Bug 167197

Summary: private key certificate
Product: [Fedora] Fedora
Reporter: Jorge I. Davila L. <davila>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 3
CC: riel, tmraz
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-08-31 22:27:17 UTC

Description Jorge I. Davila L. 2005-08-31 14:44:21 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc3 Firefox/1.0.6

Description of problem:
I'm running Fedora Core 3 inside a Xen virtual machine. After working fine for at least 2 months, openssl is failing to sign certificates. Openssl appears to be unable to read the private key of the certification authority.

Version-Release number of selected component (if applicable):
openssl-0.9.7a-42.1

How reproducible:
Always

Steps to Reproduce:
At this point I don't know the source of the problem or how to reproduce it; openssl simply became unable to read the private key of the certification authority.
  

Actual Results:
#> openssl rsa -in /usr/local/OpenCA/NiagaraCA/var/crypto/keys/cakey.pem -text -noout
Enter pass phrase for /usr/local/OpenCA/NiagaraCA/var/crypto/keys/cakey.pem:
unable to load Private Key
4821:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:
4821:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:

Expected Results:  A new certificate.

Additional info:

The system is in a xen virtual machine.

Comment 1 Tomas Mraz 2005-08-31 14:49:33 UTC
Sorry, this doesn't belong to OpenSSL; I'm reassigning it to Xen. However, it
could most probably be a hardware problem or admin error.


Comment 2 Jorge I. Davila L. 2005-08-31 14:55:01 UTC
Uhm... I tried reading the private key on other boxes with the same result, and
searching on Google, other people have reported the error with no references to Xen.

Comment 3 Rik van Riel 2005-08-31 15:04:58 UTC
If the bug also happens without Xen, it is probably an openssl issue.

If the bug does not happen with Xen on another computer, it could be a memory
corruption issue.

If the bug only happens under Xen, regardless of hardware, it's probably a Xen bug.

Jorge, could you please try running the same openssl command on another
computer, and/or without Xen, to try reproducing the problem?

Comment 4 Jorge I. Davila L. 2005-08-31 15:12:56 UTC
The openssl command was executed on two other boxes without Xen and I received
the same error:

# openssl rsa -in cakey.pem -out keyout.pem
Enter pass phrase for cakey.pem:
unable to load Private Key
6755:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:
6755:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:

The error is critical for me because there are several boxes that use
certificates emitted by the Certification Authority and I'm unable to do my work
because of this error.

Comment 5 Tomas Mraz 2005-08-31 15:27:52 UTC
The problem is that the private key most probably got corrupted somehow. Do you
have a backup? You should.

Xen could be the culprit if you used the key only from the Xen virtual
machine when it got corrupted.

But it's now very hard to say what corrupted the key.

Does the cakey.pem file look normal?

And are you sure you just didn't forget the passphrase?


Comment 6 Jorge I. Davila L. 2005-08-31 15:40:13 UTC
I have a backup. Doing a diff of the file in the backup against the file in the
Xen virtual machine I obtain:

# diff cakey.pem backup_cakey.pem -s
Files cakey.pem and backup_cakey.pem are identical

The passphrase is OK. I'm pretty sure that I didn't lose the passphrase.

Comment 7 Tomas Mraz 2005-08-31 15:57:08 UTC
Could you try to downgrade openssl to the version from the FC-3 vanilla (not
updated) - openssl-0.9.7a-40? Of course this could be the culprit only if it
stopped working just after the upgrade from updates.

If the downgrade doesn't help I think that the problem is surely with the
passphrase.


Comment 8 Jorge I. Davila L. 2005-08-31 16:35:47 UTC
The downgrade does not work ... but the problem is not the passphrase. Well, I
can sign the request but I can generate a new certificate.

Comment 9 Jorge I. Davila L. 2005-08-31 16:47:55 UTC
sorry .. I can NOT generate a new cert but I CAN generate the certificate request.

Comment 10 Tomas Mraz 2005-08-31 17:10:07 UTC
By "The downgrade does not work" you mean that you downgraded OpenSSL and it
didn't help? If so then it is certainly a problem with the passphrase or both your
cakey.pem and backup are corrupted. There is simply no other possibility.

Certificate request generation works because it doesn't use the CA private key.


Comment 11 Jorge I. Davila L. 2005-08-31 17:42:50 UTC
I don't have any reason to bring myself into a bad situation.

Comment 12 Jorge I. Davila L. 2005-08-31 18:30:44 UTC
I don't have any reason to bring myself into a bad situation.

Comment 13 Tomas Mraz 2005-08-31 22:27:17 UTC
I'm sorry but there is simply no way it could be OpenSSL's fault if:

1. Downgrade didn't help.
2. Backup is from the time when it worked fine and is identical to the current key.
3. The key doesn't work on other machines.

The only non sci-fi reasons remaining are:
1. bad passphrase because you forgot it
2. bad passphrase because some evil attacker replaced both your key and your
backup with a different key


Comment 14 Jorge I. Davila L. 2005-08-31 22:32:47 UTC
This post elsewhere hits on the same point:

http://openvpn.net/archive/openvpn-users/2005-07/msg00149.html

Comment 15 Tomas Mraz 2005-09-01 05:52:52 UTC
This is an absolutely unrelated problem with openssl misconfiguration, sorry.


Comment 16 Jorge I. Davila L. 2005-09-02 02:43:08 UTC
It was a forgotten password. I'm very embarrassed. Thanks for your help.
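
The elimination the thread walks through (does the key load, is it byte-identical to the backup, and if so is the passphrase the remaining suspect) can be scripted. This is an added example, not part of the original bug report or of OpenSSL; the function names, verdict strings, file names and passphrases are constructed for the demo, and the backup is assumed to date from when the key still worked.

```shell
#!/bin/sh
# Added example: triage for "bad decrypt" on a passphrase-protected PEM key.
# Function names, verdict strings, file names and passphrases are constructed.

# classify_key KEY BACKUP PASSPHRASE -> prints a verdict on stdout
classify_key() {
    # The passphrase travels in the environment, not argv, so ps does not show it.
    if KEYPASS=$3 openssl rsa -in "$1" -passin env:KEYPASS -noout 2>/dev/null; then
        echo "ok"
    elif ! cmp -s "$1" "$2"; then
        # Live key no longer matches the known-good copy: damage or replacement.
        echo "key-differs-from-backup"
    else
        # Byte-identical to a backup that used to work, so the file is intact
        # and the passphrase being typed is the remaining suspect.
        echo "passphrase-mismatch"
    fi
}

# make_demo_keys DIR: constructed CA key, its backup, and a truncated copy
make_demo_keys() {
    KEYPASS='correct horse' openssl genrsa -aes256 -passout env:KEYPASS \
        -out "$1/cakey.pem" 2048 2>/dev/null &&
    cp "$1/cakey.pem" "$1/backup_cakey.pem" &&
    head -n 8 "$1/cakey.pem" > "$1/damaged_cakey.pem"
}

demo() {
    d=$(mktemp -d) && make_demo_keys "$d" || return 1
    classify_key "$d/cakey.pem" "$d/backup_cakey.pem" 'correct horse'
    classify_key "$d/cakey.pem" "$d/backup_cakey.pem" 'Correct horse'
    classify_key "$d/damaged_cakey.pem" "$d/backup_cakey.pem" 'correct horse'
    rm -rf "$d"
}
demo
```

A `passphrase-mismatch` verdict on every machine and every OpenSSL version, as in this report, points at the passphrase and not at the library or the hypervisor.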