From 3668f5e0d8a19c20e20db079b4d5e67d8abfa03f Mon Sep 17 00:00:00 2001 From: Stanislav Levin Date: Jun 24 2020 22:05:23 +0000 Subject: [PATCH 1/4] tests: Split the NSS db specific tests If NSS is configured with NSS_DISABLE_DBM then Certmonger's tests which are related to DBM fail. The legacy NSS db type(DBM) will be eventually disabled. Thus, Certmonger should handle this. NSS db specific tests are placed under the corresponding HAVE_SQL_NSSDB and HAVE_DBM_NSSDB sections. Fixes: https://pagure.io/certmonger/issue/155 Signed-off-by: Stanislav Levin --- diff --git a/tests/Makefile.am b/tests/Makefile.am index 4bdc201..6e761bd 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -344,7 +344,6 @@ EXTRA_DIST = \ subdirs = \ 001-keyiread \ 001-keyiread-rsa \ - 002-keygen \ 002-keygen-rsa \ 003-csrgen \ 003-csrgen-rsa \ @@ -352,17 +351,11 @@ subdirs = \ 004-selfsign-rsa \ 005-dbusm \ 006-serial \ - 007-certsave \ 008-certread \ 009-oiddict \ 010-iterate \ - 011-dbinit \ - 012-dbadd \ - 013-enckey \ 014-prefs \ - 015-lockedkey \ 016-dates \ - 017-notoken \ 018-pembase \ 019-dparse \ 021-resume \ @@ -378,7 +371,6 @@ subdirs = \ 031-pkcs7 \ 032-chain \ 033-scep \ - 034-perms \ 035-json \ 036-getcert \ 037-rekey2 \ @@ -387,6 +379,7 @@ subdirs = \ if HAVE_DBM_NSSDB subdirs += \ + 002-keygen-dbm \ 007-certsave-dbm \ 011-dbinit-dbm \ 012-dbadd-dbm \ @@ -398,6 +391,7 @@ endif if HAVE_SQL_NSSDB subdirs += \ + 002-keygen-sql \ 007-certsave-sql \ 011-dbinit-sql \ 012-dbadd-sql \ From 1bba4075fc5bf232af811e22acfeee9f51f553e2 Mon Sep 17 00:00:00 2001 From: Stanislav Levin Date: Jun 24 2020 22:05:23 +0000 Subject: [PATCH 2/4] tests: Parametrize 025-casave with NSS db types This test fails against NSS having disabled DBM. Fixes: https://pagure.io/certmonger/issue/155 Signed-off-by: Stanislav Levin --- diff --git a/tests/025-casave-dbm/expected.out b/tests/025-casave-dbm/expected.out new file mode 100644 index 0000000..aadb198 --- /dev/null +++ b/tests/025-casave-dbm/expected.out 
@@ -0,0 +1,381 @@ +[(CAB1)] +[bundle1] +2 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(CAB2)] +[bundle1] +0 +[bundle2] +1 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(CAB3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +2 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(CAD1)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +Root Certificate D1 CT,C,C +[db2] +[db3] +[dba] +Other Certificate D1 ,, +Other Root Certificate D1 CT,C,C +Root Certificate D1 CT,C,C + +[(CAD2)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +Other Root Certificate D2 CT,C,C +[db3] +[dba] +Other Certificate D2 ,, +Other Root Certificate D2 CT,C,C +Root Certificate D2 CT,C,C + +[(CAD3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +[db3] +Other Certificate D3 ,, +[dba] +Other Certificate D3 ,, +Other Root Certificate D3 CT,C,C +Root Certificate D3 CT,C,C + +[(EntryB1)] +[bundle1] +2 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryB2)] +[bundle1] +0 +[bundle2] +1 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryB3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +2 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryD1)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +Per-certificate Signing Authority D1 CT,C,C +[db2] +[db3] +[dba] +Per-certificate Signing Authority D1 CT,C,C + +[(EntryD2)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +[db3] +[dba] + +[(EntryD3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +[db3] +Per-certificate Signing Authority D3 ,, +[dba] +Per-certificate Signing Authority D3 ,, + +[(EntryCB1)] +[bundle1] +2 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryCB2)] +[bundle1] +0 +[bundle2] +1 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryCB3)] +[bundle1] +0 +[bundle2] +0 
+[bundle3] +2 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryCD1)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +Per-certificate Signing Authority CD1 CT,C,C +Root Certificate D1 CT,C,C +[db2] +[db3] +[dba] +Other Certificate D1 ,, +Other Root Certificate D1 CT,C,C +Per-certificate Signing Authority CD1 CT,C,C +Root Certificate D1 CT,C,C + +[(EntryCD2)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +Other Root Certificate D2 CT,C,C +[db3] +[dba] +Other Certificate D2 ,, +Other Root Certificate D2 CT,C,C +Root Certificate D2 CT,C,C + +[(EntryCD3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +[db3] +Other Certificate D3 ,, +Per-certificate Signing Authority CD3 ,, +[dba] +Other Certificate D3 ,, +Other Root Certificate D3 CT,C,C +Per-certificate Signing Authority CD3 ,, +Root Certificate D3 CT,C,C + +[(EntryCAB1)] +[bundle1] +2 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryCAB2)] +[bundle1] +0 +[bundle2] +1 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryCAB3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +2 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryCAD1)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +Root Certificate D1 CT,C,C +[db2] +[db3] +[dba] +Other Certificate D1 ,, +Other Root Certificate D1 CT,C,C +Root Certificate D1 CT,C,C + +[(EntryCAD2)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +Other Root Certificate D2 CT,C,C +[db3] +[dba] +Other Certificate D2 ,, +Other Root Certificate D2 CT,C,C +Root Certificate D2 CT,C,C + +[(EntryCAD3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +[db3] +Other Certificate D3 ,, +[dba] +Other Certificate D3 ,, +Other Root Certificate D3 CT,C,C +Root Certificate D3 CT,C,C + +OK. diff --git a/tests/025-casave-dbm/run.sh b/tests/025-casave-dbm/run.sh new file mode 100755 index 0000000..c5d7220 --- /dev/null 
+++ b/tests/025-casave-dbm/run.sh @@ -0,0 +1,3 @@ +#!/bin/bash -e + +exec env scheme=dbm ../025-casave/run.sh diff --git a/tests/025-casave-sql/expected.out b/tests/025-casave-sql/expected.out new file mode 100644 index 0000000..aadb198 --- /dev/null +++ b/tests/025-casave-sql/expected.out 
@@ -0,0 +1,381 @@ +[(CAB1)] +[bundle1] +2 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(CAB2)] +[bundle1] +0 +[bundle2] +1 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(CAB3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +2 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(CAD1)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +Root Certificate D1 CT,C,C +[db2] +[db3] +[dba] +Other Certificate D1 ,, +Other Root Certificate D1 CT,C,C +Root Certificate D1 CT,C,C + +[(CAD2)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +Other Root Certificate D2 CT,C,C +[db3] +[dba] +Other Certificate D2 ,, +Other Root Certificate D2 CT,C,C +Root Certificate D2 CT,C,C + +[(CAD3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +[db3] +Other Certificate D3 ,, +[dba] +Other Certificate D3 ,, +Other Root Certificate D3 CT,C,C +Root Certificate D3 CT,C,C + +[(EntryB1)] +[bundle1] +2 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryB2)] +[bundle1] +0 +[bundle2] +1 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryB3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +2 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryD1)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +Per-certificate Signing Authority D1 CT,C,C +[db2] +[db3] +[dba] +Per-certificate Signing Authority D1 CT,C,C + +[(EntryD2)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +[db3] +[dba] + +[(EntryD3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +[db3] +Per-certificate Signing Authority D3 ,, +[dba] +Per-certificate Signing Authority D3 ,, + +[(EntryCB1)] +[bundle1] +2 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryCB2)] +[bundle1] +0 +[bundle2] +1 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryCB3)] +[bundle1] +0 +[bundle2] +0 
+[bundle3] +2 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryCD1)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +Per-certificate Signing Authority CD1 CT,C,C +Root Certificate D1 CT,C,C +[db2] +[db3] +[dba] +Other Certificate D1 ,, +Other Root Certificate D1 CT,C,C +Per-certificate Signing Authority CD1 CT,C,C +Root Certificate D1 CT,C,C + +[(EntryCD2)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +Other Root Certificate D2 CT,C,C +[db3] +[dba] +Other Certificate D2 ,, +Other Root Certificate D2 CT,C,C +Root Certificate D2 CT,C,C + +[(EntryCD3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +[db3] +Other Certificate D3 ,, +Per-certificate Signing Authority CD3 ,, +[dba] +Other Certificate D3 ,, +Other Root Certificate D3 CT,C,C +Per-certificate Signing Authority CD3 ,, +Root Certificate D3 CT,C,C + +[(EntryCAB1)] +[bundle1] +2 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryCAB2)] +[bundle1] +0 +[bundle2] +1 +[bundle3] +0 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryCAB3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +2 +[bundle-all] +6 +[db1] +[db2] +[db3] +[dba] + +[(EntryCAD1)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +Root Certificate D1 CT,C,C +[db2] +[db3] +[dba] +Other Certificate D1 ,, +Other Root Certificate D1 CT,C,C +Root Certificate D1 CT,C,C + +[(EntryCAD2)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +Other Root Certificate D2 CT,C,C +[db3] +[dba] +Other Certificate D2 ,, +Other Root Certificate D2 CT,C,C +Root Certificate D2 CT,C,C + +[(EntryCAD3)] +[bundle1] +0 +[bundle2] +0 +[bundle3] +0 +[bundle-all] +0 +[db1] +[db2] +[db3] +Other Certificate D3 ,, +[dba] +Other Certificate D3 ,, +Other Root Certificate D3 CT,C,C +Root Certificate D3 CT,C,C + +OK. diff --git a/tests/025-casave-sql/run.sh b/tests/025-casave-sql/run.sh new file mode 100755 index 0000000..f675535 --- /dev/null 
+++ b/tests/025-casave-sql/run.sh @@ -0,0 +1,3 @@ +#!/bin/bash -e + +exec env scheme=sql ../025-casave/run.sh diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh index aff1e6d..60f92d0 100755 --- a/tests/025-casave/run.sh +++ b/tests/025-casave/run.sh @@ -2,6 +2,7 @@ cd $tmpdir +scheme="${scheme:-dbm}" cat > $tmpdir/entrycb1 <<- EOF id=EntryCB1 ca_name=CAB1 @@ -196,7 +197,7 @@ id=EntryD1 root_cert_files= other_root_cert_files= other_cert_files= -root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba +root_cert_dbs=$scheme:$tmpdir/db1,$scheme:$tmpdir/dba other_root_cert_dbs= other_cert_dbs= cert_roots=Per-certificate Signing Authority D1 @@ -229,7 +230,7 @@ root_cert_files= other_root_cert_files= other_cert_files= root_cert_dbs= -other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba +other_root_cert_dbs=$scheme:$tmpdir/db2,$scheme:$tmpdir/dba other_cert_dbs= EOF cat > $tmpdir/entryd3 <<- EOF @@ -239,7 +240,7 @@ other_root_cert_files= other_cert_files= root_cert_dbs= other_root_cert_dbs= -other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba +other_cert_dbs=$scheme:$tmpdir/db3,$scheme:$tmpdir/dba cert_chain=Per-certificate Signing Authority D3 -----BEGIN CERTIFICATE----- MIIDjjCCAnagAwIBAgIRALuVK2FuXklPuMP4qtRyQjUwDQYJKoZIhvcNAQELBQAw @@ -300,7 +301,7 @@ ca_name=CAD1 root_cert_files= other_root_cert_files= other_cert_files= -root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba +root_cert_dbs=$scheme:$tmpdir/db1,$scheme:$tmpdir/dba other_root_cert_dbs= other_cert_dbs= EOF @@ -311,7 +312,7 @@ root_cert_files= other_root_cert_files= other_cert_files= root_cert_dbs= -other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba +other_root_cert_dbs=$scheme:$tmpdir/db2,$scheme:$tmpdir/dba other_cert_dbs= EOF cat > $tmpdir/entrycad3 <<- EOF @@ -322,7 +323,7 @@ other_root_cert_files= other_cert_files= root_cert_dbs= other_root_cert_dbs= -other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba +other_cert_dbs=$scheme:$tmpdir/db3,$scheme:$tmpdir/dba EOF cat > $tmpdir/cab1 <<- EOF 
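Review bot: `scheme="${scheme:-dbm}"` takes whatever value the caller's environment carries and splices it unchecked into every `*_cert_dbs=` URI in this file and, in the hunks at lines 844 and 853, into `certutil -d "$scheme:db$db"`, so a typo or an unsupported database type surfaces as a baffling expected.out mismatch instead of a clear failure. Restrict it right after the default is applied: `case "$scheme" in dbm|sql) ;; *) echo "unsupported scheme: $scheme" >&2; exit 1 ;; esac`. The only callers visible here are the tests/025-casave-dbm and tests/025-casave-sql wrappers, which always set the variable, so the `dbm` default is only reached when the script is run by hand.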
@@ -564,9 +565,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh ca_root_cert_files= ca_other_root_cert_files= ca_other_cert_files= -ca_root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba -ca_other_root_cert_dbs=dbm:$tmpdir/dba -ca_other_cert_dbs=dbm:$tmpdir/dba +ca_root_cert_dbs=$scheme:$tmpdir/db1,$scheme:$tmpdir/dba +ca_other_root_cert_dbs=$scheme:$tmpdir/dba +ca_other_cert_dbs=$scheme:$tmpdir/dba ca_root_certs=Root Certificate D1 -----BEGIN CERTIFICATE----- MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ @@ -639,9 +640,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh ca_root_cert_files= ca_other_root_cert_files= ca_other_cert_files= -ca_root_cert_dbs=dbm:$tmpdir/dba -ca_other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba -ca_other_cert_dbs=dbm:$tmpdir/dba +ca_root_cert_dbs=$scheme:$tmpdir/dba +ca_other_root_cert_dbs=$scheme:$tmpdir/db2,$scheme:$tmpdir/dba +ca_other_cert_dbs=$scheme:$tmpdir/dba ca_root_certs=Root Certificate D2 -----BEGIN CERTIFICATE----- MIIEDzCCAvegAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJTSzET @@ -722,9 +723,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh ca_root_cert_files= ca_other_root_cert_files= ca_other_cert_files= -ca_root_cert_dbs=,dbm:$tmpdir/dba -ca_other_root_cert_dbs=,dbm:$tmpdir/dba, -ca_other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba +ca_root_cert_dbs=,$scheme:$tmpdir/dba +ca_other_root_cert_dbs=,$scheme:$tmpdir/dba, +ca_other_cert_dbs=$scheme:$tmpdir/db3,$scheme:$tmpdir/dba ca_root_certs=Root Certificate D3 -----BEGIN CERTIFICATE----- MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL 
@@ -796,9 +797,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh ca_root_cert_files=$tmpdir/bundle-all ca_other_root_cert_files= ca_other_cert_files= -ca_root_cert_dbs=dbm:$tmpdir/dba -ca_other_root_cert_dbs=,dbm:$tmpdir/dba -ca_other_cert_dbs=,dbm:$tmpdir/dba +ca_root_cert_dbs=$scheme:$tmpdir/dba +ca_other_root_cert_dbs=,$scheme:$tmpdir/dba +ca_other_cert_dbs=,$scheme:$tmpdir/dba ca_root_certs=Root Certificate DA -----BEGIN CERTIFICATE----- MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1Xm67XVjAKBggqhkjOPQQDAzCBhDEL diff --git a/tests/Makefile.am b/tests/Makefile.am index 6e761bd..bbd4049 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -92,6 +92,10 @@ CLEANFILES = \ 024-citerate/actual.err \ 025-casave/actual.out \ 025-casave/actual.err \ + 025-casave-dbm/actual.out \ + 025-casave-dbm/actual.err \ + 025-casave-sql/actual.out \ + 025-casave-sql/actual.err \ 026-local/actual.out \ 026-local/actual.err \ 027-hooks/actual.out \ @@ -263,6 +267,10 @@ EXTRA_DIST = \ 024-citerate/run.sh \ 025-casave/expected.out \ 025-casave/run.sh \ + 025-casave-dbm/expected.out \ + 025-casave-dbm/run.sh \ + 025-casave-sql/expected.out \ + 025-casave-sql/run.sh \ 026-local/expected.out \ 026-local/run.sh \ 027-hooks/expected.out \ @@ -362,7 +370,6 @@ subdirs = \ 022-base64 \ 023-cadata \ 024-citerate \ - 025-casave \ 026-local \ 027-hooks \ 028-dbus \ @@ -386,6 +393,7 @@ subdirs += \ 013-enckey-dbm \ 015-lockedkey-dbm \ 017-notoken-dbm \ + 025-casave-dbm \ 034-perms-dbm endif @@ -398,6 +406,7 @@ subdirs += \ 013-enckey-sql \ 015-lockedkey-sql \ 017-notoken-sql \ + 025-casave-sql \ 034-perms-sql endif From 3c74b97af4222ba88cba340673f1d5d11c9c0b47 Mon Sep 17 00:00:00 2001 From: Stanislav Levin Date: Jun 24 2020 22:05:23 +0000 Subject: [PATCH 3/4] make: Add missing files to clean up and to distribute Fixes: https://pagure.io/certmonger/issue/155 Signed-off-by: Stanislav Levin --- diff --git a/tests/Makefile.am b/tests/Makefile.am index bbd4049..c1ce841 100644 --- a/tests/Makefile.am 
+++ b/tests/Makefile.am
@@ -8,6 +8,10 @@ CLEANFILES = \
 001-keyiread-rsa/actual.err \
 002-keygen/actual.out \
 002-keygen/actual.err \
+ 002-keygen-dbm/actual.out \
+ 002-keygen-dbm/actual.err \
+ 002-keygen-sql/actual.out \
+ 002-keygen-sql/actual.err \
 002-keygen-dsa/actual.out \
 002-keygen-dsa/actual.err \
 002-keygen-ec/actual.out \
@@ -142,6 +146,10 @@ EXTRA_DIST = \
 002-keygen/prequal.sh \
 002-keygen/run.sh \
 002-keygen/expected.out \
+ 002-keygen-dbm/run.sh \
+ 002-keygen-dbm/expected.out \
+ 002-keygen-sql/run.sh \
+ 002-keygen-sql/expected.out \
 002-keygen-rsa/prequal.sh \
 002-keygen-rsa/run.sh \
 002-keygen-rsa/expected.out \
From 1e61e1114c9a692bcc41ed5cd06a8f42bcdd1abc Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Jun 24 2020 22:19:44 +0000
Subject: [PATCH 4/4] Handle an uninitialized token when adding CA certs to an NSS db
The getcert -a option will add the CA chain to an NSS database. It will create this database if it doesn't already exist. For sqlite database it is created with an uninitialized PIN. Catch this condition and set an empty PIN.
Related to: https://pagure.io/certmonger/issue/155
---
diff --git a/src/casave.c b/src/casave.c
index 1cf5a40..f2a5bb7 100644
--- a/src/casave.c
+++ b/src/casave.c
@@ -86,9 +86,10 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
 FILE *fp;
 NSSInitContext *ctx;
 SECStatus err;
- CERTCertificate *decoded, *found, **imported = NULL;
+ CERTCertificate *decoded, *found;
 CERTCertTrust trust;
 CERTCertDBHandle *certdb;
+ PK11SlotInfo *slot = NULL;
 SECItem *items[2];
 PRUint32 flags;
 const char *es, *ttrust;
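Review bot: `SECItem *items[2];` is left behind as a dead local on the new side: its only writers, `items[0] = &found->derCert;` and `items[1] = NULL;`, are removed together with the `CERT_ImportCerts` call in the hunk at line 186, so any build with `-Wunused-variable` now warns in cm_casave_main_n. Drop the declaration in this hunk alongside `**imported`. The function body runs well past the shown hunks, so please confirm no other use of `items` survives outside them.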
@@ -157,6 +158,16 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
 }
 }
 certdb = CERT_GetDefaultCertDB();
+ slot = PK11_GetInternalKeySlot();
+ if (PK11_NeedUserInit(slot)) {
+ /* If no PIN is set at all on the database set an empty one
+ * in case we are the creator. */
+ PK11_InitPin(slot, NULL, "");
+ }
+ if (PK11_NeedLogin(slot)) {
+ cm_log(0, "NSS database %s requires login\n", state->nssdb);
+ return CM_CERTSAVE_STATUS_INTERNAL_ERROR;
+ }
 for (i = 0; state->certs[i] != NULL; i++) {
 package = state->certs[i]->cert;
 decoded = CERT_DecodeCertFromPackage(package,
@@ -186,16 +197,10 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
 found = CERT_FindCertByDERCert(certdb,
 &decoded->derCert);
 if (found != NULL) {
- items[0] = &found->derCert;
- items[1] = NULL;
- if ((CERT_ImportCerts(certdb,
- certUsageSSLCA,
- 1, items,
- &imported,
- PR_TRUE, PR_FALSE,
- p) != SECSuccess) ||
- (imported == NULL) ||
- (imported[0] == NULL)) {
+ if (PK11_ImportCert(slot, found,
+ CK_INVALID_HANDLE,
+ p,
+ PR_FALSE) != SECSuccess) {
 ec = PORT_GetError();
 if (ec != 0) {
 es = PR_ErrorToName(ec);
@@ -217,10 +222,15 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
 cm_log(3, "Wrote '%s' to "
 "database '%s'.\n",
 p, state->nssdb);
- CERT_ChangeCertTrust(certdb,
- imported[0],
- &trust);
- CERT_DestroyCertificate(imported[0]);
+ if (CERT_ChangeCertTrust(certdb,
+ found,
+ &trust) != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN)
+ {
+ cm_log(0, "Unable to set trust. "
+ "Token not logged in.\n");
+ }
+ }
 }
 CERT_DestroyCertificate(found);
 } else{
@@ -234,6 +244,7 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
 p);
 }
 }
+ PK11_FreeSlot(slot);
 err = NSS_ShutdownContext(ctx);
 if (err != SECSuccess) {
 cm_log(1, "Error shutting down NSS.\n");
diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh
index 60f92d0..d81df82 100755
--- a/tests/025-casave/run.sh
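Review bot: `slot = PK11_GetInternalKeySlot();` is handed straight to `PK11_NeedUserInit(slot)` without a NULL check, the result of `PK11_InitPin(slot, NULL, "")` is discarded, and the `return CM_CERTSAVE_STATUS_INTERNAL_ERROR` in the `PK11_NeedLogin` branch bypasses both the `PK11_FreeSlot(slot)` added in the hunk at line 234 and the `NSS_ShutdownContext(ctx)` after it, so that error path leaks the slot reference and leaves the NSS context initialized (assuming ctx is already initialized at this point, as the shutdown at the end of the function suggests). The empty-PIN step also needs a more precise comment: `PK11_NeedUserInit` is true for any database whose token was never initialized, not only one this process just created, and the outcome is a key database with no password protection, which should be logged at a level an operator will see. The rewrite below checks each step and releases what was acquired before returning; cm_casave_main_n starts and ends outside the hunk.
```c
	slot = PK11_GetInternalKeySlot();
	if (slot == NULL) {
		cm_log(0, "Unable to get the internal key slot for NSS database %s.\n",
		       state->nssdb);
		NSS_ShutdownContext(ctx);
		return CM_CERTSAVE_STATUS_INTERNAL_ERROR;
	}
	if (PK11_NeedUserInit(slot)) {
		/* The token has never had a PIN set, which is what we see when
		 * we just created the database.  Set an empty PIN so the import
		 * below can proceed; the key database is then unprotected. */
		cm_log(1, "Initializing NSS database %s with an empty PIN.\n",
		       state->nssdb);
		if (PK11_InitPin(slot, NULL, "") != SECSuccess) {
			cm_log(0, "Unable to initialize PIN for NSS database %s.\n",
			       state->nssdb);
			PK11_FreeSlot(slot);
			NSS_ShutdownContext(ctx);
			return CM_CERTSAVE_STATUS_INTERNAL_ERROR;
		}
	}
	if (PK11_NeedLogin(slot)) {
		cm_log(0, "NSS database %s requires login\n", state->nssdb);
		PK11_FreeSlot(slot);
		NSS_ShutdownContext(ctx);
		return CM_CERTSAVE_STATUS_INTERNAL_ERROR;
	}
	/* … unchanged: certificate import loop … */
```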
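Review bot: Only `SEC_ERROR_TOKEN_NOT_LOGGED_IN` is reported when `CERT_ChangeCertTrust(certdb, found, &trust)` fails; every other failure is swallowed immediately after the line that logged `Wrote '%s' to database '%s'`, so a certificate can be stored without the trust flags the caller asked for (the `CT,C,C` the tests expect) and nothing in the log explains why. That is fail-closed as far as trust goes, but it leaves the operator debugging blind. Report the error name the way the import failure path in the hunk at line 186 does, replacing the inner `if` on the error code with `ec = PORT_GetError();` / `es = PR_ErrorToName(ec);` / `cm_log(0, "Unable to set trust on '%s' in '%s': %s.\n", p, state->nssdb, es != NULL ? es : "unknown error");`. The enclosing loop starts outside the hunk.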
+++ b/tests/025-casave/run.sh
@@ -844,7 +844,7 @@ for which in CAB1 CAB2 CAB3 CAD1 CAD2 CAD3 EntryB1 EntryB2 EntryB3 EntryD1 Entry
 done
 for db in 1 2 3 a ; do
 echo "[db$db]"
- certutil -L -d "db$db" 2> /dev/null | \
+ certutil -L -d "$scheme:db$db" 2> /dev/null | \
 grep , | grep -v JAR/XPI | sed -r 's, +, ,g' | \
 env LANG=C sort | tee "olddblist$db"
 done
@@ -853,7 +853,7 @@ for which in CAB1 CAB2 CAB3 CAD1 CAD2 CAD3 EntryB1 EntryB2 EntryB3 EntryD1 Entry
 diff -u "bundle$bundle" "oldbundle$bundle"
 done
 for db in 1 2 3 a ; do
- certutil -L -d "db$db" 2> /dev/null | \
+ certutil -L -d "$scheme:db$db" 2> /dev/null | \
 grep , | grep -v JAR/XPI | sed -r 's, +, ,g' | \
 env LANG=C sort > "dblist$db"
 diff -u "olddblist$db" "dblist$db"