static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
char *key_file)
{
PK11SlotInfo *slot;
SECStatus status;
CURLcode rv;
struct ssl_connect_data *ssl = conn->ssl;
(void)sockindex; /* unused */
rv = nss_create_object(ssl, CKO_PRIVATE_KEY, key_file, FALSE);
if(CURLE_OK != rv) {
PR_SetError(SEC_ERROR_BAD_KEY, 0);
return rv;
}
slot = PK11_FindSlotByName("PEM Token #1");
if(!slot)
return CURLE_SSL_CERTPROBLEM;
/* This will force the token to be seen as re-inserted */
SECMOD_WaitForAnyTokenEvent(mod, 0, 0);
PK11_IsPresent(slot);
status = PK11_Authenticate(slot, PR_TRUE,
conn->data->set.str[STRING_KEY_PASSWD]);
PK11_FreeSlot(slot);
return (SECSuccess == status)
? CURLE_OK
: CURLE_SSL_CERTPROBLEM;
}
static int nss_load_key(struct connectdata *conn, int sockindex,
char *key_file)
{
#ifdef HAVE_PK11_CREATEGENERICOBJECT
PK11SlotInfo *slot;
SECStatus status;
struct ssl_connect_data *ssl = conn->ssl;
if(CURLE_OK != nss_create_object(ssl, CKO_PRIVATE_KEY, key_file, FALSE)) {
PR_SetError(SEC_ERROR_BAD_KEY, 0);
return 0;
}
slot = PK11_FindSlotByName("PEM Token #1");
if(!slot)
return 0;
/* This will force the token to be seen as re-inserted */
SECMOD_WaitForAnyTokenEvent(mod, 0, 0);
PK11_IsPresent(slot);
status = PK11_Authenticate(slot, PR_TRUE,
conn->data->set.str[STRING_KEY_PASSWD]);
PK11_FreeSlot(slot);
return (SECSuccess == status) ? 1 : 0;
#else
/* If we don't have PK11_CreateGenericObject then we can't load a file-based
* key.
*/
(void)conn; /* unused */
(void)key_file; /* unused */
return 0;
#endif
}
static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
const char *filename, PRBool cacert)
{
CURLcode err = (cacert)
? CURLE_SSL_CACERT_BADFILE
: CURLE_SSL_CERTPROBLEM;
#ifdef HAVE_PK11_CREATEGENERICOBJECT
/* libnsspem.so leaks memory if the requested file does not exist. For more
* details, go to <https://bugzilla.redhat.com/734760>. */
if(is_file(filename))
err = nss_create_object(ssl, CKO_CERTIFICATE, filename, cacert);
if(CURLE_OK == err && !cacert) {
/* we have successfully loaded a client certificate */
CERTCertificate *cert;
char *nickname = NULL;
char *n = strrchr(filename, '/');
if(n)
n++;
/* The following undocumented magic helps to avoid a SIGSEGV on call
* of PK11_ReadRawAttribute() from SelectClientCert() when using an
* immature version of libnsspem.so. For more details, go to
* <https://bugzilla.redhat.com/733685>. */
nickname = aprintf("PEM Token #1:%s", n);
if(nickname) {
cert = PK11_FindCertFromNickname(nickname, NULL);
if(cert)
CERT_DestroyCertificate(cert);
free(nickname);
}
}
#endif
return err;
}
static int nss_load_cert(struct ssl_connect_data *ssl,
const char *filename, PRBool cacert)
{
#ifdef HAVE_PK11_CREATEGENERICOBJECT
/* All CA and trust objects go into slot 0. Other slots are used
* for storing certificates.
*/
const int slot_id = (cacert) ? 0 : 1;
#endif
CERTCertificate *cert;
char *nickname = NULL;
char *n = NULL;
/* If there is no slash in the filename it is assumed to be a regular
* NSS nickname.
*/
if(is_file(filename)) {
n = strrchr(filename, '/');
if(n)
n++;
if(!mod)
return 1;
}
else {
/* A nickname from the NSS internal database */
if(cacert)
return 0; /* You can't specify an NSS CA nickname this way */
nickname = strdup(filename);
if(!nickname)
return 0;
goto done;
}
#ifdef HAVE_PK11_CREATEGENERICOBJECT
nickname = aprintf("PEM Token #%d:%s", slot_id, n);
if(!nickname)
return 0;
if(CURLE_OK != nss_create_object(ssl, CKO_CERTIFICATE, filename, cacert)) {
free(nickname);
return 0;
}
#else
/* We don't have PK11_CreateGenericObject but a file-based cert was passed
* in. We need to fail.
*/
return 0;
#endif
done:
/* Double-check that the certificate or nickname requested exists in
* either the token or the NSS certificate database.
*/
if(!cacert) {
cert = PK11_FindCertFromNickname((char *)nickname, NULL);
/* An invalid nickname was passed in */
if(cert == NULL) {
free(nickname);
PR_SetError(SEC_ERROR_UNKNOWN_CERT, 0);
return 0;
}
CERT_DestroyCertificate(cert);
}
free(nickname);
return 1;
}
