Bug 1282627 - Merge can be confused with a modified trust flags set.

r=franziskus
sailfishos-mirror · Oct 26, 2016 · a2b66d9 · a2b66d9
1 parent 96d63cf
commit a2b66d9
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 6 deletions.
diff --git a/lib/pk11wrap/pk11merge.c b/lib/pk11wrap/pk11merge.c
@@ -61,20 +61,45 @@ pk11_copyAttributes(PLArenaPool *arena,
 	PK11SlotInfo *sourceSlot, CK_OBJECT_HANDLE sourceID,
 	CK_ATTRIBUTE *copyTemplate, CK_ULONG copyTemplateCount)
 {
-    SECStatus rv = PK11_GetAttributes(arena, sourceSlot, sourceID, 
+    SECStatus rv;
+    CK_ATTRIBUTE *newTemplate = NULL;
+    CK_RV crv;
+
+    crv  = PK11_GetAttributes(arena, sourceSlot, sourceID,
+				copyTemplate, copyTemplateCount);
+    /* if we have missing attributes, just skip them and create the object */
+    if (crv == CKR_ATTRIBUTE_TYPE_INVALID) {
+	int i,j;
+	newTemplate = PORT_NewArray(CK_ATTRIBUTE, copyTemplateCount);
+	/* remove the unknown attributes. If we don't have enough attributes
+	 * PK11_CreateNewObject() will fail */
+	for (i=0,j=0; i < copyTemplateCount; i++) {
+	    if (copyTemplate[i].ulValueLen != -1) {
+		newTemplate[j] = copyTemplate[i];
+		j++;
+	    }
+	}
+	copyTemplate = newTemplate;
+	copyTemplateCount = j;
+    	crv  = PK11_GetAttributes(arena, sourceSlot, sourceID,
 				copyTemplate, copyTemplateCount);
-    if (rv != SECSuccess) {
-	return rv;
+    }
+    if (crv != CKR_OK) {
+ 	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
     }
     if (targetID == CK_INVALID_HANDLE) {
 	/* we need to create the object */
-	rv = PK11_CreateNewObject(targetSlot, CK_INVALID_SESSION, 
+	rv = PK11_CreateNewObject(targetSlot, CK_INVALID_SESSION,
 		copyTemplate, copyTemplateCount, PR_TRUE, &targetID);
     } else {
 	/* update the existing object with the new attributes */
-	rv = pk11_setAttributes(targetSlot, targetID, 
+	rv = pk11_setAttributes(targetSlot, targetID,
 			copyTemplate, copyTemplateCount);
     }
+    if (newTemplate) {
+	free(newTemplate);
+    }
     return rv;
 }
 

diff --git a/tests/merge/merge.sh b/tests/merge/merge.sh
@@ -104,7 +104,9 @@ merge_init()
   certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}
   certutil -N -d ${CONFLICT2DIR} -f ${R_PWFILE}
   certutil -A -n Alice -t ,, -i ${R_CADIR}/TestUser41.cert -d ${CONFLICT1DIR}
-  certutil -A -n "Alice #1" -t ,, -i ${R_CADIR}/TestUser42.cert -d ${CONFLICT1DIR}
+  # modify CONFLICTDIR potentially corrupting the database
+  certutil -A -n "Alice #1" -t C,, -i ${R_CADIR}/TestUser42.cert -d ${CONFLICT1DIR} -f ${R_PWFILE}
+  certutil -M -n "Alice #1" -t ,, -d ${CONFLICT1DIR} -f ${R_PWFILE}
   certutil -A -n "Alice #99" -t ,, -i ${R_CADIR}/TestUser43.cert -d ${CONFLICT1DIR}
   certutil -A -n Alice -t ,, -i ${R_CADIR}/TestUser44.cert -d ${CONFLICT2DIR}
   certutil -A -n "Alice #1" -t ,, -i ${R_CADIR}/TestUser45.cert -d ${CONFLICT2DIR}
@@ -268,5 +270,8 @@ merge_cleanup()
 
 merge_init
 merge_main
+echo "TEST_MODE=${TEST_MODE}"
+echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
 merge_cleanup
 
+