From 62275e72ff0b9849c899f0fecea90731fff9da0a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 Dec 2017 17:08:33 +0100
Subject: [PATCH 84/86] p11_child: make sure OCSP checks are done
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If CERT_VerifyCertificateNow() is used with
'certificateUsageCheckAllUsages' OCSP checks are skipped even if OCSP
was enabled.
This patch calls CERT_CheckOCSPStatus() explicitly if OCSP checks are
enabled.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 2297cc7d6cd5c38a7d64027165e4e82ca497f418)
---
src/p11_child/p11_child_nss.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 21c508eb1b1b68b3606d0a5eed36573b01f27a19..bf533f3efe4d680f4c6dbd10a0d2c5a5da371c67 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -338,6 +338,23 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
PR_GetError(), PORT_ErrorToString(PR_GetError()));
continue;
}
+
+ /* with 'certificateUsageCheckAllUsages' set
+ * CERT_VerifyCertificateNow() does not do OCSP so it must be done
+ * explicitly */
+ if (cert_verify_opts->do_ocsp) {
+ rv = CERT_CheckOCSPStatus(handle, cert_list_node->cert,
+ PR_Now(), NULL);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Certificate [%s][%s] failed OCSP check [%d][%s], "
+ "skipping.\n",
+ cert_list_node->cert->nickname,
+ cert_list_node->cert->subjectName,
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
+ continue;
+ }
+ }
}
if (key_id_in != NULL) {
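Review bot: On the new `if (rv != SECSuccess)` branch every non-success return from CERT_CheckOCSPStatus() skips the certificate, so a responder that is unreachable or misconfigured is handled the same way as a revoked certificate — fail closed, which is the conservative choice for a credential check, but the new comment does not say so. Whether a transport or responder error is even reported as SECFailure here depends, if I recall NSS correctly, on the OCSP failure mode configured on the cert handle (CERT_SetOCSPFailureMode), which is set outside this hunk; I would extend the added comment with `* Any failure, including an unreachable responder (subject to the OCSP failure mode configured on the handle), makes us skip this certificate.` Note also that the call checks only the leaf certificate's status, which is consistent with what the commit message says the non-'all usages' path would have done, and that `rv`, `handle` and `cert_verify_opts` are declared outside the hunk; do_work() continues beyond it.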
--
2.14.3