[evolution/gnome-2-30] Bug 626066 - log in to NSS database on demand for changing trust



commit 12415fd17113335a36d37d32add346fb7c802824
Author: David Woodhouse <David Woodhouse intel com>
Date:   Mon Sep 13 20:59:45 2010 +0100

    Bug 626066 - log in to NSS database on demand for changing trust

 smime/gui/cert-trust-dialog.c   |    4 ++--
 smime/gui/certificate-manager.c |    8 ++------
 smime/lib/e-cert-db.c           |   31 +++++++++++++++++++++++++++++--
 smime/lib/e-cert-db.h           |    3 +++
 4 files changed, 36 insertions(+), 10 deletions(-)
---
diff --git a/smime/gui/cert-trust-dialog.c b/smime/gui/cert-trust-dialog.c
index 9c87c66..66ce69b 100644
--- a/smime/gui/cert-trust-dialog.c
+++ b/smime/gui/cert-trust-dialog.c
@@ -73,7 +73,7 @@ ctd_response(GtkWidget *w, guint id, CertTrustDialogData *data)
 		e_cert_trust_add_peer_trust (&trust, FALSE,
 					     gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON (data->trust_button)),
 					     FALSE);
-		CERT_ChangeCertTrust (CERT_GetDefaultCertDB(), icert, &trust);
+		e_cert_db_change_cert_trust (icert, &trust);
 		break;
 	case GTK_RESPONSE_ACCEPT: {
 		/* just *what on earth* was chris thinking here!?!?!  copied from certificate-manager.c */
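Review bot: The gboolean result of `e_cert_db_change_cert_trust (icert, &trust)` is discarded here, and the same holds for the second call in ctd_response and for the call in edit_ca in certificate-manager.c. The helper returns FALSE when CERT_ChangeCertTrust still fails after the login attempt, so the dialog can close with the trust bits unchanged and nothing reported, which matters for a setting that decides whether a CA or peer certificate is trusted. At minimum check the result, e.g. `if (!e_cert_db_change_cert_trust (icert, &trust)) g_warning ("Failed to change certificate trust");`, and preferably surface the failure in the dialog. ctd_response starts and ends outside this hunk.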
@@ -101,7 +101,7 @@ ctd_response(GtkWidget *w, guint id, CertTrustDialogData *data)
 						   trust_email,
 						   trust_objsign);
 
-			CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), icert, &trust);
+			e_cert_db_change_cert_trust (icert, &trust);
 		}
 
 		gtk_widget_destroy (dialog);
diff --git a/smime/gui/certificate-manager.c b/smime/gui/certificate-manager.c
index f0c68f2..a59b54e 100644
--- a/smime/gui/certificate-manager.c
+++ b/smime/gui/certificate-manager.c
@@ -592,7 +592,7 @@ edit_ca (GtkWidget *widget, CertificateManagerData *cfm)
 							   trust_email,
 							   trust_objsign);
 
-				CERT_ChangeCertTrust (CERT_GetDefaultCertDB(), icert, &trust);
+				e_cert_db_change_cert_trust (icert, &trust);
 			}
 
 			gtk_widget_destroy (dialog);
@@ -1000,15 +1000,11 @@ certificate_manager_config_init (EShell *shell)
 	CertificateManagerData *cfm_data;
 	GtkWidget *preferences_window;
 	GtkWidget *widget;
-	PK11SlotInfo* slot;
-	ECertDB *cert_db;
 
 	g_return_if_fail (E_IS_SHELL (shell));
 
 	/* We need to peek the db here to make sure it (and NSS) are fully initialized. */
-	cert_db = e_cert_db_peek();
-	slot = PK11_GetInternalKeySlot();
-	e_cert_db_login_to_slot(cert_db, slot);
+	e_cert_db_peek ();
 
 	cfm_data = g_new0 (CertificateManagerData, 1);
 
diff --git a/smime/lib/e-cert-db.c b/smime/lib/e-cert-db.c
index 52545f3..c3517ba 100644
--- a/smime/lib/e-cert-db.c
+++ b/smime/lib/e-cert-db.c
@@ -66,6 +66,7 @@
 #include "p12plcy.h"
 #include "pk11func.h"
 #include "nssckbi.h"
+#include <secerr.h>
 #include "secmod.h"
 #include "certdb.h"
 #include "plstr.h"
@@ -716,6 +717,16 @@ handle_ca_cert_download(ECertDB *cert_db, GList *certs, GError **error)
 		srv = CERT_AddTempCertToPerm(tmpCert,
 					     nickname,
 					     &trust);
+		/*
+		  If this fails with SEC_ERROR_TOKEN_NOT_LOGGED_IN, it seems
+		  that the import *has* worked, but the setting of trust bits
+		  failed -- so only set the trust. This *has* to be an NSS bug?
+		*/
+		if (srv != SECSuccess &&
+		    PORT_GetError () == SEC_ERROR_TOKEN_NOT_LOGGED_IN &&
+		    e_cert_db_login_to_slot (NULL, PK11_GetInternalKeySlot()))
+			srv = CERT_ChangeCertTrust (CERT_GetDefaultCertDB (),
+						    tmpCert, &trust);
 
 		if (srv != SECSuccess) {
 			/* XXX gerror */
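Review bot: `PK11_GetInternalKeySlot()` returns a slot reference that the caller is expected to release with `PK11_FreeSlot`, but the retry added here passes it straight into `e_cert_db_login_to_slot` and never frees it; the new `e_cert_db_change_cert_trust` in the next hunk of this file does the same. Unless e_cert_db_login_to_slot takes ownership of the slot (its body is not visible here), every retry leaks one reference. Holding the slot in a local also allows a NULL check before the login attempt. handle_ca_cert_download starts and ends outside this hunk.

```c
		/* … unchanged: CERT_AddTempCertToPerm call and explanatory comment … */
		if (srv != SECSuccess &&
		    PORT_GetError () == SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
			PK11SlotInfo *slot = PK11_GetInternalKeySlot ();

			if (slot) {
				if (e_cert_db_login_to_slot (NULL, slot))
					srv = CERT_ChangeCertTrust (CERT_GetDefaultCertDB (),
								    tmpCert, &trust);
				/* drop the reference taken by PK11_GetInternalKeySlot */
				PK11_FreeSlot (slot);
			}
		}
```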
@@ -752,6 +763,23 @@ handle_ca_cert_download(ECertDB *cert_db, GList *certs, GError **error)
 		return TRUE;
 	}
 }
+gboolean e_cert_db_change_cert_trust(CERTCertificate *cert, CERTCertTrust *trust)
+{
+	SECStatus srv;
+
+	srv = CERT_ChangeCertTrust (CERT_GetDefaultCertDB (),
+				    cert, trust);
+	if (srv != SECSuccess &&
+	    PORT_GetError () == SEC_ERROR_TOKEN_NOT_LOGGED_IN &&
+	    e_cert_db_login_to_slot (NULL, PK11_GetInternalKeySlot()))
+		srv = CERT_ChangeCertTrust (CERT_GetDefaultCertDB (),
+					    cert, trust);
+
+	if (srv != SECSuccess)
+		return FALSE;
+	return TRUE;
+}
+
 
 /* deleting certificates */
 gboolean
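Review bot: e_cert_db_change_cert_trust is a new public function with no comment saying that it may log in to the internal key slot as a side effect, which GUI callers need to know. Suggested comment above the definition: `/* Change the trust bits of cert in the default cert DB; on SEC_ERROR_TOKEN_NOT_LOGGED_IN, log in to the internal key slot and retry once. Returns TRUE on success. */`. The definition also puts the return type on the same line as the name and has no blank line after the preceding function, unlike `gboolean` / `e_cert_db_delete_cert` just below it. The tail can be shortened to `return srv == SECSuccess;`.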
@@ -779,8 +807,7 @@ e_cert_db_delete_cert (ECertDB *certdb,
 		CERTCertTrust trust;
 
 		e_cert_trust_init_with_values (&trust, 0, 0, 0);
-		srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),
-					   cert, &trust);
+		srv = e_cert_db_change_cert_trust (cert, &trust);
 	}
 
 	/*PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("cert deleted: %d", srv));*/
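Review bot: `srv = e_cert_db_change_cert_trust (cert, &trust);` stores a gboolean in a variable that previously held the SECStatus from CERT_ChangeCertTrust, and the two use opposite conventions: the helper returns TRUE (non-zero) on success, while SECSuccess is 0. The declaration of srv and the function's return statement are outside the hunk. If srv is still tested as a SECStatus afterwards, a successful distrust of the deleted certificate is reported as a failure and a failed one as success. Keep the two types apart, e.g. `if (!e_cert_db_change_cert_trust (cert, &trust)) srv = SECFailure;`, assuming srv starts out as SECSuccess.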
diff --git a/smime/lib/e-cert-db.h b/smime/lib/e-cert-db.h
index 0e19e00..25c8dfd 100644
--- a/smime/lib/e-cert-db.h
+++ b/smime/lib/e-cert-db.h
@@ -135,4 +135,7 @@ gboolean             e_cert_db_export_pkcs12_file (ECertDB *cert_db,
 gboolean             e_cert_db_login_to_slot      (ECertDB *cert_db,
 						   PK11SlotInfo *slot);
 
+gboolean	     e_cert_db_change_cert_trust  (CERTCertificate *cert,
+						   CERTCertTrust *trust);
+
 #endif /* _E_CERT_DB_H_ */


