fix: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR

Resolves: #857455

openldap-nss-certs-from-certdb-fallback-pem.patch

@@ -0,0 +1,80 @@
+MozNSS: load certificates from certdb, fallback to PEM
+
+If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS certificate database, the backend assumed that
+the certificate is always located in the certificate database. This assumption might be wrong. This patch makes the
+library to try to load the certificate from NSS database and fallback to PEM file if unsuccessfull.
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7389
+Resolves: #857455
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 7ebcd24..634f9d9 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key(tlsm_ctx *ctx)
+ 	/* prefer unlocked key, then key from opened certdb, then any other */
+ 	if (unlocked_key)
+ 		ctx->tc_private_key = unlocked_key;
+-	else if (ctx->tc_certdb_slot)
++	else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
+ 		ctx->tc_private_key = PK11_FindKeyByDERCert(ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg);
+ 	else
+ 		ctx->tc_private_key = PK11_FindKeyByAnyCert(ctx->tc_certificate, pin_arg);
+@@ -1906,8 +1906,6 @@ tlsm_deferred_init( void *arg )
+ 				}
+ 				return -1;
+ 			}
+-
+-			ctx->tc_using_pem = PR_TRUE;
+ 		}
+ 
+ 		NSS_SetDomesticPolicy();
+@@ -2360,15 +2358,9 @@ tlsm_deferred_ctx_init( void *arg )
+ 
+ 	/* set up our cert and key, if any */
+ 	if ( lt->lt_certfile ) {
+-		/* if using the PEM module, load the PEM file specified by lt_certfile */
+-		/* otherwise, assume this is the name of a cert already in the db */
+-		if ( ctx->tc_using_pem ) {
+-			/* this sets ctx->tc_certificate to the correct value */
+-			int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE );
+-			if ( rc ) {
+-				return rc;
+-			}
+-		} else {
++
++		/* first search in certdb (lt_certfile is nickname) */
++		if ( ctx->tc_certdb ) {
+ 			char *tmp_certname;
+ 
+ 			if (tlsm_is_tokenname_certnick(lt->lt_certfile)) {
+@@ -2388,9 +2380,24 @@ tlsm_deferred_ctx_init( void *arg )
+ 				Debug( LDAP_DEBUG_ANY,
+ 					   "TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
+ 					   lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+-				return -1;
+ 			}
+ 		}
++
++		/* fallback to PEM module (lt_certfile is filename) */
++		if ( !ctx->tc_certificate && pem_module ) {
++			/* this sets ctx->tc_certificate to the correct value */
++			if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
++				ctx->tc_using_pem = PR_TRUE;
++			}
++		}
++
++		if ( ctx->tc_certificate ) {
++			Debug( LDAP_DEBUG_ANY,
++				   "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile,
++				   ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
++		} else {
++			return -1;
++		}
+ 	}
+ 
+ 	if ( lt->lt_keyfile ) {
+-- 
+1.7.11.4
+

openldap.spec

@@ -46,6 +46,7 @@ Patch14: openldap-nss-update-list-of-ciphers.patch
 Patch15: openldap-tls-no-reuse-of-tls_session.patch
 Patch16: openldap-nss-regex-search-hashed-cacert-dir.patch
 Patch17: openldap-nss-ignore-certdb-sql-prefix.patch
+Patch18: openldap-nss-certs-from-certdb-fallback-pem.patch
 
 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
@@ -165,6 +166,7 @@ ln -s %{_includedir}/nspr4 include/nspr
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
 
 %patch101 -p1
 
@@ -627,6 +629,7 @@ exit 0
 - fix: connection hangs after fallback to second server when certificate hostname verification fails (#852476)
 - fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded (#852786)
 - fix: MozNSS certificate database in SQL format cannot be used (#857390)
+- fix: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455)
 
 * Mon Aug 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-2
 - enhancement: TLS, prefer private keys from authenticated slots