PR#104: Improve NSS token handling - - Pagure.io

Static archive. pagure.io was sunset in 2026; this is a read-only snapshot.

certmonger

#104 Improve NSS token handling

Merged Oct 1, 2018 by rcritten. Opened Sep 5, 2018 by rcritten.

rcritten/certmonger tokens into master

Use only PK11_ImportCert to import certs, not CERT_ImportCerts

Rob Crittenden • Sep 25, 2018

15d406ee3afbb52832d5c61a1afb735724d109a2

Log test failures of bad pin

Rob Crittenden • Sep 25, 2018

e93ecadec7c868f4227e084ffb65c70a6efd7314

Ensure that an OpenSSL random seed file exists when testing

Rob Crittenden • Sep 25, 2018

697dd085e7b2ce15eefc454509987270131d7f1e

Only de-duplicate certificates within the same token

Rob Crittenden • Sep 25, 2018

6ebe5695a626c6cd254b249bbebf9846bcb936c0

Add utility function to get the internal token name

Rob Crittenden • Sep 25, 2018

f396b19b2c222fa0a50e9bb9704059af4578e678

Include the token name when a PIN is provided but is unused

Rob Crittenden • Sep 25, 2018

c029b32c04a9a5993b9c8715fb82421fee613137

Use the correct slot when saving certificates in NSS

Rob Crittenden • Sep 25, 2018

3da0e186904ad81dd87cf74bfae88270f14bb770

Download 104.patch

rcritten commented Sep 5, 2018

Certificates could not be saved to the appropriate token. They were always stored in the NSS certificate database and in the case of a token we may not have access to it. This also affects de-duplication where other tokens are no longer examined.

The NSS p11-kit-proxy introduced in F29 makes extra tokens visible at all times which was confusing certmonger because in some cases it was trying to authenticate to the wrong token.

Note that most of the changes are simply moving code into deeper nesting. The big change in certsave-n.c is to find the right token and authenticate to it.

If no token is specified (for cert or key) then the internal NSS token is assumed.

The final change is related to the tests. Apparently $HOME/.rnd is required for some openssl commands but not created automatically? I just need to ensure it exists for the tests to pass.

rcritten commented Sep 17, 2018

Note that I've found a few more places where token handling isn't correct. It doesn't cause things to blow up but it does mean that certs seem to be saved both to the internal token and to the named token. I'm still investigating.

1 new commit added

Use only PK11_ImportCert to import certs, not CERT_ImportCerts

Sep 18, 2018

cheimes commented Sep 25, 2018

Why do you check for strlen() != 0, too?

rcritten commented Sep 25, 2018

Yeah, probably not needed. I don't know that an empty token value is even allowed. Maybe it was an attempt to save a strcmp? I can remove it.

rebased onto 3da0e186904ad81dd87cf74bfae88270f14bb770

Sep 25, 2018

Pull-Request has been merged by rcritten

Oct 1, 2018

Metadata

Assignee

None

Tags

No Tags

Changes Summary 9

file changed

src/certread-n.c

file changed

src/certsave-n.c

file changed

file changed

src/keyiread-n.c

file changed

file changed

file changed

file changed

tests/Makefile.am

file changed

tests/tools/certsave.c

Static archive. pagure.io was sunset in 2026; this is a read-only snapshot.

Fedora is sponsored by Red Hat. Learn more about the relationship between Red Hat and Fedora »

© Red Hat, Inc. and others.