[Fedora-directory-commits] adminserver/admserv/cgi-src40 security.c, 1.18, 1.19

Richard Allen Megginson rmeggins at fedoraproject.org
Mon Dec 15 20:06:58 UTC 2008


Author: rmeggins

Update of /cvs/dirsec/adminserver/admserv/cgi-src40
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29896/adminserver/admserv/cgi-src40

Modified Files:
	security.c 
Log Message:
Resolves: bug 426439
Bug Description: Unable to load CRL file for a DS instance - when it's placed under /etc/dirsrv/slapd-INSTANCE
Reviewed by: nhosoi (Thanks!)
Fix Description: The main problem was that it was not using the getSecurityDir function to get the security dir based on the SIE passed in.  This function is called in main after getting the SIE.  I changed the code to set this value in a static variable that can be used throughout the program.
In addition, I found and fixed some other bugs related to CRL handling:
1) The code did not work with ASCII CRLs generated by newer versions of crlutil which use the BEGIN CRL header.  I added processing for that header type.
2) The code did not handle date/time in generalized time format.  I added code to format the date/time based on the type of date/time stored in the CRL.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no



Index: security.c
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/security.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- security.c	11 Dec 2008 18:06:42 -0000	1.18
+++ security.c	15 Dec 2008 20:06:55 -0000	1.19
@@ -39,6 +39,7 @@
 #include "certt.h"
 #include "key.h"
 #include "secport.h"
+#include "secder.h"
 #include "plstr.h"
 #include "prsystem.h"
 
@@ -102,6 +103,8 @@
 #define X509CRLFOOTER "-----END X509 CRL-----"
 #define CRLHEADER "-----BEGIN CERTIFICATE REVOCATION LIST-----\n"
 #define CRLFOOTER "-----END CERTIFICATE REVOCATION LIST-----\n"
+#define NEWCRLHEADER "-----BEGIN CRL-----"
+#define NEWCRLFOOTER "-----END CRL-----"
 /*#else
 #define HEADER "-----BEGIN CERTIFICATE----\n"
 #define FOOTER "\n-----END CERTIFICATE-----\n"
@@ -113,6 +116,8 @@
 CERTCertDBHandle *certdb = NULL;
 char line[BIG_LINE];
 
+static char *securitydir; /* based on the sie - security dir for ds or as */
+
 #define RESOURCE_FILE "security"
 
 /* main resource string */
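Review bot: The comment on the new file-scope `securitydir` does not say who sets it or that it stays NULL until then; main() loses its local of the same name at the end of this diff, but the assignment itself is not in view, and the CRL-load and moduleOperation hunks now hand this pointer straight to util_verify_file_or_dir and PR_snprintf. Suggest `static char *securitydir = NULL; /* security dir of the DS or AS instance named by the SIE; set once in main() before any handler runs, NULL until then */`. Each handler that builds a path from it would also benefit from an explicit `if (!securitydir) { /* report and bail */ }` guard rather than relying on the callees to reject a NULL directory, since the old util_get_security_dir() locals they replaced could not be NULL in the same way.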
@@ -385,6 +390,28 @@
   }
 }
 
+static char *
+formatDateTime(SECItem *timechoice)
+{
+  PRTime decodedTime = 0;
+
+  /* decode the time into the integral value */
+  if (SECSuccess != DER_DecodeTimeChoice(&decodedTime, timechoice)) {
+    return NULL;
+  }
+  switch (timechoice->type) {
+  case siUTCTime:
+    return DER_UTCTimeToAscii(timechoice);
+    break;
+  case siGeneralizedTime:
+    return CERT_GenTime2FormattedAscii(decodedTime, "%a %b %d %H:%M:%S %Y");
+    break;
+  default:
+    return NULL;
+  }
+
+  return NULL;
+}
 /*
  * Fingerprint (MD5) for a cert
  */
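Review bot: The `break` after each `return` in formatDateTime is unreachable, and so is the trailing `return NULL` after a switch whose every arm returns; removing those three lines leaves the control flow easier to read. `decodedTime` is consumed only in the siGeneralizedTime arm, so in the siUTCTime arm the DER_DecodeTimeChoice call acts purely as validation, which deserves a one-line comment because it otherwise reads like a leftover. The function also has no header comment; as far as I recall both DER_UTCTimeToAscii and CERT_GenTime2FormattedAscii return NSS-allocated strings, and none of the new call sites frees the result, so ownership should be stated, e.g. `/* Render a DER UTCTime or GeneralizedTime as text. Returns NULL if the value cannot be decoded or is of an unsupported type; a non-NULL result is allocated by NSS and should be PORT_Free'd by the caller. */`.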
@@ -581,13 +608,13 @@
 
    fprintf(stdout, "\t<TRUST>%d</TRUST>\n\t<AFTERDATE>%s</AFTERDATE>\n",
            trustBit,
-           processNullString((char*)DER_UTCTimeToAscii(&cert->validity.notAfter)));
+           processNullString((char*)formatDateTime(&cert->validity.notAfter)));
 
    fprintf(stdout, "\t<FINGERPRINT>%s</FINGERPRINT>\n", processNullString(getMD5Fingerprint(cert)));
 
     if (showDetail) {
        fprintf(stdout, "\t<BEFOREDATE>%s</BEFOREDATE>\n", 
-               processNullString((char*)DER_UTCTimeToAscii(&cert->validity.notBefore)));
+               processNullString((char*)formatDateTime(&cert->validity.notBefore)));
 
        fprintf(stdout, "\t<SERIAL>%s</SERIAL>\n", processNullString(Hexify((&cert->serialNumber))));
 
@@ -732,7 +759,7 @@
         if (entry != NULL) {
           fprintf(stdout, "\t<ENTRY%d>\n", x);
           fprintf(stdout, "\t\t<SERIAL_NUMBER>%s</SERIAL_NUMBER>\n", processNullString(Hexify(&entry->serialNumber)));
-          fprintf(stdout, "\t\t<REVOKE_DATE>%s</REVOKE_DATE>\n",DER_UTCTimeToAscii(&entry->revocationDate));
+          fprintf(stdout, "\t\t<REVOKE_DATE>%s</REVOKE_DATE>\n",formatDateTime(&entry->revocationDate));
           fprintf(stdout, "\t</ENTRY%d>\n", x);
           x++;
         } else {
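Review bot: formatDateTime can return NULL (decode failure or an unsupported time type), and the REVOKE_DATE line passes that result straight to `%s`, which is undefined behaviour in fprintf; the LAST_UPDATE and NEXT_UPDATE lines in the next hunk do the same, whereas the certificate paths earlier in this diff wrap the same call in processNullString. Suggest `fprintf(stdout, "\t\t<REVOKE_DATE>%s</REVOKE_DATE>\n", processNullString(formatDateTime(&entry->revocationDate)));` and the same wrapper for the two CRL update fields. The replaced DER_UTCTimeToAscii calls had the same exposure, but the new helper adds a second NULL path (the type switch), so it is worth closing now. The enclosing function starts before and continues past this hunk.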
@@ -743,8 +770,8 @@
   }
 
   fprintf(stdout, "\t<LAST_UPDATE>%s</LAST_UPDATE>\n\t<NEXT_UPDATE>%s</NEXT_UPDATE>\n\t<TYPE>%s</TYPE>\n", 
-          DER_UTCTimeToAscii(&crl->crl.lastUpdate),
-          DER_UTCTimeToAscii(&crl->crl.nextUpdate),
+          formatDateTime(&crl->crl.lastUpdate),
+          formatDateTime(&crl->crl.nextUpdate),
           list_type==SEC_CRL_TYPE?"CRL":"CKL");
 
 }
@@ -1496,13 +1523,12 @@
   CERTSignedCrl *signed_crl, *excrl, *crl_rv = NULL;
   SECItem derCrl;
   char msg[BIG_LINE];
-  char *secdir = util_get_security_dir();
   char full_path[PATH_MAX];
 
   int list_type = (type && !PORT_Strcmp(type, "CKL"))? SEC_KRL_TYPE : SEC_CRL_TYPE;
   if (!filename || !*filename ||
       !util_is_valid_path_string(filename) ||
-      !util_verify_file_or_dir(secdir, PR_FILE_DIRECTORY, filename, -1, PR_FILE_FILE)) {
+      !util_verify_file_or_dir(securitydir, PR_FILE_DIRECTORY, filename, -1, PR_FILE_FILE)) {
 	  /* invalid file */
       PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), filename);
       errorRpt(FILE_ERROR, msg);
@@ -1511,7 +1537,7 @@
   {/*try open the file*/
     FILE *f;
 
-    PR_snprintf(full_path, sizeof(full_path), "%s%c%s", secdir, FILE_PATHSEP, filename);
+    PR_snprintf(full_path, sizeof(full_path), "%s%c%s", securitydir, FILE_PATHSEP, filename);
     
     if( !(f = fopen(full_path, "rb")) )  {
       PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), full_path);
@@ -1558,12 +1584,19 @@
     if (begin == NULL) {
         begin = (char*) PORT_Strstr((const char*)ascii, X509CRLHEADER);
         headerlen = strlen(X509CRLHEADER);
+        if (begin == NULL) {
+            begin = (char*) PORT_Strstr((const char*)ascii, NEWCRLHEADER);
+            headerlen = strlen(NEWCRLHEADER);
+        }
     } else {
         headerlen = strlen(CRLHEADER);
     }
 
     if (end == NULL) {
         end = (char*) PORT_Strstr((const char*)ascii, X509CRLFOOTER);
+        if (end == NULL) {
+            end = (char*) PORT_Strstr((const char*)ascii, NEWCRLFOOTER);
+        }
     }
 
     if ((begin != NULL) && (end != NULL)) {
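Review bot: The footer search is independent of which header matched, so `begin` can come from one marker family and `end` from another, and nothing checks that `end` lies after `begin + headerlen`; if the length handed to the decoder below (outside the hunk) is computed as `end - (begin + headerlen)`, a footer that precedes the header would produce a negative or huge length. Searching for the footer only from the matched header onwards, and only for the footer that pairs with it, removes both problems; the CRLHEADER branch's existing fallback can stay as it is. This assumes the lines above the hunk seed `begin`/`end` from CRLHEADER/CRLFOOTER, which is not visible here. The enclosing function starts and ends outside this hunk.
```c
    if (begin == NULL) {
        begin = (char*) PORT_Strstr((const char*)ascii, X509CRLHEADER);
        if (begin != NULL) {
            headerlen = strlen(X509CRLHEADER);
            /* look for the matching footer only after the header we found */
            end = (char*) PORT_Strstr(begin + headerlen, X509CRLFOOTER);
        } else {
            begin = (char*) PORT_Strstr((const char*)ascii, NEWCRLHEADER);
            if (begin != NULL) {
                headerlen = strlen(NEWCRLHEADER);
                end = (char*) PORT_Strstr(begin + headerlen, NEWCRLFOOTER);
            }
        }
    } else {
        headerlen = strlen(CRLHEADER);
        /* … unchanged: existing CRLFOOTER/X509CRLFOOTER fallback for the legacy header … */
    }
    /* … unchanged: (begin != NULL) && (end != NULL) decoding body … */
```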
@@ -1799,7 +1832,6 @@
 static void moduleOperation(char* op) {
   const char *binary = "modutil"; /* PATH and LD_LIBRARY_PATH must already be set correctly */
   const char *install_dir = LIBDIR;
-  const char *database_dir = util_get_security_dir();
   char *filename, *filetype, *dllname;
   char cmd[BIG_LINE];
   char msg[BIG_LINE];
@@ -1813,7 +1845,7 @@
     }
     PR_snprintf(cmd, sizeof(cmd), "%s -dbdir %s -force -nocertdb -delete \"%s\" 2>&1",
             binary,
-            database_dir,
+            securitydir,
             dllname);
 
   } else if (!PORT_Strcmp(op, "add")) {
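Review bot: `-dbdir %s` interpolates `securitydir` into the modutil command line unquoted, while `dllname` on the same line is quoted; the `2>&1` suffix suggests the string is handed to a shell, so a directory containing a space or a shell metacharacter would split or alter the command. That was already true of the `database_dir` it replaces, but the value now varies with the SIE instead of being a single configured directory, so the exposure is wider. Suggest `"%s -dbdir \"%s\" -force -nocertdb -delete \"%s\" 2>&1"` here and the same quoting for the two `-dbdir %s` formats in the later moduleOperation hunk. The enclosing function continues past this hunk.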
@@ -1821,9 +1853,9 @@
     filename = getParameter("filename",getResourceString(DBT_MISSING_FILE));
     filetype = getParameter("format",getResourceString(DBT_MISSING_FORMAT));
 
-    /* see if filename exists in database_dir (securitydir) */
+    /* see if filename exists in securitydir */
     if(!util_is_valid_path_string(filename) ||
-       !util_verify_file_or_dir(database_dir, PR_FILE_DIRECTORY, filename, -1, PR_FILE_FILE)) {
+       !util_verify_file_or_dir(securitydir, PR_FILE_DIRECTORY, filename, -1, PR_FILE_FILE)) {
       PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), filename);
       rpt_err(FILE_ERROR, msg, NULL, NULL);
     }
@@ -1848,11 +1880,11 @@
               binary,
               filename,
               install_dir,
-              database_dir);
+              securitydir);
     else if (!PORT_Strcmp(filetype, "dll"))
       PR_snprintf(cmd, sizeof(cmd), "%s -dbdir %s -add \"%s\" -libfile %s -force -nocertdb 2>&1",
               binary,
-              database_dir,
+              securitydir,
               dllname,
               filename);
 
@@ -1931,7 +1963,6 @@
   /* cgi env setup */
   int _ai = ADMUTIL_Init();
   char * m = getenv("REQUEST_METHOD");
-  char *securitydir = NULL; /* looked up via sie */
   char msg[BIG_LINE];
   AdmldapInfo ldapInfo; /* our config */
   int rc = 0;



