On Fri, Oct 31, 2008 at 12:25 AM, Robert Relyea <[EMAIL PROTECTED]> wrote:
> Stanislav Brabec wrote:
>> Could it be implemented using CERT_DecodeDERCertificate()?
>>
>> extern CERTCertificate *
>> CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
>>
>
> Don't use CERT_DecodeDERCertificate. It's a private symbol that requires
> much care (it doesn't return a fully usable CERTCertificate *). To indicate
> this you will find that it's exported as __CERT_DecodeDERCertificate() and
> requires work to get to.
>
> Use CERT_NewTempCertificate() instead. Older versions of NSS exported this
> symbol as __CERT_NewTemp.... as well, but we've officially blessed it as
> safe. In nss 3.12 it's fully exported (the old symbol will continue to be
> available as well).
>
> Its signature is
>
> extern CERTCertificate *
> CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert,
>                          char *nickname, PRBool isperm, PRBool copyDER);
>
> handle is a historical dreg; passing it CERT_GetDefaultCertDB() is fine.
> Nickname can be NULL, isPerm should be set to FALSE (or it will try to load
> the cert into the default database).

I propose the included patch.

Notes:
- I used 0 for copyDER. But I don't know what it is used for.
- I have not tested the code. It compiles and all symbols are resolved.

Using libnss 1.8.0.15~pre080614d-0etch1 (from Debian Etch) I can compile
using CERT_NewTempCertificate() but the symbol is not found:
undefined symbol: CERT_NewTempCertificate (src/mappers/.libs/ldap_mapper.so)
Using __CERT_NewTempCertificate() works but it is not a nice name.

Using libnss 3.12.0-5 (from Debian Lenny, released soon) I can use
CERT_NewTempCertificate(). I do not plan to support Etch.

Does the patch look good to you, Bob?

bye

--
Dr. Ludovic Rousseau

Index: src/mappers/ldap_mapper.c =================================================================== --- src/mappers/ldap_mapper.c (révision 354) +++ src/mappers/ldap_mapper.c (copie de travail) @@ -757,7 +757,11 @@ static int ldap_get_certificate(const ch { /* SaW: not nifty, but otherwise gcc doesn't optimize */ bv_val = &bvals[rv]->bv_val; +#ifdef HAVE_NSS + ldap_x509[rv] = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), bv_val, NULL, 0, 0); +#else ldap_x509[rv] = d2i_X509(NULL, ((const unsigned char **) bv_val), bvals[rv]->bv_len); +#endif if (NULL == ldap_x509) { DBG1("d2i_X509() failed for certificate %d", rv); free(ldap_x509);
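
Review bot: In the HAVE_NSS branch, CERT_NewTempCertificate() receives bv_val, which the line above sets to &bvals[rv]->bv_val (the address of the data pointer), whereas the signature quoted earlier in this thread takes a SECItem *derCert; bvals[rv]->bv_len is also never passed, so the NSS path gets neither a valid item nor the length of the DER data. Fill in a SECItem whose data is bvals[rv]->bv_val and whose len is bvals[rv]->bv_len, and pass its address instead. The unchanged check that follows tests "NULL == ldap_x509" (the array) rather than ldap_x509[rv], and its DBG1 message names d2i_X509() for both branches, so a failed NSS decode would pass unnoticed or be misreported; that is worth correcting in the same change. The message also leaves the meaning of copyDER unconfirmed while passing 0; settle that before merging, since it determines whether the certificate keeps depending on the LDAP value buffer.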