From 59df833ca5fb80c596df621a24dc461a550dba71 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Sep 04 2019 18:06:51 +0000
Subject: [PATCH 1/2] Update tests to include the security module DB in expected output


certmonger was previously always initializing the databases with
the flag NSS_INIT_NOMODDB but in at elast NSS 3.44 this doesn't
seem to initialize external modules (tested with SoftHSM2).

https://pagure.io/certmonger/issue/125

---

diff --git a/tests/034-perms-dbm/expected.out b/tests/034-perms-dbm/expected.out
index c062d40..7bf23a3 100644
--- a/tests/034-perms-dbm/expected.out
+++ b/tests/034-perms-dbm/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
 [dbm:keygen]
 $owner:$group|0600|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
 [dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [dbm:csrgen]
 $owner:$group|0755|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
 [dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [dbm:submit]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [dbm:save]
 $owner:$group|0662|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
 [rekey:dbm:start]
 [rekey:dbm:keygen]
 $owner:$group|0600|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
 [rekey:dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:keygen]
 $owner:$group|0755|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:csrgen]
 $owner:$group|0755|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:submit]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:save]
 $owner:$group|0662|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
 OK
diff --git a/tests/034-perms-sql/expected.out b/tests/034-perms-sql/expected.out
index 2808e02..c5914e0 100644
--- a/tests/034-perms-sql/expected.out
+++ b/tests/034-perms-sql/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
 [sql:keygen]
 $owner:$group|0600|cert9.db
 $owner:$group|0620|key4.db
+$owner:$group|0600|pkcs11.txt
 [sql:reset]
 $owner:$group|0755|cert9.db
 $owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
 [sql:csrgen]
 $owner:$group|0755|cert9.db
 $owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
 [sql:reset]
 $owner:$group|0755|cert9.db
 $owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
 [sql:submit]
 $owner:$group|0755|cert9.db
 $owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
 [sql:reset]
 $owner:$group|0755|cert9.db
 $owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
 [sql:save]
 $owner:$group|0662|cert9.db
 $owner:$group|0620|key4.db
+$owner:$group|0662|pkcs11.txt
 [rekey:sql:start]
 [rekey:sql:keygen]
 $owner:$group|0600|cert9.db
 $owner:$group|0620|key4.db
+$owner:$group|0600|pkcs11.txt
 [rekey:sql:reset]
 $owner:$group|0755|cert9.db
 $owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
 [rekey:sql:keygen]
 $owner:$group|0755|cert9.db
 $owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
 [rekey:sql:reset]
 $owner:$group|0755|cert9.db
 $owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
 [rekey:sql:csrgen]
 $owner:$group|0755|cert9.db
 $owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
 [rekey:sql:reset]
 $owner:$group|0755|cert9.db
 $owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
 [rekey:sql:submit]
 $owner:$group|0755|cert9.db
 $owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
 [rekey:sql:reset]
 $owner:$group|0755|cert9.db
 $owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
 [rekey:sql:save]
 $owner:$group|0662|cert9.db
 $owner:$group|0620|key4.db
+$owner:$group|0662|pkcs11.txt
 OK
diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out
index c062d40..7bf23a3 100644
--- a/tests/034-perms/expected.out
+++ b/tests/034-perms/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
 [dbm:keygen]
 $owner:$group|0600|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
 [dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [dbm:csrgen]
 $owner:$group|0755|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
 [dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [dbm:submit]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [dbm:save]
 $owner:$group|0662|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
 [rekey:dbm:start]
 [rekey:dbm:keygen]
 $owner:$group|0600|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
 [rekey:dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:keygen]
 $owner:$group|0755|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:csrgen]
 $owner:$group|0755|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:submit]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
 [rekey:dbm:save]
 $owner:$group|0662|cert8.db
 $owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
 OK

From 34c120f0259750ff2228def2955de9ad985340e6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Sep 04 2019 18:06:51 +0000
Subject: [PATCH 2/2] Remove NOMODDB flag flag from context init, look for full tokens


The NSS databases were almost universally initialized with the
NOMODDB flag. I'm not sure if something changed in NSS but the
PKCS#11 modules were not being initialized. Adding this back after
permission checks are done results in tokens working again.

When looking for certs and keys try the full token:nickname string
as well as just nickname when comparing values.

https://pagure.io/certmonger/issue/125

---

diff --git a/src/casave.c b/src/casave.c
index bde63f9..1cf5a40 100644
--- a/src/casave.c
+++ b/src/casave.c
@@ -111,8 +111,7 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
 					break;
 				default:
 					flags = NSS_INIT_READONLY |
-						NSS_INIT_NOROOTINIT |
-						NSS_INIT_NOMODDB;
+						NSS_INIT_NOROOTINIT;
 					/* Sigh.  Not a lot of detail.  Check
 					 * if we succeed in read-only mode,
 					 * which we'll interpret as lack of
diff --git a/src/certread-n.c b/src/certread-n.c
index d535030..bb61b61 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -157,27 +157,22 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 		cm_log(1, "Unable to open NSS database.\n");
 		_exit(status);
 	}
+    /* Re-open the database with modules enabled */
+	NSS_ShutdownContext(ctx);
+	ctx = NSS_InitContext(entry->cm_cert_storage_location,
+			      NULL, NULL, NULL, NULL,
+			      (readwrite ? 0 : NSS_INIT_READONLY) |
+			      NSS_INIT_NOROOTINIT);
 	es = util_n_fips_hook();
 	if (es != NULL) {
 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", es);
 		_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
 	}
-	/* Allocate a memory pool. */
-	arena = PORT_NewArena(sizeof(double));
-	if (arena == NULL) {
-		cm_log(1, "Error opening database '%s'.\n",
-		       entry->cm_cert_storage_location);
-		if (NSS_ShutdownContext(ctx) != SECSuccess) {
-			cm_log(1, "Error shutting down NSS.\n");
-		}
-		_exit(ENOMEM);
-	}
 	/* Find the tokens that we might use for cert storage. */
 	mech = CKM_RSA_X_509;
 	slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);
 	if (slotlist == NULL) {
 		cm_log(1, "Error getting list of tokens.\n");
-		PORT_FreeArena(arena, PR_TRUE);
 		if (NSS_ShutdownContext(ctx) != SECSuccess) {
 			cm_log(1, "Error shutting down NSS.\n");
 		}
@@ -249,6 +244,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 		}
 		/* If we need to log in in order to read certificates, do so. */
 		if (PK11_NeedLogin(sle->slot)) {
+			cm_log(3, "Need login to token %s\n", PK11_GetTokenName(sle->slot));
 			if (cm_pin_read_for_cert(entry, &pin) != 0) {
 				cm_log(1, "Error reading PIN for cert db, "
 				       "skipping.\n");
@@ -272,13 +268,19 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 		/* Walk the list of certificates in the slot, looking for one
 		 * which matches the specified nickname. */
 		certs = PK11_ListCertsInSlot(sle->slot);
+		cm_log(3, "Looking for %s\n", entry->cm_cert_nickname);
 		if (certs != NULL) {
 			for (node = CERT_LIST_HEAD(certs);
 			     !CERT_LIST_EMPTY(certs) &&
 			     !CERT_LIST_END(node, certs);
 			     node = CERT_LIST_NEXT(node)) {
-				if (strcmp(node->cert->nickname,
-					   entry->cm_cert_nickname) == 0) {
+				cm_log(3, "certread-n: Slot nickname %s\n",
+							node->cert->nickname);
+		        es = talloc_asprintf(entry, "%s:%s",
+					   entry->cm_cert_token, entry->cm_cert_nickname);
+				if ((strcmp(node->cert->nickname,
+					   entry->cm_cert_nickname) == 0) ||
+                    (strcmp(node->cert->nickname, es) == 0)) {
 					cm_log(3, "Located the certificate "
 					       "\"%s\".\n",
 					       entry->cm_cert_nickname);
@@ -321,7 +323,6 @@ next_slot:
 	if (cert == NULL) {
 		cm_log(1, "Error locating certificate.\n");
 		PK11_FreeSlotList(slotlist);
-		PORT_FreeArena(arena, PR_TRUE);
 		if (NSS_ShutdownContext(ctx) != SECSuccess) {
 			cm_log(1, "Error shutting down NSS.\n");
 		}
@@ -332,7 +333,6 @@ next_slot:
 	fclose(fp);
 	CERT_DestroyCertificate(cert);
 	PK11_FreeSlotList(slotlist);
-	PORT_FreeArena(arena, PR_TRUE);
 	if (NSS_ShutdownContext(ctx) != SECSuccess) {
 		cm_log(1, "Error shutting down NSS.\n");
 	}
@@ -358,8 +358,7 @@ cm_certread_n_parse(struct cm_store_entry *entry,
 			      NULL, NULL, NULL, NULL,
 			      NSS_INIT_NOCERTDB |
 			      NSS_INIT_READONLY |
-			      NSS_INIT_NOROOTINIT |
-			      NSS_INIT_NOMODDB);
+			      NSS_INIT_NOROOTINIT);
 	if (ctx == NULL) {
 		cm_log(1, "Unable to initialize NSS.\n");
 		_exit(1);
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 972a1df..eda03b3 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -186,6 +186,11 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 	} else {
 		/* We don't try to force FIPS mode here, as it seems to get in
 		 * the way of saving the certificate. */
+		NSS_ShutdownContext(ctx);
+		ctx = NSS_InitContext(entry->cm_cert_storage_location,
+				      NULL, NULL, NULL, NULL,
+				      (readwrite ? 0 : NSS_INIT_READONLY) |
+				      NSS_INIT_NOROOTINIT);
 
 		/* Allocate a memory pool. */
 		arena = PORT_NewArena(sizeof(double));
diff --git a/src/dogtag.c b/src/dogtag.c
index 55607f3..c43664e 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -306,8 +306,7 @@ main(int argc, const char **argv)
 			       NULL, NULL, NULL, NULL,
 			       NSS_INIT_NOCERTDB |
 			       NSS_INIT_READONLY |
-			       NSS_INIT_NOROOTINIT |
-			       NSS_INIT_NOMODDB);
+			       NSS_INIT_NOROOTINIT);
 	if (nctx == NULL) {
 		cm_log(1, "Unable to initialize NSS.\n");
 		_exit(1);
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 061bd2a..e921d7e 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -226,6 +226,11 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 			break;
 		}
 	}
+	NSS_ShutdownContext(ctx);
+	ctx = NSS_InitContext(entry->cm_key_storage_location,
+			      NULL, NULL, NULL, NULL,
+			      (readwrite ? 0 : NSS_INIT_READONLY) |
+			      NSS_INIT_NOROOTINIT);
 	reason = util_n_fips_hook();
 	if (reason != NULL) {
 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index 91b1be4..dc1c609 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -115,6 +115,11 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
 			break;
 		}
 	}
+	NSS_ShutdownContext(ctx);
+	ctx = NSS_InitContext(entry->cm_key_storage_location,
+			      NULL, NULL, NULL, NULL,
+			      (readwrite ? 0 : NSS_INIT_READONLY) |
+			      NSS_INIT_NOROOTINIT);
 	reason = util_n_fips_hook();
 	if (reason != NULL) {
 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
@@ -340,8 +345,12 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
 			     cnode = CERT_LIST_NEXT(cnode)) {
 				nickname = entry->cm_key_nickname;
 				cert = cnode->cert;
+				es = talloc_asprintf(entry, "%s:%s",
+									         entry->cm_cert_token,
+											 entry->cm_cert_nickname);
 				if ((nickname != NULL) &&
-				    (strcmp(cert->nickname, nickname) == 0)) {
+				    ((strcmp(cert->nickname, nickname) == 0) ||
+					(strcmp(cert->nickname, es) == 0))) {
 					cm_log(3, "Located a certificate with "
 					       "the key's nickname (\"%s\").\n",
 					       nickname);
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
index d6735aa..8c67b12 100644
--- a/src/scepgen-n.c
+++ b/src/scepgen-n.c
@@ -183,6 +183,11 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 			break;
 		}
 	}
+	NSS_ShutdownContext(ctx);
+	ctx = NSS_InitContext(entry->cm_key_storage_location,
+			      NULL, NULL, NULL, NULL,
+			      NSS_INIT_READONLY |
+			      NSS_INIT_NOROOTINIT);
 	reason = util_n_fips_hook();
 	if (reason != NULL) {
 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/submit-n.c b/src/submit-n.c
index b07ea23..f27b9c7 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -317,6 +317,11 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
 		}
 		goto done;
 	}
+	NSS_ShutdownContext(ctx);
+	ctx = NSS_InitContext(args->entry->cm_key_storage_location,
+			      NULL, NULL, NULL, NULL,
+			      NSS_INIT_READONLY |
+			      NSS_INIT_NOROOTINIT);
 	reason = util_n_fips_hook();
 	if (reason != NULL) {
 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/toklist.c b/src/toklist.c
index a432821..ac16672 100644
--- a/src/toklist.c
+++ b/src/toklist.c
@@ -79,7 +79,7 @@ main(int argc, const char **argv)
 
 	/* Open the database. */
 	ctx = NSS_InitContext(dbdir, NULL, NULL, NULL, NULL,
-			      NSS_INIT_NOROOTINIT | NSS_INIT_NOMODDB);
+			      NSS_INIT_NOROOTINIT);
 	if (ctx == NULL) {
 		printf("Unable to open NSS database '%s'.\n", dbdir);
 		_exit(CM_SUB_STATUS_ERROR_INITIALIZING);