201483 - libssldap client auth cert callback does not work with dual-key certs

Status: RESOLVED FIXED

(Directory :: LDAP C SDK, defect)

Description

[Mark Smith [:mcs]]

See NSS bug 201259 - "Default SSL client auth callback NSS_GetClientAuthData
does not work with dual-key certs."

The same fix needs to be made to the get_keyandcert() function in
mozilla/directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c.

Comment 1

[Mark Smith [:mcs]]

-> TM 5.14

Comment 2

[Rich Megginson]

Attachment: diffs for fix

I basically just made the same fix as in the referenced NSS bug.

Comment 3

[Mark Smith [:mcs]]

Comment on attachment 231609 [details]
diffs for fix

Looking at the implementation of CERT_FindUserCertByUsage(),  I am worried that because we pass NULL for the proto_win parameter it will no longer find certs. that are located on tokens.  See: http://lxr.mozilla.org/seamonkey/source/security/nss/lib/certhigh/certhigh.c#270

Comment 4

[Rich Megginson]

Attachment: new diffs

It looks like the proto_win/wincx void * is a bit of a misnomer - it doesn't appear to have anything to do with windows, it is merely any context (like session context) that the caller of NSS needs to keep track of.  Also, it looks like everywhere get_keyandcert() is called the LDAPSSLSessionInfo *ssip must be non-NULL, so it should always find the cert.  This version calls PK11_SetPasswordFunc first, then finds the cert and key.

Comment 5

[Mark Smith [:mcs]]

Comment on attachment 231769 [details]
new diffs

Looks good to me.  Some smoke testing might be in order if you have not already done some.

Comment 6

[Rich Megginson]

I did some smoke testing, including with startTLS, which is how I found bug 
347033 :-)  Please reassign to me or close.  Thanks!
Checking in ldapsinit.c;
/cvsroot/mozilla/directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c,v  <--  ldapsinit.c
new revision: 5.13; previous revision: 5.12
done

Comment 7

[Mark Smith [:mcs]]

Closed.