Skip to content

Commit

Permalink
Fixes #37384 - properly pass fips=false when checking keystore
Browse files Browse the repository at this point in the history
In a FIPS-enabled environment, calling `keytool -list` with a wrong
password doesn't yield an error, unless we also pass `fips=false` like
we do when creating the keystore:

    # keytool -list -keystore ./store -storepass wrong-password
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-NSS-FIPS

    Your keystore contains 0 entries

Passing `fips=false` makes it correctly raise the expected exception:

    # keytool -list -keystore ./store -storepass wrong-password -J-Dcom.redhat.fips=false
    keytool error: java.io.IOException: keystore password was incorrect

Fixes: 6fea0bb
(cherry picked from commit b9667a0)
  • Loading branch information
evgeni committed Apr 25, 2024
1 parent 7d1d4d3 commit 337e254
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions lib/puppet_x/certs/provider/keystore.rb
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ def exists?
'-list',
'-keystore', store,
'-storepass:file', resource[:password_file],
'-J-Dcom.redhat.fips=false',
)
rescue Puppet::ExecutionFailure => e
if e.message.include?('java.security.UnrecoverableKeyException') || e.message.include?('keystore password was incorrect')
Expand Down

0 comments on commit 337e254

Please sign in to comment.