[openldap/private-moznss-f17] update: enhancement: prefer unlocked slots when getting private key
jvcelak
jvcelak at fedoraproject.org
Mon Aug 13 13:42:29 UTC 2012
commit 9f3240285a9b7b2989d46914d30bd8eaf14bb31d
Author: Jan Vcelak <jvcelak at redhat.com>
Date: Mon Aug 13 15:33:35 2012 +0200
update: enhancement: prefer unlocked slots when getting private key
openldap-nss-prefer-unlocked-slot.patch | 72 +++++++++++++++++++++++++++++++
1 files changed, 72 insertions(+), 0 deletions(-)
---
diff --git a/openldap-nss-prefer-unlocked-slot.patch b/openldap-nss-prefer-unlocked-slot.patch
new file mode 100644
index 0000000..fc25e7a
--- /dev/null
+++ b/openldap-nss-prefer-unlocked-slot.patch
@@ -0,0 +1,72 @@
+From c59072eaa7d85a56c36073bebb7e21b3e2a95492 Mon Sep 17 00:00:00 2001
+From: Jan Vcelak <jvcelak at redhat.com>
+Date: Mon, 13 Aug 2012 14:25:47 +0200
+Subject: [PATCH] MozNSS: prefer unlocked slot when getting private key
+
+---
+ libraries/libldap/tls_m.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index f37da06..061d6b8 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -990,6 +990,36 @@ tlsm_cert_is_self_issued( CERTCertificate *cert )
+ return is_self_issued;
+ }
+
++/*
++ * The private key for used certificate can be already unlocked by other
++ * thread or library. Find the unlocked slot if possible.
++ */
++static PK11SlotInfo *
++tlsm_find_unlocked_slot(tlsm_ctx *ctx)
++{
++ PK11SlotInfo *result = NULL;
++
++ PK11SlotList *slots = PK11_GetAllSlotsForCert(ctx->tc_certificate, NULL);
++ if (!slots) {
++ PRErrorCode errcode = PR_GetError();
++ Debug(LDAP_DEBUG_ANY,
++ "TLS: cannot get all slots for certificate '%s' (error %d: %s)",
++ tlsm_ctx_subject_name(ctx), errcode,
++ PR_ErrorToString(errcode, PR_LANGUAGE_I_DEFAULT));
++ return result;
++ }
++
++ PK11SlotListElement *le;
++ for (le = slots->head; le && !result; le = le->next) {
++ PK11SlotInfo *slot = le->slot;
++ if (PK11_IsLoggedIn(slot, NULL))
++ result = slot;
++ }
++
++ PK11_FreeSlotList(slots);
++ return result;
++}
++
+ static SECStatus
+ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+ PRBool checksig, SECCertificateUsage certUsage, PRBool warn_only,
+@@ -1302,8 +1332,17 @@ tlsm_ctx_load_private_key(tlsm_ctx *ctx)
+ return 0;
+
+ void *pin_arg = SSL_RevealPinArg(ctx->tc_model);
++ PK11SlotInfo *unlockedSlot = tlsm_find_unlocked_slot(ctx);
++
++ Debug(LDAP_DEBUG_ANY,
++ "TLS: %s unlocked slot for certificate '%s'.\n",
++ unlockedSlot ? "found" : "no", tlsm_ctx_subject_name(ctx), 0);
++
++ if (unlockedSlot)
++ ctx->tc_private_key = PK11_FindKeyByDERCert(unlockedSlot, ctx->tc_certificate, pin_arg);
++ else
++ ctx->tc_private_key = PK11_FindKeyByAnyCert(ctx->tc_certificate, pin_arg);
+
+- ctx->tc_private_key = PK11_FindKeyByAnyCert(ctx->tc_certificate, pin_arg);
+ if (!ctx->tc_private_key) {
+ PRErrorCode errcode = PR_GetError();
+ Debug(LDAP_DEBUG_ANY,
+--
+1.7.11.4
+
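Review bot: In tlsm_find_unlocked_slot the pointer kept in `result` is returned after `PK11_FreeSlotList(slots)` has already released the list's reference to each slot, so tlsm_ctx_load_private_key ends up holding a slot pointer it never took a reference on; as far as I know NSS reference-counts PK11SlotInfo, so the loop should take its own reference, `result = PK11_ReferenceSlot(slot);`, and the caller should drop it after the key lookup, `PK11_FreeSlot(unlockedSlot);`. The error-path message `"TLS: cannot get all slots for certificate '%s' (error %d: %s)"` lacks the trailing `\n` that the other Debug calls, including the new one in tlsm_ctx_load_private_key, carry. That second Debug also logs "no unlocked slot" at LDAP_DEBUG_ANY on every key load although that is the ordinary outcome; LDAP_DEBUG_TRACE would be the usual level unless the noise is intended. tlsm_ctx_load_private_key begins and ends outside the quoted hunk.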