# shell 2
mkdir /etc/yubico
chmod 755 /etc/yubico
chown root:root /etc/yubico
chcon system_u:object_r:etc_t:s0 /etc/yubico
cat << EOF > /etc/yubico/yubihsm_pkcs11.conf
# This is a sample configuration file for the YubiHSM PKCS#11 module
# Uncomment the various options as needed
# URL of the connector to use. This can be a comma-separated list
connector = http://192.168.7.108:12345
# Enables general debug output in the module
debug
# Enables function tracing (ingress/egress) debug output in the module
dinout
# Enables libyubihsm debug output in the module
libdebug
# Redirects the debug output to a specific file. The file is created
# if it does not exist. The content is appended
debug-file = /var/tmp/yubihsm_pkcs11_debug
# CA certificate to use for HTTPS validation. Point this variable to
# a file containing one or more certificates to use when verifying
# a peer. Currently not supported on Windows
#
# cacert = /tmp/cacert.pem
# Proxy server to use for the connector
# Currently not supported on Windows
#
# proxy = http://proxyserver.local.com:8080
# Timeout in seconds to use for the initial connection to the connector
# timeout = 5
EOF
chcon system_u:object_r:etc_t:s0 /etc/yubico/yubihsm_pkcs11.conf
ls -lZ /etc/yubico/yubihsm_pkcs11.conf
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0 991 Mar 16 15:11 /etc/yubico/yubihsm_pkcs11.conf
cat << EOF >> ~/.bashrc
export YUBIHSM_PKCS11_CONF=/etc/yubico/yubihsm_pkcs11.conf
export YUBIHSM_PKCS11_MODULE=/usr/lib64/pkcs11/yubihsm_pkcs11.so
EOF
. ~/.bashrc
ls -lZ $YUBIHSM_PKCS11_CONF $YUBIHSM_PKCS11_MODULE
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0 991 Mar 16 15:11 /etc/yubico/yubihsm_pkcs11.conf
-rwxr-xr-x. 4 root root system_u:object_r:lib_t:s0 317568 Jan 1 1970 /usr/lib64/pkcs11/yubihsm_pkcs11.so
# test
pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --test --pin 0001password
pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so -l --pin 0001password --list-token-slots
pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so -l --pin 0001password --list-objects
(
FAIL example - uninitialized YUBIHSM_PKCS11_CONF YUBIHSM_PKCS11_MODULE
or missing config file in YUBIHSM_PKCS11_CONF
->
echo $YUBIHSM_PKCS11_CONF $YUBIHSM_PKCS11_MODULE
[root@f33vm1 yubihsm2-sdk]#
pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --pin 0001password -t
error: PKCS11 function C_Initialize failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.
)
# test
yubihsm-shell --connector http://192.168.7.108:12345
connect
session open 1 password
list objects 0
^c
Setting up PKI:
groupadd -r ldapgroup1
useradd -r -g ldapgroup1 ldapuser1
grep ldap /etc/passwd /etc/group
dscreate create-template ~/ds.template.txt
sed -e 's/;root_password = .*/root_password = password/g' \
-e 's/;suffix = .*/suffix = dc=example,dc=test/g' \
~/ds.template.txt > ~/ds.template.inf
dscreate from-file ~/ds.template.inf
lsof -i :389 -i :636
dsctl -l
dsctl slapd-localhost status
alternatives --config java
*+ 1 java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.10.0.9-0.fc33.x86_64/bin/java)
virt guest
cat << EOF > ~/ca1.yubihsm2.cfg
[DEFAULT]
pki_server_database_password=password
# pki_hsm_enable=True
# pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
# pki_hsm_modulename=softhsm
# pki_token_name=Dogtag
# pki_token_password=redhat123
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/pkcs11/yubihsm_pkcs11.so
pki_hsm_modulename=yubihsm2
pki_token_name=YubiHSM
pki_token_password=0001password
[CA]
[email protected]
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=password
pki_admin_uid=caadmin
pki_client_database_password=password
pki_client_database_purge=False
pki_client_pkcs12_password=password
pki_ds_hostname=f33vm1.example.test
pki_ds_ldap_port=389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=password
pki_ds_base_dn=dc=pki,dc=example,dc=test
pki_security_domain_name=ca1hsm
pki_ca_signing_token=YubiHSM
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_token=YubiHSM
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_token=YubiHSM
pki_audit_signing_nickname=ca_audit_signing
pki_ssl_server_token=internal
pki_sslserver_token=internal
pki_sslserver_nickname=sslserver
pki_subsystem_token=YubiHSM
pki_subsystem_nickname=subsystem
EOF
# if needed
pkidestroy -s CA --force
pkispawn -f /root/ca1.yubihsm2.cfg -s CA --debug 2>&1 | tee ~/ca1.yubihsm2.pkispawn.out.txt
...
INFO: Getting sslserver cert info from CS.cfg
INFO: Getting sslserver cert info from NSS database
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmppupxfqmt/password.txt -n sslserver -a
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpp9in5_bt/password.txt
INFO: Setting up signing certificate
/usr/lib/python3.9/site-packages/urllib3/connection.py:377: SubjectAltNameWarning: Certificate for f33vm1.example.test has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is
being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
Installation failed:
<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76
;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Interna
l Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> org.mozilla.jss.NoSuchTokenException: No such token: YubiHSM</p><p><b>Description</b> The server encountered an unexpe
cted condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>org.jboss.resteasy.spi.UnhandledException: org.mozilla.jss.NoSuchTokenException: No such token: YubiHSM
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
less /var/log/pki/pki-ca-spawn.20210316155334.log
2021-03-16 15:53:34 INFO: Connecting to LDAP server at ldap://f33vm1.example.test:389
2021-03-16 15:53:34 INFO: Connecting to LDAP server at ldap://f33vm1.example.test:389
2021-03-16 15:53:34 DEBUG: Installing Maven dependencies: False
2021-03-16 15:53:34 INFO: BEGIN spawning CA subsystem in pki-tomcat instance
2021-03-16 15:53:34 INFO: Loading instance: pki-tomcat
...
2021-03-16 15:53:50 DEBUG: Command: /usr/sbin/runuser -u pkiuser -- /usr/bin/env java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.redhat.fips=false org.dogtagpki.server.cli.PKIServerCLI ca-profile-import --input-folder /usr/share/pki/ca/profiles/ca --debug
2021-03-16 15:53:53 INFO: Starting server
2021-03-16 15:53:53 DEBUG: Command: systemctl start [email protected]
2021-03-16 15:53:55 INFO: FIPS mode: False
2021-03-16 15:53:56 INFO: Waiting for CA subsystem to start (1s)
2021-03-16 15:53:57 INFO: Waiting for CA subsystem to start (2s)
2021-03-16 15:54:05 INFO: Subsystem status: running
2021-03-16 15:54:05 INFO: Getting sslserver cert info from CS.cfg
2021-03-16 15:54:05 INFO: Getting sslserver cert info from NSS database
2021-03-16 15:54:05 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmppupxfqmt/password.txt -n sslserver -a
2021-03-16 15:54:06 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpp9in5_bt/password.txt
2021-03-16 15:54:06 INFO: Setting up signing certificate
(END)
and the YubiHSM is accessible to the O.S. via pkcs11-tool and modutil:
pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --pin 0001password -t
Using slot 0 with a present token (0x0)
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
SHA-1: OK
Signatures (currently only for RSA)
Signatures: no private key found in this slot
Verify (currently only for RSA)
No private key found for testing
Decryption (currently only for RSA)
No errors
[root@f33vm1 yubihsm2-sdk]#
modutil -dbdir /etc/pki/pki-tomcat/alias -rawlist
library= name="NSS Internal PKCS #11 Module" NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})" parameters="configdir=/etc/pki/pki-tomcat/alias certPrefix= keyPrefix= secmod=secmod.db flags=readOnly "
library="/usr/lib64/pkcs11/yubihsm_pkcs11.so" name="yubihsm2"
modutil -dbdir /etc/pki/pki-tomcat/alias -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.62
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
2. yubihsm2
library name: /usr/lib64/pkcs11/yubihsm_pkcs11.so
uri: pkcs11:library-manufacturer=Yubico%20(www.yubico.com);library-description=YubiHSM%20PKCS%2311%20Library;library-version=2.10
slots: 1 slot attached
status: loaded
slot: YubiHSM Connector 192.168.7.108
token: YubiHSM
uri: pkcs11:token=YubiHSM;manufacturer=Yubico%20(www.yubico.com);serial=13200864;model=YubiHSM
3. p11-kit-proxy
library name: p11-kit-proxy.so
uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
slots: 1 slot attached
status: loaded
slot: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...
token:
uri: pkcs11:
-----------------------------------------------------------
[root@f33vm1 yubihsm2-sdk]#
certutil -L -d sql:/var/lib/pki/pki-tomcat/alias -h YubiHSM
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Enter Password or Pin for "YubiHSM":
[root@f33vm1 src.dir]#
those 2 keys are from another test with the yubihsm-shell tool, so NSS can access the YubiHSM:
certutil -K -d sql:/var/lib/pki/pki-tomcat/alias -h YubiHSM
certutil: Checking token "YubiHSM" in slot "YubiHSM Connector 192.168.7.108"
Enter Password or Pin for "YubiHSM":
< 0> rsa 0401 label_rsa_sign
< 1> ec 0204 label_ecdsa_test
[root@f33vm1 src.dir]#
./jss/org/mozilla/jss/CryptoManager.java
...
     * Looks up the CryptoToken with the given name. Searches all
     * loaded cryptographic modules for the token.
     *
     * @param name The name of the token.
     * @return The token.
     * @exception org.mozilla.jss.NoSuchTokenException If no token
     *      is found with the given name.
     */
    public synchronized CryptoToken getTokenByName(String name)
        throws NoSuchTokenException
    {
        Enumeration<CryptoToken> tokens = getAllTokens();
        CryptoToken token;

        while(tokens.hasMoreElements()) {
            token = tokens.nextElement();
            try {
                if( name.equals(token.getName()) ) {
                    return token;
                }
            } catch( TokenException e ) {
                throw new RuntimeException(e);
            }
        }
        throw new NoSuchTokenException("No such token: " + name);
    }
...
tried to attach jdb with a break point on getTokenByName from ./jss/org/mozilla/jss/CryptoManager.java
but could not connect at the right moment during pkispawn, there is a connection reset once, then can connect a second time, but the application just exited on the exception,
tried several times, but could not attach:
jdb -attach 8000 -sourcepath /root/src.dir/jss/
stop at org.mozilla.jss.getTokenByName:170
(edit: ascheel June 6th, 2022 for formatting)
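The yubihsm_pkcs11.conf written above turns on every debug switch and talks to the connector over plain http. The following is an added example (not part of the issue, and not Yubico's or Dogtag's code) that parses that file format (full-line `#` comments, `key = value` settings, bare flags such as `debug`) and reports the settings an operator should revisit before the file backs a CA signing key. The `HARDENED_CONF` host name and CA bundle path are made up for the comparison.

```python
"""Lint a yubihsm_pkcs11.conf before a CA is pointed at it (added example)."""
from typing import Dict, List, Union
from urllib.parse import urlparse

# Constructed sample: the settings the issue writes to /etc/yubico/yubihsm_pkcs11.conf,
# with the explanatory comments shortened.
ISSUE_CONF = """\
# URL of the connector to use. This can be a comma-separated list
connector = http://192.168.7.108:12345
debug
dinout
libdebug
debug-file = /var/tmp/yubihsm_pkcs11_debug
# cacert = /tmp/cacert.pem
# timeout = 5
"""

# Constructed hardened variant (hypothetical host name and CA bundle path).
HARDENED_CONF = """\
connector = https://hsm-connector.example.test:12345
cacert = /etc/yubico/connector-ca.pem
timeout = 5
"""

Setting = Union[str, bool]


def parse_conf(text: str) -> Dict[str, Setting]:
    """Parse the module's config format: full-line '#' comments,
    'key = value' settings, and bare flags such as 'debug' (stored as True)."""
    conf: Dict[str, Setting] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        conf[key.strip()] = value.strip() if sep else True
    return conf


DEBUG_FLAGS = ("debug", "dinout", "libdebug")
SHARED_TMP = ("/tmp/", "/var/tmp/")


def review_conf(conf: Dict[str, Setting]) -> List[str]:
    """Return one finding per setting worth changing before production;
    an empty list means nothing was flagged."""
    findings: List[str] = []
    connectors = [c.strip() for c in str(conf.get("connector", "")).split(",") if c.strip()]
    if not connectors:
        findings.append("connector: not set, the module has no YubiHSM to talk to")
    for url in connectors:
        scheme = urlparse(url).scheme
        if scheme == "http":
            # Commands to the device travel inside an authenticated YubiHSM session,
            # but plain http leaves the connector endpoint itself unauthenticated:
            # https plus cacert lets the module verify which connector it reached.
            findings.append(f"connector {url}: plain http, connector endpoint is not authenticated")
        elif scheme == "https" and "cacert" not in conf:
            findings.append(f"connector {url}: https without cacert, connector certificate is not pinned")
    for flag in DEBUG_FLAGS:
        if conf.get(flag):
            findings.append(f"{flag}: debug output is enabled, switch it off outside troubleshooting")
    debug_file = conf.get("debug-file")
    if isinstance(debug_file, str) and debug_file.startswith(SHARED_TMP):
        findings.append(f"debug-file {debug_file}: trace log lives in a shared world-writable directory")
    return findings


if __name__ == "__main__":
    for label, text in (("issue config", ISSUE_CONF), ("hardened config", HARDENED_CONF)):
        print(f"{label}:")
        for finding in review_conf(parse_conf(text)) or ["no findings"]:
            print(f"  - {finding}")
```

Run it directly to see the five findings for the issue's file and none for the hardened variant; `review_conf` is the piece to reuse from a deployment check.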
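JSS's getTokenByName() quoted above accepts only a label that equals the requested name exactly, and it can only see modules that NSS managed to load in the process that asked. The following added example (my diagnostic, not Dogtag's or JSS's code) parses `modutil -list` output into modules, library paths and token labels, applies the same exact comparison to a `pki_token_name`, checks that `pki_hsm_libfile` is a loaded module, and checks whether `YUBIHSM_PKCS11_CONF` is present in the environment the pki-tomcat JVM actually starts with; the `diagnose` function and its finding strings are my own. The sample output is the listing from the issue, re-indented the way modutil prints it and with one NSS-internal slot dropped.

```python
"""Check pkispawn HSM settings against what NSS loads (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the issue's `modutil -dbdir /etc/pki/pki-tomcat/alias -list`
# output, re-indented as modutil prints it, one NSS-internal slot trimmed.
MODUTIL_LIST = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. yubihsm2
        library name: /usr/lib64/pkcs11/yubihsm_pkcs11.so
           uri: pkcs11:library-manufacturer=Yubico%20(www.yubico.com);library-version=2.10
         slots: 1 slot attached
        status: loaded

         slot: YubiHSM Connector 192.168.7.108
        token: YubiHSM
          uri: pkcs11:token=YubiHSM;manufacturer=Yubico%20(www.yubico.com);serial=13200864;model=YubiHSM

  3. p11-kit-proxy
        library name: p11-kit-proxy.so
         slots: 1 slot attached
        status: loaded

         slot: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...
        token:
          uri: pkcs11:
-----------------------------------------------------------
"""


@dataclass
class Module:
    name: str
    library: Optional[str] = None
    tokens: List[Tuple[str, str]] = field(default_factory=list)  # (slot, token label)


MODULE_HEADER = re.compile(r"^(\d+)\.\s+(.+)$")


def parse_modutil_list(text: str) -> List[Module]:
    """Parse `modutil -list` output. An empty token label means the slot
    holds no token (an empty card reader), so it can never match by name."""
    modules: List[Module] = []
    slot: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = MODULE_HEADER.match(line)
        if header:
            modules.append(Module(name=header.group(2).strip()))
            slot = None
            continue
        key, sep, value = line.partition(":")
        if not modules or not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "library name":
            modules[-1].library = value
        elif key == "slot":
            slot = value
        elif key == "token":
            modules[-1].tokens.append((slot or "", value))
            slot = None
    return modules


def find_token(modules: List[Module], name: str) -> Tuple[Optional[str], List[str]]:
    """Same test as CryptoManager.getTokenByName(): the label must equal the name
    exactly. Returns the owning module, or None plus labels that differ only in
    case or surrounding whitespace (the usual typo in pki_token_name)."""
    near_misses: List[str] = []
    for module in modules:
        for _slot, label in module.tokens:
            if label == name:
                return module.name, []
            if label and label.strip().casefold() == name.strip().casefold():
                near_misses.append(label)
    return None, near_misses


def diagnose(modutil_output: str, token_name: str, hsm_libfile: str,
             service_env: Dict[str, str]) -> List[str]:
    """Findings for pki_token_name, pki_hsm_libfile and the JVM's environment."""
    findings: List[str] = []
    modules = parse_modutil_list(modutil_output)
    if not any(m.library == hsm_libfile for m in modules):
        findings.append(f"no module in the NSS database loads {hsm_libfile}")
    owner, near = find_token(modules, token_name)
    if owner is None:
        hint = f" (differs only in case/whitespace: {near})" if near else ""
        findings.append(f"no token labelled exactly {token_name!r}{hint}")
    if not service_env.get("YUBIHSM_PKCS11_CONF"):
        # The module finds its config through this variable in the environment of
        # the loading process (the issue shows C_Initialize failing without it);
        # an export in root's ~/.bashrc is not inherited by a systemd service.
        findings.append("YUBIHSM_PKCS11_CONF is not set in the service environment")
    return findings
```

For a live host, feed `diagnose` the real `modutil -list` text and the environment read from the running service (for example `/proc/<tomcat pid>/environ`) rather than the interactive shell's, which is exactly where the two can differ.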
Not sure if you ever resolved this but I encountered the same issue and managed to get past it by adding the location of the YubiHSM configuration file to /usr/share/pki/etc/pki.conf:
pkispawn fails to create a CA with a YubiHSM, in JSS
org.mozilla.jss.NoSuchTokenException: No such token: YubiHSM
but the device is accessible by NSS.
details
F33
yubihsm-connector-2.2.0-2.fc33.x86_64
yubihsm-shell-2.0.3-1.fc33.x86_64