From 2197fb2f7d140641aaead0529d25bae6014fa351 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Thu, 7 Nov 2024 12:03:07 -0500
Subject: [PATCH] Add more tests for NSSDB

Signed-off-by: Simo Sorce
---
src/tests/nssdb.rs | 62 ++++++++++++++++++++++++++++++++++++++++++++++
src/token.rs | 16 +++++++-----
2 files changed, 72 insertions(+), 6 deletions(-)
diff --git a/src/tests/nssdb.rs b/src/tests/nssdb.rs
index daaa8d4a..913cb1fe 100644
--- a/src/tests/nssdb.rs
+++ b/src/tests/nssdb.rs
@@ -250,3 +250,65 @@ fn test_nssdb_token() {
 testtokn.finalize();
 }
+
+#[test]
+#[parallel]
+fn test_nssdb_init_token() {
+ let datadir = format!("{}/{}", TESTDIR, "test_nssdb_init_token");
+
+ let dbpath = format!("configDir={}", datadir);
+ let dbtype = "nssdb";
+ let dbname = format!("{}:{}", dbtype, dbpath);
+
+ let mut testtokn = TestToken::new(dbname);
+
+ /* pre-populate conf so we get the correct slot number assigned */
+ let mut slot = config::Slot::with_db(dbtype, Some(dbpath.clone()));
+ slot.slot = u32::try_from(testtokn.get_slot()).unwrap();
+ let ret = add_slot(slot);
+
+ assert_eq!(ret, CKR_OK);
+ let mut args = TestToken::make_init_args(Some(dbpath.clone()));
+ let args_ptr = &mut args as *mut CK_C_INITIALIZE_ARGS;
+ let ret = fn_initialize(args_ptr as *mut std::ffi::c_void);
+ assert_eq!(ret, CKR_OK);
+
+ /* init once (NSSDB ignores SO pin) */
+ let pin_value = "Unused";
+ let ret = fn_init_token(
+ testtokn.get_slot(),
+ CString::new(pin_value).unwrap().into_raw() as *mut u8,
+ pin_value.len() as CK_ULONG,
+ std::ptr::null_mut(),
+ );
+ assert_eq!(ret, CKR_OK);
+
+ let session = testtokn.get_session(true);
+
+ /* NSS allows SO login w/o PIN only to set the initial User PIN */
+ let ret = fn_login(session, CKU_SO, &mut [] as *mut u8, 0);
+ assert_eq!(ret, CKR_OK);
+
+ /* set user pin */
+ let user_pin = "User PIN Value";
+ let ret = fn_init_pin(
+ session,
+ CString::new(user_pin).unwrap().into_raw() as *mut u8,
+ user_pin.len() as CK_ULONG,
+ );
+ assert_eq!(ret, CKR_OK);
+
+ let ret = fn_logout(session);
+ assert_eq!(ret, CKR_OK);
+
+ /* try to login as user */
+ let ret = fn_login(
+ session,
+ CKU_USER,
+ CString::new(user_pin).unwrap().into_raw() as *mut u8,
+ user_pin.len() as CK_ULONG,
+ );
+ assert_eq!(ret, CKR_OK);
+
+ testtokn.finalize();
+}
diff --git a/src/token.rs b/src/token.rs
index 5ae4524f..663d401d 100644
--- a/src/token.rs
+++ b/src/token.rs
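Review bot: The new test `test_nssdb_init_token` asserts only success paths, so the rule in its own comment (SO login without a PIN is allowed only to set the initial User PIN) is never checked in the refusing direction. If that comment holds, add a logout after the final user login, repeat the empty-PIN SO login and assert it is refused, e.g. `let ret = fn_login(session, CKU_SO, &mut [] as *mut u8, 0);` followed by `assert_ne!(ret, CKR_OK);`; a CKU_USER login with a wrong PIN deserves the same check. Separately, each `CString::new(..).unwrap().into_raw()` gives up ownership and is never reclaimed, so the PIN buffers leak. Binding the `CString` to a local and passing `as_ptr() as *mut u8` keeps them owned by the test.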
@@ -162,7 +162,15 @@ impl Token {
 let mut info = self.storage.reinit(&self.facilities)?;
 /* Add SO PIN */
- self.set_pin(CKU_SO, pin, &[])?;
+ match self.set_pin(CKU_SO, pin, &[]) {
+ Ok(()) => (),
+ Err(e) => {
+ /* not all storage dbs support setting a CKU_SO Pin */
+ if e.rv() != CKR_USER_TYPE_INVALID {
+ return Err(e);
+ }
+ }
+ }
 /* copy Label */
 copy_sized_string(label, &mut info.label);
@@ -214,10 +222,6 @@ impl Token {
 }
 pub fn is_logged_in(&self, user_type: CK_USER_TYPE) -> bool {
- if user_type != CKU_SO && self.info.flags & CKF_LOGIN_REQUIRED == 0 {
- return true;
- }
-
 match user_type {
 KRY_UNSPEC => self.logged == CKU_SO || self.logged == CKU_USER,
 CKU_SO => self.logged == CKU_SO,
@@ -459,7 +463,7 @@ impl Token {
 let is_logged = self.is_logged_in(KRY_UNSPEC);
 /* value does not matter, only type does */
- let dnm: CK_BBOOL = 0;
+ let dnm: CK_BBOOL = CK_FALSE;
 let mut attrs = CkAttrs::from(template);
 if !is_logged {
 attrs.add_bool(CKA_TOKEN, &dnm);
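Review bot: In the first token.rs hunk (`@@ -162,7 +162,15 @@`), treating `CKR_USER_TYPE_INVALID` from `set_pin(CKU_SO, pin, &[])` as success lets token initialization complete with the caller's SO PIN silently discarded. The decision rests on a return code rather than on a stated capability of the storage backend. If a backend can return that code from `set_pin` for any other reason (not visible here), the token would end up with no SO PIN while the caller still sees success. Consider letting the storage report whether it keeps an SO PIN, or at least state the consequence in the comment, e.g. `/* storage keeps no SO PIN (e.g. NSSDB): the supplied pin is ignored, SO authentication is left to the backend */`. The enclosing function starts and ends outside the hunk.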