krb5 commit: In PKINIT NSS crypto, support encrypted PEM keys

Greg Hudson ghudson at MIT.EDU
Mon May 13 02:00:07 EDT 2013 

https://github.com/krb5/krb5/commit/f190b7abe307a005b9f58a634c53d06a3a3381ee
commit f190b7abe307a005b9f58a634c53d06a3a3381ee
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Wed Apr 24 15:29:27 2013 -0400

    In PKINIT NSS crypto, support encrypted PEM keys
    
    When the PEM module is given an encrypted key, it changes its token
    flags to indicate that a password is required (by setting needs-login)
    to signal the application that we need to supply a password to decrypt
    it.  Attempts to load any other items will fail until the flag is
    cleared.
    
    If we detect that the flag is set after we've attempted to load a
    private key, attempt to "log in" to the "token" using a password.  Even
    if we fail, the token will reset its needs-login flag, which is
    necessary before we can import anything else.

 src/plugins/preauth/pkinit/pkinit_crypto_nss.c |   26 ++++++++++++++++++++++++
 1 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 0c798b5..d5b49e7 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -2642,6 +2642,32 @@ crypto_load_files(krb5_context context,
             }
         }
 
+        /* "Log in" (provide an encryption password) if the PEM slot now
+         * requires it. */
+        PK11_TokenRefresh(slot);
+
+        /*
+         * Unlike most tokens, this one won't self-destruct if we throw wrong
+         * passwords at it, but it will cause the module to clear the
+         * needs-login flag so that we can continue importing PEM items.
+         */
+        if (!PK11_IsLoggedIn(slot, crypto_pwcb_prep(id_cryptoctx,
+                                                    context)) &&
+            PK11_NeedLogin(slot)) {
+            pkiDebug("%s: logging in to token \"%s\"\n",
+                     __FUNCTION__, PK11_GetTokenName(slot));
+            if (PK11_Authenticate(slot, PR_TRUE,
+                                  crypto_pwcb_prep(id_cryptoctx,
+                                                   context)) != SECSuccess) {
+                pkiDebug("%s: error logging into \"%s\": %s, skipping\n",
+                         __FUNCTION__, PK11_GetTokenName(slot),
+                         PORT_ErrorToName(PORT_GetError()));
+                status = SECFailure;
+                PK11_DestroyGenericObject(kobj->obj);
+                kobj->obj = NULL;
+            }
+        }
+
         /* If we loaded a key and a certificate, see if they match. */
         if (cobj != NULL && cobj->cert != NULL && kobj->obj != NULL) {
             key = PK11_FindPrivateKeyFromCert(slot, cobj->cert,

More information about the cvs-krb5 mailing list