Summary:
If the command pki-server instance-externalcert-add is used with an invalid token flag, it should automatically fail with an error like the following, as it does with the pki command:
org.mozilla.jss.NoSuchTokenException: No such token: INVALID
However, it prompts for a password instead. Additionally, a keyctl_search error is thrown: keyctl_search: Required key not available
Build:
OS: Fedora release 43 (Forty Three)
dogtag-pki-11.9.0~alpha1^20251204170034.f53863fd-1.fc43.x86_64
dogtag-pki-server-11.9.0~alpha1^20251204170034.f53863fd-1.fc43.noarch
COPR: @pki/master
Steps to reproduce:
- Install DS, CA instances
- Create a cert for a user
pki -d /tmp/nssdb -c password -p 8443 client-cert-request "UID=testuser129475,CN=testuser129475" --algorithm rsa --length 2048 --profile caUserCert --type pkcs10
pki -d /tmp/nssdb -p 8443 -u caadmin -w SECret.123 ca-cert-request-approve 0x31e7eb406624aebeea0f16029d70
pki -d /tmp/nssdb -c password -p 8443 client-cert-import "testuser129475" --serial 0x1ed9f26ba2569253d6d5966a79c19675
- Export the certificate to a file:
pki -d /tmp/nssdb -c password client-cert-show "testuser129475" --cert /tmp/testuser129475.pem
- Attempt to add the external cert with pki-server:
pki-server instance-externalcert-add -i pki-tomcat --cert-file /tmp/testuser129475.pem --token INVALID --nickname "testuser129475" --trust-args "u,u,u"
Expected Result:
pki-server instance-externalcert-add will just throw a "No such token: INVALID" error
Actual Result:
It prompts for a password and also gives a keyctl_search error:
keyctl_search: Required key not available
Enter password for INVALID:
Additional Info: