Validate the HSM token library path and name during installation

It would fail eventually with the output in the CA logs but it wasn't always very obvious and you had to wait a while to find out about a typo. Scraping modutil output is a bit ugly but it is guaranteed to be installed and this should work both with p11-kit and without. Related: https://pagure.io/freeipa/issue/9273 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
freeipa · May 16, 2024 · 31d66ba · 31d66ba
1 parent 6b894f2
commit 31d66ba
Showing 1 changed file with 53 additions and 3 deletions.
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
@@ -182,12 +182,55 @@ def hsm_version(enabled):
     return pki_version >= pki.util.Version("11.3.0"), pki_version
 
 
-def hsm_validator(enabled):
+def hsm_validator(enabled, token_name, token_library):
     val, pki_version = hsm_version(enabled)
     if val is False:
         raise ValueError(
             "HSM is not supported in PKI version %s" % pki_version
         )
+    if ':' in token_name or ';' in token_name:
+        raise ValueError(
+            "Colon and semi-colon are not allowed in a token name."
+        )
+    if not os.path.exists(token_library):
+        raise ValueError(
+            "Token library path '%s' does not exist" % token_library
+        )
+    with certdb.NSSDatabase() as tempnssdb:
+        tempnssdb.create_db()
+        # Try adding the token library to the temporary database in
+        # case it isn't already available. Ignore all errors.
+        command = [
+            paths.MODUTIL,
+            '-dbdir', '{}:{}'.format(tempnssdb.dbtype, tempnssdb.secdir),
+            '-nocertdb',
+            '-add', 'test',
+            '-libfile', token_library,
+            '-force',
+        ]
+        # It may fail if p11-kit has already registered the library, that's
+        # ok.
+        ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir,
+                    raiseonerr=False)
+
+        command = [
+            paths.MODUTIL,
+            '-dbdir', '{}:{}'.format(tempnssdb.dbtype, tempnssdb.secdir),
+            '-list',
+            '-force'
+        ]
+        lines = ipautil.run(
+            command, cwd=tempnssdb.secdir, capture_output=True).output
+        found = False
+        token_line = f'token: {token_name}'
+        for line in lines.split('\n'):
+            if token_line in line.strip():
+                found = True
+                break
+        if not found:
+            raise ValueError(
+                "Token named '%s' was not found" % token_name
+            )
 
 
 def set_subject_base_in_config(subject_base):
@@ -276,7 +319,8 @@ def install_check(standalone, replica_config, options):
     if replica_config is None:
         if options.token_name:
             try:
-                hsm_validator(True)
+                hsm_validator(
+                    True, options.token_name, options.token_library_path)
             except ValueError as e:
                 raise ScriptError(str(e))
         options._subject_base = options.subject_base
@@ -309,7 +353,13 @@ def install_check(standalone, replica_config, options):
         # better to be safe and avoid a failed install.
         if token_name:
             try:
-                hsm_validator(True)
+                hsm_validator(
+                    True,
+                    token_name,
+                    options.token_library_path
+                    if options.token_library_path
+                    else token_library_path,
+                )
             except ValueError as e:
                 raise ScriptError(str(e))
             if not options.token_library_path: