From b4279d5328b8746d7c87e24e196f31f99df06392 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 18 Jan 2023 16:20:28 +0100
Subject: [PATCH 1/3] pobject: logout when a new encrypted private key is loaded

This forces CKFW to call pem_mdSession_Login() each time we load a new encrypted private key into nss-pem. Otherwise it would be called only for the first encrypted private key and an attempt to use the other keys would fail later on with: `The key does not support the requested operation.`
Bug: https://bugzilla.redhat.com/2121064
Upstream-commit: 25312ae55da718690fb68a13cfc709efcab17162
Signed-off-by: Kamil Dudka
---
 src/pobject.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/pobject.c b/src/pobject.c
index a86640e..bd9d330 100644
--- a/src/pobject.c
+++ b/src/pobject.c
@@ -1267,6 +1267,7 @@ pem_CreateObject
 /* FIXME: dirty hack relying on NSS internals */
 CK_SESSION_HANDLE hSession = NSSCKFWInstance_FindSessionHandle(fwInstance, fwSession);
+ NSSCKFWC_Logout(fwInstance, hSession);
 NSSCKFWInstance_DestroySessionHandle(fwInstance, hSession);
 } else {
 *pError = CKR_KEY_UNEXTRACTABLE;
--
2.39.2
From d85beb202c9fd6d976f8dced54b32b994a0f8181 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 18 Jan 2023 16:28:30 +0100
Subject: [PATCH 2/3] psession: find the key to decrypt in reverse order

If we attempt to decrypt a key that is already decrypted, curl fails with a misleading error: `Unable to load client key: Incorrect password`. In practice, we usually want to decrypt the key that was loaded the last time. Reversing the order of search through the global array makes nss-pem work in a scenario where 2 distinct encrypted private keys are used.
Bug: https://bugzilla.redhat.com/2121064
Upstream-commit: b29f61b52ef622c071b0451255a84b081511bc7b
Signed-off-by: Kamil Dudka
---
 src/psession.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/psession.c b/src/psession.c
index 13a5e5d..1aebd81 100644
--- a/src/psession.c
+++ b/src/psession.c
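Review bot: The new `NSSCKFWC_Logout(fwInstance, hSession);` ignores the `CK_RV` it returns, so a failed logout is silent and the destroy on the next line runs regardless, which means the re-login this commit depends on (`pem_mdSession_Login()` per the description) may never be triggered for the key just loaded. Since the comment above already calls this a hack on NSS internals, make the intent and the failure mode explicit: `/* force a re-login so the key loaded here is decrypted on first use */` and `if (NSSCKFWC_Logout(fwInstance, hSession) != CKR_OK) { /* TODO: decide whether this must fail pem_CreateObject */ }`. If `NSSCKFWInstance_FindSessionHandle` can return `CK_INVALID_HANDLE`, `hSession` should also be checked before being passed on; I cannot confirm that from the hunk. `pem_CreateObject` begins and ends outside the hunk.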
@@ -256,7 +256,7 @@ pem_mdSession_Login
 token_needsLogin[slotID - 1] = PR_FALSE;
 /* Find the right key object */
- list_for_each_entry(curObj, &pem_objs, gl_list) {
+ list_for_each_entry_reverse(curObj, &pem_objs, gl_list) {
 if ((slotID == curObj->slotID) && (curObj->type == pemBareKey)) {
 io = curObj;
 break;
--
2.39.2
From f1087f6ab4e6514c0dbc8cfa320ca207bfa78f7b Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Thu, 16 Feb 2023 15:55:15 +0100
Subject: [PATCH 3/3] pobject: include to avoid implicit function declaration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

```
src/pobject.c: In function ‘pem_CreateObject’:
src/pobject.c:1249:13: warning: implicit declaration of function ‘NSSCKFWC_Logout’ [-Wimplicit-function-declaration]
 1249 | NSSCKFWC_Logout(fwInstance, hSession);
 | ^~~~~~~~~~~~~~~
```
This is a follow-up commit to nss-pem-1.0.8-5-g25312ae which introduced the warning.
Closes: https://github.com/kdudka/nss-pem/pull/15
Upstream-commit: 9e160fce7a3aa0e6167400b0dc5cbb7f400585c1
Signed-off-by: Kamil Dudka
---
 src/pobject.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/pobject.c b/src/pobject.c
index bd9d330..1d918dd 100644
--- a/src/pobject.c
+++ b/src/pobject.c
@@ -46,6 +46,7 @@
 #include
 #include
+#include
 #include
 #include
--
2.39.2
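Review bot: The switch to `list_for_each_entry_reverse` makes the key lookup depend on the insertion order of `pem_objs`, but nothing in the code says why, so the next reader will not know that earlier entries may already be decrypted and must not be retried. Add a comment above the loop, e.g. `/* Search newest first: an earlier bare key for this slot may already be decrypted, and decrypting it again fails with a misleading "Incorrect password" */`. The match condition still tests only `slotID` and `pemBareKey`, so if the object records whether it has already been decrypted, filtering on that state would be more robust than ordering alone; I cannot tell from the hunk whether such a field exists. `pem_mdSession_Login` and the handling of an unmatched `io` lie outside the hunk.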