Bug 1347613 - nss-tool: allow removing certs and keys from a DB, changing a DB password r=ttaubert

Differential Revision: https://nss-review.dev.mozaws.net/D247
author: Stefan Gschiel <stefan.gschiel.sg@gmail.com> 2017-03-15 17:08:34 +0100
committer: Stefan Gschiel <stefan.gschiel.sg@gmail.com> 2017-03-15 17:08:34 +0100
commit: 8d2fad3c4c6a71691ab8c602c5396db1ba0de0f6 (patch)
tree: 9fe4fb4fa987420d424eca7f6be298f725f61616 /nss-tool/common
parent: f934ffb318d05812fcdc8fcf8a434b00fe5363e2 (diff)
download: nss-hg-8d2fad3c4c6a71691ab8c602c5396db1ba0de0f6.tar.gz
2 files changed, 45 insertions, 9 deletions
diff --git a/nss-tool/common/util.cc b/nss-tool/common/util.cc
index 7cc4352c6..5b7ed0b9d 100644
--- a/nss-tool/common/util.cc
+++ b/nss-tool/common/util.cc
@@ -85,6 +85,21 @@ static std::vector<char> ReadFromIstream(std::istream &is) {
   return certData;
 }
 
+static std::string GetNewPasswordFromUser(void) {
+  std::string pw;
+
+  while (true) {
+    pw = GetPassword("Enter new password: ");
+    if (pw == GetPassword("Re-enter password: ")) {
+      break;
+    }
+
+    std::cerr << "Passwords do not match. Try again." << std::endl;
+  }
+
+  return pw;
+}
+
 bool InitSlotPassword(void) {
   ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (slot.get() == nullptr) {
@@ -95,23 +110,43 @@ bool InitSlotPassword(void) {
   std::cout << "Enter a password which will be used to encrypt your keys."
             << std::endl
             << std::endl;
-  std::string pw;
+  std::string pw = GetNewPasswordFromUser();
 
-  while (true) {
-    pw = GetPassword("Enter new password: ");
-    if (pw == GetPassword("Re-enter password: ")) {
-      break;
-    }
+  SECStatus rv = PK11_InitPin(slot.get(), nullptr, pw.c_str());
+  if (rv != SECSuccess) {
+    std::cerr << "Init db password failed." << std::endl;
+    return false;
+  }
 
-    std::cerr << "Passwords do not match. Try again." << std::endl;
+  return true;
+}
+
+bool ChangeSlotPassword(void) {
+  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+  if (slot.get() == nullptr) {
+    std::cerr << "Error: Init PK11SlotInfo failed!" << std::endl;
+    return false;
   }
 
-  SECStatus rv = PK11_InitPin(slot.get(), nullptr, pw.c_str());
+  // get old password and authenticate to db
+  PK11_SetPasswordFunc(&GetModulePassword);
+  std::string oldPw = GetPassword("Enter your current password: ");
+  PwData pwData = {PW_PLAINTEXT, const_cast<char *>(oldPw.c_str())};
+  SECStatus rv = PK11_Authenticate(slot.get(), false /*loadCerts*/, &pwData);
   if (rv != SECSuccess) {
-    std::cerr << "Init db password failed." << std::endl;
+    std::cerr << "Password incorrect." << std::endl;
+    return false;
+  }
+
+  // get new password
+  std::string newPw = GetNewPasswordFromUser();
+
+  if (PK11_ChangePW(slot.get(), oldPw.c_str(), newPw.c_str()) != SECSuccess) {
+    std::cerr << "Failed to change password." << std::endl;
     return false;
   }
 
+  std::cout << "Password changed successfully." << std::endl;
   return true;
 }
 
diff --git a/nss-tool/common/util.h b/nss-tool/common/util.h
index 8b3b0f11e..bfe6dbf70 100644
--- a/nss-tool/common/util.h
+++ b/nss-tool/common/util.h
@@ -18,6 +18,7 @@ typedef struct {
 } PwData;
 
 bool InitSlotPassword(void);
+bool ChangeSlotPassword(void);
 bool DBLoginIfNeeded(const ScopedPK11SlotInfo &slot);
 std::string StringToHex(const ScopedSECItem &input);
 std::vector<char> ReadInputData(std::string &dataPath);
author	Stefan Gschiel <stefan.gschiel.sg@gmail.com>	2017-03-15 17:08:34 +0100
committer	Stefan Gschiel <stefan.gschiel.sg@gmail.com>	2017-03-15 17:08:34 +0100
commit	8d2fad3c4c6a71691ab8c602c5396db1ba0de0f6 (patch)
tree	9fe4fb4fa987420d424eca7f6be298f725f61616 /nss-tool/common
parent	f934ffb318d05812fcdc8fcf8a434b00fe5363e2 (diff)
download	nss-hg-8d2fad3c4c6a71691ab8c602c5396db1ba0de0f6.tar.gz