Fixes #37384 - properly pass fips=false when checking keystore

In a FIPS-enabled environment, calling `keytool -list` with a wrong password doesn't yield an error, unless we also pass `fips=false` like we do when creating the keystore: # keytool -list -keystore ./store -storepass wrong-password Keystore type: PKCS11 Keystore provider: SunPKCS11-NSS-FIPS Your keystore contains 0 entries Passing `fips=false` makes it correctly raise the expected exception: # keytool -list -keystore ./store -storepass wrong-password -J-Dcom.redhat.fips=false keytool error: java.io.IOException: keystore password was incorrect Fixes: 6fea0bb (cherry picked from commit b9667a0)
theforeman · Apr 25, 2024 · 818b7f2 · 818b7f2
1 parent c1eaa90
commit 818b7f2
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/lib/puppet_x/certs/provider/keystore.rb b/lib/puppet_x/certs/provider/keystore.rb
@@ -18,6 +18,7 @@ def exists?
               '-list',
               '-keystore', store,
               '-storepass:file', resource[:password_file],
+              '-J-Dcom.redhat.fips=false',
             )
           rescue Puppet::ExecutionFailure => e
             if e.message.include?('java.security.UnrecoverableKeyException') || e.message.include?('keystore password was incorrect')