From 6805a1a5a274b9059dae15188cfaaaae58393438 Mon Sep 17 00:00:00 2001
From: Stan Cox
Date: Thu, 25 Mar 2021 09:39:01 -0400
Subject: [PATCH] Add workaround to set trust for new client certificates

The nss switchover from dbm to sql results in CERT_ChangeCertTrust not changing the trust so call certutil in those instances to set it manually.
---
 client-nss.cxx | 33 +++++++++++++++++++++++++++++++++
 nsscommon.cxx | 2 +-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/client-nss.cxx b/client-nss.cxx
index 55266feb7..6acb4d30a 100644
--- a/client-nss.cxx
+++ b/client-nss.cxx
@@ -472,6 +472,26 @@ isIPv6LinkLocal (const PRNetAddr &address)
 return false;
 }
 
+/* Begin sql: change trust workaround */
+static int change_cert_trust() __attribute((unused));
+static int
+change_cert_trust ()
+{
+ /* certutil will find the last added certificate, which should be the one
+ * just added in nss_trustNewServer that CERT_ChangeCertTrust failed for.
+ */
+ vector cmd
+ {
+ "certutil", "-M", "-t", "P,P,P"
+ };
+ cmd.push_back ("-d");
+ cmd.push_back (local_client_cert_db_path());
+ cmd.push_back ("-n");
+ cmd.push_back (server_cert_nickname());
+ return stap_system (false, cmd);
+}
+/* End sql: change trust workaround */
+
 static int
 client_connect (const compile_server_info &server,
 const char* infileName, const char* outfileName,
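Review bot: The trust string `"P,P,P"` marks the certificate a trusted peer for SSL, e-mail and object signing at once, which is probably wider than the flags CERT_ChangeCertTrust sets in nss_trustNewServer (not visible here); if that call only sets SSL trust, `"certutil", "-M", "-t", "P,,"` keeps the workaround at the same scope. The `__attribute((unused))` forward declaration exists only because the sole caller in the second hunk sits under `#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 55)`; wrapping this definition in the same guard would drop the extra declaration and make that dependency explicit. The comment says certutil finds the "last added" certificate, yet the command selects by `-n` nickname, so the comment should state what certutil does when several stored certificates share that nickname, since marking the wrong one trusted is a silent trust change. Passing the command as an argument vector rather than a shell string keeps the db path and nickname from being interpreted by a shell, which is the right call. In this rendering `vector cmd` appears to have lost its template argument.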
@@ -512,6 +532,19 @@ client_connect (const compile_server_info &server,
 errCode = NSS_SERVER_CERT_EXPIRED_ERROR;
 return errCode;
 case SEC_ERROR_CA_CERT_INVALID:
+ /* Begin sql: change trust workaround */
+ /* TODO Fix trust without using certutil
+ * The nss switch from dbm: to sql: results in change trust failing;
+ * using certutil and retrying is a workaround */
+#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 55)
+ case SEC_ERROR_INVALID_ALGORITHM:
+ if (!change_cert_trust ())
+ {
+ sleep (1);
+ break;
+ }
+#endif
+ /* End sql: change trust workaround */
 /* The server's certificate is not trusted. The exit code must reflect
 this. */
 errCode = NSS_CA_CERT_INVALID_ERROR;
diff --git a/nsscommon.cxx b/nsscommon.cxx
index cb2928f23..77bcfcb1d 100644
--- a/nsscommon.cxx
+++ b/nsscommon.cxx
@@ -65,7 +65,7 @@ server_cert_nickname ()
 string
 add_cert_db_prefix (const string &db_path)
 {
-#if 0 && ((NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 37))
+#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 55)
 // https://wiki.mozilla.org/NSS_Shared_DB
 if (db_path.find (':') == string::npos)
 return string("sql:") + db_path;
-- 
2.43.5
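Review bot: `if (!change_cert_trust ())` runs on every SEC_ERROR_CA_CERT_INVALID with no visible check that this connection attempt actually added a certificate through nss_trustNewServer, so for an untrusted server the user never asked to trust, certutil would still modify whichever stored certificate carries the nickname; gate the call on the same condition that led to nss_trustNewServer being called (the trust-new-server parameter is outside the hunk). The `break` relies on the enclosing loop in client_connect, which starts and ends outside the hunk, to reconnect; unless that loop is bounded, a certificate certutil keeps "fixing" but NSS keeps rejecting would spin with one-second sleeps, so the workaround should be attempted at most once per connection. `sleep (1)` carries no explanation; a one-line comment saying what the delay waits for would save the next reader from guessing. The version test duplicates the one in add_cert_db_prefix in nsscommon.cxx (third hunk); a single macro defined once, e.g. `NSS_USES_SQL_DB` (constructed name), would keep the retry path and the `sql:` prefix from diverging when one threshold is bumped.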
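Review bot: Enabling the `sql:` prefix changes which database NSS opens for an existing, unprefixed db_path: an sql-format database lives in cert9.db/key4.db beside the dbm-format cert8.db/key3.db, so a client whose directory only holds the dbm files would open (or create) an empty trust store and silently stop trusting servers it trusted before; the hunk shows no migration or existence check, and whether one exists elsewhere is not visible here. The new threshold `NSS_VMINOR >= 55` is also undocumented: the previously disabled guard used 37 and the commit message only cites the dbm-to-sql switchover, so a reader cannot tell whether 3.55 is the release that changed the default format or the version the workaround was validated against; a comment next to the `#if` stating which it is would settle that. The `#else` branch of add_cert_db_prefix lies outside the hunk.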