Learn more about these different git repos.
Other Git URLs
I'm helping to add HSM support for FreeIPA.
I have disabled p11-kit https://pagure.io/freeipa/issue/7810 $ rm -f /etc/crypto-policies/local.d/nss-p11-kit.config && update-crypto-policies $ reboot
Modified the FreeIPA python scripts so that internal (mostly dogtag) certificate is stored in HSM (I'm using SoftHSM for development)
$ modutil -dbdir /etc/pki/pki-tomcat/alias -list
Listing of PKCS 11 Modules
NSS Internal PKCS 11 Module uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.44 slots: 2 slots attached status: loaded
slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services token: NSS Certificate DB uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
softhsm library name: /usr/lib64/pkcs11/libsofthsm2.so uri: pkcs11:library-manufacturer=SoftHSM;library-description=Implementation%20of%20PKCS11;library-version=2.5 slots: 2 slots attached status: loaded
slot: SoftHSM slot ID 0x1e204b1f token: Dogtag uri: pkcs11:token=Dogtag;manufacturer=SoftHSM%20project;serial=2e2e45569e204b1f;model=SoftHSM%20v2
slot: SoftHSM slot ID 0x1 token: uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2
$ certutil -L -d /etc/pki/pki-tomcat/alias -h all
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
Enter Password or Pin for "Dogtag": Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu caSigningCert cert-pki-ca CTu,Cu,Cu Dogtag:caSigningCert cert-pki-ca CTu,Cu,Cu Dogtag:auditSigningCert cert-pki-ca u,u,Pu Dogtag:ocspSigningCert cert-pki-ca u,u,u Dogtag:subsystemCert cert-pki-ca u,u,u
$ certutil -K -d /etc/pki/pki-tomcat/alias -h all certutil: Checking token "NSS Generic Crypto Services" in slot "NSS Internal Cryptographic Services" certutil: no keys found certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" Enter Password or Pin for "NSS Certificate DB": < 0> rsa a6793d9d3d8333c7c0de32d8ed8fe974b109f137 NSS Certificate DB:Server-Cert cert-pki-ca certutil: Checking token "Dogtag" in slot "SoftHSM slot ID 0x1e204b1f" Enter Password or Pin for "Dogtag": < 0> rsa 87f899a34660a00bc8db2df813200d80254bb8cd ocspSigningCert cert-pki-ca < 1> rsa a15e8133b16a6a194225274283c95f90b2edfebf auditSigningCert cert-pki-ca < 2> rsa d722c8de0c89b73fd7adbc9329ede583e7c5428a caSigningCert cert-pki-ca < 3> rsa f9d9e20d507d236f762a4a4102bc6b55cc6fedb3 subsystemCert cert-pki-ca
But ran into problem that certmonger will not found above token 'Dogtag'
Stop dogtag, so that certmonger can get read/write lock on nss db $ systemctl stop pki-tomcatd@pki-tomcat.service
Manually add certmonger tracking (which is the same that is done in freeipa python script) $ getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -t 'Dogtag' -P redhat123 -r -c dogtag-ipa-ca-renew-agent -S -B /usr/libexec/ipa/certmonger/stop_pkicad -C "/usr/libexec/ipa/certmonger/renew_ca_cert 'ocspSigningCert cert-pki-ca'"
But the token 'Dogtag' is never found $ journalctl -f -t certmonger Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Pending GetConnectionUnixUser serial 5804 Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Pending GetConnectionUnixProcessID serial 5805 Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Queuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f1ed30. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Dequeuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f1ed30. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Handling D-Bus traffic (Read) on FD 7 for 0x5598c2efcd30. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] message 0x5598c2efcd30(method_return)->5804->4294967295 Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] message 0x5598c2efcd30(method_return)->5805->4294967295 Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] User ID 0 PID 8390 called /org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8391] Read value "0" from "/proc/sys/crypto/fips_enabled". Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8391] Not attempting to set NSS FIPS mode. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8391] Skipping NSS internal slot (NSS Generic Crypto Services). Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8391] Found token 'NSS Certificate DB'. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8391] Token is named "NSS Certificate DB", not "Dogtag", skipping. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8391] Error locating a key. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Read value "0" from "/proc/sys/crypto/fips_enabled". Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Not attempting to set NSS FIPS mode. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Found token 'NSS Generic Crypto Services'. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Token is named "NSS Generic Crypto Services", not "Dogtag", skipping. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Found token 'NSS Certificate DB'. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Token is named "NSS Certificate DB", not "Dogtag", skipping. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Error locating certificate. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Request11('20190822103540') starts in state 'NEWLY_ADDED' Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Request11('20190822103540') taking writing lock Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Request11('20190822103540') moved to state 'NEWLY_ADDED_START_READING_KEYINFO' Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Will revisit Request11('20190822103540') now. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Started Request11('20190822103540'). Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Queuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f0a420. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Request11('20190822103540') moved to state 'NEWLY_ADDED_READING_KEYINFO' Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Will revisit Request11('20190822103540') on traffic from 11. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Dequeuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f0a420. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Handling D-Bus traffic (Read) on FD 7 for 0x5598c2efcd30. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] message 0x5598c2efcd30(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger/requests/Request11:org.fedorahosted.certmonger.request.get_nickname Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Pending GetConnectionUnixUser serial 5809 Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Pending GetConnectionUnixProcessID serial 5810 Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Queuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f1bd90. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Dequeuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f1bd90. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Handling D-Bus traffic (Read) on FD 7 for 0x5598c2efcd30. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] message 0x5598c2efcd30(method_return)->5809->4294967295 Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] message 0x5598c2efcd30(method_return)->5810->4294967295 Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] User ID 0 PID 8390 called /org/fedorahosted/certmonger/requests/Request11:org.fedorahosted.certmonger.request.get_nickname. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Queuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f0a420. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8393] Read value "0" from "/proc/sys/crypto/fips_enabled". Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8393] Not attempting to set NSS FIPS mode. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8393] Skipping NSS internal slot (NSS Generic Crypto Services). Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8393] Found token 'NSS Certificate DB'. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8393] Token is named "NSS Certificate DB", not "Dogtag", skipping. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8393] Error locating a key. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Request11('20190822103540') releasing writing lock Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Request11('20190822103540') moved to state 'NEWLY_ADDED_NEED_KEYINFO_READ_TOKEN' Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Will revisit Request11('20190822103540') now. Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Waiting for instructions for Request11('20190822103540').
The NSS function PK11_GetAllTokens() doesn't seem to be returning the Dogtag token.
Can you look for SELinux AVCs? Maybe certmonger can't load the pkcs#11 module or can't read the backed files.
Thanks for your reply! No, tested already $ setenforce Permissive before start-tracking, no SELinux problem.
Also maxed file permission for softhsm $ chmod 777 /var/lib/softhsm -Rv
I do not know if this is relevant, but I have disabled p11-kit. The visibility of p11-kit then differs. As root at a non existing NSS DB
# modutil -nocertdb -list Listing of PKCS #11 Modules 1. NSS Internal PKCS #11 Module uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.44 slots: 2 slots attached status: loaded slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 slot: NSS User Private Key and Certificate Services token: NSS Certificate DB uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
But as root on specific NSS DB
# certutil -U -d /etc/pki/pki-tomcat/alias slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 slot: NSS User Private Key and Certificate Services token: NSS Certificate DB uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 slot: SoftHSM slot ID 0x1e204b1f token: Dogtag uri: pkcs11:token=Dogtag;manufacturer=SoftHSM%20project;serial=2e2e45569e204b1f;model=SoftHSM%20v2
I have also tried to re enable the p11-kit (default Fedora 30 installation) and then rebooted, but with no effect.
I cannot find the API documentation for PK11_GetAllTokens, but maybe you need to supply token password when listing hsm tokens. Here null passed in.
mech = CKM_RSA_X_509; slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);
I think you're onto something. Looks like a the token PIN is required to list the certificates at all. I'll need to try to simplify this and reproduce.
Metadata Update from @rcritten: - Issue assigned to rcritten
I duplicated it by creating an IPA service, generating a cert for it in an NSS database, exporting that to PKCS12, deleting it from the db, creating a new softhsm token and importing the PKCS12 into that token, then start tracking on it.
On Fedora 30 also.
ipa service-add test/`hostname` certutil -d /etc/pki/nssdb/ -R -a -o ipa.csr -s CN=`hostname` ipa cert-request --principal test/`hostname` --certificate-out test.pem ipa.csr certutil -A -d /etc/pki/nssdb -n test -a -i test.pem -t u,u,u pk12util -o test.p12 -d /etc/pki/nssdb -n test modutil -dbdir /etc/pki/nssdb/ -add softhsm -libfile /usr/lib64/softhsm/libsofthsm.so softhsm2-util --init-token --label "test" --pin 123456 --so-pin 123456 --free certutil -F -d /etc/pki/nssdb/ -n test pk12util -i test.p12 -d /etc/pki/nssdb/ -h test certutil -A -d /etc/pki/nssdb/ -n 'IPA CA' -t CT,, -a -i /etc/ipa/ca.crt certutil -V -u V -e -d /etc/pki/nssdb/ -h test -n test:test ipa-getcert start-tracking -d /etc/pki/nssdb/ -n test -t test -P 123456
I've figured out part of the issue. The NSS context is created with NSS_INIT_NOMODDB so it wasn't seeing the tokens at all. The investigation continues.
I'd have sworn token handling was working in master, with softhsm no less. There seem to be multiple issues affecting cert and key finding. I don't know if NSS changes its semantics or perhaps it wasn't working as well as I thought.
I have cert loading working so one can successfully start tracking a cert in a token. Renewal is the next thing to fix.
I think I have it working now but I'm not completely satisfied with it. I've got a query into the NSS team to see if anything changed regarding the NOMODDB flag.
If you want to give it a test-run I did a copr build at https://copr.fedorainfracloud.org/coprs/rcritten/certmonger/
Thanks! Tested and the first tests ran fine. Will do a few more.
I ran my reproducer on F27 and it couldn't handle tracking an imported token either. I manually upgraded to certmonger-0.79.7-1 to pick up the previous token work.
Let me know how your additional testing goes and if everything seems to be working I'll go ahead and get this merged.
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1746543
Issue linked to Bugzilla: Bug 1746543
A little of the topic question, what is the default behavior for certmonger when renewing the certificate, to resubmit (reusing same key pair) or rekey (generating new key pair)?
It should re-use the existing key. There does seem to be an issue when renewing an imported key, https://pagure.io/certmonger/issue/124 . Are you seeing that behavior?
34c120f 59df833
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Hi, I tested the fix and it seemed to work, but after running resubmit and using certutil to list private keys in NSS DB, certutil core dumped.
# getenforce Permissive # certutil -K -d /etc/pki/pki-tomcat/alias -h all certutil: Checking token "NSS Generic Crypto Services" in slot "NSS Internal Cryptographic Services" certutil: no keys found certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" Enter Password or Pin for "NSS Certificate DB": < 0> rsa a6793d9d3d8333c7c0de32d8ed8fe974b109f137 NSS Certificate DB:Server-Cert cert-pki-ca certutil: Checking token "Dogtag" in slot "SoftHSM slot ID 0x1e204b1f" Enter Password or Pin for "Dogtag": < 0> rsa 87f899a34660a00bc8db2df813200d80254bb8cd ocspSigningCert cert-pki-ca < 1> rsa a15e8133b16a6a194225274283c95f90b2edfebf auditSigningCert cert-pki-ca < 2> rsa d722c8de0c89b73fd7adbc9329ede583e7c5428a caSigningCert cert-pki-ca < 3> rsa f9d9e20d507d236f762a4a4102bc6b55cc6fedb3 subsystemCert cert-pki-ca # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -t 'Dogtag' -P redhat123 -r -c dogtag-ipa-ca-renew-agent -S -B /usr/libexec/ipa/certmonger/stop_pkicad # getcert resubmit -i 20190912141910 # certutil -K -d /etc/pki/pki-tomcat/alias -h all certutil: Checking token "NSS Generic Crypto Services" in slot "NSS Internal Cryptographic Services" certutil: no keys found certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" Enter Password or Pin for "NSS Certificate DB": < 0> rsa a6793d9d3d8333c7c0de32d8ed8fe974b109f137 NSS Certificate DB:Server-Cert cert-pki-ca certutil: Checking token "Dogtag" in slot "SoftHSM slot ID 0x1e204b1f" Enter Password or Pin for "Dogtag": /usr/include/c++/9/bits/stl_vector.h:1027: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = unsigned char; _Alloc = SecureAllocator<unsigned char>; std::vector<_Tp, _Alloc>::const_reference = const unsigned char&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed. Aborted (core dumped)
<img alt="var-log-messages" src="/certmonger/issue/raw/files/119ccbb7723399fbd9048a52b7148b24e806364e478a22c71ca757335fe2b2ae-var-log-messages" />
Metadata Update from @magnuskkarlsson: - Issue status updated to: Open (was: Closed)
Can you try to get a stacktrace out of certutil?
(gdb) run -K -d /etc/pki/pki-tomcat/alias -h all Starting program: /usr/bin/certutil -K -d /etc/pki/pki-tomcat/alias -h all warning: Loadable section ".note.gnu.property" outside of ELF segments warning: Loadable section ".note.gnu.property" outside of ELF segments [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". warning: Loadable section ".note.gnu.property" outside of ELF segments certutil: Checking token "NSS Generic Crypto Services" in slot "NSS Internal Cryptographic Services" certutil: no keys found certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" Enter Password or Pin for "NSS Certificate DB": < 0> rsa a6793d9d3d8333c7c0de32d8ed8fe974b109f137 NSS Certificate DB:Server-Cert cert-pki-ca certutil: Checking token "Dogtag" in slot "SoftHSM slot ID 0x1e204b1f" Enter Password or Pin for "Dogtag": /usr/include/c++/9/bits/stl_vector.h:1027: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = unsigned char; _Alloc = SecureAllocator<unsigned char>; std::vector<_Tp, _Alloc>::const_reference = const unsigned char&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed. Program received signal SIGABRT, Aborted. 0x00007ffff7bd6e75 in raise () from /lib64/libc.so.6 (gdb) thread apply all bt full Thread 1 (Thread 0x7ffff7b8bb80 (LWP 1195)): #0 0x00007ffff7bd6e75 in raise () from /lib64/libc.so.6 No symbol table info available. #1 0x00007ffff7bc1895 in abort () from /lib64/libc.so.6 No symbol table info available. #2 0x00007ffff77f4ab8 in ?? () from /usr/lib64/pkcs11/libsofthsm2.so No symbol table info available. #3 0x00007ffff77f37c5 in ?? () from /usr/lib64/pkcs11/libsofthsm2.so No symbol table info available. #4 0x00007ffff77f3a89 in ?? () from /usr/lib64/pkcs11/libsofthsm2.so No symbol table info available. #5 0x00007ffff779c850 in ?? () from /usr/lib64/pkcs11/libsofthsm2.so No symbol table info available. #6 0x00007ffff779e7e9 in ?? () from /usr/lib64/pkcs11/libsofthsm2.so No symbol table info available. #7 0x00007ffff77d1b5c in ?? () from /usr/lib64/pkcs11/libsofthsm2.so No symbol table info available. #8 0x00007ffff778ff33 in C_GetAttributeValue () from /usr/lib64/pkcs11/libsofthsm2.so No symbol table info available. #9 0x00007ffff7dd0ad8 in ?? () from /lib64/libnss3.so No symbol table info available. #10 0x00007ffff7dd0fcc in ?? () from /lib64/libnss3.so No symbol table info available. #11 0x0000555555564ac7 in ?? () No symbol table info available. #12 0x00005555555679a0 in ?? () No symbol table info available. #13 0x000055555555e100 in ?? () No symbol table info available. #14 0x00007ffff7bc2f33 in __libc_start_main () from /lib64/libc.so.6 No symbol table info available. #15 0x000055555555e14e in ?? () No symbol table info available.
Thanks. If you install the debuginfo package for softhsm2 it will include more information in the trace but this is pretty clearly blowing up inside softhsm itself. Given that certmonger/NSS only communicate via the PKCS#11 interface I'd say this is a bug in softhsm.
Right
(gdb) run -K -d /etc/pki/pki-tomcat/alias -h all Starting program: /usr/bin/certutil -K -d /etc/pki/pki-tomcat/alias -h all warning: Loadable section ".note.gnu.property" outside of ELF segments warning: Loadable section ".note.gnu.property" outside of ELF segments [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". warning: Loadable section ".note.gnu.property" outside of ELF segments warning: Loadable section ".note.gnu.property" outside of ELF segments warning: Loadable section ".note.gnu.property" outside of ELF segments certutil: Checking token "NSS Generic Crypto Services" in slot "NSS Internal Cryptographic Services" certutil: no keys found certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" Enter Password or Pin for "NSS Certificate DB": < 0> rsa a6793d9d3d8333c7c0de32d8ed8fe974b109f137 NSS Certificate DB:Server-Cert cert-pki-ca certutil: Checking token "Dogtag" in slot "SoftHSM slot ID 0x1e204b1f" Enter Password or Pin for "Dogtag": /usr/include/c++/9/bits/stl_vector.h:1027: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = unsigned char; _Alloc = SecureAllocator<unsigned char>; std::vector<_Tp, _Alloc>::const_reference = const unsigned char&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed. Program received signal SIGABRT, Aborted. 0x00007ffff7bd6e75 in raise () from /lib64/libc.so.6 (gdb) thread apply all bt full Thread 1 (Thread 0x7ffff7b8bb80 (LWP 1208)): #0 0x00007ffff7bd6e75 in raise () from /lib64/libc.so.6 No symbol table info available. #1 0x00007ffff7bc1895 in abort () from /lib64/libc.so.6 No symbol table info available. #2 0x00007ffff77f4ab8 in std::__replacement_assert (__file=__file@entry=0x7ffff7812490 "/usr/include/c++/9/bits/stl_vector.h", __line=__line@entry=1027, __function=__function@entry=0x7ffff7814e10 "std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = unsigned char; _Alloc = SecureAllocator<unsigned char>; std::vecto"..., __condition=__condition@entry=0x7ffff7812358 "__builtin_expect(__n < this->size(), true)") at /usr/include/c++/9/x86_64-redhat-linux/bits/c++config.h:2493 No locals. #3 0x00007ffff77f37c5 in std::vector<unsigned char, SecureAllocator<unsigned char> >::operator[] (__n=<optimized out>, this=<optimized out>) at ByteString.cpp:194 __PRETTY_FUNCTION__ = <optimized out> #4 ByteString::const_byte_str (this=0x7fffffffdd10) at ByteString.cpp:196 No locals. #5 0x00007ffff77f3a89 in ByteString::const_byte_str (this=this@entry=0x7fffffffdd10) at /usr/include/c++/9/bits/stl_vector.h:1025 No locals. #6 0x00007ffff779c850 in P11Attribute::retrieve (this=<optimized out>, token=token@entry=0x555555694960, isPrivate=isPrivate@entry=true, pValue=0x5555556a7130, pulValueLen=pulValueLen@entry=0x7fffffffdf50) at P11Attributes.cpp:343 value = {_vptr.ByteString = 0x7ffff783ce60 <vtable for ByteString+16>, byteString = std::vector of length 0, capacity 32} attrPtr = <optimized out> rv = 0 __func__ = "retrieve" attr = {_vptr.OSAttribute = 0x7ffff783b980 <vtable for OSAttribute+16>, attributeType = OSAttribute::BYTESTR, boolValue = false, ulongValue = 0, byteStrValue = {_vptr.ByteString = 0x7ffff783ce60 <vtable for ByteString+16>, byteString = std::vector of length 32, capacity 32 = {202 '\312', 130 '\202', 149 '\225', 14 '\016', 5 '\005', 66 'B', 198 '\306', 225 '\341', 8 '\b', 161 '\241', 211 '\323', 37 '%', 209 '\321', 252 '\374', 220 '\334', 126 '~', 255 '\377', 121 'y', 137 '\211', 126 '~', 177 '\261', 214 '\326', 4 '\004', 248 '\370', 240 '\360', 151 '\227', 255 '\377', 112 'p', 38 '&', 126 '~', 232 '\350', 232 '\350'}}, mechSetValue = std::set with 0 elements, attrMapValue = std::map with 0 elements} attrSize = 0 #7 0x00007ffff779e7e9 in P11Object::loadTemplate (this=0x5555556a74b0, token=token@entry=0x555555694960, pTemplate=pTemplate@entry=0x7fffffffdf40, ulAttributeCount=ulAttributeCount@entry=1) at P11Objects.cpp:161 attr = <optimized out> retrieve_rv = <optimized out> i = 0 isPrivate = true invalid = false sensitive = false buffer_too_small = false #8 0x00007ffff77d1b5c in SoftHSM::C_GetAttributeValue (this=<optimized out>, hSession=<optimized out>, hObject=<optimized out>, pTemplate=0x7fffffffdf40, ulCount=1) at SoftHSM.cpp:1753 session = 0x555555677890 token = 0x555555694960 object = 0x55555567d630 isOnToken = 1 '\001' isPrivate = <optimized out> rv = <optimized out> __func__ = "C_GetAttributeValue" p11object = 0x5555556a74b0 #9 0x00007ffff778ff33 in C_GetAttributeValue (hSession=1, hObject=2, pTemplate=0x7fffffffdf40, ulCount=1) at main.cpp:497 No locals. #10 0x00007ffff7dd0ad8 in ?? () from /lib64/libnss3.so No symbol table info available. #11 0x00007ffff7dd0fcc in ?? () from /lib64/libnss3.so No symbol table info available. #12 0x0000555555564ac7 in ?? () No symbol table info available. #13 0x00005555555679a0 in ?? () No symbol table info available. #14 0x000055555555e100 in ?? () No symbol table info available. #15 0x00007ffff7bc2f33 in __libc_start_main () from /lib64/libc.so.6 No symbol table info available. #16 0x000055555555e14e in ?? () No symbol table info available.
Can you file a bug against softhsm with this backtrace? They will be better at diagnosing whether the private key is somehow bad or if the bug is theirs.
https://github.com/opendnssec/SoftHSMv2/issues/502
To copy some info from the ticket, it was fixed in https://github.com/opendnssec/SoftHSMv2/pull/450 . The fix not tagged into a release yet. The commit id is 5b8f7474347bd56221bf7203bacb1f568548c410
Perhaps we can file a bug against Fedora to get this pulled into 2.5.0.
Great! I missed the github mail (had filter to separate folder). How do I do that?
What package version of softhsm do you have? It looks like the upstream patch has been applied in 2.5.0-4
Sorry Version : 2.5.0 Release : 3.fc30.1 Fedora release 30 (Thirty)
# yum repolist Last metadata expiration check: 0:02:28 ago on Sat 14 Sep 2019 09:52:27 AM CEST. repo id repo name status copr:copr.fedorainfracloud.org:rcritten:certmonger Copr repo for certmonger owned by rcritten 4 *fedora Fedora 30 - x86_64 56,582 *fedora-modular Fedora Modular 30 - x86_64 135 *updates Fedora 30 - x86_64 - Updates 12,574 *updates-modular Fedora Modular 30 - x86_64 - Updates 144
How do I upgrade?
FYI I wrote a small JSS (Java for NSS) program which loops through all certificates and keys in the dogtag nss db (after certmonger update) and then checks the keys by signing (private key) and then verify signature (public key in certificates). And it all looks good. So for the certmonger part things looks good. https://magnus-k-karlsson.blogspot.com/2019/09/reading-nss-db-with-softhsm-token-with.html
Metadata Update from @magnuskkarlsson: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.