pki client cert request fails with unfriendly error when password is not provided

[kimettog]

Summary:
pki client cert request fails with unfriendly error when password is not provided

Description:
pki client cert request fails with unfriendly error when password is not provided

Environment:

Fedora release 42 (Adams)

rpm -qa | grep pki

python3-dogtag-pki-11.9.0alpha1^20250718191622.11292e8a-1.fc42.noarch
dogtag-pki-base-11.9.0alpha1^20250718191622.11292e8a-1.fc42.noarch
dogtag-pki-server-11.9.0alpha1^20250718191622.11292e8a-1.fc42.noarch
dogtag-pki-acme-11.9.0alpha1^20250718191622.11292e8a-1.fc42.noarch
dogtag-pki-ca-11.9.0alpha1^20250718191622.11292e8a-1.fc42.noarch
dogtag-pki-est-11.9.0alpha1^20250718191622.11292e8a-1.fc42.noarch
dogtag-pki-kra-11.9.0alpha1^20250718191622.11292e8a-1.fc42.noarch
dogtag-pki-11.9.0alpha1^20250718191622.11292e8a-1.fc42.x86_64

Steps to Reproduce:

1. Install CA and KRA subsystems
2. Execute: pki -d /tmp/nssdb -P http -p 20080 client-cert-request "uid=testcert"

Expected Result: Successful if command provided but prompt the user for a password if it fails

Actual:
--> pki -d /tmp/nssdb -P http -p 20080 client-cert-request "uid=testcert"
org.mozilla.jss.crypto.TokenException: unable to login to token
at org.mozilla.jss.pkcs11.PK11KeyPairGenerator.generateRSAKeyPairWithOpFlags(Native Method)
at org.mozilla.jss.pkcs11.PK11KeyPairGenerator.generateKeyPair(PK11KeyPairGenerator.java:351)
at org.mozilla.jss.crypto.KeyPairGenerator.genKeyPair(KeyPairGenerator.java:50)
at com.netscape.cmsutil.crypto.CryptoUtil.generateRSAKeyPair(CryptoUtil.java:476)
at org.dogtagpki.nss.NSSDatabase.createRSAKeyPair(NSSDatabase.java:1010)
at com.netscape.cmstools.client.ClientCertRequestCLI.execute(ClientCertRequestCLI.java:260)
at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:694)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:733)

Try with password :

--> pki -d /tmp/nssdb -P http -p 20080 -c SECret.123 client-cert-request "uid=testcert"
Request ID: 0x9f7742c66dd674bfbe2c7136bc2e55a9
Type: enrollment
Request Status: pending
Operation Result: success
Creation Time: Wed Jul 30 10:56:26 EDT 2025
Modification Time: Wed Jul 30 10:56:26 EDT 2025

[kimettog]

Ticket created : IDM-2527

[gkimetto]

I was not able to replicate this error. This was a shared tomcat

root@pki pki]# rpm -qa | grep pki

pki-resteasy-core-3.0.26-32.fc42.noarch
pki-resteasy-client-3.0.26-32.fc42.noarch
pki-resteasy-servlet-initializer-3.0.26-32.fc42.noarch
pki-resteasy-jackson2-provider-3.0.26-32.fc42.noarch
python3-dogtag-pki-11.9.0alpha1-1.fc42.noarch
dogtag-pki-base-11.9.0alpha1-1.fc42.noarch
dogtag-pki-java-11.9.0alpha1-1.fc42.noarch
dogtag-pki-tools-11.9.0alpha1-1.fc42.x86_64
dogtag-pki-server-11.9.0alpha1-1.fc42.noarch
dogtag-pki-acme-11.9.0alpha1-1.fc42.noarch
dogtag-pki-ca-11.9.0alpha1-1.fc42.noarch
dogtag-pki-est-11.9.0alpha1-1.fc42.noarch
dogtag-pki-kra-11.9.0alpha1-1.fc42.noarch
dogtag-pki-ocsp-11.9.0alpha1-1.fc42.noarch
dogtag-pki-tks-11.9.0alpha1-1.fc42.noarch
dogtag-pki-tps-11.9.0alpha1-1.fc42.noarch
dogtag-pki-theme-11.9.0alpha1-1.fc42.noarch
dogtag-pki-tests-11.9.0alpha1-1.fc42.noarch
dogtag-pki-javadoc-11.9.0alpha1-1.fc42.noarch
dogtag-pki-11.9.0alpha1-1.fc42.x86_64
pki-debugsource-11.9.0alpha1-1.fc42.x86_64
dogtag-pki-tools-debuginfo-11.9.0alpha1-1.fc42.x86_64

[root@pki pki]# pki -d /tmp/nssdb -P http -p 8080 client-cert-request "uid=testcert"

Request ID: 0x718d6332696d7a166dbbb3c78b898f4a
Type: enrollment
Request Status: pending
Operation Result: success
Creation Time: Wed Oct 08 01:21:47 UTC 2025
Modification Time: Wed Oct 08 01:21:47 UTC 2025

[root@pki pki]# pki -d /tmp/nssdb -P http -p 8080 -c SECret.123 client-cert-request "uid=testcert"

Request ID: 0x8451e0503b9908f95018e17c870f0495
Type: enrollment
Request Status: pending
Operation Result: success
Creation Time: Wed Oct 08 01:23:30 UTC 2025
Modification Time: Wed Oct 08 01:23:30 UTC 2025

UPDATE:
Will retest but this seems to be different problem ...not checking the password now thats why the original bug is not encountered.

pki -d /tmp/nssdb -P http -p 8080 -c bogus_pass client-cert-request "uid=testcert"

Request ID: 0x92adb52e76f6971ac17ceedbaab82c06
Type: enrollment
Request Status: pending
Operation Result: success
Creation Time: Wed Oct 08 01:30:14 UTC 2025
Modification Time: Wed Oct 08 01:30:14 UTC 2025

[kimettog]

Closing as not a bug.

pki -d /tmp/nssdb -P http -p 20080 client-cert-request "uid=testcert"

HttpHostConnectException: Connect to pki.example.com:20080 [pki.example.com/172.18.0.3] failed: Connection refused
[root@pki pki]# pki -d /tmp/nssdb -P http -p 8080 client-cert-request "uid=testcert"
Request ID: 0x4ad21098332d7408ead7be3b89ecdc8f
Type: enrollment
Request Status: pending
Operation Result: success
Creation Time: Thu Oct 09 19:41:32 UTC 2025
Modification Time: Thu Oct 09 19:41:33 UTC 2025
[root@pki pki]# pki -d /tmp/nssdb -P http -p 20080 -c SECret.123 client-cert-request "uid=testcert"
HttpHostConnectException: Connect to pki.example.com:20080 [pki.example.com/172.18.0.3] failed: Connection refused
[root@pki pki]# pki -d /tmp/nssdb -P http -p 8080 -c SECret.123 client-cert-request "uid=testcert"
Request ID: 0xf394f8bf52739c4ee3f794fcae64ff32
Type: enrollment
Request Status: pending
Operation Result: success
Creation Time: Thu Oct 09 19:41:56 UTC 2025
Modification Time: Thu Oct 09 19:41:56 UTC 2025

[fmarco76]

@kimettog The issue is still present. If the client nssdb has a password and the password is not provided there is the error.

I have modified the password for default nssdb and then run the command:

[root@pki pki]# certutil -d ~/.dogtag/nssdb/ -W
Enter Password or Pin for "NSS Certificate DB":
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 
Password changed successfully.
[root@pki pki]# pki client-cert-request uid=Pluto
org.mozilla.jss.crypto.TokenException: unable to login to token
	at org.mozilla.jss.pkcs11.PK11KeyPairGenerator.generateRSAKeyPairWithOpFlags(Native Method)
	at org.mozilla.jss.pkcs11.PK11KeyPairGenerator.generateKeyPair(PK11KeyPairGenerator.java:369)
	at org.mozilla.jss.crypto.KeyPairGenerator.genKeyPair(KeyPairGenerator.java:50)
	at com.netscape.cmsutil.crypto.CryptoUtil.generateRSAKeyPair(CryptoUtil.java:476)
	at org.dogtagpki.nss.NSSDatabase.createRSAKeyPair(NSSDatabase.java:1024)
	at com.netscape.cmstools.client.ClientCertRequestCLI.execute(ClientCertRequestCLI.java:260)
	at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
	at org.dogtagpki.cli.CLI.execute(CLI.java:353)
	at org.dogtagpki.cli.CLI.execute(CLI.java:353)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:694)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:733)