37cd032951
The updated NSS crypto-policy enables all tokens, which broke certificate requests because of the way tokens were managed when none was specified.
From f396b19b2c222fa0a50e9bb9704059af4578e678 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 31 Aug 2018 12:08:35 -0400
Subject: [PATCH 3/7] Add utility function to get the internal token name
The NSS internal token is the default if no token is specified for
the cert or the key.
---
src/certread-n.c | 6 +++++-
src/certsave-n.c | 3 +++
src/keygen-n.c | 3 +++
src/keyiread-n.c | 3 +++
src/submit-n.c | 5 ++++-
src/util-n.c | 6 ++++++
src/util-n.h | 1 +
7 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/certread-n.c b/src/certread-n.c
|
|
index 57a38dcf..1d9217c6 100644
|
|
--- a/src/certread-n.c
|
|
+++ b/src/certread-n.c
|
|
@@ -190,6 +190,9 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
cm_log(1, "Error reading PIN for cert db.\n");
|
|
_exit(CM_SUB_STATUS_ERROR_AUTH);
|
|
}
|
|
+ if (entry->cm_cert_token == NULL) {
|
|
+ entry->cm_cert_token = util_internal_token_name();
|
|
+ }
|
|
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
|
|
for (sle = slotlist->head;
|
|
((sle != NULL) && (sle->slot != NULL));
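Review bot: The result of `util_internal_token_name()` is assigned to `entry->cm_cert_token` without checking for NULL, and since the helper is a `strdup()` of the token name it can return NULL on allocation failure; in that case the field silently stays NULL, which appears to be exactly the "no token specified" state this series is trying to get rid of, so the slot walk below would presumably fall back to the old behaviour with no diagnostic. A guard of the form `if (entry->cm_cert_token == NULL) { cm_log(1, "certread-n: Error getting internal token name.\n"); _exit(CM_SUB_STATUS_ERROR_NO_TOKEN); }` would match how the PIN-read failure just above is handled, though whether ERROR_NO_TOKEN is the right status here should be confirmed against the caller. It would also help to note in a comment that the name is heap-allocated and owned by the entry. cm_certread_n_main starts and ends outside this hunk.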
|
|
@@ -253,7 +256,8 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
}
|
|
error = PK11_Authenticate(sle->slot, PR_TRUE, &cb_data);
|
|
if (error != SECSuccess) {
|
|
- cm_log(1, "Error authenticating to cert db.\n");
|
|
+ cm_log(1, "certread-n: Error authenticating to cert db "
|
|
+ "slot %s.\n", PK11_GetTokenName(sle->slot));
|
|
goto next_slot;
|
|
}
|
|
if ((pin != NULL) &&
|
|
diff --git a/src/certsave-n.c b/src/certsave-n.c
|
|
index af176ce5..193309c5 100644
|
|
--- a/src/certsave-n.c
|
|
+++ b/src/certsave-n.c
|
|
@@ -214,6 +214,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
_exit(CM_SUB_STATUS_ERROR_AUTH);
|
|
}
|
|
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
|
|
+ if (entry->cm_cert_token == NULL) {
|
|
+ entry->cm_cert_token = util_internal_token_name();
|
|
+ }
|
|
for (sle = slotlist->head;
|
|
((sle != NULL) && (sle->slot != NULL));
|
|
sle = sle->next)
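Review bot: The added assignment to `entry->cm_cert_token` does not check for a NULL return from `util_internal_token_name()`, which can fail since it allocates via `strdup()`; on failure the token stays NULL and the loop below presumably proceeds as if no token were configured, which is the condition this patch exists to avoid. Consider logging and exiting the same way the PIN failure above does, e.g. `cm_log(1, "certsave-n: Error getting internal token name.\n"); _exit(CM_SUB_STATUS_ERROR_NO_TOKEN);`, with the status code confirmed against the other error paths. Note also that this hunk places the assignment after `PK11_SetPasswordFunc()` while certread-n.c places it before; neither order looks wrong, but the files would be easier to compare if they matched. cm_certsave_n_main starts and ends outside this hunk.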
|
|
diff --git a/src/keygen-n.c b/src/keygen-n.c
|
|
index 84b0bbd3..f7fdf6c0 100644
|
|
--- a/src/keygen-n.c
|
|
+++ b/src/keygen-n.c
|
|
@@ -272,6 +272,9 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
|
cm_log(1, "Error locating token for key generation.\n");
|
|
_exit(CM_SUB_STATUS_ERROR_NO_TOKEN);
|
|
}
|
|
+ if (entry->cm_cert_token == NULL) {
|
|
+ entry->cm_cert_token = util_internal_token_name();
|
|
+ }
|
|
/* Walk the list looking for the requested slot, or the first one if
|
|
* none was requested. */
|
|
slot = NULL;
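Review bot: The comment immediately below the new lines, `/* Walk the list looking for the requested slot, or the first one if none was requested. */`, is now stale: after this hunk `cm_cert_token` is never NULL at that point, so the "first one if none was requested" branch can only be reached if `util_internal_token_name()` fails. That failure is also unchecked here, and a NULL from `strdup()` would quietly re-enable the old walk-everything behaviour rather than failing. Suggest rewording the comment to `/* Walk the list looking for the requested slot (the internal token if none was configured). */` and, since the code just above already exits with `CM_SUB_STATUS_ERROR_NO_TOKEN` when no token can be located, treating a NULL name the same way. cm_keygen_n_main starts and ends outside this hunk.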
|
|
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
|
|
index 89913aa2..b8408bf1 100644
|
|
--- a/src/keyiread-n.c
|
|
+++ b/src/keyiread-n.c
|
|
@@ -152,6 +152,9 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
|
|
_exit(CM_SUB_STATUS_ERROR_AUTH);
|
|
}
|
|
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
|
|
+ if (entry->cm_key_token == NULL) {
|
|
+ entry->cm_key_token = util_internal_token_name();
|
|
+ }
|
|
n_tokens = 0;
|
|
pubkey = NULL;
|
|
/* In practice, the internal slot is either a non-storage slot (in
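Review bot: The new `entry->cm_key_token` default is assigned without checking whether `util_internal_token_name()` returned NULL, so an allocation failure in the helper leaves the key token unset and the function presumably proceeds with the pre-patch "no token" semantics, silently. A one-line check that logs and `_exit`s like the PIN-read failure just above, e.g. `if (entry->cm_key_token == NULL) { cm_log(1, "keyiread-n: Error getting internal token name.\n"); _exit(CM_SUB_STATUS_ERROR_AUTH); }`, would make the failure visible; the exact status value should be chosen to match what callers of cm_keyiread_n_get_keys expect. The enclosing function starts and ends outside this hunk.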
|
|
diff --git a/src/submit-n.c b/src/submit-n.c
|
|
index 872153ea..da07d253 100644
|
|
--- a/src/submit-n.c
|
|
+++ b/src/submit-n.c
|
|
@@ -346,6 +346,9 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
|
|
cm_log(1, "Error reading PIN for key storage.\n");
|
|
goto done;
|
|
}
|
|
+ if (args->entry->cm_key_token == NULL) {
|
|
+ args->entry->cm_key_token = util_internal_token_name();
|
|
+ }
|
|
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
|
|
n_tokens = 0;
|
|
/* In practice, the internal slot is either a non-storage slot (in
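Review bot: Unlike the other call sites in this series, this function reports failures with `goto done` rather than `_exit`, so an unchecked NULL from `util_internal_token_name()` here means `args->entry->cm_key_token` stays NULL and the envelope decryption continues with whatever the later token matching does for an unset token. A check in the style of the PIN failure above, `if (args->entry->cm_key_token == NULL) { cm_log(1, "submit-n: Error getting internal token name.\n"); goto done; }`, keeps the error handling consistent within this function. It is also worth a comment that the assigned string is heap-allocated, since this function's cleanup path is not visible in the hunk and the ownership of the entry fields cannot be confirmed from here. cm_submit_n_decrypt_envelope starts and ends outside this hunk.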
|
|
@@ -402,7 +405,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
|
|
}
|
|
error = PK11_Authenticate(slot, PR_TRUE, &cb_data);
|
|
if (error != SECSuccess) {
|
|
- cm_log(1, "Error authenticating to token "
|
|
+ cm_log(1, "submit-n: Error authenticating to token "
|
|
"\"%s\".\n", token);
|
|
goto done;
|
|
}
|
|
diff --git a/src/util-n.c b/src/util-n.c
|
|
index 7805e58e..293e2583 100644
|
|
--- a/src/util-n.c
|
|
+++ b/src/util-n.c
|
|
@@ -287,3 +287,9 @@ util_set_db_entry_cert_owner(const char *dbdir, struct cm_store_entry *entry)
|
|
util_set_db_owner_perms(dbdir, secmoddb, entry->cm_cert_owner,
|
|
entry->cm_cert_perms);
|
|
}
|
|
+
|
|
+char *
|
|
+util_internal_token_name()
|
|
+{
|
|
+ return strdup(PK11_GetTokenName(PK11_GetInternalKeySlot()));
|
|
+}
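Review bot: `util_internal_token_name()` never releases the slot reference obtained from `PK11_GetInternalKeySlot()`, and it does not check that call for NULL before passing the result to `PK11_GetTokenName()`; NSS hands back a referenced slot here that the caller is expected to drop with `PK11_FreeSlot()`, so every call leaks a reference, and a NULL slot (e.g. NSS not initialised in the calling process) would be dereferenced. The `strdup()` result is also returned unchecked, which is acceptable only if every caller tolerates NULL. The empty parameter list should be `(void)` so the definition is a prototype. The function is also undocumented; a short header noting that the returned string is malloc'd and owned by the caller would help the call sites that store it in entry fields.
```c
/* Return the name of the NSS internal key token as a newly allocated
 * string (caller frees), or NULL if the slot is unavailable or
 * allocation fails. */
char *
util_internal_token_name(void)
{
	PK11SlotInfo *slot;
	char *name;

	slot = PK11_GetInternalKeySlot();
	if (slot == NULL) {
		return NULL;
	}
	name = strdup(PK11_GetTokenName(slot));
	PK11_FreeSlot(slot);
	return name;
}
```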
|
|
diff --git a/src/util-n.h b/src/util-n.h
|
|
index 8a918d5c..637fd4b1 100644
|
|
--- a/src/util-n.h
|
|
+++ b/src/util-n.h
|
|
@@ -29,5 +29,6 @@ void util_set_db_entry_key_owner(const char *dbdir,
|
|
struct cm_store_entry *entry);
|
|
void util_set_db_entry_cert_owner(const char *dbdir,
|
|
struct cm_store_entry *entry);
|
|
+char * util_internal_token_name();
|
|
|
|
#endif
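Review bot: The new declaration `char * util_internal_token_name();` is an old-style non-prototype declaration; with an empty parameter list the compiler does no argument checking at call sites, and the form is obsolescent in C11. Declare it as `char *util_internal_token_name(void);` to match the pointer-binding style of the surrounding declarations and to get a real prototype. A one-line comment stating that the returned string is heap-allocated and owned by the caller (and may be NULL) would document the contract the call sites in this series rely on.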
|
|
--
|
|
2.14.4