Fix bug 115660. Note that fixing the bugs necessitates fixing the test

cases as well. The test case was depending on the failure to read certs to detect the failure to read keys. Now certutil returns a failure if no keys are found. This also means that the FIPS test after the key and cert has been deleted should expect a failure to list any keys.
2024-10-12 04:45:45 +00:00 · 2002-01-25 19:03:17 +00:00 · 2002-01-25 19:03:17 +00:00 · a7723c632d
commit a7723c632d
parent 99fb97305e
3 changed files with 54 additions and 7 deletions
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@ -934,14 +934,21 @@ printKeyCB(SECKEYPublicKey *key, SECItem *data, void *arg)
    return SECSuccess;
 }

+struct secuCBData {
+    FILE *file;
+    int	keycount;
+};
+
 /* callback for listing certs through pkcs11 */
-SECStatus
+static SECStatus
 secu_PrintKeyFromCert(CERTCertificate *cert, void *data)
 {
    FILE *out;
+    struct secuCBData *cbdata;
    SECKEYPrivateKey *key;

-    out = (FILE *)data;
+    cbdata = (struct secuCBData *)data;
+    out = cbdata->file;
    key = PK11_FindPrivateKeyFromCert(PK11_GetInternalKeySlot(), cert, NULL);
    if (!key) {
 	fprintf(out, "XXX could not extract key for %s.\n", cert->nickname);
@ -950,6 +957,8 @@ secu_PrintKeyFromCert(CERTCertificate *cert, void *data)
    /* XXX should have a type field also */
    fprintf(out, "<%d> %s\n", 0, cert->nickname);

+    cbdata->keycount++;
+
    return SECSuccess;
 }

@ -957,6 +966,10 @@ static SECStatus
 listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg)
 {
    SECStatus rv = SECSuccess;
+    struct secuCBData cbdata;
+
+    cbdata.keycount = 0;
+    cbdata.file = stdout;

 #ifdef notdef
    if (PK11_IsInternal(slot)) {
@ -974,11 +987,15 @@ listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg)
    /*rv = PK11_TraverseSlotKeys(slotname, keyType, printKeyCB, NULL, NULL);*/
 	if (PK11_NeedLogin(slot))
 	    PK11_Authenticate(slot, PR_TRUE, pwarg);
-	rv = PK11_TraverseCertsInSlot(slot, secu_PrintKeyFromCert, stdout);
+	rv = PK11_TraverseCertsInSlot(slot, secu_PrintKeyFromCert, &cbdata);
 	if (rv) {
 	    SECU_PrintError(progName, "problem listing keys");
 	    return SECFailure;
 	}
+	if (cbdata.keycount == 0) {
+	    SECU_PrintError(progName, "no keys found");
+	    return SECFailure;
+	}
 	return SECSuccess;
 #ifdef notdef
    }
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@ -394,7 +394,33 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
 * that match a template. */
 CK_RV FC_FindObjectsInit(CK_SESSION_HANDLE hSession,
    			CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
-    PK11_FIPSCHECK();
+    /* let publically readable object be found */
+    int i;
+    CK_RV rv;
+    PRBool needLogin = PR_FALSE;
+
+    PK11_FIPSFATALCHECK();
+
+    for (i=0; i < usCount; i++) {
+	CK_OBJECT_CLASS class;
+	if (pTemplate[i].type != CKA_CLASS) {
+	    continue;
+	}
+	if (pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS)) {
+	    continue;
+	}
+	if (pTemplate[i].pValue == NULL) {
+	    continue;
+	}
+	class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+	if ((class == CKO_PRIVATE_KEY) || (class == CKO_SECRET_KEY)) {
+	    needLogin = PR_TRUE;
+	    break;
+	}
+    }
+    if (needLogin) {
+	if ((rv = pk11_fipsCheck()) != CKR_OK) return rv;
+    }
    return NSC_FindObjectsInit(hSession,pTemplate,usCount);
 }

@ -404,7 +430,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
 CK_RV FC_FindObjects(CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE_PTR phObject,CK_ULONG usMaxObjectCount,
    					CK_ULONG_PTR pusObjectCount) {
-    PK11_FIPSCHECK();
+    /* let publically readable object be found */
+    PK11_FIPSFATALCHECK();
    return NSC_FindObjects(hSession,phObject,usMaxObjectCount,
    							pusObjectCount);
 }
@ -840,7 +867,8 @@ CK_RV FC_SetOperationState(CK_SESSION_HANDLE hSession,

 /* FC_FindObjectsFinal finishes a search for token and session objects. */
 CK_RV FC_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
-    PK11_FIPSCHECK();
+    /* let publically readable object be found */
+    PK11_FIPSFATALCHECK();
    return NSC_FindObjectsFinal(hSession);
 }

--- a/security/nss/tests/fips/fips.sh
+++ b/security/nss/tests/fips/fips.sh
@ -141,7 +141,9 @@ fips_140_1()
  echo "$SCRIPTNAME: List the FIPS module keys."
  echo "certutil -d ${R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  certutil -d ${R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
-  html_msg $? 0 "List the FIPS module keys (certutil -K)"
+  # certutil -K now returns a failure if no keys are found. This verifies that
+  # our delete succeded.
+  html_msg $? 255 "List the FIPS module keys (certutil -K)"

  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
  echo "pk12util -d ${R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"