Re: (ITS#6278) Patch - Enhancement - provide support for PEM files in MozNSS crypto - openldap-bugs

Friday, 28 August 2009

rmeggins(a)redhat.com wrote:
...
 Full_Name: Rich Megginson
 Version: 2.4.18 (current CVS HEAD)
 OS: Fedora
 URL: ftp://ftp.openldap.org/incoming/openldap-2.4.18-moznss-20090828.patch
 Submission from: (NULL) (76.113.59.19)

 This patch adds support for reading PEM encoded cert and key files to the MozNSS
 crypto implementation.  It depends on having the nsspem module library available
 somewhere for the runtime linker to find it (e.g. on a linux system, it uses
 dlopen() to load libnsspem.so).  This module is available on Fedora and is
 provided by the package nss-3.12.3.99.  Work is underway to incorporate the PEM
 module into MozNSS upstream at mozilla.org.  The current source code repository
 is
 git://fedorapeople.org/~rcritten/pemnss.git

 The tlsm_init code attempts to determine if you are using PEM files or are using
 a MozNSS key/cert database.  If you specify the TLS cacertdir directive, and
 that directory has valid key/cert databases in it, it will use them.  Otherwise,
 it will load the PEM module and attempt to load the certs and keys specified by
 cacertdir, cacertfile, certfile, and keyfile. 
Thanks. I tweaked the #includes this time around because /usr/include/nspr and 
/usr/include/nss already exist on my Ubuntu machine. Unfortunately, several of 
the nspr header files still use unqualified paths to reference each other, so 
you still need -I/usr/include/nspr to get this to compile successfully. 
Needless to say, I think nspr needs to be cleaned up a bit more before it's 
ready for primetime.

With that small change it compiles OK so I've committed it to HEAD.

I'm not too thrilled to see PL_strdup / PL_strfree and friends here; 
everything else in the source tree uses our wrappers that funnel into 
ber_memalloc and we rely on this for accounting, leak testing and other 
validation. (Not to mention avoiding silly crashes when running on Windows 
where each DLL has its own heap manager...) It looks like all of the uses are 
self-contained and won't escape this module so it's probably OK. I'd suggest 
overriding the NSPR malloc hooks but that would probably mess up any other 
applications.

We can probably roll this code into RE24 as well but I'm still going to omit 
the configure switch for the moment.

...
      This patch file is derived from OpenLDAP Software. All of the
 modifications to OpenLDAP Software represented in the following
 patch(es) were developed by Red Hat, Inc.. Red Hat, Inc. has not
 assigned rights and/or interest in this work to any party. I, Richard
 Megginson am authorized by Red Hat, Inc., my employer, to release this
 work under the following terms.

      Red Hat, Inc. hereby place the following modifications to OpenLDAP
 Software (and only these modifications) into the public domain. Hence,
 these modifications may be freely used and/or redistributed for any
 purpose with or without attribution and/or other notice.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

Re: (ITS#6278) Patch - Enhancement - provide support for PEM files in MozNSS crypto