#126 Fix handling of NSS tokens
Merged 4 years ago by rcritten. Opened 4 years ago by rcritten.
rcritten/certmonger nomoddb  into  master

file modified
+1 -2
@@ -111,8 +111,7 @@ 

  					break;

  				default:

  					flags = NSS_INIT_READONLY |

- 						NSS_INIT_NOROOTINIT |

- 						NSS_INIT_NOMODDB;

+ 						NSS_INIT_NOROOTINIT;

  					/* Sigh.  Not a lot of detail.  Check

  					 * if we succeed in read-only mode,

  					 * which we'll interpret as lack of
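Review bot: The PR description says the permission-probing opens keep NSS_INIT_NOMODDB and re-open later, yet this `default:` branch, which the comment below describes as a read-only probe whose failure is interpreted as a permissions problem, drops NOMODDB from `flags`. If that is intended, the module database (secmod.db or pkcs11.txt, per the updated test expectations on this page) is now part of what this probe can fail on, and the `/* Sigh. ... */` comment should say so, e.g. `/* The module DB is loaded here too, so a missing or unreadable secmod.db/pkcs11.txt also makes this probe fail. */`. The enclosing switch and function start and end outside the hunk.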

file modified
+16 -17
@@ -157,27 +157,22 @@ 

  		cm_log(1, "Unable to open NSS database.\n");

  		_exit(status);

  	}

+     /* Re-open the database with modules enabled */

+ 	NSS_ShutdownContext(ctx);

+ 	ctx = NSS_InitContext(entry->cm_cert_storage_location,

+ 			      NULL, NULL, NULL, NULL,

+ 			      (readwrite ? 0 : NSS_INIT_READONLY) |

+ 			      NSS_INIT_NOROOTINIT);

  	es = util_n_fips_hook();

  	if (es != NULL) {

  		cm_log(1, "Error putting NSS into FIPS mode: %s\n", es);

  		_exit(CM_SUB_STATUS_ERROR_INITIALIZING);

  	}

- 	/* Allocate a memory pool. */

- 	arena = PORT_NewArena(sizeof(double));

- 	if (arena == NULL) {

- 		cm_log(1, "Error opening database '%s'.\n",

- 		       entry->cm_cert_storage_location);

- 		if (NSS_ShutdownContext(ctx) != SECSuccess) {

- 			cm_log(1, "Error shutting down NSS.\n");

- 		}

- 		_exit(ENOMEM);

- 	}

  	/* Find the tokens that we might use for cert storage. */

  	mech = CKM_RSA_X_509;

  	slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);

  	if (slotlist == NULL) {

  		cm_log(1, "Error getting list of tokens.\n");

- 		PORT_FreeArena(arena, PR_TRUE);

  		if (NSS_ShutdownContext(ctx) != SECSuccess) {

  			cm_log(1, "Error shutting down NSS.\n");

  		}
@@ -249,6 +244,7 @@ 

  		}

  		/* If we need to log in in order to read certificates, do so. */

  		if (PK11_NeedLogin(sle->slot)) {

+ 			cm_log(3, "Need login to token %s\n", PK11_GetTokenName(sle->slot));

  			if (cm_pin_read_for_cert(entry, &pin) != 0) {

  				cm_log(1, "Error reading PIN for cert db, "

  				       "skipping.\n");
@@ -272,13 +268,19 @@ 

  		/* Walk the list of certificates in the slot, looking for one

  		 * which matches the specified nickname. */

  		certs = PK11_ListCertsInSlot(sle->slot);

+ 		cm_log(3, "Looking for %s\n", entry->cm_cert_nickname);

  		if (certs != NULL) {

  			for (node = CERT_LIST_HEAD(certs);

  			     !CERT_LIST_EMPTY(certs) &&

  			     !CERT_LIST_END(node, certs);

  			     node = CERT_LIST_NEXT(node)) {

- 				if (strcmp(node->cert->nickname,

- 					   entry->cm_cert_nickname) == 0) {

+ 				cm_log(3, "certread-n: Slot nickname %s\n",

+ 							node->cert->nickname);

+ 		        es = talloc_asprintf(entry, "%s:%s",

+ 					   entry->cm_cert_token, entry->cm_cert_nickname);

+ 				if ((strcmp(node->cert->nickname,

+ 					   entry->cm_cert_nickname) == 0) ||

+                     (strcmp(node->cert->nickname, es) == 0)) {

  					cm_log(3, "Located the certificate "

  					       "\"%s\".\n",

  					       entry->cm_cert_nickname);
@@ -321,7 +323,6 @@ 

  	if (cert == NULL) {

  		cm_log(1, "Error locating certificate.\n");

  		PK11_FreeSlotList(slotlist);

- 		PORT_FreeArena(arena, PR_TRUE);

  		if (NSS_ShutdownContext(ctx) != SECSuccess) {

  			cm_log(1, "Error shutting down NSS.\n");

  		}
@@ -332,7 +333,6 @@ 

  	fclose(fp);

  	CERT_DestroyCertificate(cert);

  	PK11_FreeSlotList(slotlist);

- 	PORT_FreeArena(arena, PR_TRUE);

  	if (NSS_ShutdownContext(ctx) != SECSuccess) {

  		cm_log(1, "Error shutting down NSS.\n");

  	}
@@ -358,8 +358,7 @@ 

  			      NULL, NULL, NULL, NULL,

  			      NSS_INIT_NOCERTDB |

  			      NSS_INIT_READONLY |

- 			      NSS_INIT_NOROOTINIT |

- 			      NSS_INIT_NOMODDB);

+ 			      NSS_INIT_NOROOTINIT);

  	if (ctx == NULL) {

  		cm_log(1, "Unable to initialize NSS.\n");

  		_exit(1);
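Review bot: The re-opened `ctx` returned by `NSS_InitContext()` is handed to `util_n_fips_hook()` and `PK11_GetAllTokens()` without a NULL check, although the first open just above exits on failure with "Unable to open NSS database."; add `if (ctx == NULL) { cm_log(1, "Unable to re-open NSS database.\n"); _exit(CM_SUB_STATUS_ERROR_INITIALIZING); }` after the call, and compare the preceding `NSS_ShutdownContext(ctx)` against `SECSuccess` the way the cleanup paths in this same hunk do. The same unchecked re-open is repeated in the five later file sections that add the `NSS_ShutdownContext`/`NSS_InitContext` pair. In the certificate loop, `es = talloc_asprintf(entry, "%s:%s", ...)` runs once per certificate on the long-lived `entry` context and is never freed, and a NULL result (or a NULL `entry->cm_cert_token`) reaches `strcmp`; build the `token:nickname` string once before the `for` and skip the second comparison when it is NULL. The key lookup section further down has the same per-iteration allocation. The enclosing function starts before and ends after the hunk.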

file modified
+5
@@ -186,6 +186,11 @@ 

  	} else {

  		/* We don't try to force FIPS mode here, as it seems to get in

  		 * the way of saving the certificate. */

+ 		NSS_ShutdownContext(ctx);

+ 		ctx = NSS_InitContext(entry->cm_cert_storage_location,

+ 				      NULL, NULL, NULL, NULL,

+ 				      (readwrite ? 0 : NSS_INIT_READONLY) |

+ 				      NSS_INIT_NOROOTINIT);

  

  		/* Allocate a memory pool. */

  		arena = PORT_NewArena(sizeof(double));

file modified
+1 -2
@@ -306,8 +306,7 @@ 

  			       NULL, NULL, NULL, NULL,

  			       NSS_INIT_NOCERTDB |

  			       NSS_INIT_READONLY |

- 			       NSS_INIT_NOROOTINIT |

- 			       NSS_INIT_NOMODDB);

+ 			       NSS_INIT_NOROOTINIT);

  	if (nctx == NULL) {

  		cm_log(1, "Unable to initialize NSS.\n");

  		_exit(1);

file modified
+5
@@ -226,6 +226,11 @@ 

  			break;

  		}

  	}

+ 	NSS_ShutdownContext(ctx);

+ 	ctx = NSS_InitContext(entry->cm_key_storage_location,

+ 			      NULL, NULL, NULL, NULL,

+ 			      (readwrite ? 0 : NSS_INIT_READONLY) |

+ 			      NSS_INIT_NOROOTINIT);

  	reason = util_n_fips_hook();

  	if (reason != NULL) {

  		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);

file modified
+10 -1
@@ -115,6 +115,11 @@ 

  			break;

  		}

  	}

+ 	NSS_ShutdownContext(ctx);

+ 	ctx = NSS_InitContext(entry->cm_key_storage_location,

+ 			      NULL, NULL, NULL, NULL,

+ 			      (readwrite ? 0 : NSS_INIT_READONLY) |

+ 			      NSS_INIT_NOROOTINIT);

  	reason = util_n_fips_hook();

  	if (reason != NULL) {

  		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
@@ -340,8 +345,12 @@ 

  			     cnode = CERT_LIST_NEXT(cnode)) {

  				nickname = entry->cm_key_nickname;

  				cert = cnode->cert;

+ 				es = talloc_asprintf(entry, "%s:%s",

+ 									         entry->cm_cert_token,

+ 											 entry->cm_cert_nickname);

  				if ((nickname != NULL) &&

- 				    (strcmp(cert->nickname, nickname) == 0)) {

+ 				    ((strcmp(cert->nickname, nickname) == 0) ||

+ 					(strcmp(cert->nickname, es) == 0))) {

  					cm_log(3, "Located a certificate with "

  					       "the key's nickname (\"%s\").\n",

  					       nickname);
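Review bot: The fallback name built at the top of the loop combines `entry->cm_cert_token` with `entry->cm_cert_nickname`, while the primary comparison and the log message below are about the key's nickname (`entry->cm_key_nickname`); if the intent is to accept the token-qualified form of the key's nickname, the second component should be the key nickname, so please confirm which is meant. The declaration of `es` is outside the hunk; confirm it is a local this function owns so the string can be released instead of accumulating on `entry`. The two continuation lines of the `talloc_asprintf` call are indented with a mix of tabs and spaces far to the right of the opening line; align them under the first argument as the surrounding code does. The enclosing loop and function start and end outside the hunk.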

file modified
+5
@@ -183,6 +183,11 @@ 

  			break;

  		}

  	}

+ 	NSS_ShutdownContext(ctx);

+ 	ctx = NSS_InitContext(entry->cm_key_storage_location,

+ 			      NULL, NULL, NULL, NULL,

+ 			      NSS_INIT_READONLY |

+ 			      NSS_INIT_NOROOTINIT);

  	reason = util_n_fips_hook();

  	if (reason != NULL) {

  		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);

file modified
+5
@@ -317,6 +317,11 @@ 

  		}

  		goto done;

  	}

+ 	NSS_ShutdownContext(ctx);

+ 	ctx = NSS_InitContext(args->entry->cm_key_storage_location,

+ 			      NULL, NULL, NULL, NULL,

+ 			      NSS_INIT_READONLY |

+ 			      NSS_INIT_NOROOTINIT);

  	reason = util_n_fips_hook();

  	if (reason != NULL) {

  		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);

file modified
+1 -1
@@ -79,7 +79,7 @@ 

  

  	/* Open the database. */

  	ctx = NSS_InitContext(dbdir, NULL, NULL, NULL, NULL,

- 			      NSS_INIT_NOROOTINIT | NSS_INIT_NOMODDB);

+ 			      NSS_INIT_NOROOTINIT);

  	if (ctx == NULL) {

  		printf("Unable to open NSS database '%s'.\n", dbdir);

  		_exit(CM_SUB_STATUS_ERROR_INITIALIZING);

@@ -45,50 +45,66 @@ 

  [dbm:keygen]

  $owner:$group|0600|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0600|secmod.db

  [dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [dbm:csrgen]

  $owner:$group|0755|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0755|secmod.db

  [dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [dbm:submit]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [dbm:save]

  $owner:$group|0662|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0662|secmod.db

  [rekey:dbm:start]

  [rekey:dbm:keygen]

  $owner:$group|0600|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0600|secmod.db

  [rekey:dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:keygen]

  $owner:$group|0755|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:csrgen]

  $owner:$group|0755|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:submit]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:save]

  $owner:$group|0662|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0662|secmod.db

  OK

@@ -45,50 +45,66 @@ 

  [sql:keygen]

  $owner:$group|0600|cert9.db

  $owner:$group|0620|key4.db

+ $owner:$group|0600|pkcs11.txt

  [sql:reset]

  $owner:$group|0755|cert9.db

  $owner:$group|0755|key4.db

+ $owner:$group|0755|pkcs11.txt

  [sql:csrgen]

  $owner:$group|0755|cert9.db

  $owner:$group|0620|key4.db

+ $owner:$group|0755|pkcs11.txt

  [sql:reset]

  $owner:$group|0755|cert9.db

  $owner:$group|0755|key4.db

+ $owner:$group|0755|pkcs11.txt

  [sql:submit]

  $owner:$group|0755|cert9.db

  $owner:$group|0755|key4.db

+ $owner:$group|0755|pkcs11.txt

  [sql:reset]

  $owner:$group|0755|cert9.db

  $owner:$group|0755|key4.db

+ $owner:$group|0755|pkcs11.txt

  [sql:save]

  $owner:$group|0662|cert9.db

  $owner:$group|0620|key4.db

+ $owner:$group|0662|pkcs11.txt

  [rekey:sql:start]

  [rekey:sql:keygen]

  $owner:$group|0600|cert9.db

  $owner:$group|0620|key4.db

+ $owner:$group|0600|pkcs11.txt

  [rekey:sql:reset]

  $owner:$group|0755|cert9.db

  $owner:$group|0755|key4.db

+ $owner:$group|0755|pkcs11.txt

  [rekey:sql:keygen]

  $owner:$group|0755|cert9.db

  $owner:$group|0620|key4.db

+ $owner:$group|0755|pkcs11.txt

  [rekey:sql:reset]

  $owner:$group|0755|cert9.db

  $owner:$group|0755|key4.db

+ $owner:$group|0755|pkcs11.txt

  [rekey:sql:csrgen]

  $owner:$group|0755|cert9.db

  $owner:$group|0620|key4.db

+ $owner:$group|0755|pkcs11.txt

  [rekey:sql:reset]

  $owner:$group|0755|cert9.db

  $owner:$group|0755|key4.db

+ $owner:$group|0755|pkcs11.txt

  [rekey:sql:submit]

  $owner:$group|0755|cert9.db

  $owner:$group|0755|key4.db

+ $owner:$group|0755|pkcs11.txt

  [rekey:sql:reset]

  $owner:$group|0755|cert9.db

  $owner:$group|0755|key4.db

+ $owner:$group|0755|pkcs11.txt

  [rekey:sql:save]

  $owner:$group|0662|cert9.db

  $owner:$group|0620|key4.db

+ $owner:$group|0662|pkcs11.txt

  OK

@@ -45,50 +45,66 @@ 

  [dbm:keygen]

  $owner:$group|0600|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0600|secmod.db

  [dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [dbm:csrgen]

  $owner:$group|0755|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0755|secmod.db

  [dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [dbm:submit]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [dbm:save]

  $owner:$group|0662|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0662|secmod.db

  [rekey:dbm:start]

  [rekey:dbm:keygen]

  $owner:$group|0600|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0600|secmod.db

  [rekey:dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:keygen]

  $owner:$group|0755|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:csrgen]

  $owner:$group|0755|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:submit]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:reset]

  $owner:$group|0755|cert8.db

  $owner:$group|0755|key3.db

+ $owner:$group|0755|secmod.db

  [rekey:dbm:save]

  $owner:$group|0662|cert8.db

  $owner:$group|0620|key3.db

+ $owner:$group|0662|secmod.db

  OK

Fix handling of NSS tokens. The database was opened with NOMODDB, so not all tokens were visible to certmonger and it could not always find the certificates (or keys) associated with those tokens.

There are some places where permission testing is done to ensure the database can be opened both for perms and SELinux reasons. Leave that with NOMODDB and re-open if necessary.

Also use slot:nickname when comparing to see if the right certificate is found.

rebased onto da4dcf4ba71f0457c9dd311979325cd772753b1d

4 years ago

rebased onto ba6ae1bd256bad86121378ba4b3b1b302dc9e55a

4 years ago

rebased onto 59df833

4 years ago

Reporter successfully tested this, merging.

Pull-Request has been merged by rcritten

4 years ago