Bug 1092913
| Summary: | The default nss database created by ipsec can not be used | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Patrik Kis <pkis> |
| Component: | openswan | Assignee: | Paul Wouters <pwouters> |
| Status: | CLOSED ERRATA | QA Contact: | Aleš Mareček <amarecek> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.5 | CC: | amarecek, eparis, jaster, pwouters |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-10-14 08:19:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Ok, the following snippet of code should be added to the spec file in the %post section:
```shell
# Only on first install: create the NSS database if pluto has not yet made one
if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
    # Temporary file holding the (empty) database password; fall back to a
    # PID-named file if mktemp fails
    TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
    [ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
    echo > ${TEMPFILE}
    # Initialise cert8.db/key3.db/secmod.db, reading the empty password from TEMPFILE
    certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
    # Restore SELinux labels on the new files; ignore failure (e.g. SELinux disabled)
    restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
    rm -f ${TEMPFILE}
fi
```
I can confirm it. The problem is that the bug was fixed in the spec file only, so after installing openswan the db files are OK, but if you remove the db files and openswan is restarted, broken files are created.

This is now fixed within the _plutorun script with the new "ipsec --checknss" option.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1588.html
Description of problem:
Openswan created a clean NSS database at the first ipsec daemon start, but the database can not be used, and it needs to be recreated by certutil. This should be working out of the box.

Version-Release number of selected component (if applicable):
openswan-2.6.32-27.3.el6_5

How reproducible:
always

Steps to Reproduce:
```
[root@rhel6 ~]# rpm -q openswan
openswan-2.6.32-27.3.el6_5.x86_64
[root@rhel6 ~]#
[root@rhel6 ~]# ls -la /etc/ipsec.d/
total 12
drwx------.  3 root root 4096 Apr 30 10:46 .
drwxr-xr-x. 82 root root 4096 Apr 30 10:46 ..
drwx------.  2 root root 4096 Apr 30 10:46 policies
[root@rhel6 ~]#
[root@rhel6 ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-431.1.2.el6.x86_64...
ipsec_setup: multiple ip addresses, using 192.168.100.60 on eth0
[root@rhel6 ~]# ls -la /etc/ipsec.d/
total 72
drwx------.  3 root root  4096 Apr 30 10:47 .
drwxr-xr-x. 82 root root  4096 Apr 30 10:46 ..
-rw-------.  1 root root 65536 Apr 30 10:47 cert8.db
-rw-------.  1 root root 16384 Apr 30 10:47 key3.db
drwx------.  2 root root  4096 Apr 30 10:46 policies
-rw-------.  1 root root 16384 Apr 30 10:47 secmod.db
[root@rhel6 ~]#
[root@rhel6 ~]# certutil -K -d /etc/ipsec.d/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
[root@rhel6 ~]#
[root@rhel6 ~]# ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.secrets --bits 4096 --random /dev/urandom
ipsec rsasigkey: key pair generation failed: "-8037"
[root@rhel6 ~]#
[root@rhel6 ~]# ipsec showhostkey --list
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
ipsec showhostkey "/etc/ipsec.secrets" line 2: Modulus keyword not found where expected in RSA key
[root@rhel6 ~]# cat /etc/ipsec.secrets
: RSA {
  }
# do not change the indenting of that "}"
[root@rhel6 ~]#
[root@rhel6 ~]# rm -f /etc/ipsec.d/cert8.db
[root@rhel6 ~]# certutil -N -d /etc/ipsec.d/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root@rhel6 ~]# certutil -K -d /etc/ipsec.d/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: no keys found
[root@rhel6 ~]#
[root@rhel6 ~]# ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.secrets --bits 4096 --random /dev/urandom
Generated RSA key pair using the NSS database
[root@rhel6 ~]# certutil -K -d /etc/ipsec.d/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      5e288cf023374b156566945386a5f803c2fe2835   (orphan)
[root@rhel6 ~]# certutil -L -d /etc/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

[root@rhel6 ~]# ipsec showhostkey --list
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
1(1): RSA keyid: AQOy2WVqU with id: (none)
1(2): RSA keyid: AQOy2WVqU with id: (none)
[root@rhel6 ~]#
```

Actual results:
New keys can not be created.

Expected results:
New keys should be created.
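The check that the comment thread describes (verify that the NSS database in /etc/ipsec.d can actually be opened with the empty password the %post snippet sets, and recreate it when it cannot, so that a database deleted after installation does not come back broken) written as a stand-alone POSIX shell script. This is an added example, not the openswan _plutorun script, the `ipsec --checknss` implementation or the spec file; the function names, the return codes, the `dbm:` prefix (selecting the cert8.db/key3.db/secmod.db format the report shows) and `NSSDIR_DEFAULT` are assumptions. It distinguishes the report's failure ("could not authenticate to token ... SEC_ERROR_IO") from a healthy but empty database ("no keys found"), which `certutil -K` also reports with a non-zero exit status.

```shell
#!/bin/sh
# Added example, not openswan's _plutorun / "ipsec --checknss" or the spec file:
# verify that the legacy (dbm) NSS database in an ipsec.d directory opens with
# the empty password the %post snippet sets, and recreate it when it does not.
# Function names, return codes and NSSDIR_DEFAULT are assumptions.

NSSDIR_DEFAULT=/etc/ipsec.d

# check_nss_db DIR
#   0 = cert8.db/key3.db/secmod.db present and the token opens with an empty password
#   1 = one or more of the three database files is missing
#   2 = certutil unavailable (or no temp file), so nothing could be verified
#   3 = files present but the token cannot be authenticated: the symptom in the
#       report ("could not authenticate to token ... SEC_ERROR_IO")
check_nss_db() {
    dir=${1:-$NSSDIR_DEFAULT}
    for f in cert8.db key3.db secmod.db; do
        [ -f "$dir/$f" ] || return 1
    done
    command -v certutil >/dev/null 2>&1 || return 2
    pw=$(mktemp "$dir/nsspw.XXXXXXX") || return 2
    : > "$pw"                                   # empty password file, as in the spec snippet
    out=$(certutil -K -d "dbm:$dir" -f "$pw" 2>&1); st=$?
    rm -f "$pw"
    if [ "$st" -eq 0 ]; then
        return 0                                # authenticated and listed at least one key
    fi
    case $out in
        *"no keys found"*) return 0 ;;          # authenticated; the database is simply empty
        *)                 return 3 ;;          # SEC_ERROR_IO, wrong password, corrupt files
    esac
}

# recreate_nss_db DIR
# Remove the three database files and initialise a fresh dbm database with an
# empty password, then re-apply the 0700/0600 root-only permissions and the
# SELinux labels that the directory listing in the report shows.
recreate_nss_db() {
    dir=${1:-$NSSDIR_DEFAULT}
    command -v certutil >/dev/null 2>&1 || return 2
    mkdir -p "$dir" || return 2
    chmod 0700 "$dir"
    rm -f "$dir/cert8.db" "$dir/key3.db" "$dir/secmod.db"
    pw=$(mktemp "$dir/nsspw.XXXXXXX") || return 2
    : > "$pw"
    certutil -N -d "dbm:$dir" -f "$pw" >/dev/null 2>&1; st=$?
    rm -f "$pw"
    [ "$st" -eq 0 ] || return 3
    chmod 0600 "$dir"/*.db
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$dir"/*.db 2>/dev/null || :
    fi
    return 0
}

# report_nss_db DIR: one-line verdict for an operator; exit status as check_nss_db.
report_nss_db() {
    dir=${1:-$NSSDIR_DEFAULT}
    check_nss_db "$dir"; st=$?
    case $st in
        0) echo "$dir: NSS database is usable" ;;
        1) echo "$dir: NSS database files are missing" ;;
        2) echo "$dir: certutil not available, nothing verified" ;;
        *) echo "$dir: NSS database present but cannot be authenticated; recreate it" ;;
    esac
    return $st
}

# Stand-alone use: sh checknss.sh /etc/ipsec.d
if [ "$#" -gt 0 ]; then
    report_nss_db "$1"
fi
```

Because the database is created with an empty password, the private host key it will hold is protected only by the file permissions and SELinux labels, which is why `recreate_nss_db` re-applies the `drwx------` / `-rw-------` root ownership seen in the report's listing and runs `restorecon`, exactly as the spec snippet does. Running `report_nss_db` from a startup hook before the daemon generates keys gives the same effect the thread attributes to `ipsec --checknss`: a missing or unauthenticatable database is detected before `ipsec newhostkey` fails with error `-8037`.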