Traverse tokens like we do with OpenSSL for NSS

When PKINIT is built with NSS, change how it traverses tokens to match
the way it's done when built using OpenSSL: ignore slot names (we used
to treat the token label as a possible slot label, too), and either only
look at the token with the specified label, or the first token if a no
token label was specified.

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 2ef8ffdc03be5af92b66d49483fb33c063476a80..f9e9b979aa305256d1d25d40ea785dd6ee0e3f17 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -2098,7 +2098,7 @@ crypto_load_pkcs11(krb5_context context,
     PK11SlotInfo *slot;
     char *spec;
     size_t spec_size;
-    const char *label, *id, *slotname, *tokenname;
+    const char *label, *id, *tokenname;
     SECStatus status;
     int i, j;
 
@@ -2166,21 +2166,16 @@ crypto_load_pkcs11(krb5_context context,
          (i < module->module->slotCount) &&
          ((slot = module->module->slots[i]) != NULL);
          i++) {
+        if (idopts->slotid != PK_NOSLOT) {
+            if (idopts->slotid != PK11_GetSlotID(slot))
+                continue;
+        }
+        tokenname = PK11_GetTokenName(slot);
+        if (tokenname == NULL || strlen(tokenname) == 0)
+            continue;
         if (idopts->token_label != NULL) {
-            label = idopts->token_label;
-            slotname = PK11_GetSlotName(slot);
-            tokenname = PK11_GetTokenName(slot);
-            if ((slotname != NULL) && (tokenname != NULL)) {
-                if ((strcmp(label, slotname) != 0) &&
-                    (strcmp(label, tokenname) != 0))
-                    continue;
-            } else if (slotname != NULL) {
-                if (strcmp(label, slotname) != 0)
-                    continue;
-            } else if (tokenname != NULL) {
-                if (strcmp(label, tokenname) != 0)
-                    continue;
-            }
+            if (strcmp(idopts->cert_label, tokenname) != 0)
+                continue;
         }
         /* Load private keys and their certs from this slot. */
         label = idopts->cert_label;
@@ -2188,6 +2183,10 @@ crypto_load_pkcs11(krb5_context context,
         if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx,
                                                 slot, label, id) == 0)
             status = SECSuccess;
+        /* If no label was specified, then we've looked at a token, so we're
+         * done. */
+        if (idopts->token_label == NULL)
+            break;
     }
     return status;
 }