pki-server ca-clone-prepare -i pki-RootCA-CMC1 --pkcs12-file ca_backup_keys.p12 --pkcs12-password Secret.123
TokenException: PK11_RawPBEKeyGen: failed to generate key
ERROR: Command '['pki', '-d', '/var/lib/pki/pki-RootCA-CMC1/alias', '-C', '/tmp/tmp9n2xiQ/password.txt', '--token', 'NHSM-GKAPOOR-SOFTCARD', 'pkcs12-cert-add', '--pkcs12-file', 'ca_backup_keys.p12', '--pkcs12-password-file', '/tmp/tmpCanogG/pkcs12_password.txt', '--new-file', 'subsystemCert cert-pki-RootCA-CMC1']' returned non-zero exit status 255
Actual results:
[root@pki1 ~]# pki -v -d /var/lib/pki/pki-RootCA-CMC1/alias -C pass --token NHSM-GKAPOOR-SOFTCARD pkcs12-cert-add --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file pass --new-file subsystemCert cert-pki-RootCA-CMC1
PKI options: -v -d /var/lib/pki/pki-RootCA-CMC1/alias -C pass --token NHSM-GKAPOOR-SOFTCARD
PKI command: pkcs12-cert-add pkcs12-cert-add --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file pass --new-file subsystemCert cert-pki-RootCA-CMC1
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /var/lib/pki/pki-RootCA-CMC1/alias -C pass --token NHSM-GKAPOOR-SOFTCARD --verbose pkcs12-cert-add --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file pass --new-file subsystemCert cert-pki-RootCA-CMC1
Server URI: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080
Client security database: /var/lib/pki/pki-RootCA-CMC1/alias
Message format: null
Command: pkcs12-cert-add --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file pass --new-file subsystemCert cert-pki-RootCA-CMC1
Initializing security database
Logging into security token
Module: pkcs12
Module: cert
Module: add
org.mozilla.jss.crypto.TokenException: PK11_RawPBEKeyGen: failed to generate key
	at org.mozilla.jss.pkcs11.PK11KeyGenerator.generatePBE(Native Method)
	at org.mozilla.jss.pkcs11.PK11KeyGenerator.generate(PK11KeyGenerator.java:181)
	at org.mozilla.jss.pkcs12.MacData.<init>(MacData.java:99)
	at org.mozilla.jss.pkcs12.PFX.computeMacData(PFX.java:210)
	at netscape.security.pkcs.PKCS12Util.generatePFX(PKCS12Util.java:338)
	at netscape.security.pkcs.PKCS12Util.storeIntoFile(PKCS12Util.java:345)
	at com.netscape.cmstools.pkcs12.PKCS12CertAddCLI.execute(PKCS12CertAddCLI.java:149)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:344)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:628)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:664)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '/var/lib/pki/pki-RootCA-CMC1/alias', '-C', 'pass', '--token', 'NHSM-GKAPOOR-SOFTCARD', '--verbose', 'pkcs12-cert-add', '--pkcs12-file', 'ca_backup_keys.p12', '--pkcs12-password-file', 'pass', '--new-file', 'subsystemCert', 'cert-pki-RootCA-CMC1']' returned non-zero exit status 255
Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1459269
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue set to the milestone: 10.5
Can you please upload or email me the offending PKCS #12 file? (and, if you want, the passphrase; but I mainly just want to look at what algorithms are being used for the encrypted private key data and I don't need the passphrase for that).
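The inspection asked for above does not need the passphrase: in a PKCS #12 file the PBE algorithm identifiers (the PBES1 or PBES2 parameters on the shrouded key bag's EncryptedPrivateKeyInfo, the content-encryption algorithm of the EncryptedData safe, and the MacData digest) are all in the clear, and only the ciphertext and MAC depend on the password. The following is an added example, not Dogtag or JSS code and not taken from the ticket: a dependency-free Python DER walker that lists every algorithm OID in a PFX. Because no real PKCS #12 file is attached here, `build_sample_pfx` constructs a skeleton PFX with placeholder ciphertext (it cannot be opened, it only carries the identifiers); the descent into OCTET STRINGs is a heuristic, as the comment in the code says.

```python
"""List the algorithm OIDs in a PKCS #12 (PFX) file without knowing its password."""
import sys

# Algorithm OIDs a PKCS #12 exporter may write (PKCS #5, PKCS #9, PKCS #12, NIST).
OID_NAMES = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.7": "hmacWithSHA1",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
}
# Content-type and bag-type OIDs: structure, not algorithms, so they are not reported.
STRUCTURAL = {"1.2.840.113549.1.7.1", "1.2.840.113549.1.7.6",
              "1.2.840.113549.1.12.10.1.2", "1.2.840.113549.1.12.10.1.3"}


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    if pos + 2 > len(buf) or (buf[pos] & 0x1F) == 0x1F:
        raise ValueError("bad or truncated TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    if not content or content[-1] & 0x80:
        raise ValueError("bad OID")
    first = content[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def _walk(buf, found):
    """Collect OIDs, descending into constructed values and (heuristic) into any
    OCTET STRING whose content parses as a complete SEQUENCE, because PKCS #12
    nests AuthenticatedSafe and SafeContents inside OCTET STRINGs."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        if tag == 0x06:                             # OBJECT IDENTIFIER
            found.append(_decode_oid(content))
        elif tag & 0x20:                            # SEQUENCE, SET, explicit [n]
            _walk(content, found)
        elif tag == 0x04 and content[:1] == b"\x30":
            inner = []
            try:
                _walk(content, inner)
            except ValueError:
                continue                            # opaque bytes, not nested DER
            found.extend(inner)


def pkcs12_algorithms(pfx_der):
    """Algorithm names (dotted OID if unknown) in first-seen order, deduplicated."""
    found, names = [], []
    _walk(pfx_der, found)
    for oid in found:
        name = OID_NAMES.get(oid, oid)
        if oid not in STRUCTURAL and name not in names:
            names.append(name)
    return names


# Minimal DER encoder, used only to construct the offline sample below.
def _der(tag, content):
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def _oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    body = [40 * p[0] + p[1]]
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))

def _int(n): return _der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))
def _seq(*parts): return _der(0x30, b"".join(parts))
def _octet(b): return _der(0x04, b)
def _ctx(n, content): return _der(0xA0 | n, content)   # explicit [n]
NULL = b"\x05\x00"


def build_sample_pfx():
    """Constructed sample (not from the ticket): key bag under PBES2/PBKDF2-HMAC-SHA256/
    AES-256-CBC, certificate safe under legacy pbeWithSHA1And40BitRC2-CBC, SHA-256 MAC.
    Salts, IV, ciphertext and MAC are placeholder bytes, so the file cannot be opened."""
    salt, iv, blob, mac = b"\x01" * 8, b"\x02" * 16, b"\x00" * 32, b"\x03" * 32
    pbes2 = _seq(_oid("1.2.840.113549.1.5.13"), _seq(
        _seq(_oid("1.2.840.113549.1.5.12"),
             _seq(_octet(salt), _int(2048), _seq(_oid("1.2.840.113549.2.9"), NULL))),
        _seq(_oid("2.16.840.1.101.3.4.1.42"), _octet(iv))))
    key_bag = _seq(_oid("1.2.840.113549.1.12.10.1.2"), _ctx(0, _seq(pbes2, _octet(blob))))
    key_safe = _seq(_oid("1.2.840.113549.1.7.1"), _ctx(0, _octet(_seq(key_bag))))
    rc2 = _seq(_oid("1.2.840.113549.1.12.1.6"), _seq(_octet(salt), _int(2048)))
    cert_safe = _seq(_oid("1.2.840.113549.1.7.6"), _ctx(0, _seq(
        _int(0), _seq(_oid("1.2.840.113549.1.7.1"), rc2, _der(0x80, blob)))))
    auth_safe = _seq(_oid("1.2.840.113549.1.7.1"), _ctx(0, _octet(_seq(key_safe, cert_safe))))
    mac_data = _seq(_seq(_seq(_oid("2.16.840.1.101.3.4.2.1"), NULL), _octet(mac)),
                    _octet(salt), _int(2048))
    return _seq(_int(3), auth_safe, mac_data)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pfx()
    for name in pkcs12_algorithms(data):
        print(name)
```

Run it with a path to list the identifiers of a real file; with no argument it walks the constructed sample and prints PBES2, PBKDF2, hmacWithSHA256, aes256-CBC, pbeWithSHA1And40BitRC2-CBC and sha256. Unknown OIDs are printed in dotted form rather than dropped, so an exporter using an algorithm outside the table is still visible.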
To my understanding, the above pki pkcs12-cert-add command was supposed to export a certificate and its key from the HSM (assuming the key is extractable) into a new PKCS #12 file. The PKCS #12 file didn't exist yet when the command was executed.
The problem is the command failed with CKR_USER_NOT_LOGGED_IN error code in the C_GenerateKey operation, which seems to indicate that the token login operation was not done properly. Please see the linked Bugzilla ticket for more details.
Metadata Update from @mharmsen: - Issue priority set to: major
[20171025] - Offline Triage ==> 10.6
Metadata Update from @mharmsen: - Issue set to the milestone: 10.6 (was: 10.5)
Per 10.5.x/10.6 Triage: FUTURE
RHBZ: CLOSED UPSTREAM
alee: invalid case. Not clear if this is supposed to be a jss/nss bug?
Metadata Update from @mharmsen:
- Custom field rhbz reset (from https://bugzilla.redhat.com/show_bug.cgi?id=1459269)
- Issue set to the milestone: FUTURE (was: 10.6)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2853
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)