Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5976/ldapserver/ldap/servers/slapd
Modified Files:
ssl.c
Log Message:
Resolves: bug 224672
Bug Description: Get rid of key/cert db prefix
Reviewed by: nhosoi (Thanks!)
Fix Description: Now that we have everything in its own instance
specific directory, we do not need the troublesome key/cert database
prefix. This simplifies the slapd_nss_init code a great deal.
Platforms tested: RHEL4
Flag Day: no
Doc impact: YES - A couple of the pages on the wiki talk about slapd-instance-cert8.db and
so on - these pages will have to change once FDS 1.1 is released
Index: ssl.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/ssl.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- ssl.c 10 Nov 2006 23:45:40 -0000 1.11
+++ ssl.c 29 Jan 2007 16:46:25 -0000 1.12
@@ -424,146 +424,68 @@
* config. entries from dse.ldif are NOT available (used only when
* running in referral mode).
* As of DS6.1, the init_ssl flag passed is ignored.
+ *
+ * richm 20070126 - By default now we put the key/cert db files
+ * in an instance specific directory (the certdir directory) so
+ * we do not need a prefix any more.
*/
int
slapd_nss_init(int init_ssl, int config_available)
{
SECStatus secStatus;
PRErrorCode errorCode;
- char *keyfn = NULL;
- char *certfn = NULL;
- char *val = NULL;
- char certPref[1024];
- char keyPref[1024];
- char path[1024];
+ PRStatus status;
int rv = 0;
int len = 0;
PRUint32 nssFlags = 0;
- Slapi_Entry *ec = NULL;
char *certdir;
- if (config_available) {
- getConfigEntry( configDN, &ec );
- }
-
- if ( ec != NULL ) {
- certfn = slapi_entry_attr_get_charptr( ec, "nscertfile" );
- keyfn = slapi_entry_attr_get_charptr( ec, "nskeyfile" );
- slapi_entry_free (ec);
- ec = NULL;
- }
-
/* set in slapd_bootstrap_config,
thus certdir is available even if config_available is false */
certdir = config_get_certdir();
- PL_strncpyz(path, certdir, sizeof(path));
- slapi_ch_free_string(&certdir);
/* make sure path does not end in the path separator character */
- len = strlen(path);
- if (path[len-1] == '/' || path[len-1] == '\\') {
- path[len-1] = '\0';
- }
-
- /* get the server instance dir name from path:
- <sysconfig>/BRAND_DS/slapd-<id> */
- val = strrchr(path, '/');
- if (!val) {
- val = strrchr(path, '\\');
- }
- val++;
-
- if (keyfn && certfn) {
- if (is_abspath(certfn)) {
- warn_if_no_cert_file(certfn);
- /* first, initialize path from the certfn */
- PL_strncpyz(path, certfn, sizeof(path));
- /* extract path from cert db filename */
- val = strrchr(path, '/');
- if (!val) {
- val = strrchr(path, '\\');
- }
- *val = 0; /* path is initialized */
- /* next, init the cert db prefix */
- val++;
- PL_strncpyz(certPref, val, sizeof(certPref));
- } else {
- PL_strncpyz(val, certfn, sizeof(path)-(val-path));
- warn_if_no_cert_file(path); /* assumes certfn is relative to server root */
- val = strrchr(path, '/');
- if (!val) {
- val = strrchr(path, '\\');
- }
- val++;
- PL_strncpyz(certPref, val, sizeof(certPref));
- *val = '\0';
- }
- /* path represents now the base directory where cert, key, pin, and module db live */
- /* richm - use strrstr to get the last occurance of -cert in the string, in case
- the instance is named slapd-cert - the certdb name will be slapd-cert-cert7.db
- */
- val = PL_strrstr(certPref, "-cert");
- val++;
- *val = '\0';
- /* certPref keeps the prefix added to the cert db, usually "slapd-myserver-"
*/
-
- /* now find the key db prefix */
- val = strrchr(keyfn, '/');
- if (!val) {
- val = strrchr(keyfn, '\\');
- }
- if (val != NULL) {
- val++;
- } else {
- val = keyfn;
- }
- PL_strncpyz(keyPref, val, sizeof(keyPref));
- warn_if_no_key_file(path, keyPref);
- /* richm - use strrstr to get the last occurance of -key in the string, in case
- the instance is named slapd-key - the keydb name will be slapd-key-key3.db
- */
- val = PL_strrstr(keyPref, "-key");
- val++;
- *val = '\0';
- /* keypref keeps the prefix added to the key db, usually "slapd-myserver-"
*/
- } else {
- if ( config_get_security() ) {
- /* Have to have the key and cert file names to enable an SSL port */
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Failed to retrieve SSL "
- "configuration information ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
- "nskeyfile: %s, nscertfile: %s ",
- errorCode, slapd_pr_strerror(errorCode),
- (keyfn ? "found" : "not found"),
- (certfn ? "found" : "not found"));
- }
- PR_snprintf(certPref, sizeof(certPref), "%s-", val);
- PL_strncpyz(keyPref, certPref, sizeof(keyPref));
+ len = strlen(certdir);
+ if (certdir[len-1] == '/' || certdir[len-1] == '\\') {
+ certdir[len-1] = '\0';
}
- slapi_ch_free((void **) &certfn);
- slapi_ch_free((void **) &keyfn);
+ /* we open the key/cert db in rw mode, so make sure the directory
+ is writable */
+ if (PR_SUCCESS != (status = PR_Access(certdir, PR_ACCESS_WRITE_OK))) {
+ char *serveruser = "unknown";
+#ifndef _WIN32
+ serveruser = config_get_localuser();
+#endif
+ slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
+ "Warning: The key/cert database directory [%s] is not
writable by "
+ "the server uid [%s]: initialization likely to
fail.\n",
+ certdir, serveruser);
+#ifndef _WIN32
+ slapi_ch_free_string(&serveruser);
+#endif
+ }
/******** Initialise NSS *********/
nssFlags &= (~NSS_INIT_READONLY);
slapd_pk11_configurePKCS11(NULL, NULL, tokDes, ptokDes, NULL, NULL, NULL, NULL, 0, 0
);
- secStatus = NSS_Initialize(path, certPref, keyPref, "secmod.db", nssFlags);
+ secStatus = NSS_Initialize(certdir, NULL, NULL, "secmod.db", nssFlags);
- dongle_file_name = PR_smprintf("%s/%spin.txt", path, certPref);
+ dongle_file_name = PR_smprintf("%s/pin.txt", certdir);
if (secStatus != SECSuccess) {
errorCode = PR_GetError();
slapd_SSL_warn("Security Initialization: NSS initialization failed ("
SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
- "path: %s, certdb prefix: %s, keydb prefix: %s.",
- errorCode, slapd_pr_strerror(errorCode), path, certPref, keyPref);
+ "certdir: %s",
+ errorCode, slapd_pr_strerror(errorCode), certdir);
rv = -1;
}
/****** end of NSS Initialization ******/
+ slapi_ch_free_string(&certdir);
return rv;
}