certmonger

Clone

#125 Certmonger fails to read token in HSM
Closed: fixed 4 years ago by magnuskkarlsson. Opened 4 years ago by magnuskkarlsson.

Closed: fixed
Reopen Issue

I'm helping to add HSM support for FreeIPA.

I have disabled p11-kit https://pagure.io/freeipa/issue/7810
$ rm -f /etc/crypto-policies/local.d/nss-p11-kit.config && update-crypto-policies
$ reboot

Modified the FreeIPA python scripts so that internal (mostly dogtag) certificate is stored in HSM (I'm using SoftHSM for development)

$ modutil -dbdir /etc/pki/pki-tomcat/alias -list

Listing of PKCS 11 Modules

  1. NSS Internal PKCS 11 Module
    uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.44
    slots: 2 slots attached
    status: loaded

    slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services
    uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

    slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB
    uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. softhsm
    library name: /usr/lib64/pkcs11/libsofthsm2.so
    uri: pkcs11:library-manufacturer=SoftHSM;library-description=Implementation%20of%20PKCS11;library-version=2.5
    slots: 2 slots attached
    status: loaded

    slot: SoftHSM slot ID 0x1e204b1f
    token: Dogtag
    uri: pkcs11:token=Dogtag;manufacturer=SoftHSM%20project;serial=2e2e45569e204b1f;model=SoftHSM%20v2

    slot: SoftHSM slot ID 0x1
    token:
    uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2

$ certutil -L -d /etc/pki/pki-tomcat/alias -h all

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

Enter Password or Pin for "Dogtag":
Server-Cert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
caSigningCert cert-pki-ca CTu,Cu,Cu
Dogtag:caSigningCert cert-pki-ca CTu,Cu,Cu
Dogtag:auditSigningCert cert-pki-ca u,u,Pu
Dogtag:ocspSigningCert cert-pki-ca u,u,u
Dogtag:subsystemCert cert-pki-ca u,u,u

$ certutil -K -d /etc/pki/pki-tomcat/alias -h all
certutil: Checking token "NSS Generic Crypto Services" in slot "NSS Internal Cryptographic Services"
certutil: no keys found
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa a6793d9d3d8333c7c0de32d8ed8fe974b109f137 NSS Certificate DB:Server-Cert cert-pki-ca
certutil: Checking token "Dogtag" in slot "SoftHSM slot ID 0x1e204b1f"
Enter Password or Pin for "Dogtag":
< 0> rsa 87f899a34660a00bc8db2df813200d80254bb8cd ocspSigningCert cert-pki-ca
< 1> rsa a15e8133b16a6a194225274283c95f90b2edfebf auditSigningCert cert-pki-ca
< 2> rsa d722c8de0c89b73fd7adbc9329ede583e7c5428a caSigningCert cert-pki-ca
< 3> rsa f9d9e20d507d236f762a4a4102bc6b55cc6fedb3 subsystemCert cert-pki-ca

But ran into problem that certmonger will not found above token 'Dogtag'

Stop dogtag, so that certmonger can get read/write lock on nss db
$ systemctl stop pki-tomcatd@pki-tomcat.service

Manually add certmonger tracking (which is the same that is done in freeipa python script)
$ getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -t 'Dogtag' -P redhat123 -r -c dogtag-ipa-ca-renew-agent -S -B /usr/libexec/ipa/certmonger/stop_pkicad -C "/usr/libexec/ipa/certmonger/renew_ca_cert 'ocspSigningCert cert-pki-ca'"

But the token 'Dogtag' is never found
$ journalctl -f -t certmonger
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Pending GetConnectionUnixUser serial 5804
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Pending GetConnectionUnixProcessID serial 5805
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Queuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f1ed30.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Dequeuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f1ed30.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Handling D-Bus traffic (Read) on FD 7 for 0x5598c2efcd30.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] message 0x5598c2efcd30(method_return)->5804->4294967295
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] message 0x5598c2efcd30(method_return)->5805->4294967295
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] User ID 0 PID 8390 called /org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8391] Read value "0" from "/proc/sys/crypto/fips_enabled".
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8391] Not attempting to set NSS FIPS mode.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8391] Skipping NSS internal slot (NSS Generic Crypto Services).
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8391] Found token 'NSS Certificate DB'.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8391] Token is named "NSS Certificate DB", not "Dogtag", skipping.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8391] Error locating a key.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Read value "0" from "/proc/sys/crypto/fips_enabled".
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Not attempting to set NSS FIPS mode.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Found token 'NSS Generic Crypto Services'.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Token is named "NSS Generic Crypto Services", not "Dogtag", skipping.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Found token 'NSS Certificate DB'.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Token is named "NSS Certificate DB", not "Dogtag", skipping.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8392] Error locating certificate.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Request11('20190822103540') starts in state 'NEWLY_ADDED'
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Request11('20190822103540') taking writing lock
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Request11('20190822103540') moved to state 'NEWLY_ADDED_START_READING_KEYINFO'
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Will revisit Request11('20190822103540') now.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Started Request11('20190822103540').
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Queuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f0a420.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Request11('20190822103540') moved to state 'NEWLY_ADDED_READING_KEYINFO'
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Will revisit Request11('20190822103540') on traffic from 11.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Dequeuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f0a420.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Handling D-Bus traffic (Read) on FD 7 for 0x5598c2efcd30.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] message 0x5598c2efcd30(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger/requests/Request11:org.fedorahosted.certmonger.request.get_nickname
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Pending GetConnectionUnixUser serial 5809
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Pending GetConnectionUnixProcessID serial 5810
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Queuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f1bd90.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Dequeuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f1bd90.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Handling D-Bus traffic (Read) on FD 7 for 0x5598c2efcd30.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] message 0x5598c2efcd30(method_return)->5809->4294967295
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] message 0x5598c2efcd30(method_return)->5810->4294967295
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] User ID 0 PID 8390 called /org/fedorahosted/certmonger/requests/Request11:org.fedorahosted.certmonger.request.get_nickname.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Queuing FD 7 for Read for 0x5598c2efcd30:0x5598c2f0a420.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8393] Read value "0" from "/proc/sys/crypto/fips_enabled".
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8393] Not attempting to set NSS FIPS mode.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8393] Skipping NSS internal slot (NSS Generic Crypto Services).
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8393] Found token 'NSS Certificate DB'.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8393] Token is named "NSS Certificate DB", not "Dogtag", skipping.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [8393] Error locating a key.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Request11('20190822103540') releasing writing lock
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Request11('20190822103540') moved to state 'NEWLY_ADDED_NEED_KEYINFO_READ_TOKEN'
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Will revisit Request11('20190822103540') now.
Aug 22 12:35:40 freeipa-fedora30-master-hsm.magnuskkarlsson.local certmonger[7909]: 2019-08-22 12:35:40 [7909] Waiting for instructions for Request11('20190822103540').

The NSS function PK11_GetAllTokens() doesn't seem to be returning the Dogtag token.

Can you look for SELinux AVCs? Maybe certmonger can't load the pkcs#11 module or can't read the backed files.

Thanks for your reply!
No, tested already
$ setenforce Permissive
before start-tracking, no SELinux problem.

Also maxed file permission for softhsm
$ chmod 777 /var/lib/softhsm -Rv

I do not know if this is relevant, but I have disabled p11-kit. The visibility of p11-kit then differs.
As root at a non existing NSS DB

# modutil -nocertdb -list

Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
       uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.44
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services
      uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB
      uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

But as root on specific NSS DB

# certutil -U -d /etc/pki/pki-tomcat/alias

    slot: NSS Internal Cryptographic Services
   token: NSS Generic Crypto Services
     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

    slot: NSS User Private Key and Certificate Services
   token: NSS Certificate DB
     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

    slot: SoftHSM slot ID 0x1e204b1f
   token: Dogtag
     uri: pkcs11:token=Dogtag;manufacturer=SoftHSM%20project;serial=2e2e45569e204b1f;model=SoftHSM%20v2

I have also tried to re enable the p11-kit (default Fedora 30 installation) and then rebooted, but with no effect.
Edited 4 years ago by magnuskkarlsson

I cannot find the API documentation for PK11_GetAllTokens, but maybe you need to supply token password when listing hsm tokens. Here null passed in.

    mech = CKM_RSA_X_509;
    slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);

I think you're onto something. Looks like a the token PIN is required to list the certificates at all. I'll need to try to simplify this and reproduce.

Metadata Update from @rcritten:
- Issue assigned to rcritten
4 years ago

I duplicated it by creating an IPA service, generating a cert for it in an NSS database, exporting that to PKCS12, deleting it from the db, creating a new softhsm token and importing the PKCS12 into that token, then start tracking on it.

On Fedora 30 also.

ipa service-add test/`hostname`
certutil -d /etc/pki/nssdb/ -R -a -o ipa.csr -s CN=`hostname`
ipa cert-request --principal test/`hostname` --certificate-out test.pem ipa.csr
certutil -A -d /etc/pki/nssdb -n test -a -i test.pem -t u,u,u
pk12util -o test.p12 -d /etc/pki/nssdb -n test
modutil -dbdir /etc/pki/nssdb/ -add softhsm -libfile /usr/lib64/softhsm/libsofthsm.so
softhsm2-util --init-token --label "test" --pin 123456 --so-pin 123456 --free
certutil -F -d /etc/pki/nssdb/ -n test
pk12util -i test.p12 -d /etc/pki/nssdb/ -h test
certutil -A -d /etc/pki/nssdb/ -n 'IPA CA' -t CT,, -a -i /etc/ipa/ca.crt
certutil -V -u V -e -d /etc/pki/nssdb/ -h test -n test:test
ipa-getcert start-tracking -d /etc/pki/nssdb/ -n test -t test -P 123456

I've figured out part of the issue. The NSS context is created with NSS_INIT_NOMODDB so it wasn't seeing the tokens at all. The investigation continues.

I'd have sworn token handling was working in master, with softhsm no less. There seem to be multiple issues affecting cert and key finding. I don't know if NSS changes its semantics or perhaps it wasn't working as well as I thought.

I have cert loading working so one can successfully start tracking a cert in a token. Renewal is the next thing to fix.

I think I have it working now but I'm not completely satisfied with it. I've got a query into the NSS team to see if anything changed regarding the NOMODDB flag.

If you want to give it a test-run I did a copr build at
https://copr.fedorainfracloud.org/coprs/rcritten/certmonger/

Thanks! Tested and the first tests ran fine. Will do a few more.

I ran my reproducer on F27 and it couldn't handle tracking an imported token either. I manually upgraded to certmonger-0.79.7-1 to pick up the previous token work.

Let me know how your additional testing goes and if everything seems to be working I'll go ahead and get this merged.

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1746543
4 years ago

Issue linked to Bugzilla: Bug 1746543

A little of the topic question, what is the default behavior for certmonger when renewing the certificate, to resubmit (reusing same key pair) or rekey (generating new key pair)?

It should re-use the existing key. There does seem to be an issue when renewing an imported key, https://pagure.io/certmonger/issue/124 . Are you seeing that behavior?

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
4 years ago

Hi, I tested the fix and it seemed to work, but after running resubmit and using certutil to list private keys in NSS DB, certutil core dumped.

# getenforce 
Permissive

# certutil -K -d /etc/pki/pki-tomcat/alias -h all
certutil: Checking token "NSS Generic Crypto Services" in slot "NSS Internal Cryptographic Services"
certutil: no keys found
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      a6793d9d3d8333c7c0de32d8ed8fe974b109f137   NSS Certificate DB:Server-Cert cert-pki-ca
certutil: Checking token "Dogtag" in slot "SoftHSM slot ID 0x1e204b1f"
Enter Password or Pin for "Dogtag":
< 0> rsa      87f899a34660a00bc8db2df813200d80254bb8cd   ocspSigningCert cert-pki-ca
< 1> rsa      a15e8133b16a6a194225274283c95f90b2edfebf   auditSigningCert cert-pki-ca
< 2> rsa      d722c8de0c89b73fd7adbc9329ede583e7c5428a   caSigningCert cert-pki-ca
< 3> rsa      f9d9e20d507d236f762a4a4102bc6b55cc6fedb3   subsystemCert cert-pki-ca

# getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -t 'Dogtag' -P redhat123 -r -c dogtag-ipa-ca-renew-agent -S -B /usr/libexec/ipa/certmonger/stop_pkicad 

# getcert resubmit -i 20190912141910

# certutil -K -d /etc/pki/pki-tomcat/alias -h all
certutil: Checking token "NSS Generic Crypto Services" in slot "NSS Internal Cryptographic Services"
certutil: no keys found
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      a6793d9d3d8333c7c0de32d8ed8fe974b109f137   NSS Certificate DB:Server-Cert cert-pki-ca
certutil: Checking token "Dogtag" in slot "SoftHSM slot ID 0x1e204b1f"
Enter Password or Pin for "Dogtag":
/usr/include/c++/9/bits/stl_vector.h:1027: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = unsigned char; _Alloc = SecureAllocator<unsigned char>; std::vector<_Tp, _Alloc>::const_reference = const unsigned char&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed.
Aborted (core dumped)

var-log-messages
Edited 4 years ago by magnuskkarlsson

Metadata Update from @magnuskkarlsson:
- Issue status updated to: Open (was: Closed)
4 years ago

Can you try to get a stacktrace out of certutil?

 
(gdb) run -K -d /etc/pki/pki-tomcat/alias -h all
Starting program: /usr/bin/certutil -K -d /etc/pki/pki-tomcat/alias -h all
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
warning: Loadable section ".note.gnu.property" outside of ELF segments
certutil: Checking token "NSS Generic Crypto Services" in slot "NSS Internal Cryptographic Services"
certutil: no keys found
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      a6793d9d3d8333c7c0de32d8ed8fe974b109f137   NSS Certificate DB:Server-Cert cert-pki-ca
certutil: Checking token "Dogtag" in slot "SoftHSM slot ID 0x1e204b1f"
Enter Password or Pin for "Dogtag":
/usr/include/c++/9/bits/stl_vector.h:1027: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = unsigned char; _Alloc = SecureAllocator<unsigned char>; std::vector<_Tp, _Alloc>::const_reference = const unsigned char&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7bd6e75 in raise () from /lib64/libc.so.6
(gdb) thread apply all bt full

Thread 1 (Thread 0x7ffff7b8bb80 (LWP 1195)):
#0  0x00007ffff7bd6e75 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007ffff7bc1895 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007ffff77f4ab8 in ?? () from /usr/lib64/pkcs11/libsofthsm2.so
No symbol table info available.
#3  0x00007ffff77f37c5 in ?? () from /usr/lib64/pkcs11/libsofthsm2.so
No symbol table info available.
#4  0x00007ffff77f3a89 in ?? () from /usr/lib64/pkcs11/libsofthsm2.so
No symbol table info available.
#5  0x00007ffff779c850 in ?? () from /usr/lib64/pkcs11/libsofthsm2.so
No symbol table info available.
#6  0x00007ffff779e7e9 in ?? () from /usr/lib64/pkcs11/libsofthsm2.so
No symbol table info available.
#7  0x00007ffff77d1b5c in ?? () from /usr/lib64/pkcs11/libsofthsm2.so
No symbol table info available.
#8  0x00007ffff778ff33 in C_GetAttributeValue () from /usr/lib64/pkcs11/libsofthsm2.so
No symbol table info available.
#9  0x00007ffff7dd0ad8 in ?? () from /lib64/libnss3.so
No symbol table info available.
#10 0x00007ffff7dd0fcc in ?? () from /lib64/libnss3.so
No symbol table info available.
#11 0x0000555555564ac7 in ?? ()
No symbol table info available.
#12 0x00005555555679a0 in ?? ()
No symbol table info available.
#13 0x000055555555e100 in ?? ()
No symbol table info available.
#14 0x00007ffff7bc2f33 in __libc_start_main () from /lib64/libc.so.6
No symbol table info available.
#15 0x000055555555e14e in ?? ()
No symbol table info available.

Thanks. If you install the debuginfo package for softhsm2 it will include more information in the trace but this is pretty clearly blowing up inside softhsm itself. Given that certmonger/NSS only communicate via the PKCS#11 interface I'd say this is a bug in softhsm.

Right

(gdb) run -K -d /etc/pki/pki-tomcat/alias -h all
Starting program: /usr/bin/certutil -K -d /etc/pki/pki-tomcat/alias -h all
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
certutil: Checking token "NSS Generic Crypto Services" in slot "NSS Internal Cryptographic Services"
certutil: no keys found
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      a6793d9d3d8333c7c0de32d8ed8fe974b109f137   NSS Certificate DB:Server-Cert cert-pki-ca
certutil: Checking token "Dogtag" in slot "SoftHSM slot ID 0x1e204b1f"
Enter Password or Pin for "Dogtag":
/usr/include/c++/9/bits/stl_vector.h:1027: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = unsigned char; _Alloc = SecureAllocator<unsigned char>; std::vector<_Tp, _Alloc>::const_reference = const unsigned char&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7bd6e75 in raise () from /lib64/libc.so.6
(gdb) thread apply all bt full

Thread 1 (Thread 0x7ffff7b8bb80 (LWP 1208)):
#0  0x00007ffff7bd6e75 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007ffff7bc1895 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007ffff77f4ab8 in std::__replacement_assert (__file=__file@entry=0x7ffff7812490 "/usr/include/c++/9/bits/stl_vector.h", __line=__line@entry=1027, __function=__function@entry=0x7ffff7814e10 "std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = unsigned char; _Alloc = SecureAllocator<unsigned char>; std::vecto"..., __condition=__condition@entry=0x7ffff7812358 "__builtin_expect(__n < this->size(), true)") at /usr/include/c++/9/x86_64-redhat-linux/bits/c++config.h:2493
No locals.
#3  0x00007ffff77f37c5 in std::vector<unsigned char, SecureAllocator<unsigned char> >::operator[] (__n=<optimized out>, this=<optimized out>) at ByteString.cpp:194
        __PRETTY_FUNCTION__ = <optimized out>
#4  ByteString::const_byte_str (this=0x7fffffffdd10) at ByteString.cpp:196
No locals.
#5  0x00007ffff77f3a89 in ByteString::const_byte_str (this=this@entry=0x7fffffffdd10) at /usr/include/c++/9/bits/stl_vector.h:1025
No locals.
#6  0x00007ffff779c850 in P11Attribute::retrieve (this=<optimized out>, token=token@entry=0x555555694960, isPrivate=isPrivate@entry=true, pValue=0x5555556a7130, pulValueLen=pulValueLen@entry=0x7fffffffdf50) at P11Attributes.cpp:343
        value = {_vptr.ByteString = 0x7ffff783ce60 <vtable for ByteString+16>, byteString = std::vector of length 0, capacity 32}
        attrPtr = <optimized out>
        rv = 0
        __func__ = "retrieve"
        attr = {_vptr.OSAttribute = 0x7ffff783b980 <vtable for OSAttribute+16>, attributeType = OSAttribute::BYTESTR, boolValue = false, ulongValue = 0, byteStrValue = {_vptr.ByteString = 0x7ffff783ce60 <vtable for ByteString+16>, byteString = std::vector of length 32, capacity 32 = {202 '\312', 130 '\202', 149 '\225', 14 '\016', 5 '\005', 66 'B', 198 '\306', 225 '\341', 8 '\b', 161 '\241', 211 '\323', 37 '%', 209 '\321', 252 '\374', 220 '\334', 126 '~', 255 '\377', 121 'y', 137 '\211', 126 '~', 177 '\261', 214 '\326', 4 '\004', 248 '\370', 240 '\360', 151 '\227', 255 '\377', 112 'p', 38 '&', 126 '~', 232 '\350', 232 '\350'}}, mechSetValue = std::set with 0 elements, attrMapValue = std::map with 0 elements}
        attrSize = 0
#7  0x00007ffff779e7e9 in P11Object::loadTemplate (this=0x5555556a74b0, token=token@entry=0x555555694960, pTemplate=pTemplate@entry=0x7fffffffdf40, ulAttributeCount=ulAttributeCount@entry=1) at P11Objects.cpp:161
        attr = <optimized out>
        retrieve_rv = <optimized out>
        i = 0
        isPrivate = true
        invalid = false
        sensitive = false
        buffer_too_small = false
#8  0x00007ffff77d1b5c in SoftHSM::C_GetAttributeValue (this=<optimized out>, hSession=<optimized out>, hObject=<optimized out>, pTemplate=0x7fffffffdf40, ulCount=1) at SoftHSM.cpp:1753
        session = 0x555555677890
        token = 0x555555694960
        object = 0x55555567d630
        isOnToken = 1 '\001'
        isPrivate = <optimized out>
        rv = <optimized out>
        __func__ = "C_GetAttributeValue"
        p11object = 0x5555556a74b0
#9  0x00007ffff778ff33 in C_GetAttributeValue (hSession=1, hObject=2, pTemplate=0x7fffffffdf40, ulCount=1) at main.cpp:497
No locals.
#10 0x00007ffff7dd0ad8 in ?? () from /lib64/libnss3.so
No symbol table info available.
#11 0x00007ffff7dd0fcc in ?? () from /lib64/libnss3.so
No symbol table info available.
#12 0x0000555555564ac7 in ?? ()
No symbol table info available.
#13 0x00005555555679a0 in ?? ()
No symbol table info available.
#14 0x000055555555e100 in ?? ()
No symbol table info available.
#15 0x00007ffff7bc2f33 in __libc_start_main () from /lib64/libc.so.6
No symbol table info available.
#16 0x000055555555e14e in ?? ()
No symbol table info available.

Can you file a bug against softhsm with this backtrace? They will be better at diagnosing whether the private key is somehow bad or if the bug is theirs.

To copy some info from the ticket, it was fixed in https://github.com/opendnssec/SoftHSMv2/pull/450 . The fix not tagged into a release yet. The commit id is 5b8f7474347bd56221bf7203bacb1f568548c410

Perhaps we can file a bug against Fedora to get this pulled into 2.5.0.

Great! I missed the github mail (had filter to separate folder). How do I do that?

What package version of softhsm do you have? It looks like the upstream patch has been applied in 2.5.0-4

Sorry
Version : 2.5.0
Release : 3.fc30.1
Fedora release 30 (Thirty)

# yum repolist
Last metadata expiration check: 0:02:28 ago on Sat 14 Sep 2019 09:52:27 AM CEST.
repo id                                              repo name                                    status
copr:copr.fedorainfracloud.org:rcritten:certmonger   Copr repo for certmonger owned by rcritten        4
*fedora                                              Fedora 30 - x86_64                           56,582
*fedora-modular                                      Fedora Modular 30 - x86_64                      135
*updates                                             Fedora 30 - x86_64 - Updates                 12,574
*updates-modular                                     Fedora Modular 30 - x86_64 - Updates            144

How do I upgrade?

FYI I wrote a small JSS (Java for NSS) program which loops through all certificates and keys in the dogtag nss db (after certmonger update) and then checks the keys by signing (private key) and then verify signature (public key in certificates). And it all looks good. So for the certmonger part things looks good.
https://magnus-k-karlsson.blogspot.com/2019/09/reading-nss-db-with-softhsm-token-with.html

Metadata Update from @magnuskkarlsson:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
4 years ago

Login to comment on this ticket.

Metadata
None
None
None
None
None
None
None
None
None
None
Attachments 1
var-log-messages
Attached 4 years ago View Comment
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.