Fix bug 115660. Note that fixing the bugs necessitates fixing the test
cases as well. The test case was depending on the failure to read certs to detect the failure to read keys. Now certutil returns a failure if no keys are found. This also means that the FIPS test after the key and cert has been deleted should expect a failure to list any keys.
This commit is contained in:
parent
99fb97305e
commit
a7723c632d
@ -934,14 +934,21 @@ printKeyCB(SECKEYPublicKey *key, SECItem *data, void *arg)
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
struct secuCBData {
|
||||
FILE *file;
|
||||
int keycount;
|
||||
};
|
||||
|
||||
/* callback for listing certs through pkcs11 */
|
||||
SECStatus
|
||||
static SECStatus
|
||||
secu_PrintKeyFromCert(CERTCertificate *cert, void *data)
|
||||
{
|
||||
FILE *out;
|
||||
struct secuCBData *cbdata;
|
||||
SECKEYPrivateKey *key;
|
||||
|
||||
out = (FILE *)data;
|
||||
cbdata = (struct secuCBData *)data;
|
||||
out = cbdata->file;
|
||||
key = PK11_FindPrivateKeyFromCert(PK11_GetInternalKeySlot(), cert, NULL);
|
||||
if (!key) {
|
||||
fprintf(out, "XXX could not extract key for %s.\n", cert->nickname);
|
||||
@ -950,6 +957,8 @@ secu_PrintKeyFromCert(CERTCertificate *cert, void *data)
|
||||
/* XXX should have a type field also */
|
||||
fprintf(out, "<%d> %s\n", 0, cert->nickname);
|
||||
|
||||
cbdata->keycount++;
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
@ -957,6 +966,10 @@ static SECStatus
|
||||
listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg)
|
||||
{
|
||||
SECStatus rv = SECSuccess;
|
||||
struct secuCBData cbdata;
|
||||
|
||||
cbdata.keycount = 0;
|
||||
cbdata.file = stdout;
|
||||
|
||||
#ifdef notdef
|
||||
if (PK11_IsInternal(slot)) {
|
||||
@ -974,11 +987,15 @@ listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg)
|
||||
/*rv = PK11_TraverseSlotKeys(slotname, keyType, printKeyCB, NULL, NULL);*/
|
||||
if (PK11_NeedLogin(slot))
|
||||
PK11_Authenticate(slot, PR_TRUE, pwarg);
|
||||
rv = PK11_TraverseCertsInSlot(slot, secu_PrintKeyFromCert, stdout);
|
||||
rv = PK11_TraverseCertsInSlot(slot, secu_PrintKeyFromCert, &cbdata);
|
||||
if (rv) {
|
||||
SECU_PrintError(progName, "problem listing keys");
|
||||
return SECFailure;
|
||||
}
|
||||
if (cbdata.keycount == 0) {
|
||||
SECU_PrintError(progName, "no keys found");
|
||||
return SECFailure;
|
||||
}
|
||||
return SECSuccess;
|
||||
#ifdef notdef
|
||||
}
|
||||
|
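Review bot: The new `cbdata.keycount == 0` check in listKeys reports "no keys found" for any cause that leaves the traversal empty, including a failed token login, because the result of `PK11_Authenticate(slot, PR_TRUE, pwarg)` two lines above the traversal is discarded; a wrong password in the FIPS test would then yield the same failure the test now reads as proof of a successful delete. Checking the login result keeps the two outcomes apart: `if (PK11_NeedLogin(slot) && PK11_Authenticate(slot, PR_TRUE, pwarg) != SECSuccess) { SECU_PrintError(progName, "could not authenticate to token"); return SECFailure; }`. As far as these lines show, keycount is only incremented from the cert-traversal callback secu_PrintKeyFromCert, so a private key with no matching certificate would not be counted and would also be reported as "no keys found"; if that is intended, a comment on the check saying so would help. listKeys starts in the earlier hunk at -957 and the lines between the two hunks are not shown.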
@ -394,7 +394,33 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
|
||||
* that match a template. */
|
||||
CK_RV FC_FindObjectsInit(CK_SESSION_HANDLE hSession,
|
||||
CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
|
||||
PK11_FIPSCHECK();
|
||||
/* let publically readable object be found */
|
||||
int i;
|
||||
CK_RV rv;
|
||||
PRBool needLogin = PR_FALSE;
|
||||
|
||||
PK11_FIPSFATALCHECK();
|
||||
|
||||
for (i=0; i < usCount; i++) {
|
||||
CK_OBJECT_CLASS class;
|
||||
if (pTemplate[i].type != CKA_CLASS) {
|
||||
continue;
|
||||
}
|
||||
if (pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS)) {
|
||||
continue;
|
||||
}
|
||||
if (pTemplate[i].pValue == NULL) {
|
||||
continue;
|
||||
}
|
||||
class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
|
||||
if ((class == CKO_PRIVATE_KEY) || (class == CKO_SECRET_KEY)) {
|
||||
needLogin = PR_TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (needLogin) {
|
||||
if ((rv = pk11_fipsCheck()) != CKR_OK) return rv;
|
||||
}
|
||||
return NSC_FindObjectsInit(hSession,pTemplate,usCount);
|
||||
}
|
||||
|
||||
@ -404,7 +430,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
|
||||
CK_RV FC_FindObjects(CK_SESSION_HANDLE hSession,
|
||||
CK_OBJECT_HANDLE_PTR phObject,CK_ULONG usMaxObjectCount,
|
||||
CK_ULONG_PTR pusObjectCount) {
|
||||
PK11_FIPSCHECK();
|
||||
/* let publically readable object be found */
|
||||
PK11_FIPSFATALCHECK();
|
||||
return NSC_FindObjects(hSession,phObject,usMaxObjectCount,
|
||||
pusObjectCount);
|
||||
}
|
||||
@ -840,7 +867,8 @@ CK_RV FC_SetOperationState(CK_SESSION_HANDLE hSession,
|
||||
|
||||
/* FC_FindObjectsFinal finishes a search for token and session objects. */
|
||||
CK_RV FC_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
|
||||
PK11_FIPSCHECK();
|
||||
/* let publically readable object be found */
|
||||
PK11_FIPSFATALCHECK();
|
||||
return NSC_FindObjectsFinal(hSession);
|
||||
}
|
||||
|
||||
|
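Review bot: In FC_FindObjectsInit the new loop reads the class with `class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;` after checking only the length and the null pointer; pValue comes from the PKCS#11 caller and nothing on this path guarantees it is aligned for a CK_OBJECT_CLASS, so copying it out, `memcpy(&class, pTemplate[i].pValue, sizeof class);`, avoids a misaligned load on strict targets. The loop header `for (i=0; i < usCount; i++)` also compares an `int` index against the `CK_ULONG usCount`, mixing signed and unsigned; declaring `CK_ULONG i;` removes that. The login requirement is keyed on CKA_CLASS alone, so a template without a CKA_CLASS attribute goes straight to NSC_FindObjectsInit; that is fine only if NSC_FindObjectsInit itself withholds private objects from a session that has not logged in, which these hunks do not show, and a one-line comment stating that assumption would help the next reader. The same `/* let publically readable object be found */` comment is added in the FC_FindObjects and FC_FindObjectsFinal hunks below; it would be clearer as `/* publicly readable objects may be found without login; private/secret keys are gated in FC_FindObjectsInit */`, which also fixes the spelling.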
@ -141,7 +141,9 @@ fips_140_1()
|
||||
echo "$SCRIPTNAME: List the FIPS module keys."
|
||||
echo "certutil -d ${R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
|
||||
certutil -d ${R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
|
||||
html_msg $? 0 "List the FIPS module keys (certutil -K)"
|
||||
# certutil -K now returns a failure if no keys are found. This verifies that
|
||||
# our delete succeded.
|
||||
html_msg $? 255 "List the FIPS module keys (certutil -K)"
|
||||
|
||||
echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
|
||||
echo "pk12util -d ${R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
|
||||
|
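Review bot: `html_msg $? 255 "List the FIPS module keys (certutil -K)"` pins the test to one specific non-zero exit status; 255 is presumably what the shell sees when certutil exits with SECFailure (-1), an implementation detail rather than a documented code, so a later change to certutil's exit mapping breaks this check even though the behavior under test (no keys remain after the delete) is unchanged. If the harness has no "expect non-zero" form, the added comment should at least record where 255 comes from, e.g. `# certutil -K now exits non-zero (-1, seen by the shell as 255) when no keys are found; this verifies that our delete succeeded.`, which also fixes the `succeded` typo in the added comment. The enclosing fips_140_1 function starts and ends outside the hunk.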