
pkispawn fails to create a CA with a YubiHSM, in JSS - org.mozilla.jss.NoSuchTokenException: No such token: YubiHSM #682

Open
msauton opened this issue Mar 17, 2021 · 1 comment

Comments


msauton commented Mar 17, 2021

pkispawn fails to create a CA with a YubiHSM, in JSS
org.mozilla.jss.NoSuchTokenException: No such token: YubiHSM

but the device is accessible by NSS.

details

F33
yubihsm-connector-2.2.0-2.fc33.x86_64
yubihsm-shell-2.0.3-1.fc33.x86_64

mkdir yubihsm2-sdk.f33.dir
cd yubihsm2-sdk.f33.dir
wget https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2021-03-fedora33-amd64.tar.gz
tar zxf yubihsm2-sdk-2021-03-fedora33-amd64.tar.gz
yum localinstall -y ./yubihsm2-sdk/*.rpm
# shell 1 - run yubihsm-connector
systemctl stop firewalld.service
yubihsm-connector -l 192.168.7.108:12345 -d
# shell 2 
mkdir /etc/yubico
chmod 755 /etc/yubico
chown root:root /etc/yubico
chcon system_u:object_r:etc_t:s0 /etc/yubico

cat << EOF > /etc/yubico/yubihsm_pkcs11.conf
# This is a sample configuration file for the YubiHSM PKCS#11 module
# Uncomment the various options as needed

# URL of the connector to use. This can be a comma-separated list
connector = http://192.168.7.108:12345

# Enables general debug output in the module
debug

# Enables function tracing (ingress/egress) debug output in the module
dinout

# Enables libyubihsm debug output in the module
libdebug

# Redirects the debug output to a specific file. The file is created
# if it does not exist. The content is appended
debug-file = /var/tmp/yubihsm_pkcs11_debug

# CA certificate to use for HTTPS validation. Point this variable to
# a file containing one or more certificates to use when verifying
# a peer. Currently not supported on Windows
#
# cacert = /tmp/cacert.pem

# Proxy server to use for the connector
# Currently not supported on Windows
#
# proxy = http://proxyserver.local.com:8080

# Timeout in seconds to use for the initial connection to the connector
# timeout = 5
EOF

chcon system_u:object_r:etc_t:s0 /etc/yubico/yubihsm_pkcs11.conf
ls -lZ /etc/yubico/yubihsm_pkcs11.conf
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0 991 Mar 16 15:11 /etc/yubico/yubihsm_pkcs11.conf

cat << EOF >> ~/.bashrc
export YUBIHSM_PKCS11_CONF=/etc/yubico/yubihsm_pkcs11.conf
export YUBIHSM_PKCS11_MODULE=/usr/lib64/pkcs11/yubihsm_pkcs11.so
EOF

. ~/.bashrc

ls -lZ $YUBIHSM_PKCS11_CONF $YUBIHSM_PKCS11_MODULE
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0    991 Mar 16 15:11 /etc/yubico/yubihsm_pkcs11.conf
-rwxr-xr-x. 4 root root system_u:object_r:lib_t:s0 317568 Jan  1  1970 /usr/lib64/pkcs11/yubihsm_pkcs11.so

# test
pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --test --pin 0001password
pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so -l --pin 0001password --list-token-slots
pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so -l --pin 0001password --list-objects

(
FAIL example - uninitialized YUBIHSM_PKCS11_CONF YUBIHSM_PKCS11_MODULE
or missing config file in YUBIHSM_PKCS11_CONF
->
echo $YUBIHSM_PKCS11_CONF $YUBIHSM_PKCS11_MODULE
[root@f33vm1 yubihsm2-sdk]#

pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --pin 0001password -t
error: PKCS11 function C_Initialize failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.
)

# test
yubihsm-shell --connector http://192.168.7.108:12345
connect
session open 1 password
list objects 0
^c

Setting up PKI:

groupadd -r ldapgroup1
useradd -r -g  ldapgroup1 ldapuser1
grep ldap /etc/passwd /etc/group
dscreate create-template ~/ds.template.txt
sed -e 's/;root_password = .*/root_password = password/g' \
    -e 's/;suffix = .*/suffix = dc=example,dc=test/g'     \
    ~/ds.template.txt > ~/ds.template.inf
dscreate from-file ~/ds.template.inf
lsof -i :389 -i :636
dsctl -l
dsctl slapd-localhost status

alternatives --config java
*+ 1           java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.10.0.9-0.fc33.x86_64/bin/java)

virt guest

cat << EOF > ~/ca1.yubihsm2.cfg
[DEFAULT]
pki_server_database_password=password

# pki_hsm_enable=True
# pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
# pki_hsm_modulename=softhsm
# pki_token_name=Dogtag
# pki_token_password=redhat123

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/pkcs11/yubihsm_pkcs11.so
pki_hsm_modulename=yubihsm2
pki_token_name=YubiHSM
pki_token_password=0001password

[CA]
[email protected]
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=password
pki_admin_uid=caadmin

pki_client_database_password=password
pki_client_database_purge=False
pki_client_pkcs12_password=password

pki_ds_hostname=f33vm1.example.test
pki_ds_ldap_port=389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=password
pki_ds_base_dn=dc=pki,dc=example,dc=test

pki_security_domain_name=ca1hsm

pki_ca_signing_token=YubiHSM
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_token=YubiHSM
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_token=YubiHSM
pki_audit_signing_nickname=ca_audit_signing
pki_ssl_server_token=internal
pki_sslserver_token=internal
pki_sslserver_nickname=sslserver
pki_subsystem_token=YubiHSM
pki_subsystem_nickname=subsystem

EOF

# if needed
pkidestroy -s CA --force

pkispawn -f /root/ca1.yubihsm2.cfg -s CA --debug 2>&1 | tee ~/ca1.yubihsm2.pkispawn.out.txt
...
INFO: Getting sslserver cert info from CS.cfg
INFO: Getting sslserver cert info from NSS database
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmppupxfqmt/password.txt -n sslserver -a
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpp9in5_bt/password.txt
INFO: Setting up signing certificate
/usr/lib/python3.9/site-packages/urllib3/connection.py:377: SubjectAltNameWarning: Certificate for f33vm1.example.test has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is
 being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
  warnings.warn(

Installation failed:
<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76
;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Interna
l Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> org.mozilla.jss.NoSuchTokenException: No such token: YubiHSM</p><p><b>Description</b> The server encountered an unexpe
cted condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>org.jboss.resteasy.spi.UnhandledException: org.mozilla.jss.NoSuchTokenException: No such token: YubiHSM
        org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
        org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
        org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:733)


less /var/log/pki/pki-ca-spawn.20210316155334.log
2021-03-16 15:53:34 INFO: Connecting to LDAP server at ldap://f33vm1.example.test:389
2021-03-16 15:53:34 INFO: Connecting to LDAP server at ldap://f33vm1.example.test:389
2021-03-16 15:53:34 DEBUG: Installing Maven dependencies: False
2021-03-16 15:53:34 INFO: BEGIN spawning CA subsystem in pki-tomcat instance
2021-03-16 15:53:34 INFO: Loading instance: pki-tomcat
...
2021-03-16 15:53:50 DEBUG: Command: /usr/sbin/runuser -u pkiuser -- /usr/bin/env java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.redhat.fips=false org.dogtagpki.server.cli.PKIServerCLI ca-profile-import --input-folder /usr/share/pki/ca/profiles/ca --debug
2021-03-16 15:53:53 INFO: Starting server
2021-03-16 15:53:53 DEBUG: Command: systemctl start [email protected]
2021-03-16 15:53:55 INFO: FIPS mode: False
2021-03-16 15:53:56 INFO: Waiting for CA subsystem to start (1s)
2021-03-16 15:53:57 INFO: Waiting for CA subsystem to start (2s)
2021-03-16 15:54:05 INFO: Subsystem status: running
2021-03-16 15:54:05 INFO: Getting sslserver cert info from CS.cfg
2021-03-16 15:54:05 INFO: Getting sslserver cert info from NSS database
2021-03-16 15:54:05 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmppupxfqmt/password.txt -n sslserver -a
2021-03-16 15:54:06 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpp9in5_bt/password.txt
2021-03-16 15:54:06 INFO: Setting up signing certificate
(END)


and the YubiHSM is accessible to the O.S. via pkcs11-tool and modutil:

pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --pin 0001password -t
Using slot 0 with a present token (0x0)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  SHA-1: OK
Signatures (currently only for RSA)
Signatures: no private key found in this slot
Verify (currently only for RSA)
  No private key found for testing
Decryption (currently only for RSA)
No errors
[root@f33vm1 yubihsm2-sdk]#


modutil -dbdir /etc/pki/pki-tomcat/alias -rawlist
library= name="NSS Internal PKCS #11 Module" NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})" parameters="configdir=/etc/pki/pki-tomcat/alias certPrefix= keyPrefix= secmod=secmod.db flags=readOnly "

library="/usr/lib64/pkcs11/yubihsm_pkcs11.so" name="yubihsm2"


modutil -dbdir /etc/pki/pki-tomcat/alias -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.62
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. yubihsm2
        library name: /usr/lib64/pkcs11/yubihsm_pkcs11.so
           uri: pkcs11:library-manufacturer=Yubico%20(www.yubico.com);library-description=YubiHSM%20PKCS%2311%20Library;library-version=2.10
         slots: 1 slot attached
        status: loaded

         slot: YubiHSM Connector 192.168.7.108
        token: YubiHSM
          uri: pkcs11:token=YubiHSM;manufacturer=Yubico%20(www.yubico.com);serial=13200864;model=YubiHSM

  3. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: 1 slot attached
        status: loaded

         slot: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...
        token:
          uri: pkcs11:
-----------------------------------------------------------
[root@f33vm1 yubihsm2-sdk]#



certutil -L -d sql:/var/lib/pki/pki-tomcat/alias -h YubiHSM 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "YubiHSM":
[root@f33vm1 src.dir]# 


those 2 keys are from another test with the yubihsm-shell tool, so NSS can access the YubiHSM:

certutil -K -d sql:/var/lib/pki/pki-tomcat/alias -h YubiHSM
certutil: Checking token "YubiHSM" in slot "YubiHSM Connector 192.168.7.108"
Enter Password or Pin for "YubiHSM":
< 0> rsa      0401                                       label_rsa_sign
< 1> ec       0204                                       label_ecdsa_test
[root@f33vm1 src.dir]# 



./jss/org/mozilla/jss/CryptoManager.java
...  
     * Looks up the CryptoToken with the given name.  Searches all
     * loaded cryptographic modules for the token.
     *
     * @param name The name of the token.
     * @return The token.
     * @exception org.mozilla.jss.NoSuchTokenException If no token
     *  is found with the given name.
     */
    public synchronized CryptoToken getTokenByName(String name)
        throws NoSuchTokenException
    {   
        Enumeration<CryptoToken> tokens = getAllTokens();
        CryptoToken token;

        while(tokens.hasMoreElements()) {
            token = tokens.nextElement();
            try {
                if( name.equals(token.getName()) ) {
                    return token;
                }
            } catch( TokenException e ) {
                throw new RuntimeException(e);
            }
        }
        throw new NoSuchTokenException("No such token: " + name);
    }
...

tried to attach jdb with a breakpoint on getTokenByName from ./jss/org/mozilla/jss/CryptoManager.java
but could not connect at the right moment during pkispawn; there is a connection reset once, then it can connect a second time, but the application just exited on the exception,

tried several times, but could not attach:

jdb -attach 8000 -sourcepath /root/src.dir/jss/
stop at org.mozilla.jss.getTokenByName:170

(edit: ascheel June 6th, 2022 for formatting)

@robreardon

Hi,

Not sure if you ever resolved this but I encountered the same issue and managed to get past it by adding the location of the YubiHSM configuration file to /usr/share/pki/etc/pki.conf:

YUBIHSM_PKCS11_CONF=/etc/yubihsm_pkcs11.conf
export YUBIHSM_PKCS11_CONF
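The reply's fix points at why pkcs11-tool and certutil could see the token while the CA could not: the issue sets YUBIHSM_PKCS11_CONF in ~/.bashrc, which only the interactive root shell inherits, whereas the JVM that systemd starts as pkiuser has no such variable, and the issue's own "FAIL example" shows that the module then fails in C_Initialize, at which point JSS has no YubiHSM token to find. The check below is an added example, not code from this issue or from the pki project. It assumes the environment file is read as shell-style `NAME=value` / `export NAME` lines (the form of the two lines in the reply) and exercises the check against constructed sample files in a temporary directory instead of the real /usr/share/pki/etc/pki.conf; the connector address is copied from the issue's configuration.

```shell
#!/bin/sh
# Added diagnostic (not from the issue or the pki project): verify that a
# service-side environment file exports YUBIHSM_PKCS11_CONF and that the file
# it names is readable and configures a connector. On a real host pass
# /usr/share/pki/etc/pki.conf; the paths used below are constructed samples.

# check_yubihsm_pki_env FILE
#   FILE is a shell-style environment file (NAME=value / export NAME lines).
#   Prints findings; returns 0 when every check passes, 1 otherwise.
check_yubihsm_pki_env() {
    env_file="$1"
    if [ ! -r "$env_file" ]; then
        echo "FAIL: cannot read environment file $env_file"
        return 1
    fi

    # Accept "YUBIHSM_PKCS11_CONF=/path" and "export YUBIHSM_PKCS11_CONF=/path";
    # the last assignment wins and surrounding quotes are stripped.
    conf_path=$(sed -n 's/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}YUBIHSM_PKCS11_CONF=//p' "$env_file" \
                | tail -n 1 | tr -d "'\"")
    if [ -z "$conf_path" ]; then
        echo "FAIL: YUBIHSM_PKCS11_CONF is not set in $env_file"
        echo "      (a value in ~/.bashrc reaches interactive shells only, not the pki-tomcat service)"
        return 1
    fi

    # The variable must also be exported, or the PKCS#11 module loaded by the JVM never sees it.
    if ! grep -Eq '^[[:space:]]*export[[:space:]]+YUBIHSM_PKCS11_CONF(=|[[:space:]]|$)' "$env_file"; then
        echo "FAIL: YUBIHSM_PKCS11_CONF is assigned but never exported in $env_file"
        return 1
    fi

    if [ ! -r "$conf_path" ]; then
        echo "FAIL: YUBIHSM_PKCS11_CONF points to $conf_path, which is missing or unreadable"
        return 1
    fi

    # The module config needs a connector line; comment lines and bare flags such as "debug" are ignored.
    connector=$(sed -n 's/^[[:space:]]*connector[[:space:]]*=[[:space:]]*//p' "$conf_path" | tail -n 1)
    if [ -z "$connector" ]; then
        echo "FAIL: no 'connector = URL' line in $conf_path"
        return 1
    fi

    echo "OK: $env_file exports YUBIHSM_PKCS11_CONF=$conf_path (connector $connector)"
    return 0
}

# Constructed samples: one module config and three environment files
# (good, assigned-but-not-exported, exported-but-pointing-at-a-missing-file),
# so the check can be exercised without a YubiHSM attached.
SAMPLE_DIR=$(mktemp -d)
MODULE_CONF="$SAMPLE_DIR/yubihsm_pkcs11.conf"
GOOD_ENV="$SAMPLE_DIR/pki.conf.good"
NOEXPORT_ENV="$SAMPLE_DIR/pki.conf.noexport"
MISSING_ENV="$SAMPLE_DIR/pki.conf.missing"

cat > "$MODULE_CONF" <<EOF
# constructed sample, same layout as the issue's /etc/yubico/yubihsm_pkcs11.conf
connector = http://192.168.7.108:12345
debug
debug-file = /var/tmp/yubihsm_pkcs11_debug
EOF

# Good: the two lines from the reply, with the sample path substituted.
cat > "$GOOD_ENV" <<EOF
YUBIHSM_PKCS11_CONF=$MODULE_CONF
export YUBIHSM_PKCS11_CONF
EOF

# Assigned but never exported: a child process (the JVM) would not inherit it.
cat > "$NOEXPORT_ENV" <<EOF
YUBIHSM_PKCS11_CONF=$MODULE_CONF
EOF

# Exported, but the file it names does not exist (the issue's "missing config file" case).
cat > "$MISSING_ENV" <<EOF
export YUBIHSM_PKCS11_CONF=$SAMPLE_DIR/not-there.conf
EOF

for f in "$GOOD_ENV" "$NOEXPORT_ENV" "$MISSING_ENV"; do
    if check_yubihsm_pki_env "$f"; then status=pass; else status=fail; fi
    echo "=> $f: $status"
done
```

Run it as the same user the CA service uses (pkiuser in the logs above) so that the readability checks reflect that user's permissions rather than root's; SELinux labels, which the issue sets with chcon, are not covered by this check.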
