authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-05-04 08:39:30 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-05-07 13:25:39 +0200
commitf40eca8c9bfc826d727d185f9a708f9599581e37 (patch)
treeb028428c529d3987c079349bb822cd818d296625
parent557444c11832685b2f92e4e06bee4bebe5049098 (diff)
certtool: honor --ask-pass when loading a private keytmp-certtool-passwd
This also improves the password prompt when the password requested is not for a smart card. Resolves: #436 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--src/certtool-common.h1
-rw-r--r--src/certtool.c2
-rw-r--r--src/common.c18
-rw-r--r--tests/cert-tests/Makefile.am4
-rwxr-xr-xtests/cert-tests/certtool40
5 files changed, 50 insertions, 15 deletions
diff --git a/src/certtool-common.h b/src/certtool-common.h
index ee07f133c8..ed6de4a677 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -54,6 +54,7 @@ typedef struct common_info {
const char *password;
int null_password;
int empty_password;
+ int ask_pass;
unsigned int crq_extensions;
unsigned int v1_cert;
/* for key generation */
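Review bot: The new `ask_pass` member is undocumented, and its effect is only discoverable from src/common.c, where `info->ask_pass != 0` overrides the `batch` check in pin_callback. A one-line comment on the field would spare the next reader that lookup: `int ask_pass; /* non-zero: prompt for a PIN/password even when batch is set */`. The enclosing `struct common_info` begins and ends outside this hunk.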
diff --git a/src/certtool.c b/src/certtool.c
index 95b2aed88e..6664d21c3a 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1228,7 +1228,6 @@ static void cmd_parser(int argc, char **argv)
template_parse(OPT_ARG(TEMPLATE));
}
- ask_pass = ENABLED_OPT(ASK_PASS);
gnutls_global_set_log_function(tls_log_func);
@@ -1244,6 +1243,7 @@ static void cmd_parser(int argc, char **argv)
memset(&cinfo, 0, sizeof(cinfo));
+ ask_pass = cinfo.ask_pass = ENABLED_OPT(ASK_PASS);
cinfo.hash = GNUTLS_DIG_UNKNOWN;
if (HAVE_OPT(HASH)) {
cinfo.hash = hash_to_id(OPT_ARG(HASH));
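Review bot: Moving the `ask_pass = ENABLED_OPT(ASK_PASS)` assignment from the first hunk to after `memset(&cinfo, 0, sizeof(cinfo))` also changes when the global `ask_pass` is first set; any code between the old position (just before `gnutls_global_set_log_function`) and the new one that reads the global — none is visible in these hunks — would now see 0. The move itself is needed, since the memset would otherwise clear `cinfo.ask_pass`, but that ordering dependence is silent; a comment such as `/* must follow the memset above, which would clear cinfo.ask_pass */` on the new line would record it. cmd_parser continues outside both hunks, so the intervening code could not be checked here.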
diff --git a/src/common.c b/src/common.c
index 5e1b1a5582..fb98100677 100644
--- a/src/common.c
+++ b/src/common.c
@@ -1034,15 +1034,21 @@ pin_callback(void *user, int attempt, const char *token_url,
password = getenv("GNUTLS_PIN");
}
- if (password == NULL && (info == NULL || info->batch == 0)) {
- fprintf(stderr, "Token '%s' with URL '%s' ", token_label, token_url);
- fprintf(stderr, "requires %s PIN\n", desc);
+ if (password == NULL && (info == NULL || info->batch == 0 || info->ask_pass != 0)) {
+ if (token_label && token_label[0] != 0) {
+ fprintf(stderr, "Token '%s' with URL '%s' ", token_label, token_url);
+ fprintf(stderr, "requires %s PIN\n", desc);
+ password = getpass("Enter PIN: ");
+ } else {
+ password = getpass("Enter password: ");
+ }
- password = getpass("Enter PIN: ");
} else {
if (flags & GNUTLS_PIN_WRONG) {
- fprintf(stderr, "Token '%s' with URL '%s' ", token_label, token_url);
- fprintf(stderr, "requires %s PIN\n", desc);
+ if (token_label && token_label[0] != 0) {
+ fprintf(stderr, "Token '%s' with URL '%s' ", token_label, token_url);
+ fprintf(stderr, "requires %s PIN\n", desc);
+ }
fprintf(stderr, "Cannot continue with a wrong password in the environment.\n");
exit(1);
}
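Review bot: In the new empty-label branch (`password = getpass("Enter password: ");`) a retry after a wrong entry is indistinguishable from the first prompt, because `flags & GNUTLS_PIN_WRONG` is only reported in the `else` branch, which is no longer reached when `info->ask_pass` forces a prompt. A short notice before prompting, `if (flags & GNUTLS_PIN_WRONG) fprintf(stderr, "Wrong password, please try again.\n");`, would make a repeated attempt visible to the user (the `attempt` parameter is not consulted in this hunk). Separately, `getpass()` is obsolete in POSIX, returns a pointer to a static buffer shared by both call sites, and in glibc falls back to reading stdin when no controlling terminal is available — which appears to be what the accompanying setsid-based test relies on; a comment stating that assumption at the call would help. The rest of pin_callback, which consumes `password` and would have to handle a NULL return, lies outside the hunk.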
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index d0b1bb21c3..1b019303c4 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -91,7 +91,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
data data/pkcs8-invalid9.der data/key-invalid2.der data/pkcs8-invalid10.der \
data/key-invalid3.der data/pkcs8-eddsa.pem data/pkcs8-eddsa.pem.txt
-dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \
+dist_check_SCRIPTS = pathlen aki invalid-sig email \
pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
provable-dh userid sha2-test sha2-dsa-test provable-privkey-dsa2048 \
provable-privkey-rsa2048 provable-privkey-gen-default pkcs7-constraints \
@@ -111,7 +111,7 @@ endif
if !WINDOWS
dist_check_SCRIPTS += template-test pem-decoding othername-test krb5-test sha3-test md5-test \
- tlsfeature-test template-exts-test pkcs1-pad pkcs12-utf8 rsa-pss-pad dsa
+ tlsfeature-test template-exts-test pkcs1-pad pkcs12-utf8 rsa-pss-pad dsa certtool
endif
if ENABLE_DANE
diff --git a/tests/cert-tests/certtool b/tests/cert-tests/certtool
index e9c62aa76f..3c7c620dee 100755
--- a/tests/cert-tests/certtool
+++ b/tests/cert-tests/certtool
@@ -1,6 +1,7 @@
-#!/bin/sh
+#!/usr/bin/env bash
-# Copyright (C) 2014 Nikos Mavrogiannopoulos
+# Copyright (C) 2014-2018 Nikos Mavrogiannopoulos
+# Copyright (C) 2018 Red Hat, Inc.
#
# This file is part of GnuTLS.
#
@@ -14,15 +15,17 @@
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
-# You should have received a copy of the GNU General Public License
-# along with GnuTLS; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>
#set -e
srcdir="${srcdir:-.}"
CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
DIFF="${DIFF:-diff -b -B}"
+TMPFILE1=certtool-file1.$$.tmp
+TMPFILE2=certtool-file2.$$.tmp
+PASS="1234"
if ! test -x "${CERTTOOL}"; then
exit 77
@@ -32,6 +35,30 @@ if ! test -z "${VALGRIND}"; then
VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
fi
+SETSID=$(which setsid)
+if test -n "${SETSID}";then
+ ${VALGRIND} "${CERTTOOL}" --generate-privkey --rsa --outfile ${TMPFILE1} --pkcs8 --password ${PASS}
+ if test $? != 0;then
+ echo "private key generation failed"
+ exit 1
+ fi
+
+ #check whether ask-pass is being honoured
+ ${SETSID} "${CERTTOOL}" --generate-self-signed --load-privkey ${TMPFILE1} --template "${srcdir}/templates/template-test.tmpl" --ask-pass >${TMPFILE2} 2>&1 <<<${PASS}
+ if test $? != 0;then
+ cat ${TMPFILE2}
+ echo "cert generation failed"
+ exit 1
+ fi
+
+ grep "Enter password" ${TMPFILE2} >/dev/null 2>&1
+ if test $? != 0;then
+ cat ${TMPFILE2}
+ echo "No password was asked"
+ exit 1
+ fi
+fi
+
#check whether "funny" spaces can be interpreted
id=`${VALGRIND} "${CERTTOOL}" --key-id --infile "${srcdir}/data/funny-spacing.pem" --hash sha1| tr -d '\r'`
rc=$?
@@ -98,6 +125,8 @@ if test "${id}" != "c4880390506a849cd2d8289fb8aea8c189e635aff1054faba58658a0f107
exit 1
fi
+rm -f ${TMPFILE1} ${TMPFILE2}
+
export TZ="UTC"
. ${srcdir}/../scripts/common.sh
@@ -113,5 +142,4 @@ if test "${rc}" != "0"; then
exit 1
fi
-
exit 0
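Review bot: In the hunk that adds the ask-pass check, `TMPFILE1` and `TMPFILE2` are only removed on the success path (the later `rm -f` hunk), so each `exit 1` inside the `SETSID` block leaves the generated private key file behind; adding `trap 'rm -f "${TMPFILE1}" "${TMPFILE2}"' EXIT` next to their definitions covers every exit. `SETSID=$(which setsid)` should be `SETSID=$(command -v setsid)`, since `which` is not POSIX, and because a missing setsid silently skips the entire check, an `else` branch printing `echo "setsid not found, skipping ask-pass check"` would make the skip visible in the log. The `${SETSID}` invocation also drops `${VALGRIND}`, unlike the key-generation call just above it; if that is deliberate, say so in a comment. The purpose of setsid here is presumably to detach from the controlling terminal so the password prompt reads the here-string from stdin — worth stating in the `#check whether ask-pass is being honoured` comment, since the test otherwise looks arbitrary.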