Revision b9667a02
Added by Evgeni Golov 25 days ago
lib/puppet_x/certs/provider/keystore.rb | ||
---|---|---|
'-list',
|
||
'-keystore', store,
|
||
'-storepass:file', resource[:password_file],
|
||
'-J-Dcom.redhat.fips=false',
|
||
)
|
||
rescue Puppet::ExecutionFailure => e
|
||
if e.message.include?('java.security.UnrecoverableKeyException') || e.message.include?('keystore password was incorrect')
|
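Review bot: the `'-J-Dcom.redhat.fips=false'` argument in the `-list` call carries no comment saying why it is needed, and the reason is only in the commit message: without it, on a FIPS-enabled host `keytool -list` does not fail on a wrong password. A one-line comment above that argument would stop someone from dropping it as a leftover later. Since the commit message says the same flag is already passed when creating the keystore, a shared constant for it would keep the two calls from drifting apart again. The `rescue` branch still decides "wrong password" by matching keytool's message text (`'keystore password was incorrect'`), so a spec that exercises the wrong-password path would catch a regression if that output changes.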
Fixes #37384 - properly pass fips=false when checking keystore

In a FIPS-enabled environment, calling `keytool -list` with a wrong
password doesn't yield an error, unless we also pass `fips=false` like
we do when creating the keystore:

    Keystore type: PKCS11
    Keystore provider: SunPKCS11-NSS-FIPS

Passing `fips=false` makes it correctly raise the expected exception:

    keytool error: java.io.IOException: keystore password was incorrect

Fixes: 6fea0bbb4143ca439cff01bf9f0e54cf88140d10