krb5 commit: Sanity-check loading keys and certs from PEM files
Greg Hudson
ghudson at MIT.EDU
Mon Oct 15 11:42:46 EDT 2012
https://github.com/krb5/krb5/commit/3a747275b650a003ae81f0479e1202b10b2ea466
commit 3a747275b650a003ae81f0479e1202b10b2ea466
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Tue Oct 9 13:41:46 2012 -0400
Sanity-check loading keys and certs from PEM files
Print a debug message if we're unable to locate the matching private key
for a certificate when we've just loaded both of them from PEM files.
src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 15 +++++++++++++++
1 files changed, 15 insertions(+), 0 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 2f93a86..1aa5779 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -2402,6 +2402,7 @@ crypto_load_files(krb5_context context,
CERTCertificate *cert;
CERTCertList *before, *after;
CERTCertListNode *anode, *bnode;
+ SECKEYPrivateKey *key;
CK_ATTRIBUTE attrs[4];
CK_BBOOL cktrue = CK_TRUE, cktrust;
CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY, certclass = CKO_CERTIFICATE;
@@ -2555,6 +2556,20 @@ crypto_load_files(krb5_context context,
if (before != NULL) {
CERT_DestroyCertList(before);
}
+ if ((keyfile != NULL) && (obj->cert != NULL)) {
+ key = PK11_FindPrivateKeyFromCert(slot, obj->cert,
+ crypto_pwcb_prep(id_cryptoctx,
+ context));
+ if (key == NULL) {
+ pkiDebug("%s: no key private found for \"%s\"(%s), "
+ "even though we just loaded that key?\n",
+ __FUNCTION__,
+ obj->cert->nickname ?
+ obj->cert->nickname : "(no name)",
+ certfile);
+ } else
+ SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey);
+ }
}
/* If we succeeded to this point, or more likely didn't do anything
More information about the cvs-krb5
mailing list