Fix bug 115660. Note that fixing the bugs necessitates fixing the test

cases as well. The test case was depending on the failure to read certs to
detect the failure to read keys. Now certutil returns a failure if no keys
are found. This also means that the FIPS test after the key and cert
has been deleted should expect a failure to list any keys.

3 files changed, 54 insertions, 7 deletions

diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index cac18850e..dc3c15721 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -934,14 +934,21 @@ printKeyCB(SECKEYPublicKey *key, SECItem *data, void *arg)
     return SECSuccess;
 }
 
+struct secuCBData {
+    FILE *file;
+    int	keycount;
+};
+
 /* callback for listing certs through pkcs11 */
-SECStatus
+static SECStatus
 secu_PrintKeyFromCert(CERTCertificate *cert, void *data)
 {
     FILE *out;
+    struct secuCBData *cbdata;
     SECKEYPrivateKey *key;
 
-    out = (FILE *)data;
+    cbdata = (struct secuCBData *)data;
+    out = cbdata->file;
     key = PK11_FindPrivateKeyFromCert(PK11_GetInternalKeySlot(), cert, NULL);
     if (!key) {
 	fprintf(out, "XXX could not extract key for %s.\n", cert->nickname);
@@ -950,6 +957,8 @@ secu_PrintKeyFromCert(CERTCertificate *cert, void *data)
     /* XXX should have a type field also */
     fprintf(out, "<%d> %s\n", 0, cert->nickname);
 
+    cbdata->keycount++;
+
     return SECSuccess;
 }
 
@@ -957,6 +966,10 @@ static SECStatus
 listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg)
 {
     SECStatus rv = SECSuccess;
+    struct secuCBData cbdata;
+
+    cbdata.keycount = 0;
+    cbdata.file = stdout;
 
 #ifdef notdef
     if (PK11_IsInternal(slot)) {
@@ -974,11 +987,15 @@ listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg)
     /*rv = PK11_TraverseSlotKeys(slotname, keyType, printKeyCB, NULL, NULL);*/
 	if (PK11_NeedLogin(slot))
 	    PK11_Authenticate(slot, PR_TRUE, pwarg);
-	rv = PK11_TraverseCertsInSlot(slot, secu_PrintKeyFromCert, stdout);
+	rv = PK11_TraverseCertsInSlot(slot, secu_PrintKeyFromCert, &cbdata);
 	if (rv) {
 	    SECU_PrintError(progName, "problem listing keys");
 	    return SECFailure;
 	}
+	if (cbdata.keycount == 0) {
+	    SECU_PrintError(progName, "no keys found");
+	    return SECFailure;
+	}
 	return SECSuccess;
 #ifdef notdef
     }
diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c
index b547a93e4..c51ee33bb 100644
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -394,7 +394,33 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
  * that match a template. */
  CK_RV FC_FindObjectsInit(CK_SESSION_HANDLE hSession,
     			CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
-    PK11_FIPSCHECK();
+    /* let publically readable object be found */
+    int i;
+    CK_RV rv;
+    PRBool needLogin = PR_FALSE;
+
+    PK11_FIPSFATALCHECK();
+
+    for (i=0; i < usCount; i++) {
+	CK_OBJECT_CLASS class;
+	if (pTemplate[i].type != CKA_CLASS) {
+	    continue;
+	}
+	if (pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS)) {
+	    continue;
+	}
+	if (pTemplate[i].pValue == NULL) {
+	    continue;
+	}
+	class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+	if ((class == CKO_PRIVATE_KEY) || (class == CKO_SECRET_KEY)) {
+	    needLogin = PR_TRUE;
+	    break;
+	}
+    }
+    if (needLogin) {
+	if ((rv = pk11_fipsCheck()) != CKR_OK) return rv;
+    }
     return NSC_FindObjectsInit(hSession,pTemplate,usCount);
 }
 
@@ -404,7 +430,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
  CK_RV FC_FindObjects(CK_SESSION_HANDLE hSession,
     CK_OBJECT_HANDLE_PTR phObject,CK_ULONG usMaxObjectCount,
     					CK_ULONG_PTR pusObjectCount) {
-    PK11_FIPSCHECK();
+    /* let publically readable object be found */
+    PK11_FIPSFATALCHECK();
     return NSC_FindObjects(hSession,phObject,usMaxObjectCount,
     							pusObjectCount);
 }
@@ -840,7 +867,8 @@ CK_RV FC_SetOperationState(CK_SESSION_HANDLE hSession,
 
 /* FC_FindObjectsFinal finishes a search for token and session objects. */
 CK_RV FC_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
-    PK11_FIPSCHECK();
+    /* let publically readable object be found */
+    PK11_FIPSFATALCHECK();
     return NSC_FindObjectsFinal(hSession);
 }
 
diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh
index fe4b3a055..99f8c1de1 100755
--- a/security/nss/tests/fips/fips.sh
+++ b/security/nss/tests/fips/fips.sh
@@ -141,7 +141,9 @@ fips_140_1()
   echo "$SCRIPTNAME: List the FIPS module keys."
   echo "certutil -d ${R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
   certutil -d ${R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
-  html_msg $? 0 "List the FIPS module keys (certutil -K)"
+  # certutil -K now returns a failure if no keys are found. This verifies that
+  # our delete succeded.
+  html_msg $? 255 "List the FIPS module keys (certutil -K)"
 
   echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
   echo "pk12util -d ${R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"