Bug 2167138

Summary: NSS should generate descriptive error at install when trying to add a softhsm module fails
Product: Red Hat Enterprise Linux 9
Reporter: Gilbert Kimetto <gkimetto>
Component: nss
Assignee: Bob Relyea <rrelyea>
Status: NEW
QA Contact: Alexander Sosedkin <asosedki>
Severity: unspecified
Priority: low
Version: 9.2
CC: edewata, hkario, rrelyea
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Gilbert Kimetto 2023-02-05 04:50:32 UTC
Description of problem:

NSS should generate a more descriptive error message, e.g. "Module already exists"?, instead of the generic "Unknown PKCS #11 error." when running the pkispawn command and it's trying to add the softhsm module.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
[ + ] Set up the repos
      ----------------
      vi /etc/yum.repos.d/rh92.repo

[ + ] Install necessary packages
      yum install vim wget 389-ds-base

[ + ] Set hostname and /etc/hosts
      hostnamectl hostname pki1.example.com
      vim /etc/hosts

      yum install pki-ca pki-kra
      yum install softhsm

[ + ] Verify that NSS recognizes the library: 
      ---------------------------------------
 
      ll  /usr/lib64/pkcs11/libsofthsm2.so

-rwxr-xr-x. 1 root root 962472 Aug 10  2021 /usr/lib64/pkcs11/libsofthsm2.so

[ + ] Check for SoftHSM library name: p11-kit-proxy.so
      -----------------------------------------------

   modutil -nocertdb -list

[ + ] Grant Permissions to PKI System User
      ------------------------------
      usermod pkiuser -a -G ods
      chmod 755 /var/lib/softhsm
      chmod 1777 /var/lib/softhsm/tokens

[ + ] List SoftHSM tokens for the current user:
      ------------------------------
      runuser -u pkiuser -- softhsm2-util --show-slots
      --> Verify the only token has a blank label

[ + ] Create a SoftHSM token for the current user:
      ------------------------------
      runuser -u pkiuser -- softhsm2-util --init-token --label HSM --so-pin SECret.123 --pin SECret.123 --free

Slot 0 has a free/uninitialized token.
The token has been initialized and is reassigned to slot 334664273

[ + ] Check tokens
      ------------------------------
      runuser -u pkiuser -- softhsm2-util --show-slots

You should now have one with the label HSM


[ + ] Install Directory Server (interactive mode)
      ===========================================
      dscreate interactive

Enter system's hostname [pki1.example.com]: 

Enter the instance name [pki1]: 

Enter port number [389]: 

Create self-signed certificate database [yes]: 

Enter secure port number [636]: 

Enter Directory Manager DN [cn=Directory Manager]: 

Enter the Directory Manager password: 
Confirm the Directory Manager Password: 

Enter the database suffix (or enter "none" to skip) [dc=pki1,dc=example,dc=com]: 

Create sample entries in the suffix [no]: yes

Do you want to start the instance after the installation? [yes]: 

Are you ready to install? [no]: yes
Starting installation ...
Validate installation settings ...
Create file system structures ...
Create self-signed certificate database ...
Perform SELinux labeling ...
Create database backend: dc=pki1,dc=example,dc=com ...
Perform post-installation tasks ...
Completed installation for instance: slapd-pki1


# dsctl `dsctl -l` status
Instance "pki1" is running

[ + ] Create CA config file as follows:
      ------------------------------

[DEFAULT]
pki_server_database_password=SECret.123

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
pki_hsm_modulename=softhsm
pki_token_name=HSM
pki_token_password=SECret.123

[CA]
pki_admin_email=caadmin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=SECret.123
pki_admin_uid=caadmin

pki_client_pkcs12_password=SECret.123

pki_ds_base_dn=dc=ca,dc=pki1,dc=example,dc=com
pki_ds_database=pki1
pki_ds_password=SECret.123

pki_security_domain_name=example.com

pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_sslserver_nickname=sslserver/pki.example.com
pki_subsystem_nickname=subsystem


Execute pkispawn command:
--------------------------

[root@gk-soft-hsm-92 ~]# pkispawn -f ca_enda.cfg -s CA -D pki_ds_hostname=pki1.example.com -D pki_ds_ldap_port=389 -D pki_hsm_enable=True -D pki_token_name=HSM -D pki_token_password=SECret.123 -D pki_server_database_password=SECret.123 -D pki_ca_signing_token=HSM -D pki_ocsp_signing_token=HSM -D pki_audit_signing_token=HSM -D pki_subsystem_token=HSM -D pki_sslserver_token=internal -D pki_cert_id_generator=random -D pki_request_id_generator=random -v
Actual results:

pkispawn fails with a generic error that could be more descriptive:
INFO: Output: library= name="NSS Internal PKCS #11 Module" NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})" parameters="configdir=/etc/pki/pki-tomcat/alias certPrefix= keyPrefix= secmod=secmod.db flags=readOnly "
INFO: Adding module softhsm: /usr/lib64/pkcs11/libsofthsm2.so
ERROR: Failed to add module "softhsm". Probable cause : "Unknown PKCS #11 error.".
ERROR: CalledProcessError: Command '['modutil', '-dbdir', '/etc/pki/pki-tomcat/alias', '-nocertdb', '-add', 'softhsm', '-libfile', '/usr/lib64/pkcs11/libsofthsm2.so', '-force']' returned non-zero exit status 22.
  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 589, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 105, in spawn
    nssdb.add_module(
  File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 521, in add_module
    self.run(
  File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 259, in run
    result = subprocess.run(
  File "/usr/lib64/python3.9/subprocess.py", line 528, in run
    raise CalledProcessError(retcode, process.args,


Installation failed: Command failed: modutil -dbdir /etc/pki/pki-tomcat/alias -nocertdb -add softhsm -libfile /usr/lib64/pkcs11/libsofthsm2.so -force
[root@gk-soft-hsm-92 ~]#

Expected results:

Expected a more descriptive message like: "Module already exists"?

If you run the command manually you get a warning about potentially conflicting with p11-kit-proxy:

WARNING: Manually adding a module while p11-kit is enabled could cause
duplicate module registration in your security database. It is suggested 
to configure the module through p11-kit configuration file instead.

I don't know why it returns a generic PKCS11 error. It can be hard inside of NSS to bubble up the right error message at times.


Additional info:

Comment 1 Endi Sukma Dewata 2023-02-06 15:28:22 UTC
Moving to NSS component. The test can be simplified into:

1. Install SoftHSM
2. Create an NSS database
3. Run modutil -dbdir <NSS database> -nocertdb -add softhsm -libfile /usr/lib64/pkcs11/libsofthsm2.so -force

So it's not necessary to install DS or PKI.
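A caller-side pre-check of the kind the report asks for, added here as an illustration; it is not code from pki/nssdb.py, pkispawn or NSS. Before running `modutil -add`, it parses the output of `modutil -dbdir <NSS database> -nocertdb -list` (the command from the simplified test above) and reports a duplicate module name or an already-registered library path as "Module already exists", and warns when p11-kit-proxy is registered, which is the conflict the manual run warns about. The list layout it parses (a numbered `N. <name>` line followed by an indented `library name: <path>` line), the sample listing, and the names `ModuleAlreadyExists`, `check_before_add` and `add_module` are assumptions of this example, not values from the page.

```python
"""Pre-flight duplicate check before `modutil -add`, so a collision is reported
descriptively instead of surfacing only as NSS's generic "Unknown PKCS #11 error."

Added example for this bug report; not code from pki/nssdb.py or NSS. The
`modutil -list` layout parsed here is assumed from modutil's usual output."""
import re
import subprocess

# A module entry starts with "  N. <module name>"; external modules then carry
# an indented "library name: <path>" line (assumed layout).
MODULE_RE = re.compile(r"^\s*(\d+)\.\s+(.+?)\s*$")
LIBNAME_RE = re.compile(r"^\s*library name:\s*(\S+)\s*$")


class ModuleAlreadyExists(Exception):
    """Raised instead of a bare CalledProcessError when the module is already registered."""


def parse_module_list(output):
    """Return [(module_name, library_path_or_None), ...] from `modutil -list` text."""
    modules = []
    for line in output.splitlines():
        m = MODULE_RE.match(line)
        if m:
            modules.append([m.group(2), None])
            continue
        lib = LIBNAME_RE.match(line)
        if lib and modules:
            modules[-1][1] = lib.group(1)   # attach the path to the current module
    return [tuple(entry) for entry in modules]


def check_before_add(list_output, name, libfile):
    """Explain why `modutil -add name -libfile libfile` would collide.

    Returns ("error", message) for a definite duplicate (same module name, or the
    same library already registered under another name), ("warning", message) when
    p11-kit-proxy is loaded and may already expose the library, or None."""
    modules = parse_module_list(list_output)
    for mod_name, mod_lib in modules:
        if mod_name == name:
            return ("error", f'Module "{name}" already exists in this database')
        if mod_lib == libfile:
            return ("error", f'Library {libfile} is already registered as module "{mod_name}"')
    for mod_name, mod_lib in modules:
        if mod_lib and "p11-kit-proxy" in mod_lib:
            return ("warning", "p11-kit-proxy is registered; the library may already be "
                               "available through p11-kit, adding it again may duplicate it")
    return None


def add_module(dbdir, name, libfile, run=subprocess.run):
    """modutil wrapper that raises ModuleAlreadyExists on a known duplicate.

    `run` is injectable so the logic can be exercised without modutil installed."""
    listing = run(["modutil", "-dbdir", dbdir, "-nocertdb", "-list"],
                  capture_output=True, text=True, check=True).stdout
    verdict = check_before_add(listing, name, libfile)
    if verdict and verdict[0] == "error":
        raise ModuleAlreadyExists(verdict[1])
    if verdict:
        print("WARNING:", verdict[1])
    run(["modutil", "-dbdir", dbdir, "-nocertdb", "-add", name,
         "-libfile", libfile, "-force"], check=True)


# Constructed sample of `modutil -nocertdb -list` output, not captured from the
# reporter's system: softhsm is already registered, and p11-kit-proxy is loaded.
SAMPLE_LIST = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

  2. p11-kit-proxy
    library name: p11-kit-proxy.so
     slots: 1 slot attached
    status: loaded

  3. softhsm
    library name: /usr/lib64/pkcs11/libsofthsm2.so
     slots: 1 slot attached
    status: loaded
-----------------------------------------------------------
"""

if __name__ == "__main__":
    print(check_before_add(SAMPLE_LIST, "softhsm", "/usr/lib64/pkcs11/libsofthsm2.so"))
```

Against the sample listing, adding `softhsm` again yields the descriptive error the reporter expected; adding an unknown module while p11-kit-proxy is registered yields only a warning, mirroring the manual `modutil` run.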