Bug 1342412, certutil: Error out when setting password fails, r=kaie
authorDaiki Ueno <dueno@redhat.com>
Wed, 30 Aug 2017 12:33:57 +0200
changeset 13554 07d0f4131459a147f7dd95d92f070272242bdfae
parent 13553 597c4badcc6c0c1bfc92d1898580807e5c448c00
child 13555 3df3d4a827362dffde0bdf015ddfa4aeff7bf3ec
push id2343
push userkaie@kuix.de
push dateThu, 31 Aug 2017 13:09:40 +0000
reviewerskaie
bugs1342412
Bug 1342412, certutil: Error out when setting password fails, r=kaie
cmd/certutil/certutil.c
tests/cert/cert.sh
--- a/cmd/certutil/certutil.c
+++ b/cmd/certutil/certutil.c
@@ -3031,21 +3031,26 @@ certutil_main(int argc, char **argv, PRB
 
         SECU_PrintError(progName, "could not find the slot %s", slotname);
         rv = SECFailure;
         goto shutdown;
     }
 
     /*  If creating new database, initialize the password.  */
     if (certutil.commands[cmd_NewDBs].activated) {
-        if (certutil.options[opt_EmptyPassword].activated && (PK11_NeedUserInit(slot)))
-            PK11_InitPin(slot, (char *)NULL, "");
-        else
-            SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
-                           certutil.options[opt_NewPasswordFile].arg);
+        if (certutil.options[opt_EmptyPassword].activated && (PK11_NeedUserInit(slot))) {
+            rv = PK11_InitPin(slot, (char *)NULL, "");
+        } else {
+            rv = SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
+                                certutil.options[opt_NewPasswordFile].arg);
+        }
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "Could not set password for the slot");
+            goto shutdown;
+        }
     }
 
     /* walk through the upgrade merge if necessary.
      * This option is more to test what some applications will want to do
      * to do an automatic upgrade. The --merge command is more useful for
      * the general case where 2 database need to be merged together.
      */
     if (certutil.commands[cmd_UpgradeMerge].activated) {
@@ -3236,17 +3241,20 @@ certutil_main(int argc, char **argv, PRB
         rv = ChangeTrustAttributes(certHandle, slot, name,
                                    certutil.options[opt_Trust].arg, &pwdata);
         goto shutdown;
     }
     /*  Change key db password (-W) (future - change pw to slot?)  */
     if (certutil.commands[cmd_ChangePassword].activated) {
         rv = SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
                             certutil.options[opt_NewPasswordFile].arg);
-        goto shutdown;
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "Could not set password for the slot");
+            goto shutdown;
+        }
     }
     /*  Reset the a token */
     if (certutil.commands[cmd_TokenReset].activated) {
         char *sso_pass = "";
 
         if (certutil.options[opt_SSOPass].activated) {
             sso_pass = certutil.options[opt_SSOPass].arg;
         }
--- a/tests/cert/cert.sh
+++ b/tests/cert/cert.sh
@@ -1271,16 +1271,21 @@ MODSCRIPT
   RET=$?
   if [ "$RET" -ne 0 ]; then
     html_failed "${CU_ACTION} ($RET) " 
     cert_log "ERROR: ${CU_ACTION} failed $RET"
   else
     html_passed "${CU_ACTION}"
   fi
 
+  CU_ACTION="Setting invalid database password in FIPS mode"
+  RETEXPECTED=255
+  certu -W -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -@ "${R_FIPSBADPWFILE}" 2>&1
+  RETEXPECTED=0
+
   CU_ACTION="Generate Certificate for ${CERTNAME}"
   CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
   certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
   if [ "$RET" -eq 0 ]; then
     cert_log "SUCCESS: FIPS passed"
   fi
 }