From 3a747275b650a003ae81f0479e1202b10b2ea466 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 9 Oct 2012 13:41:46 -0400 Subject: [PATCH] Sanity-check loading keys and certs from PEM files Print a debug message if we're unable to locate the matching private key for a certificate when we've just loaded both of them from PEM files. --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index 2f93a86e08..1aa5779cd5 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -2402,6 +2402,7 @@ crypto_load_files(krb5_context context, CERTCertificate *cert; CERTCertList *before, *after; CERTCertListNode *anode, *bnode; + SECKEYPrivateKey *key; CK_ATTRIBUTE attrs[4]; CK_BBOOL cktrue = CK_TRUE, cktrust; CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY, certclass = CKO_CERTIFICATE; @@ -2555,6 +2556,20 @@ crypto_load_files(krb5_context context, if (before != NULL) { CERT_DestroyCertList(before); } + if ((keyfile != NULL) && (obj->cert != NULL)) { + key = PK11_FindPrivateKeyFromCert(slot, obj->cert, + crypto_pwcb_prep(id_cryptoctx, + context)); + if (key == NULL) { + pkiDebug("%s: no key private found for \"%s\"(%s), " + "even though we just loaded that key?\n", + __FUNCTION__, + obj->cert->nickname ? + obj->cert->nickname : "(no name)", + certfile); + } else + SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey); + } } /* If we succeeded to this point, or more likely didn't do anything -- 2.47.3