From d0de7701d44c7a75210a9cb04634913ce3a94bfb Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Nov 26 2015 15:34:32 +0000
Subject: p11: check if cert is valid before selecting it

Currently the first certificate was selected and if it was not valid p11_child just returned an error. With this patch the validity is checked first and the first valid certificate is selected.

Resolves https://fedorahosted.org/sssd/ticket/2801

Reviewed-by: Jakub Hrozek
---
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 41d9fd1..39c88d9 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -272,6 +272,18 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
 cert_list_node->cert->nickname,
 cert_list_node->cert->subjectName);
 
+ rv = CERT_VerifyCertificateNow(handle, cert_list_node->cert,
+ PR_TRUE, certificateUsageSSLClient,
+ NULL, NULL);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Certificate [%s][%s] not valid [%d], skipping.\n",
+ cert_list_node->cert->nickname,
+ cert_list_node->cert->subjectName, PR_GetError());
+ continue;
+ }
+
+
 if (found_cert == NULL) {
 found_cert = cert_list_node->cert;
 } else {
@@ -291,16 +303,6 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
 goto done;
 }
 
- rv = CERT_VerifyCertificateNow(handle, found_cert, PR_TRUE,
- certificateUsageSSLClient, NULL, NULL);
- if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE,
- "CERT_VerifyCertificateNow failed [%d].\n",
- PR_GetError());
- ret = EIO;
- goto done;
- }
-
 if (mode == OP_AUTH) {
 rv = PK11_GenerateRandom(random_value, sizeof(random_value));
 if (rv != SECSuccess) {
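Review bot: When every certificate on the token fails CERT_VerifyCertificateNow(), the new loop in the first hunk leaves found_cert NULL and the only trace is one SSSDBG_OP_FAILURE line per certificate, whereas the block removed in the second hunk returned EIO; the post-loop handling of a NULL found_cert (its `goto done;` is the first context line of the second hunk, the check itself and do_work() as a whole lie outside both hunks) presumably reports "no certificate found", so the caller can no longer tell "no certificate" from "all certificates invalid" and a summary log line on that path would help. The skip also deserves a comment above the added call so the next reader does not re-add a hard failure, e.g. `/* Only certificates that verify for SSL client usage at the current time are candidates; an expired or untrusted cert is skipped so it cannot shadow a later valid one. */`. The two consecutive added blank lines before `if (found_cert == NULL) {` should be collapsed to one.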