Blame SOURCES/0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch

398fc5
From 34c120f0259750ff2228def2955de9ad985340e6 Mon Sep 17 00:00:00 2001
398fc5
From: Rob Crittenden <rcritten@redhat.com>
398fc5
Date: Mon, 26 Aug 2019 22:01:35 +0000
398fc5
Subject: [PATCH] Remove NOMODDB flag flag from context init, look for full
398fc5
 tokens
398fc5
398fc5
The NSS databases were almost universally initialized with the
398fc5
NOMODDB flag. I'm not sure if something changed in NSS but the
398fc5
PKCS#11 modules were not being initialized. Adding this back after
398fc5
permission checks are done results in tokens working again.
398fc5
398fc5
When looking for certs and keys try the full token:nickname string
398fc5
as well as just nickname when comparing values.
398fc5
398fc5
https://pagure.io/certmonger/issue/125
398fc5
---
398fc5
 src/casave.c     |  3 +--
398fc5
 src/certread-n.c | 33 ++++++++++++++++-----------------
398fc5
 src/certsave-n.c |  5 +++++
398fc5
 src/dogtag.c     |  3 +--
398fc5
 src/keygen-n.c   |  5 +++++
398fc5
 src/keyiread-n.c | 11 ++++++++++-
398fc5
 src/scepgen-n.c  |  5 +++++
398fc5
 src/submit-n.c   |  5 +++++
398fc5
 src/toklist.c    |  2 +-
398fc5
 9 files changed, 49 insertions(+), 23 deletions(-)
398fc5
398fc5
diff --git a/src/casave.c b/src/casave.c
398fc5
index bde63f99..1cf5a406 100644
398fc5
--- a/src/casave.c
398fc5
+++ b/src/casave.c
398fc5
@@ -111,8 +111,7 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
398fc5
 					break;
398fc5
 				default:
398fc5
 					flags = NSS_INIT_READONLY |
398fc5
-						NSS_INIT_NOROOTINIT |
398fc5
-						NSS_INIT_NOMODDB;
398fc5
+						NSS_INIT_NOROOTINIT;
398fc5
 					/* Sigh.  Not a lot of detail.  Check
398fc5
 					 * if we succeed in read-only mode,
398fc5
 					 * which we'll interpret as lack of
398fc5
diff --git a/src/certread-n.c b/src/certread-n.c
398fc5
index d535030b..bb61b61b 100644
398fc5
--- a/src/certread-n.c
398fc5
+++ b/src/certread-n.c
398fc5
@@ -157,27 +157,22 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
398fc5
 		cm_log(1, "Unable to open NSS database.\n");
398fc5
 		_exit(status);
398fc5
 	}
398fc5
+    /* Re-open the database with modules enabled */
398fc5
+	NSS_ShutdownContext(ctx);
398fc5
+	ctx = NSS_InitContext(entry->cm_cert_storage_location,
398fc5
+			      NULL, NULL, NULL, NULL,
398fc5
+			      (readwrite ? 0 : NSS_INIT_READONLY) |
398fc5
+			      NSS_INIT_NOROOTINIT);
398fc5
 	es = util_n_fips_hook();
398fc5
 	if (es != NULL) {
398fc5
 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", es);
398fc5
 		_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
398fc5
 	}
398fc5
-	/* Allocate a memory pool. */
398fc5
-	arena = PORT_NewArena(sizeof(double));
398fc5
-	if (arena == NULL) {
398fc5
-		cm_log(1, "Error opening database '%s'.\n",
398fc5
-		       entry->cm_cert_storage_location);
398fc5
-		if (NSS_ShutdownContext(ctx) != SECSuccess) {
398fc5
-			cm_log(1, "Error shutting down NSS.\n");
398fc5
-		}
398fc5
-		_exit(ENOMEM);
398fc5
-	}
398fc5
 	/* Find the tokens that we might use for cert storage. */
398fc5
 	mech = CKM_RSA_X_509;
398fc5
 	slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);
398fc5
 	if (slotlist == NULL) {
398fc5
 		cm_log(1, "Error getting list of tokens.\n");
398fc5
-		PORT_FreeArena(arena, PR_TRUE);
398fc5
 		if (NSS_ShutdownContext(ctx) != SECSuccess) {
398fc5
 			cm_log(1, "Error shutting down NSS.\n");
398fc5
 		}
398fc5
@@ -249,6 +244,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
398fc5
 		}
398fc5
 		/* If we need to log in in order to read certificates, do so. */
398fc5
 		if (PK11_NeedLogin(sle->slot)) {
398fc5
+			cm_log(3, "Need login to token %s\n", PK11_GetTokenName(sle->slot));
398fc5
 			if (cm_pin_read_for_cert(entry, &pin) != 0) {
398fc5
 				cm_log(1, "Error reading PIN for cert db, "
398fc5
 				       "skipping.\n");
398fc5
@@ -272,13 +268,19 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
398fc5
 		/* Walk the list of certificates in the slot, looking for one
398fc5
 		 * which matches the specified nickname. */
398fc5
 		certs = PK11_ListCertsInSlot(sle->slot);
398fc5
+		cm_log(3, "Looking for %s\n", entry->cm_cert_nickname);
398fc5
 		if (certs != NULL) {
398fc5
 			for (node = CERT_LIST_HEAD(certs);
398fc5
 			     !CERT_LIST_EMPTY(certs) &&
398fc5
 			     !CERT_LIST_END(node, certs);
398fc5
 			     node = CERT_LIST_NEXT(node)) {
398fc5
-				if (strcmp(node->cert->nickname,
398fc5
-					   entry->cm_cert_nickname) == 0) {
398fc5
+				cm_log(3, "certread-n: Slot nickname %s\n",
398fc5
+							node->cert->nickname);
398fc5
+		        es = talloc_asprintf(entry, "%s:%s",
398fc5
+					   entry->cm_cert_token, entry->cm_cert_nickname);
398fc5
+				if ((strcmp(node->cert->nickname,
398fc5
+					   entry->cm_cert_nickname) == 0) ||
398fc5
+                    (strcmp(node->cert->nickname, es) == 0)) {
398fc5
 					cm_log(3, "Located the certificate "
398fc5
 					       "\"%s\".\n",
398fc5
 					       entry->cm_cert_nickname);
398fc5
@@ -321,7 +323,6 @@ next_slot:
398fc5
 	if (cert == NULL) {
398fc5
 		cm_log(1, "Error locating certificate.\n");
398fc5
 		PK11_FreeSlotList(slotlist);
398fc5
-		PORT_FreeArena(arena, PR_TRUE);
398fc5
 		if (NSS_ShutdownContext(ctx) != SECSuccess) {
398fc5
 			cm_log(1, "Error shutting down NSS.\n");
398fc5
 		}
398fc5
@@ -332,7 +333,6 @@ next_slot:
398fc5
 	fclose(fp);
398fc5
 	CERT_DestroyCertificate(cert);
398fc5
 	PK11_FreeSlotList(slotlist);
398fc5
-	PORT_FreeArena(arena, PR_TRUE);
398fc5
 	if (NSS_ShutdownContext(ctx) != SECSuccess) {
398fc5
 		cm_log(1, "Error shutting down NSS.\n");
398fc5
 	}
398fc5
@@ -358,8 +358,7 @@ cm_certread_n_parse(struct cm_store_entry *entry,
398fc5
 			      NULL, NULL, NULL, NULL,
398fc5
 			      NSS_INIT_NOCERTDB |
398fc5
 			      NSS_INIT_READONLY |
398fc5
-			      NSS_INIT_NOROOTINIT |
398fc5
-			      NSS_INIT_NOMODDB);
398fc5
+			      NSS_INIT_NOROOTINIT);
398fc5
 	if (ctx == NULL) {
398fc5
 		cm_log(1, "Unable to initialize NSS.\n");
398fc5
 		_exit(1);
398fc5
diff --git a/src/certsave-n.c b/src/certsave-n.c
398fc5
index 972a1dfa..eda03b34 100644
398fc5
--- a/src/certsave-n.c
398fc5
+++ b/src/certsave-n.c
398fc5
@@ -186,6 +186,11 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
398fc5
 	} else {
398fc5
 		/* We don't try to force FIPS mode here, as it seems to get in
398fc5
 		 * the way of saving the certificate. */
398fc5
+		NSS_ShutdownContext(ctx);
398fc5
+		ctx = NSS_InitContext(entry->cm_cert_storage_location,
398fc5
+				      NULL, NULL, NULL, NULL,
398fc5
+				      (readwrite ? 0 : NSS_INIT_READONLY) |
398fc5
+				      NSS_INIT_NOROOTINIT);
398fc5
 
398fc5
 		/* Allocate a memory pool. */
398fc5
 		arena = PORT_NewArena(sizeof(double));
398fc5
diff --git a/src/dogtag.c b/src/dogtag.c
398fc5
index 55607f3d..c43664ef 100644
398fc5
--- a/src/dogtag.c
398fc5
+++ b/src/dogtag.c
398fc5
@@ -306,8 +306,7 @@ main(int argc, const char **argv)
398fc5
 			       NULL, NULL, NULL, NULL,
398fc5
 			       NSS_INIT_NOCERTDB |
398fc5
 			       NSS_INIT_READONLY |
398fc5
-			       NSS_INIT_NOROOTINIT |
398fc5
-			       NSS_INIT_NOMODDB);
398fc5
+			       NSS_INIT_NOROOTINIT);
398fc5
 	if (nctx == NULL) {
398fc5
 		cm_log(1, "Unable to initialize NSS.\n");
398fc5
 		_exit(1);
398fc5
diff --git a/src/keygen-n.c b/src/keygen-n.c
398fc5
index 061bd2af..e921d7ec 100644
398fc5
--- a/src/keygen-n.c
398fc5
+++ b/src/keygen-n.c
398fc5
@@ -226,6 +226,11 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
398fc5
 			break;
398fc5
 		}
398fc5
 	}
398fc5
+	NSS_ShutdownContext(ctx);
398fc5
+	ctx = NSS_InitContext(entry->cm_key_storage_location,
398fc5
+			      NULL, NULL, NULL, NULL,
398fc5
+			      (readwrite ? 0 : NSS_INIT_READONLY) |
398fc5
+			      NSS_INIT_NOROOTINIT);
398fc5
 	reason = util_n_fips_hook();
398fc5
 	if (reason != NULL) {
398fc5
 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
398fc5
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
398fc5
index 91b1be41..dc1c6092 100644
398fc5
--- a/src/keyiread-n.c
398fc5
+++ b/src/keyiread-n.c
398fc5
@@ -115,6 +115,11 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
398fc5
 			break;
398fc5
 		}
398fc5
 	}
398fc5
+	NSS_ShutdownContext(ctx);
398fc5
+	ctx = NSS_InitContext(entry->cm_key_storage_location,
398fc5
+			      NULL, NULL, NULL, NULL,
398fc5
+			      (readwrite ? 0 : NSS_INIT_READONLY) |
398fc5
+			      NSS_INIT_NOROOTINIT);
398fc5
 	reason = util_n_fips_hook();
398fc5
 	if (reason != NULL) {
398fc5
 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
398fc5
@@ -340,8 +345,12 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
398fc5
 			     cnode = CERT_LIST_NEXT(cnode)) {
398fc5
 				nickname = entry->cm_key_nickname;
398fc5
 				cert = cnode->cert;
398fc5
+				es = talloc_asprintf(entry, "%s:%s",
398fc5
+									         entry->cm_cert_token,
398fc5
+											 entry->cm_cert_nickname);
398fc5
 				if ((nickname != NULL) &&
398fc5
-				    (strcmp(cert->nickname, nickname) == 0)) {
398fc5
+				    ((strcmp(cert->nickname, nickname) == 0) ||
398fc5
+					(strcmp(cert->nickname, es) == 0))) {
398fc5
 					cm_log(3, "Located a certificate with "
398fc5
 					       "the key's nickname (\"%s\").\n",
398fc5
 					       nickname);
398fc5
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
398fc5
index d6735aa7..8c67b122 100644
398fc5
--- a/src/scepgen-n.c
398fc5
+++ b/src/scepgen-n.c
398fc5
@@ -183,6 +183,11 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
398fc5
 			break;
398fc5
 		}
398fc5
 	}
398fc5
+	NSS_ShutdownContext(ctx);
398fc5
+	ctx = NSS_InitContext(entry->cm_key_storage_location,
398fc5
+			      NULL, NULL, NULL, NULL,
398fc5
+			      NSS_INIT_READONLY |
398fc5
+			      NSS_INIT_NOROOTINIT);
398fc5
 	reason = util_n_fips_hook();
398fc5
 	if (reason != NULL) {
398fc5
 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
398fc5
diff --git a/src/submit-n.c b/src/submit-n.c
398fc5
index b07ea23a..f27b9c7f 100644
398fc5
--- a/src/submit-n.c
398fc5
+++ b/src/submit-n.c
398fc5
@@ -317,6 +317,11 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
398fc5
 		}
398fc5
 		goto done;
398fc5
 	}
398fc5
+	NSS_ShutdownContext(ctx);
398fc5
+	ctx = NSS_InitContext(args->entry->cm_key_storage_location,
398fc5
+			      NULL, NULL, NULL, NULL,
398fc5
+			      NSS_INIT_READONLY |
398fc5
+			      NSS_INIT_NOROOTINIT);
398fc5
 	reason = util_n_fips_hook();
398fc5
 	if (reason != NULL) {
398fc5
 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
398fc5
diff --git a/src/toklist.c b/src/toklist.c
398fc5
index a4328218..ac166722 100644
398fc5
--- a/src/toklist.c
398fc5
+++ b/src/toklist.c
398fc5
@@ -79,7 +79,7 @@ main(int argc, const char **argv)
398fc5
 
398fc5
 	/* Open the database. */
398fc5
 	ctx = NSS_InitContext(dbdir, NULL, NULL, NULL, NULL,
398fc5
-			      NSS_INIT_NOROOTINIT | NSS_INIT_NOMODDB);
398fc5
+			      NSS_INIT_NOROOTINIT);
398fc5
 	if (ctx == NULL) {
398fc5
 		printf("Unable to open NSS database '%s'.\n", dbdir);
398fc5
 		_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
398fc5
-- 
398fc5
2.21.0
398fc5