193394 - cert.sh doesn't check modutils return after switching to fips mode

Status: RESOLVED FIXED

(NSS :: Test, defect)

Description

[Sonja Mirtitsch]

modutil failed in tinderbox QA on AIX 4.3 32 bit to switch to fips mode, but no
error was reported in results.html:

certutil -N -d . -f ../tests.fipspw.52226
cert.sh: Enable FIPS mode on database -----------------------

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 
Using database directory ....
ERROR: Unable to switch FIPS modes.
cert.sh: Generate Certificate for FIPS PUB 140-1 Test Certificate
--------------------------
certutil -s "CN=FIPS PUB 140-1 Test Certificate, E=fips@bogus.com, O=BOGUS NSS,
OU=FIPS PUB 140-1, L=Mountain View, ST=California, C=US" -S -n
FIPS_PUB_140-1_Test_Certificate -x -t Cu,Cu,Cu -d . -f ../tests.fipspw.52226 -k
dsa -m 500 -z ../tes
ts_noise.52226


Generating key.  This may take a few moments...

cert.sh SUCCESS: FIPS passed
cert.sh cert.sh: finished cert.sh

Comment 1

[Sonja Mirtitsch]

Attachment: patch to move assignement before modutil

Comment 2

[Wan-Teh Chang]

Comment on attachment 114471 [details] [diff] [review]
patch to move assignement before modutil

r=wtc.	Please go ahead and check it into the
tip.

So an assignment like
    CU_ACTION="..."
also has an exit code?

We might also want to echo the modutil command
so that it is shown in the output.log.

Comment 3

[Sonja Mirtitsch]

patch checked in

> So an assignment like
>    CU_ACTION="..."
> also has an exit code?
yes, I tested it in a bash and a sh  from the commandline:
kentuckyderby(63) sh
$ ls this-file-does-not-exist
this-file-does-not-exist: No such file or directory
$ echo $?
2
$ ls this-file-does-not-exist
this-file-does-not-exist: No such file or directory
$ a=b
$ echo $?
0
$ 

Comment 4

[Sonja Mirtitsch]

Attachment: echo modutil command line to stdout

Comment 5

[Wan-Teh Chang]

Comment on attachment 114477 [details] [diff] [review]
echo modutil command line to stdout

r=wtc.

Comment 6

[Sonja Mirtitsch]

The same error showed up on AIX 4.3 64 bit, but this time the error was reported
in the result.html as well.
2nd part of the fix (echo modutil line) checked in as well, but found a 3rd
problem, that the returncode does not get reported correctly in log file (still
says 0).
Will attach new patch

cert.sh: Enable FIPS mode on database -----------------------

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 
Using database directory ....
ERROR: Unable to switch FIPS modes.
cert.sh ERROR: Enable FIPS mode on database for FIPS PUB 140-1 Test Certificate
failed 0
cert.sh: Generate Certificate for FIPS PUB 140-1 Test Certificate
--------------------------

Comment 7

[Sonja Mirtitsch]

Attachment: assign return code to variable

Comment 8

[Wan-Teh Chang]

Comment on attachment 114940 [details] [diff] [review]
assign return code to variable

r=wtc.

Comment 9

[Sonja Mirtitsch]

failed again, prints return code now
hbombaix.2 Enable FIPS mode on database for FIPS PUB 140-1 Test Certificate (11)
Failed
hbombaix.2 Verify this module is in FIPS mode (modutil -chkfips true) Failed
hbombaix.2/output.log:ERROR: Unable to switch FIPS modes.
hbombaix.2/output.log:cert.sh ERROR: Enable FIPS mode on database for FIPS PUB
140-1 Test Certificate failed 11