[27117] in CVS-changelog-for-Kerberos-V5


krb5 commit: Sanity-check loading keys and certs from PEM files

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Oct 15 11:42:49 2012

Date: Mon, 15 Oct 2012 11:42:46 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201210151542.q9FFgklq003216@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/3a747275b650a003ae81f0479e1202b10b2ea466
commit 3a747275b650a003ae81f0479e1202b10b2ea466
Author: Nalin Dahyabhai <nalin@redhat.com>
Date:   Tue Oct 9 13:41:46 2012 -0400

    Sanity-check loading keys and certs from PEM files
    
    Print a debug message if we're unable to locate the matching private key
    for a certificate when we've just loaded both of them from PEM files.

 src/plugins/preauth/pkinit/pkinit_crypto_nss.c |   15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 2f93a86..1aa5779 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -2402,6 +2402,7 @@ crypto_load_files(krb5_context context,
     CERTCertificate *cert;
     CERTCertList *before, *after;
     CERTCertListNode *anode, *bnode;
+    SECKEYPrivateKey *key;
     CK_ATTRIBUTE attrs[4];
     CK_BBOOL cktrue = CK_TRUE, cktrust;
     CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY, certclass = CKO_CERTIFICATE;
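Review bot: The new local "SECKEYPrivateKey *key;" is declared at function scope, but in the lines shown it is only used inside the "if ((keyfile != NULL) && (obj->cert != NULL))" block added by the next hunk. Declaring it at the top of that block would keep its lifetime next to the lookup and the matching destroy call, and make it harder to pair the wrong pointer with SECKEY_DestroyPrivateKey().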
@@ -2555,6 +2556,20 @@ crypto_load_files(krb5_context context,
         if (before != NULL) {
             CERT_DestroyCertList(before);
         }
+        if ((keyfile != NULL) && (obj->cert != NULL)) {
+            key = PK11_FindPrivateKeyFromCert(slot, obj->cert,
+                                              crypto_pwcb_prep(id_cryptoctx,
+                                                               context));
+            if (key == NULL) {
+                pkiDebug("%s: no key private found for \"%s\"(%s), "
+                         "even though we just loaded that key?\n",
+                         __FUNCTION__,
+                         obj->cert->nickname ?
+                         obj->cert->nickname : "(no name)",
+                         certfile);
+            } else
+                SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey);
+        }
     }
 
     /* If we succeeded to this point, or more likely didn't do anything
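Review bot: The else branch calls SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey) instead of releasing the key that PK11_FindPrivateKeyFromCert() just returned. As written, the looked-up key reference is never freed, and the request context's DH private key is destroyed while nothing in the hunk resets that pointer, which leaves it dangling for any later use or second free. The call should be SECKEY_DestroyPrivateKey(key). Two smaller points: the debug string says "no key private found" where "no private key found" is presumably meant, and the else arm should be braced to match the braced if arm. The commit message describes this as a sanity check that only prints a debug message, so a missing key does not fail the load; a short comment in the code saying that this is deliberate would help.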