author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-05-04 08:39:30 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-05-07 13:25:39 +0200 |
commit | f40eca8c9bfc826d727d185f9a708f9599581e37 (patch) | |
tree | b028428c529d3987c079349bb822cd818d296625 | |
parent | 557444c11832685b2f92e4e06bee4bebe5049098 (diff) | |
certtool: honor --ask-pass when loading a private key (tmp-certtool-passwd)
This also improves the password prompt when the password requested
is not for a smart card.
Resolves: #436
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | src/certtool-common.h | 1 | ||||
-rw-r--r-- | src/certtool.c | 2 | ||||
-rw-r--r-- | src/common.c | 18 | ||||
-rw-r--r-- | tests/cert-tests/Makefile.am | 4 | ||||
-rwxr-xr-x | tests/cert-tests/certtool | 40 |
5 files changed, 50 insertions, 15 deletions
diff --git a/src/certtool-common.h b/src/certtool-common.h
index ee07f133c8..ed6de4a677 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -54,6 +54,7 @@ typedef struct common_info {
 	const char *password;
 	int null_password;
 	int empty_password;
+	int ask_pass;
 	unsigned int crq_extensions;
 	unsigned int v1_cert; /* for key generation */
diff --git a/src/certtool.c b/src/certtool.c
index 95b2aed88e..6664d21c3a 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1228,7 +1228,6 @@ static void cmd_parser(int argc, char **argv)
 		template_parse(OPT_ARG(TEMPLATE));
 	}
-	ask_pass = ENABLED_OPT(ASK_PASS);
 	gnutls_global_set_log_function(tls_log_func);
@@ -1244,6 +1243,7 @@ static void cmd_parser(int argc, char **argv)
 	memset(&cinfo, 0, sizeof(cinfo));
+	ask_pass = cinfo.ask_pass = ENABLED_OPT(ASK_PASS);
 	cinfo.hash = GNUTLS_DIG_UNKNOWN;
 	if (HAVE_OPT(HASH)) {
 		cinfo.hash = hash_to_id(OPT_ARG(HASH));
diff --git a/src/common.c b/src/common.c
index 5e1b1a5582..fb98100677 100644
--- a/src/common.c
+++ b/src/common.c
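Review bot: Moving `ask_pass = ENABLED_OPT(ASK_PASS)` from before `gnutls_global_set_log_function(tls_log_func)` to after `memset(&cinfo, 0, sizeof(cinfo))` leaves a window in which the file-scope `ask_pass` is still 0; if anything between the two positions (not visible in these hunks) consults the global, it now runs with the option unset. The chained assignment `ask_pass = cinfo.ask_pass = ENABLED_OPT(ASK_PASS);` also keeps the same flag in two places without saying why, so a one-line comment would help the next reader: `/* mirrored into cinfo so pin_callback() can see it through its info argument */`. cmd_parser() starts and ends outside both hunks.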
@@ -1034,15 +1034,21 @@ pin_callback(void *user, int attempt, const char *token_url,
 		password = getenv("GNUTLS_PIN");
 	}
-	if (password == NULL && (info == NULL || info->batch == 0)) {
-		fprintf(stderr, "Token '%s' with URL '%s' ", token_label, token_url);
-		fprintf(stderr, "requires %s PIN\n", desc);
+	if (password == NULL && (info == NULL || info->batch == 0 || info->ask_pass != 0)) {
+		if (token_label && token_label[0] != 0) {
+			fprintf(stderr, "Token '%s' with URL '%s' ", token_label, token_url);
+			fprintf(stderr, "requires %s PIN\n", desc);
+			password = getpass("Enter PIN: ");
+		} else {
+			password = getpass("Enter password: ");
+		}
-		password = getpass("Enter PIN: ");
 	} else {
 		if (flags & GNUTLS_PIN_WRONG) {
-			fprintf(stderr, "Token '%s' with URL '%s' ", token_label, token_url);
-			fprintf(stderr, "requires %s PIN\n", desc);
+			if (token_label && token_label[0] != 0) {
+				fprintf(stderr, "Token '%s' with URL '%s' ", token_label, token_url);
+				fprintf(stderr, "requires %s PIN\n", desc);
+			}
 			fprintf(stderr, "Cannot continue with a wrong password in the environment.\n");
 			exit(1);
 		}
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index d0b1bb21c3..1b019303c4 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -91,7 +91,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data
 	data/pkcs8-invalid9.der data/key-invalid2.der data/pkcs8-invalid10.der \
 	data/key-invalid3.der data/pkcs8-eddsa.pem data/pkcs8-eddsa.pem.txt
-dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \
+dist_check_SCRIPTS = pathlen aki invalid-sig email \
 	pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
 	provable-dh userid sha2-test sha2-dsa-test provable-privkey-dsa2048 \
 	provable-privkey-rsa2048 provable-privkey-gen-default pkcs7-constraints \
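Review bot: Neither new `getpass()` call checks its result, so on EOF or a terminal error `password` stays NULL and pin_callback (whose body continues past the hunk) proceeds as if a password had been read; unless the code after the hunk already rejects that case, add `if (password == NULL) { fprintf(stderr, "No password was entered\n"); exit(1); }` after the if/else, matching the `exit(1)` the wrong-PIN branch already uses. The test `token_label && token_label[0] != 0` is now written out twice; hoisting it into a local such as `int have_token = token_label != NULL && token_label[0] != 0;` keeps the two branches in step, and a comment on it stating what an empty label means (the commit message suggests a non-smart-card key, but the hunk does not say) would make the prompt choice self-explanatory. Note also that `info->ask_pass != 0` now overrides `info->batch`, so a batch run with --ask-pass can block on a prompt; that is presumably the intended semantics and deserves a sentence in the option's help text.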
@@ -111,7 +111,7 @@ endif
 if !WINDOWS
 dist_check_SCRIPTS += template-test pem-decoding othername-test krb5-test sha3-test md5-test \
-	tlsfeature-test template-exts-test pkcs1-pad pkcs12-utf8 rsa-pss-pad dsa
+	tlsfeature-test template-exts-test pkcs1-pad pkcs12-utf8 rsa-pss-pad dsa certtool
 endif
 if ENABLE_DANE
diff --git a/tests/cert-tests/certtool b/tests/cert-tests/certtool
index e9c62aa76f..3c7c620dee 100755
--- a/tests/cert-tests/certtool
+++ b/tests/cert-tests/certtool
@@ -1,6 +1,7 @@
-#!/bin/sh
+#!/usr/bin/env bash
-# Copyright (C) 2014 Nikos Mavrogiannopoulos
+# Copyright (C) 2014-2018 Nikos Mavrogiannopoulos
+# Copyright (C) 2018 Red Hat, Inc.
 #
 # This file is part of GnuTLS.
 #
@@ -14,15 +15,17 @@
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 # General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with GnuTLS; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>
 #set -e
 srcdir="${srcdir:-.}"
 CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
 DIFF="${DIFF:-diff -b -B}"
+TMPFILE1=certtool-file1.$$.tmp
+TMPFILE2=certtool-file2.$$.tmp
+PASS="1234"
 if ! test -x "${CERTTOOL}"; then
 	exit 77
@@ -32,6 +35,30 @@ if ! test -z "${VALGRIND}"; then
 	VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
 fi
+SETSID=$(which setsid)
+if test -n "${SETSID}";then
+	${VALGRIND} "${CERTTOOL}" --generate-privkey --rsa --outfile ${TMPFILE1} --pkcs8 --password ${PASS}
+	if test $? != 0;then
+		echo "private key generation failed"
+		exit 1
+	fi
+
+	#check whether ask-pass is being honoured
+	${SETSID} "${CERTTOOL}" --generate-self-signed --load-privkey ${TMPFILE1} --template "${srcdir}/templates/template-test.tmpl" --ask-pass >${TMPFILE2} 2>&1 <<<${PASS}
+	if test $? != 0;then
+		cat ${TMPFILE2}
+		echo "cert generation failed"
+		exit 1
+	fi
+
+	grep "Enter password" ${TMPFILE2} >/dev/null 2>&1
+	if test $? != 0;then
+		cat ${TMPFILE2}
+		echo "No password was asked"
+		exit 1
+	fi
+fi
+
 #check whether "funny" spaces can be interpreted
 id=`${VALGRIND} "${CERTTOOL}" --key-id --infile "${srcdir}/data/funny-spacing.pem" --hash sha1| tr -d '\r'`
 rc=$?
@@ -98,6 +125,8 @@ if test "${id}" != "c4880390506a849cd2d8289fb8aea8c189e635aff1054faba58658a0f107
 	exit 1
 fi
+rm -f ${TMPFILE1} ${TMPFILE2}
+
 export TZ="UTC"
 . ${srcdir}/../scripts/common.sh
@@ -113,5 +142,4 @@ if test "${rc}" != "0"; then
 	exit 1
 fi
-
 exit 0
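Review bot: The generated key file is only removed on the success path (`rm -f ${TMPFILE1} ${TMPFILE2}` in the later hunk), so each `exit 1` inside the new setsid block leaves `certtool-file1.$$.tmp` behind in the working directory; moving the cleanup into `trap 'rm -f ${TMPFILE1} ${TMPFILE2}' EXIT` next to the TMPFILE definitions (the hunk above) covers every exit, including the existing `exit 77`. `SETSID=$(which setsid)` relies on an external, non-POSIX `which` whose output and exit status vary between systems; `SETSID=$(command -v setsid)` is the portable spelling now that the script runs under bash. The reason for setsid is not stated anywhere in the hunk and is easy to misread as an optimisation, so a comment is worth adding above it, e.g. `# run without a controlling tty so the password prompt and input go through stderr/stdin and can be captured` (presumably this is what makes getpass() fall back from /dev/tty; confirm against the certtool implementation).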