Bug 505200

Summary: scep enrollment : cisco asa 5510 not working when ca is connected to nethsm
Product: [Retired] Dogtag Certificate System
Reporter: Chandrasekar Kannan <ckannan>
Component: SCEP
Assignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: urgent
Version: unspecified
CC: benl, cfu, jgalipea, jmagne
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-02-24 17:32:35 UTC
Bug Blocks: 443788

Description Chandrasekar Kannan 2009-06-10 23:31:55 UTC
steps to reproduce:

Follow these steps on the Cisco ASA 5510 to perform a SCEP enrollment:

enable 
conf t
crypto key generate rsa 
crypto ca trustpoint Main
  enrollment url http://10.14.1.151/ca/cgi-bin
  crl optional
  exit
crypto ca authenticate Main
crypto ca enroll Main [ prompts you for password ]
show crypto ca certificate Main

enable flatfile.txt on /var/lib/pki-ca/conf/flatfile.txt

CA throws an exception ...

[10/Jun/2009:14:49:46][http-9180-Processor25]: com.netscape.cms.servlet.filter.PassThroughRequestFilter: Excluding filtering on servlet called '/cgi-bin/pkiclient.exe'!
[10/Jun/2009:14:49:46][http-9180-Processor25]: operation=PKIOperation
[10/Jun/2009:14:49:46][http-9180-Processor25]: message=MIIJjQYJKoZIhvcNAQcCoIIJfjCCCXoCAQExDjAMBggqhkiG9w0CBQUAMIIEgAYJ
KoZIhvcNAQcBoIIEcQSCBG0wggRpBgkqhkiG9w0BBwOgggRaMIIEVgIBADGCAWEw
ggFdAgEAMEUwQDEeMBwGA1UEChMVRHNkZXZTamNSZWRoYXQgRG9tYWluMR4wHAYD
VQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkCAQEwDQYJKoZIhvcNAQEBBQAEggEA
IMOtYUplaIITMIFsJkjG1+hs5hvJmOeSneCGFM9Tb7/Ttcxx903Wq5ulPPUqi82q
rid3lVp4LgxzYZ5PJasjRPVbU+3QFDFmxX8+9NIhBa8LxT3qRPjiLKteO1I89beE
GgbFlQxa9sww/d5CnyPQB5LAJuP4OnEPgc0yYRUQD32ZBYtG5ODFcfe2DAQx2ckg
CGa2oHYb6yNDymHra4cS+LkBHjM5r2xO90BfOvKBMsVm/Afkzr6dvt38efaU+32i
p3XfwTHnATox0U4CNnKnjXZt+KtLKGZs6c0NdMKRHwJkMIxNgQ080HSVkKK3A/o+
+NF0QjDklx997GqvJX9UgDCCAuoGCSqGSIb3DQEHATARBgUrDgMCBwQIYhA4BMgL
uvmAggLI/6A+4DSAXQ+q2v/9SYHBnQ/lJufyBAZcQplXRCmqg9c3EdsTLFlObR8L
ndlkM5/+SQWMLiCkw7RH7xTVROM0LZm0i5/bVMGiYEow79/kNm5ycZpKS+gkfwUw
UWKMeqkMcr5N1Ceee/U51zxdS8axgbbBeXdA4Z5aolJedvJCfCCTaypwOA6NeoMZ
/PIaOD6/z8+q329F16TjHkEZrChX4VQIh6flyNNEM+wvTT4OVv1xUFzKHgYt5Asq
TdXPSCwRwzMkpwlnwH/SH9i1zsKguBXwP72ERyiNTcCMyXaClqsR5HDENJSMi4Uo
ynGsciettonelgwxp+jDdYevHLzNmQiPO76nMZAjwDql2eTmZWzUOJijpW1/qwgy
LFbSjD0Xwh0aDWH1pxtQbUYrgjgIXqTw4gD6/wY5g3AEbmMPSyLRWYehtsAZgXvY
RfwaZ3RYyZjNFVi9JtR+7bT4nJ4zv44txKfzEqsAIyE5ZQ/A3hnnAMW+1/LWm1Wi
yG5lBdwXTyYYgr5CE99vTpbZw2qxgH+DqKdo5C2qiaycudVCa76kRlaZ1fyVmpdC
hXvJtHV3diCKcxYjfS5Plu7OS4kqHtDXYKuX0uZ/SzO0riN0aZnU/IYqk7Pfw0tx
ETo7VpYBvpF92MyTUsRetLOYsx26PluX/CkxKjDpn3RmQUzB2OxxNNXGDWgF8+NW
f4OV2Hzhnl+edLIF40MMscPNvBt25xW48LzVq6Tyu/xQAPvVKX4mJ9tRuAs35gJ3
ZnVXw5CKgV3ABfdYYD6k7F2XxM6J5zo/OkWhV1sfyUbW/4Ser8ncCXZ+fV2cQU0G
qfdbfAewnaGlHVR5Q8PRh8amcRvgfy3NJ4NAuXWuo12wiA15FwqXYbViJGFlTVp2
dKqQ3ir+YH6wjEJ/APuYSX5/NRLBqHzFEzVcYB0X2mcmKUxjRRxKj5SooYSD9KCC
As4wggLKMIIBsqADAgECAiAyY2QwOTc3OGYzNmM4NWFiMjBjMzdmYjQ0ZmNjMzE2
YTANBgkqhkiG9w0BAQQFADAZMRcwFQYJKoZIhvcNAQkCFghjaXNjb3ZwbjAeFw0w
OTA2MTAyMjQ1MDNaFw0xOTA2MDgyMjQ1MDNaMBkxFzAVBgkqhkiG9w0BCQIWCGNp
c2NvdnBuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArtQzjlRHNESM
Lyen6urNdwHahS1t7FzVAUHz9wo0jdtcsEnmfqtAm3wIUjWPgvPYRRQz5Wj9v+5k
kw3+mpHyX404Lj7TcCiQ49dBmlSGRYXDwp0JDXk+YZk1F3KyOddmarXAruX6j6yR
wG31EzRGo9rbQu4IRgm3ElOnoLOPCem5tve8UZLNKwZQndBzNnLlHmjXHiilzGCq
4Byrssi5WLSRuDVAPmLbLHKDHRKyqdgAxwYK7vQCK4jK8MiS667rUNutwlWFiVFv
OIrZkDC52Gka0sWB4cz7oBM0RTbWUVswyz/XCRSCReu6z6oW6VWFiR/djky/NuuH
xkpCi0THZQIDAQABMA0GCSqGSIb3DQEBBAUAA4IBAQCfNvQfmSOqIbN/SQzHE2pm
1clPrY1UFWCWJM0I5V1bZ5bKarnTkQ8bcqQoZOTHjpAzlxbK14jouhEFcfUT9lgg
59O3sYfQthKZcOUy9DGlQ8ukHPYVHQD7IU2MtmIkCncr/CQdgj/9CjAz2Jao/4/P
itfTg/9DqT2bkwOGuOWP9bLVJrsrAH6XEP9GQJY84lkL5LAzWxC4sejXQ3pq+SGF
RQVbd0qOiIN6QyQy97ZkIKkpqWwH/0GDVxPQNZCcVbIfeq/miwU8aNZvDMtpd4me
viLLWDhWkn3IAYHV/Ra5JZ5O0WT8sK2rvH+aOR8D+ggKk8UceSYZ+Vj+3t4aIV5c
MYICDTCCAgkCAQEwPTAZMRcwFQYJKoZIhvcNAQkCFghjaXNjb3ZwbgIgMmNkMDk3
NzhmMzZjODVhYjIwYzM3ZmI0NGZjYzMxNmEwDAYIKoZIhvcNAgUFAKCBozASBgpg
hkgBhvhFAQkCMQQTAjE5MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHwYJKoZI
hvcNAQkEMRIEEJDIAkKFBN/Le97GSbvYu2UwIAYKYIZIAYb4RQEJBTESBBCyq8OO
uta2h8o48Tn0cY1LMDAGCmCGSAGG+EUBCQcxIhMgMmNkMDk3NzhmMzZjODVhYjIw
YzM3ZmI0NGZjYzMxNmEwDQYJKoZIhvcNAQEBBQAEggEACIYGPwFnQpj1tO6HFNsL
NnkeBSTRBW/ZrkRAoMgJBxqr8E/tvev4/g/W98GJAIOTqChOYE4m6uSkwOmkLbrK
QhMs2Y18CwH64TRIlzcsYy77poO4nOCFpyqIJKlglllF6YExSD1IfN0OWruOdqNO
VR7NNJ7kT9eyA3ScAmhCZgeZxe7lr27j/yNm2TUGMPDUYbJ942q5A3WgvP+QYj8K
vLEaS/fnej0nkPv0DJpB7UTLIpm0/NwaoN+ZKHxMqmlnuGiG2pUViGJApXm1QbXT
cpMTb1Jb6NSBJcuBH65fOhCTUWxXdpoa32ooKToemYBtmju49FVTPqvPCvrd2Xeb
Tg==

[10/Jun/2009:14:49:46][http-9180-Processor25]: Processing PKCSReq
[10/Jun/2009:14:49:46][http-9180-Processor25]: getConn: mNumConns now 2
[10/Jun/2009:14:49:46][http-9180-Processor25]: returnConn: mNumConns now 3
[10/Jun/2009:14:49:46][http-9180-Processor25]: failed to unwrap PKCS10 org.mozilla.jss.crypto.TokenException: Failed to unwrap key
[10/Jun/2009:14:49:46][http-9180-Processor25]: handlePKIMessage exception javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: Failed to unwrap key
javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: Failed to unwrap key
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:698)
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:246)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.netscape.cms.servlet.filter.PassThroughRequestFilter.doFilter(PassThroughRequestFilter.java:71)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:542)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Thread.java:636)
[10/Jun/2009:14:49:46][http-9180-Processor25]: Service exception javax.servlet.ServletException: Failed to process message in CEP servlet: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: Failed to unwrap key

Comment 1 Chandrasekar Kannan 2009-06-13 13:42:49 UTC
SCEP enrollment works just fine when the CA is not connected to the nethsm 2000.

Comment 2 Chandrasekar Kannan 2009-06-30 15:34:42 UTC
router has 3des enabled ...
(08:14:56) mgalgoci: you have the 3DES/AES feature enabled
(08:15:01) ckannan: nice
(08:15:18) mgalgoci: VPN-DES                      : Enabled   
(08:15:18) mgalgoci: VPN-3DES-AES                 : Enabled

Comment 3 Christina Fu 2009-06-30 15:41:19 UTC
just reporting some findings:

The nethsm log shows something like:
2009-06-29 13:41:32 [18436] t901b5792: pkcs11: 000008CD Application error: DES key parity wrong
2009-06-29 13:41:32 [18436] t901b5792: pkcs11: 000008CD <    *phObject 0x00000000
2009-06-29 13:41:32 [18436] t901b5792: pkcs11: 000008CD <    rv 0x00000013 (CKR_ATTRIBUTE_VALUE_INVALID) 


While NSPR debug log for the nfast pkcs11 module shows:
-1839785072[8b13990]: C_UnwrapKey
-1839785072[8b13990]:   hSession = 0x8cd
-1839785072[8b13990]:   pMechanism = 0x9257070c
-1839785072[8b13990]:   hUnwrappingKey = 0x469
-1839785072[8b13990]:   pWrappedKey = 0x87844c0
-1839785072[8b13990]:   ulWrappedKeyLen = 256
-1839785072[8b13990]:   pTemplate = 0x92570640
-1839785072[8b13990]:   ulAttributeCount = 3
-1839785072[8b13990]:   phKey = 0x87845cc
-1839785072[8b13990]:     CKA_CLASS = CKO_SECRET_KEY [4]
-1839785072[8b13990]:     CKA_KEY_TYPE = 0x13 [4]
-1839785072[8b13990]:     CKA_DECRYPT = CK_TRUE [1]
-1839785072[8b13990]:       mechanism = CKM_RSA_PKCS
-1839785072[8b13990]:   *phKey = 0x0 (CK_INVALID_HANDLE)
-1839785072[8b13990]:   rv = CKR_WRAPPED_KEY_INVALID 

According to Relyea:
"It seems pretty clear. The nethsm does not like the key that SCEP is sending.
DES keys have redundant bits which are set to parity values to detect if a bad key was transmitted. Softoken does not generally require the parity to be set correctly on input, but always makes sure DES keys have the proper parity on output."

So far, we have tried unsetting all protection on the hsm:
/opt/nfast/cknfastrc:
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=all
and still failed in the same fashion.

I don't know if there is a way to get the cisco router to produce more legit keys.

Comment 4 Andrew Wnuk 2009-07-01 16:29:17 UTC
This is not a CS bug. The HSM does not accept DES keys with bad parity generated by the Cisco router.
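The parity rule Relyea describes in Comment 3, and the two token behaviours that follow from it, as an added illustration that is not code from Dogtag, NSS, the nethsm or Cisco. Each byte of a DES key carries seven key bits plus a low-order parity bit set so the byte has an odd number of 1 bits; a lenient token (softoken) ignores bad parity on input and rewrites it on output, a strict one (the nethsm here) rejects the unwrap with CKR_ATTRIBUTE_VALUE_INVALID. The sample keys are constructed for the example and are not taken from the SCEP message in the log; the `unwrap_policy` function is a model of the two behaviours, not a PKCS#11 call.

```python
# Added example: DES key parity check and repair, plus a model of a strict
# (nethsm-like) and a lenient (softoken-like) unwrap. Not project code.


def byte_has_odd_parity(b: int) -> bool:
    """True when the 8-bit value b has an odd number of 1 bits."""
    return bin(b & 0xFF).count("1") % 2 == 1


def bad_parity_bytes(key: bytes) -> list:
    """Indices of the key bytes whose parity bit is wrong.

    Accepts single DES (8 bytes) and two- or three-key 3DES (16/24 bytes).
    """
    if len(key) not in (8, 16, 24):
        raise ValueError("DES/3DES key must be 8, 16 or 24 bytes, got %d" % len(key))
    return [i for i, b in enumerate(key) if not byte_has_odd_parity(b)]


def des_key_parity_ok(key: bytes) -> bool:
    """True when every byte of the key has odd parity."""
    return not bad_parity_bytes(key)


def fix_des_key_parity(key: bytes) -> bytes:
    """Return the key with every parity bit rewritten.

    The seven key bits of each byte are kept; only bit 0 changes, so the
    repaired key encrypts exactly like the original would on a token that
    ignores parity.
    """
    bad_parity_bytes(key)  # length check only
    out = bytearray()
    for b in key:
        material = b & 0xFE  # drop the old parity bit
        # set bit 0 only when the seven key bits alone have even parity
        out.append(material | (0 if byte_has_odd_parity(material) else 1))
    return bytes(out)


def unwrap_policy(key: bytes, strict: bool) -> bytes:
    """Model of the two PKCS#11 behaviours seen in this bug (assumption, not a real API).

    strict=True  behaves like the nethsm: a key with wrong parity is rejected.
    strict=False behaves like softoken: the key is accepted and its parity fixed.
    """
    if des_key_parity_ok(key):
        return key
    if strict:
        raise ValueError("CKR_ATTRIBUTE_VALUE_INVALID: DES key parity wrong at bytes %s"
                         % bad_parity_bytes(key))
    return fix_des_key_parity(key)


# Constructed sample keys (not extracted from the SCEP message above).
GOOD_KEY = bytes.fromhex("0123456789abcdef")  # every byte already has odd parity
BAD_KEY = bytes.fromhex("0022446688aaccee")   # every byte has even parity


if __name__ == "__main__":
    print("good key parity ok:", des_key_parity_ok(GOOD_KEY))
    print("bad key parity ok :", des_key_parity_ok(BAD_KEY),
          "bad bytes:", bad_parity_bytes(BAD_KEY))
    print("softoken-style    :", unwrap_policy(BAD_KEY, strict=False).hex())
    try:
        unwrap_policy(BAD_KEY, strict=True)
    except ValueError as exc:
        print("nethsm-style      :", exc)
```

Running the check against the DES key the client generated is the quickest way to confirm the diagnosis in this bug without touching the HSM: if `bad_parity_bytes` returns anything, a strict token will refuse the unwrap, and the fix has to come from the client generating the key, not from the CA or the HSM.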

Comment 11 Deon Ballard 2016-02-24 17:32:35 UTC
Changing old ON_QA bugs to closed (since they've long since been published.)