1393668 – certutil failed when importing certificate into HSM in FIPS mode

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1393668 - certutil failed when importing certificate into HSM in FIPS mode

Summary: certutil failed when importing certificate into HSM in FIPS mode

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	nss
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Bob Relyea
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-11-10 06:21 UTC by Endi Sukma Dewata
Modified:	2023-08-06 07:28 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-08-06 07:28:16 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-130341	0	None	None	None	2022-08-04 22:29:23 UTC

Internal Links: 1531622

Description Endi Sukma Dewata 2016-11-10 06:21:43 UTC

The certutil failed when importing a certificate into an NSS database connected to an HSM. This operation is needed to set up RHCS with externally signed CA certificate. The test was done on a FIPS-enabled RHEL 7.3 machine, but it's not clear if FIPS is a factor.

Steps to Reproduce:

1. Make sure the machine is connected to an HSM (e.g. Luna SA or nFast).

2. Store the NSS database password (which is the same as the HSM password) into password.txt.

3. Create the NSS database with the password file:
$ certutil -N -d nssdb -f password.txt

4. Add the appropriate HSM module:
$ modutil -dbdir nssdb -add <module> -libfile <library> -force

5. Import an existing certificate into HSM:
$ certutil -A -d nssdb -h <token> -f password.txt -n test -i test.crt -t "CT,C,C"

Actual results: The certificate was added into the HSM, but certutil failed with the following error:

certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.

Expected results: The certutil should complete successfully and the trust flags should be set properly. Since the trust flags are stored in the internal token, the certificate may need to be added into the internal token as well.

Questions:

1. Assuming the problem is fixed, will the certificate be added into both the HSM and internal token in the same operation? Or does it need to be added into the internal token separately?

2. If the NSS database password is different from the HSM password, which password should be specified in the command?

Comment 2 Kai Engert (:kaie) (inactive account) 2016-11-10 13:34:34 UTC

Bob, do you know why NSS succeeds to import the certificate into the external token, but fails to set the trust on the internal token?

Would you be able to work on a patch to fix this issue?

Comment 3 Endi Sukma Dewata 2016-11-12 00:57:49 UTC

FYI, the problem does not happen on another machine with FIPS disabled.

Comment 4 Bob Relyea 2016-11-14 19:26:27 UTC

So apparently the issue is that the certificate is imported into the HSM and the trust is imported into the token. In non-fips mode, you can import trust without logging into the token, but in FIPS mode you do need log into the token to import trust.

You also need to log into the HSM to import trust. If you don't supply the -f password.txt, do you get prompted for both tokens?

If so, and you need to do this from scripts, you many need to import the cert into both the HSM and the internal token in 2 separate steps. Don't try to set the trust when importing into the HSM.

bob

Comment 5 Endi Sukma Dewata 2016-11-14 22:04:49 UTC

Thanks Bob,

I tried importing the certificate as in step #5 without the password file, but I only got prompted for the HSM password and the command still failed with the same error message (i. not logged in).

However, I was able to import the certificate successfully using the two-steps workaround.

First (the order does matter), import the certificate into the HSM without the trust flags (the -t option is still required, but the HSM password is not):

 $ certutil -A -d nssdb -h hsm -n test -i test.crt -t ""

 $ certutil -L -d nssdb -h hsm
 
 Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI
 
 Enter Password or Pin for "hsm":
 hsm:test                                                     ,,

Second, import the certificate into the internal token with the correct trust flags (the internal token password is required):

 $ certutil -A -d nssdb -n test -i test.crt -t "CT,C,C"
 Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":

 $ certutil -L -d nssdb
 
 Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI
 
 test                                                         CT,C,C

 $ certutil -L -d nssdb -h hsm
 
 Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI
 
 Enter Password or Pin for "hsm":
 hsm:test                                                     CT,C,C

So I think the RHCS can be modified to use the two-step workaround, but do you think the certutil error in step #5 will eventually get fixed? I think there are several possibilities:

* The command in step #5 could generate a different error message explaining that the import needs to be done in two steps.
* Instead of generating an error, the command could just ignore the specified trust flags and simply return silently after importing the certificate into the HSM. The second step is still required.
* The command can take the internal token password and import the certificate into both HSM and internal token in a single step. As shown above, the HSM password is not required for import. But this option could be confusing since the -h and the -f options will refer to different tokens.

Comment 6 Endi Sukma Dewata 2016-11-15 15:32:14 UTC

In the first step of the workaround, apparently if the certificate key is stored in the HSM the HSM password is required (and the command still fails even without the trust flags). If the certificate key is not stored in the HSM the HSM password is not required (and the command will complete successfully without the trust flags).

Comment 7 Endi Sukma Dewata 2016-11-17 18:56:16 UTC

The workaround for RHCS was implemented in bug #1395817.

Comment 10 Rob Crittenden 2022-08-04 22:21:47 UTC

Re-opening for tracking. Potential solution created upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=1782980

certutil can support multiple passwords but it won't try to authenticate to the internal token when setting trust, even if it has the softokn password.

Comment 15 RHEL Program Management 2023-02-04 07:27:46 UTC

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 17 Bob Relyea 2023-02-06 20:08:16 UTC

reopenning and setting the stale date to the new NSS rebase.

Comment 19 RHEL Program Management 2023-08-06 07:28:16 UTC

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Note You need to log in before you can comment on or make changes to this bug.