Don't initialize NSS if we don't have to, clean up unused cert refs

Check to see if NSS is initialized before trying to do so again. If we are temporarily creating a certificate be sure to delete it in order to remove references to it and avoid NSS shutdown issues. In the certificate load validator shut down NSS if we end up initializing it. I'm not entirely sure why but this prevents a later shutdown issue if we are passed the --ca-cert-file option.
2025-02-25 18:55:28 -06:00 · 2013-01-16 13:20:14 -05:00 · 2013-01-16 13:20:14 -05:00 · 31e41eea6c
commit 31e41eea6c
parent a1991aeac1
2 changed files with 30 additions and 13 deletions
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@ -48,6 +48,7 @@ try:
    from ipapython.dn import DN
    from ipapython.ssh import SSHPublicKey
    from ipalib.rpc import delete_persistent_client_session_data
    import nss.nss as nss
    import SSSDConfig
    from ConfigParser import RawConfigParser
    from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError
@ -77,10 +78,15 @@ def parse_options():
        if not os.path.isabs(value):
            raise OptionValueError("%s option '%s' is not an absolute file path" % (opt, value))
        initialized = nss.nss_is_initialized()
        try:
            cert = x509.load_certificate_from_file(value)
        except Exception, e:
            raise OptionValueError("%s option '%s' is not a valid certificate file" % (opt, value))
        else:
            del(cert)
            if not initialized:
                nss.nss_shutdown()
        parser.values.ca_cert_file = value
@ -1372,6 +1378,8 @@ def get_ca_cert_from_file(url):
    except Exception, e:
        raise errors.FileError(reason =
            u"cannot write certificate file '%s': %s" % (CACERT, e))
    else:
        del(cert)
 def get_ca_cert_from_http(url, ca_file, warn=True):
    '''
@ -1478,6 +1486,8 @@ def validate_new_ca_cert(existing_ca_cert, ca_file, ask, override=False):
        root_logger.debug(
                "Existing CA cert and Retrieved CA cert are identical")
        os.remove(ca_file)
        del(existing_ca_cert)
        del(new_ca_cert)
 def get_ca_cert(fstore, options, server, basedn):
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@ -91,6 +91,7 @@ def load_certificate(data, datatype=PEM, dbdir=None):
        data = strip_header(data)
        data = base64.b64decode(data)
    if not nss.nss_is_initialized():
        if dbdir is None:
            if 'in_tree' in api.env:
                if api.env.in_tree:
@ -103,7 +104,6 @@ def load_certificate(data, datatype=PEM, dbdir=None):
        else:
            nss.nss_init(dbdir)
    return nss.Certificate(buffer(data))
 def load_certificate_chain_from_file(filename, dbdir=None):
@ -139,7 +139,9 @@ def get_subject(certificate, datatype=PEM, dbdir=None):
    """
    nsscert = load_certificate(certificate, datatype, dbdir)
-    return nsscert.subject
+    subject = nsscert.subject
    del(nsscert)
    return subject
 def get_issuer(certificate, datatype=PEM, dbdir=None):
    """
@ -147,14 +149,18 @@ def get_issuer(certificate, datatype=PEM, dbdir=None):
    """
    nsscert = load_certificate(certificate, datatype, dbdir)
-    return nsscert.issuer
+    issuer = nsscert.issuer
    del(nsscert)
    return issuer
 def get_serial_number(certificate, datatype=PEM, dbdir=None):
    """
    Return the decimal value of the serial number.
    """
    nsscert = load_certificate(certificate, datatype, dbdir)
-    return nsscert.serial_number
+    serial_number = nsscert.serial_number
    del(nsscert)
    return serial_number
 def make_pem(data):
    """
@ -230,6 +236,7 @@ def verify_cert_subject(ldap, hostname, dercert):
    nsscert = load_certificate(dercert, datatype=DER)
    subject = str(nsscert.subject)
    issuer = str(nsscert.issuer)
    del(nsscert)
    # Handle both supported forms of issuer, from selfsign and dogtag.
    if (not valid_issuer(issuer)):