views:

55

answers:

2

Hello,

I'm attempting to write a bash routine that tests whether or not a user's input is the correct password to my certificate database.

Originally I imagined I'd first execute a benign certutil or pk12util operation on the certificate database that required a password. Then test the return code to see if it was successful.

However, certutil's password argument takes a password file (which is undesirable). I could use pk12util to export a certificate and private key to test (not really happy with extra pk12 files lying around either).

Any suggestions of other methods to test the database password?

PR

+1  A: 

Use certutil's password file along with mktemp(1). This generates a temporary file which is only readable by the current user (which should be the same person who already knows the password).

Also add a trap "rm $tmpfile" EXIT to the script to make sure the password gets deleted when the script exits for whatever reason.

If that is still not secure enough, you must write a small C program which operates on the certificate DB.

Aaron Digulla
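A worked version of this answer's approach (mktemp, a cleanup trap, and a benign certutil operation run with -f), added here as an example; it is not code from the original answer. It assumes the database lives in ~/.pki/nssdb (overridable through NSSDB) and uses `certutil -K` (list private keys) as the operation that requires the password; both are assumptions, the post names neither.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: test an NSS database password
# by running a read-only certutil operation with a temporary password file.
#
# Assumptions not stated in the answer: the database directory is $NSSDB
# (default ~/.pki/nssdb) and `certutil -K` is the benign operation used.
set -u

NSSDB="${NSSDB:-$HOME/.pki/nssdb}"
PWFILE=""

# Remove the password file on any exit (normal return, error, or signal).
# Using a function instead of trap "rm $tmpfile" avoids expanding the
# variable before it has been set.
cleanup() {
    if [ -n "$PWFILE" ] && [ -f "$PWFILE" ]; then
        rm -f -- "$PWFILE"
    fi
    PWFILE=""
}
trap cleanup EXIT

# Create a mode-0600 temp file holding the password and print its path.
# mktemp already creates the file 0600; the umask in the subshell is
# belt and braces and does not change the caller's umask.
make_pw_file() {
    local pass f
    pass=$1
    f=$(umask 077 && mktemp "${TMPDIR:-/tmp}/nsspw.XXXXXX") || return 1
    # printf rather than echo: a password starting with "-n" or containing
    # backslashes would be mangled by echo.
    printf '%s\n' "$pass" > "$f" || { rm -f -- "$f"; return 1; }
    printf '%s\n' "$f"
}

# Exit status: 0 = password unlocks the database, 1 = it does not,
# 2 = the test could not be run (no certutil, no database, no temp file).
check_nss_password() {
    local pass rc
    pass=$1
    command -v certutil >/dev/null 2>&1 || return 2
    [ -d "$NSSDB" ] || return 2
    PWFILE=$(make_pw_file "$pass") || return 2
    rc=0
    # -K lists private keys, which needs the database password. Output is
    # discarded; only the exit status is used.
    certutil -K -d "$NSSDB" -f "$PWFILE" >/dev/null 2>&1 || rc=1
    cleanup   # do not leave the password on disk longer than necessary
    return "$rc"
}

# Prompt only when stdin is a terminal, so the file can also be sourced.
if [ -t 0 ]; then
    read -r -s -p "Enter Password: " pass; echo
    check_nss_password "$pass"
    case $? in
        0) echo "Password correct" ;;
        1) echo "Password incorrect" >&2; exit 1 ;;
        *) echo "Cannot test: certutil or database not available" >&2; exit 2 ;;
    esac
fi
```

A nonzero exit from certutil cannot tell a wrong password from an unreadable database, which is why the function checks for the directory up front and reports "cannot test" separately. The password still touches disk for the lifetime of the check; pointing TMPDIR at a tmpfs mount keeps it out of persistent storage.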
A: 

Try using Process Substitution. Example

read -r -s -p "Enter Password: " pass; echo
# -K (list private keys) is a read-only operation that needs the database
# password; the password reaches certutil through a process-substitution
# pipe rather than a file on disk. printf instead of echo keeps a password
# starting with "-n" or containing backslashes intact. The -d path is an
# assumption; point it at your own database directory.
if certutil -K -d "$HOME/.pki/nssdb" -f <(printf '%s\n' "$pass") >/dev/null 2>&1; then
    # Password correct, do stuff here
    :
else
    # Password incorrect, do stuff here
    :
fi
SiegeX