From 83fe9a4eb7b96d9d02066a73fe1894fb8b797753 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Wed, 26 Apr 2017 08:19:27 +0200
Subject: [PATCH] Fix CA/server cert validation in FIPS

In FIPS, the NSS library needs to be passed passwords to perform
certificate validation. Should we not have passed it and the NSS
guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE
which is completely different error than one would expect but
that's just how things are with NSS right now.

https://pagure.io/freeipa/issue/6897

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
---
 ipapython/certdb.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 0665f944457fb09820eb244c742cb1782e515ad1..ea73ec139df9013b860df447fcffd9038cf7c8f2 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -77,6 +77,11 @@ def find_cert_from_txt(cert, start=0):
     return (cert, e)
 
 
+def get_file_cont(slot, token, filename):
+    with open(filename) as f:
+        return f.read()
+
+
 class NSSDatabase(object):
     """A general-purpose wrapper around a NSS cert database
 
@@ -547,12 +552,14 @@ class NSSDatabase(object):
         if nss.nss_is_initialized():
             nss.nss_shutdown()
         nss.nss_init(self.secdir)
+        nss.set_password_callback(get_file_cont)
         try:
             certdb = nss.get_default_certdb()
             cert = nss.find_cert_from_nickname(nickname)
             intended_usage = nss.certificateUsageSSLServer
             try:
-                approved_usage = cert.verify_now(certdb, True, intended_usage)
+                approved_usage = cert.verify_now(certdb, True, intended_usage,
+                                                 self.pwd_file)
             except NSPRError as e:
                 if e.errno != -8102:
                     raise ValueError(e.strerror)
@@ -572,6 +579,7 @@ class NSSDatabase(object):
         if nss.nss_is_initialized():
             nss.nss_shutdown()
         nss.nss_init(self.secdir)
+        nss.set_password_callback(get_file_cont)
         try:
             certdb = nss.get_default_certdb()
             cert = nss.find_cert_from_nickname(nickname)
@@ -586,7 +594,8 @@ class NSSDatabase(object):
                 raise ValueError("not a CA certificate")
             intended_usage = nss.certificateUsageSSLCA
             try:
-                approved_usage = cert.verify_now(certdb, True, intended_usage)
+                approved_usage = cert.verify_now(certdb, True, intended_usage,
+                                                 self.pwd_file)
             except NSPRError as e:
                 if e.errno != -8102:    # SEC_ERROR_INADEQUATE_KEY_USAGE
                     raise ValueError(e.strerror)
-- 
2.12.2