certmonger/0004-Add-utility-function-to-get-the-internal-token-name.patch

From f396b19b2c222fa0a50e9bb9704059af4578e678 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 31 Aug 2018 12:08:35 -0400
Subject: [PATCH 3/7] Add utility function to get the internal token name

The NSS internal token is the default if no token is specified for
the cert or the key.
---
 src/certread-n.c | 6 +++++-
 src/certsave-n.c | 3 +++
 src/keygen-n.c   | 3 +++
 src/keyiread-n.c | 3 +++
 src/submit-n.c   | 5 ++++-
 src/util-n.c     | 6 ++++++
 src/util-n.h     | 1 +
 7 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/src/certread-n.c b/src/certread-n.c
index 57a38dcf..1d9217c6 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -190,6 +190,9 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 		cm_log(1, "Error reading PIN for cert db.\n");
 		_exit(CM_SUB_STATUS_ERROR_AUTH);
 	}
+	if (entry->cm_cert_token == NULL) {
+		entry->cm_cert_token = util_internal_token_name();
+	}
 	PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
 	for (sle = slotlist->head;
 	     ((sle != NULL) && (sle->slot != NULL));
@@ -253,7 +256,8 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 			}
 			error = PK11_Authenticate(sle->slot, PR_TRUE, &cb_data);
 			if (error != SECSuccess) {
-				cm_log(1, "Error authenticating to cert db.\n");
+				cm_log(1, "certread-n: Error authenticating to cert db "
+					   "slot %s.\n", PK11_GetTokenName(sle->slot));
 				goto next_slot;
 			}
 			if ((pin != NULL) &&
diff --git a/src/certsave-n.c b/src/certsave-n.c
index af176ce5..193309c5 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -214,6 +214,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 			_exit(CM_SUB_STATUS_ERROR_AUTH);
 		}
 		PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
+		if (entry->cm_cert_token == NULL) {
+			entry->cm_cert_token = util_internal_token_name();
+		}
 		for (sle = slotlist->head;
 		     ((sle != NULL) && (sle->slot != NULL));
 		     sle = sle->next)
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 84b0bbd3..f7fdf6c0 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -272,6 +272,9 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 		cm_log(1, "Error locating token for key generation.\n");
 		_exit(CM_SUB_STATUS_ERROR_NO_TOKEN);
 	}
+	if (entry->cm_cert_token == NULL) {
+		entry->cm_cert_token = util_internal_token_name();
+	}
 	/* Walk the list looking for the requested slot, or the first one if
 	 * none was requested. */
 	slot = NULL;
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index 89913aa2..b8408bf1 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -152,6 +152,9 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
 		_exit(CM_SUB_STATUS_ERROR_AUTH);
 	}
 	PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
+	if (entry->cm_key_token == NULL) {
+		entry->cm_key_token = util_internal_token_name();
+	}
 	n_tokens = 0;
 	pubkey = NULL;
 	/* In practice, the internal slot is either a non-storage slot (in
diff --git a/src/submit-n.c b/src/submit-n.c
index 872153ea..da07d253 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -346,6 +346,9 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
 		cm_log(1, "Error reading PIN for key storage.\n");
 		goto done;
 	}
+	if (args->entry->cm_key_token == NULL) {
+		args->entry->cm_key_token = util_internal_token_name();
+	}
 	PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
 	n_tokens = 0;
 	/* In practice, the internal slot is either a non-storage slot (in
@@ -402,7 +405,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
 		}
 		error = PK11_Authenticate(slot, PR_TRUE, &cb_data);
 		if (error != SECSuccess) {
-			cm_log(1, "Error authenticating to token "
+			cm_log(1, "submit-n: Error authenticating to token "
 			       "\"%s\".\n", token);
 			goto done;
 		}
diff --git a/src/util-n.c b/src/util-n.c
index 7805e58e..293e2583 100644
--- a/src/util-n.c
+++ b/src/util-n.c
@@ -287,3 +287,9 @@ util_set_db_entry_cert_owner(const char *dbdir, struct cm_store_entry *entry)
 	util_set_db_owner_perms(dbdir, secmoddb, entry->cm_cert_owner,
 				entry->cm_cert_perms);
 }
+
+char *
+util_internal_token_name()
+{
+	return strdup(PK11_GetTokenName(PK11_GetInternalKeySlot()));
+}
diff --git a/src/util-n.h b/src/util-n.h
index 8a918d5c..637fd4b1 100644
--- a/src/util-n.h
+++ b/src/util-n.h
@@ -29,5 +29,6 @@ void util_set_db_entry_key_owner(const char *dbdir,
 				 struct cm_store_entry *entry);
 void util_set_db_entry_cert_owner(const char *dbdir,
 				  struct cm_store_entry *entry);
+char * util_internal_token_name();
 
 #endif
-- 
2.14.4
Improve NSS token handling The updated NSS crypto-policy enables all tokens which broke requesting certificates due to the way that tokens were managed. 2018-10-01 18:34:36 +00:00			`From f396b19b2c222fa0a50e9bb9704059af4578e678 Mon Sep 17 00:00:00 2001`
			`From: Rob Crittenden <rcritten@redhat.com>`
			`Date: Fri, 31 Aug 2018 12:08:35 -0400`
			`Subject: [PATCH 3/7] Add utility function to get the internal token name`

			`The NSS internal token is the default if no token is specified for`
			`the cert or the key.`
			`---`
			`src/certread-n.c \| 6 +++++-`
			`src/certsave-n.c \| 3 +++`
			`src/keygen-n.c \| 3 +++`
			`src/keyiread-n.c \| 3 +++`
			`src/submit-n.c \| 5 ++++-`
			`src/util-n.c \| 6 ++++++`
			`src/util-n.h \| 1 +`
			`7 files changed, 25 insertions(+), 2 deletions(-)`

			`diff --git a/src/certread-n.c b/src/certread-n.c`
			`index 57a38dcf..1d9217c6 100644`
			`--- a/src/certread-n.c`
			`+++ b/src/certread-n.c`
			`@@ -190,6 +190,9 @@ cm_certread_n_main(int fd, struct cm_store_ca ca, struct cm_store_entry entry,`
			`cm_log(1, "Error reading PIN for cert db.\n");`
			`_exit(CM_SUB_STATUS_ERROR_AUTH);`
			`}`
			`+ if (entry->cm_cert_token == NULL) {`
			`+ entry->cm_cert_token = util_internal_token_name();`
			`+ }`
			`PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);`
			`for (sle = slotlist->head;`
			`((sle != NULL) && (sle->slot != NULL));`
			`@@ -253,7 +256,8 @@ cm_certread_n_main(int fd, struct cm_store_ca ca, struct cm_store_entry entry,`
			`}`
			`error = PK11_Authenticate(sle->slot, PR_TRUE, &cb_data);`
			`if (error != SECSuccess) {`
			`- cm_log(1, "Error authenticating to cert db.\n");`
			`+ cm_log(1, "certread-n: Error authenticating to cert db "`
			`+ "slot %s.\n", PK11_GetTokenName(sle->slot));`
			`goto next_slot;`
			`}`
			`if ((pin != NULL) &&`
			`diff --git a/src/certsave-n.c b/src/certsave-n.c`
			`index af176ce5..193309c5 100644`
			`--- a/src/certsave-n.c`
			`+++ b/src/certsave-n.c`
			`@@ -214,6 +214,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca ca, struct cm_store_entry entry,`
			`_exit(CM_SUB_STATUS_ERROR_AUTH);`
			`}`
			`PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);`
			`+ if (entry->cm_cert_token == NULL) {`
			`+ entry->cm_cert_token = util_internal_token_name();`
			`+ }`
			`for (sle = slotlist->head;`
			`((sle != NULL) && (sle->slot != NULL));`
			`sle = sle->next)`
			`diff --git a/src/keygen-n.c b/src/keygen-n.c`
			`index 84b0bbd3..f7fdf6c0 100644`
			`--- a/src/keygen-n.c`
			`+++ b/src/keygen-n.c`
			`@@ -272,6 +272,9 @@ cm_keygen_n_main(int fd, struct cm_store_ca ca, struct cm_store_entry entry,`
			`cm_log(1, "Error locating token for key generation.\n");`
			`_exit(CM_SUB_STATUS_ERROR_NO_TOKEN);`
			`}`
			`+ if (entry->cm_cert_token == NULL) {`
			`+ entry->cm_cert_token = util_internal_token_name();`
			`+ }`
			`/* Walk the list looking for the requested slot, or the first one if`
			`* none was requested. */`
			`slot = NULL;`
			`diff --git a/src/keyiread-n.c b/src/keyiread-n.c`
			`index 89913aa2..b8408bf1 100644`
			`--- a/src/keyiread-n.c`
			`+++ b/src/keyiread-n.c`
			`@@ -152,6 +152,9 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)`
			`_exit(CM_SUB_STATUS_ERROR_AUTH);`
			`}`
			`PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);`
			`+ if (entry->cm_key_token == NULL) {`
			`+ entry->cm_key_token = util_internal_token_name();`
			`+ }`
			`n_tokens = 0;`
			`pubkey = NULL;`
			`/* In practice, the internal slot is either a non-storage slot (in`
			`diff --git a/src/submit-n.c b/src/submit-n.c`
			`index 872153ea..da07d253 100644`
			`--- a/src/submit-n.c`
			`+++ b/src/submit-n.c`
			`@@ -346,6 +346,9 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,`
			`cm_log(1, "Error reading PIN for key storage.\n");`
			`goto done;`
			`}`
			`+ if (args->entry->cm_key_token == NULL) {`
			`+ args->entry->cm_key_token = util_internal_token_name();`
			`+ }`
			`PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);`
			`n_tokens = 0;`
			`/* In practice, the internal slot is either a non-storage slot (in`
			`@@ -402,7 +405,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,`
			`}`
			`error = PK11_Authenticate(slot, PR_TRUE, &cb_data);`
			`if (error != SECSuccess) {`
			`- cm_log(1, "Error authenticating to token "`
			`+ cm_log(1, "submit-n: Error authenticating to token "`
			`"\"%s\".\n", token);`
			`goto done;`
			`}`
			`diff --git a/src/util-n.c b/src/util-n.c`
			`index 7805e58e..293e2583 100644`
			`--- a/src/util-n.c`
			`+++ b/src/util-n.c`
			`@@ -287,3 +287,9 @@ util_set_db_entry_cert_owner(const char dbdir, struct cm_store_entry entry)`
			`util_set_db_owner_perms(dbdir, secmoddb, entry->cm_cert_owner,`
			`entry->cm_cert_perms);`
			`}`
			`+`
			`+char *`
			`+util_internal_token_name()`
			`+{`
			`+ return strdup(PK11_GetTokenName(PK11_GetInternalKeySlot()));`
			`+}`
			`diff --git a/src/util-n.h b/src/util-n.h`
			`index 8a918d5c..637fd4b1 100644`
			`--- a/src/util-n.h`
			`+++ b/src/util-n.h`
			`@@ -29,5 +29,6 @@ void util_set_db_entry_key_owner(const char *dbdir,`
			`struct cm_store_entry *entry);`
			`void util_set_db_entry_cert_owner(const char *dbdir,`
			`struct cm_store_entry *entry);`
			`+char * util_internal_token_name();`

			`#endif`
			`--`
			`2.14.4`