PK11_ImportCert(slot, cert, CK_INVALID_HANDLE, certname, PR_FALSE);
+ if (rc != SECSuccess) {
+ char *tmpLine = (char *)PR_Malloc(PR_GetErrorTextLength()+1);
+ PR_GetErrorText(tmpLine);
+ PR_snprintf(line, sizeof(line), "%d:%s", PR_GetError(), tmpLine);
+ PR_Free(tmpLine);
+ /* if unable to import report error */
+ rpt_err(SYSTEM_ERROR, getResourceString(DBT_INTERNAL_ERROR),
+ getResourceString(DBT_INSTALL_FAIL), line);
+ }
- if(!CERT_FindCertByDERCert(certdb, collectArgs->rawCerts)) {
- errorRpt(GENERAL_FAILURE, getResourceString(DBT_INSTALL_FAIL));
+ if(NULL == PK11_FindCertInSlot(slot, cert, NULL)) {
+ errorRpt(GENERAL_FAILURE, getResourceString(DBT_INSTALL_FAIL));
}
setTrust(processNullString(getMD5Fingerprint(retCerts[0])), trustflag);
- }
}
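Review bot: The status of `rc = CERT_ImportCerts(...)` is never examined, yet `cert = retCerts[0];` dereferences the output array unconditionally; when the import fails retCerts is still NULL and the CGI faults on request-supplied data. The slot has the same gap: PK11_FindSlotByName(tokenName) returns NULL for a token name it cannot find, that NULL is then handed to PK11_ImportCert and PK11_FindCertInSlot, and the slot reference taken on either branch is never released with PK11_FreeSlot. The bare `CERT_FindCertByDERCert(certdb, collectArgs->rawCerts);` call discards both its result and the certificate reference it hands back, so it now only leaks; either drop it or restore the previous NULL check on it. Presumably errorRpt does not return (the trust-flag check just above relies on that), so the same reporting can guard these paths; PK11_FindCertInSlot returns a CK_OBJECT_HANDLE rather than a pointer, so comparing against CK_INVALID_HANDLE instead of NULL is the tidier form.
```c
if (tokenName) {
    slot = PK11_FindSlotByName(tokenName);
} else {
    slot = PK11_GetInternalKeySlot();
}
if (!slot) {
    /* unknown or unavailable token: nowhere to import into */
    errorRpt(GENERAL_FAILURE, getResourceString(DBT_INSTALL_FAIL));
}
/* … unchanged: certname trimming, trust-flag validation … */
rc = CERT_ImportCerts(certdb, (trustedCA ? certUsageSSLCA : certUsageAnyCA),
                      collectArgs->numcerts, &collectArgs->rawCerts,
                      &retCerts, keepCerts, caOnly, nickname);
if (rc != SECSuccess || !retCerts || !retCerts[0]) {
    errorRpt(GENERAL_FAILURE, getResourceString(DBT_INSTALL_FAIL));
}
cert = retCerts[0];
rc = PK11_ImportCert(slot, cert, CK_INVALID_HANDLE, certname, PR_FALSE);
/* … unchanged: PK11_ImportCert error reporting … */
if (CK_INVALID_HANDLE == PK11_FindCertInSlot(slot, cert, NULL)) {
    errorRpt(GENERAL_FAILURE, getResourceString(DBT_INSTALL_FAIL));
}
setTrust(processNullString(getMD5Fingerprint(retCerts[0])), trustflag);
PK11_FreeSlot(slot);
```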
@@ -1965,18 +1989,21 @@ static void keyCertMigrate() {
int main(int argc, char *argv[])
{
/* cgi env setup */
- int _ai = ADMUTIL_Init();
- char * m = getenv("REQUEST_METHOD");
+ char *m = NULL;
char msg[BIG_LINE];
AdmldapInfo ldapInfo; /* our config */
int rc = 0;
char *sie;
- char *configdir = util_get_conf_dir();
- const char *secdir = util_get_security_dir();
+ char *configdir = NULL;
+ const char *secdir = NULL;
#if 0
CGI_Debug("security");
#endif
+ ADMUTIL_Init();
+ m = getenv("REQUEST_METHOD");
+ configdir = util_get_conf_dir();
+ secdir = util_get_security_dir();
/*setup i18n stuff*/
{
@@ -2013,7 +2040,6 @@ int main(int argc, char *argv[])
}
securitydir = getSecurityDir(ldapInfo, sie);
-
{
char* operation = getParameter("formop",getResourceString(DBT_OP));
@@ -2079,11 +2105,11 @@ int main(int argc, char *argv[])
else { /* install a certificate */
char *certName = get_cgi_var("certname", NULL, NULL);
+ char *tokenName =
+
getParameter("tokenname",getResourceString(DBT_TOKEN_NAME));
if (isCACert) {
- installCACert(certName);
- }
- else {
- char *tokenName =
getParameter("tokenname",getResourceString(DBT_TOKEN_NAME));
+ installCACert(tokenName, certName);
+ } else {
installServerCert(tokenName, certName);
}
}
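Review bot: The CA path now receives whatever getParameter yields for `tokenname` on every install, and installCACert only tests `if (tokenName)` before calling PK11_FindSlotByName; if getParameter returns an empty string rather than NULL for a software-only install, the lookup is attempted on "" instead of falling back to PK11_GetInternalKeySlot. I cannot see getParameter's behaviour for an absent or empty field from here, so either confirm it returns NULL in that case or make the callee's test `if (tokenName && *tokenName)`. The enclosing main() body starts and ends outside this hunk.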