From 65013d222a9e612aaaaf49ee03ceed5d6c154f59 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 16 Nov 2016 03:42:49 +0100 Subject: Fixed hanging subordinate CA with HSM installation in FIPS mode. When installing subordinate CA with HSM, the installer calls the pki CLI (which is implemented using JSS) to validate the imported CA certificate in HSM. Normally, the HSM password is specified as CLI parameter, but in FIPS mode JSS requires both the HSM and the internal token passwords. Since the CLI only takes one password, JSS will prompt for the missing one on the console causing the installation to hang. As a temporary solution, the pki-server subsystem-cert-validate command has been modified to validate certificates stored in the internal token only and it will use the internal token password, so only a single password is required. Further investigation in CLI/JSS/NSS is needed to support validating certificates in HSM without password prompts. https://fedorahosted.org/pki/ticket/2543
---
base/server/python/pki/server/cli/subsystem.py | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-)
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 42da26e10..04461f2f6 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -951,11 +951,8 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
 print(' Token: %s' % token)
 
- if token and token.lower() in ['internal', 'internal key storage token']:
- token = None
-
- # get token password and store in temporary file
- passwd = instance.get_token_password(token)
+ # get internal token password and store in temporary file
+ passwd = instance.get_token_password()
 
 pwfile_handle, pwfile_path = mkstemp()
 os.write(pwfile_handle, passwd)
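Review bot: The token reported by ` Token: %s` just above is now silently ignored: `passwd = instance.get_token_password()` always fetches the internal token password and, per the second hunk, the CLI is no longer given `--token`, so a certificate that lives in an HSM is looked up under `nickname` in the internal token instead, and the validation may either fail or report on a different certificate with the same nickname while the "temporary" nature of this is recorded only in the commit message. Suggest keeping a check in place of the removed branch so the limitation is visible at run time: `if token and token.lower() not in ['internal', 'internal key storage token']:` / `print(' Warning: token %s ignored, validating in internal token only' % token)`, plus a comment next to the new `get_token_password()` call naming the ticket this works around. The password is written to a `mkstemp()` file, which is created readable only by its owner, but `pwfile_handle` is not closed in this hunk — presumably that and the unlink happen after the `try:` in the next hunk; confirm they run on every exit path. The enclosing method begins before this hunk.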
@@ -964,15 +961,13 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
 try:
 cmd = ['pki',
 '-d', instance.nssdb_dir,
- '-C', pwfile_path]
-
- if token:
- cmd.extend(['--token', token])
+ '-C', pwfile_path,
+ 'client-cert-validate',
+ nickname,
+ '--certusage', usage]
 
- cmd.extend(['client-cert-validate',
- nickname,
- '--certusage', usage
- ])
+ if self.verbose:
+ print('Command: %s' % cmd)
 
 subprocess.check_output(cmd, stderr=subprocess.STDOUT)
 print(' Status: VALID')
-- cgit
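Review bot: The verbose output added at the end of the hunk prints the Python list repr of `cmd` rather than the command line; `print('Command: %s' % ' '.join(cmd))` shows what is actually executed and matches the style of the ` Status:` print below it. The list holds only the password file path (`'-C', pwfile_path`), not the password itself, so this print does not disclose the token password — worth a one-line comment such as `# cmd contains the password file path only, never the password` so a later option does not quietly change that. The `try:` opened at the top of the hunk is closed outside it; the `CalledProcessError` path and the cleanup of `pwfile_path` are not visible here, so I cannot confirm the temporary password file is removed when `client-cert-validate` fails.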