Bug 167197 - private key certificate
Product: Fedora
Classification: Fedora
Component: openssl
i386 Linux
medium Severity high
Assigned To: Tomas Mraz
Brian Brock
Reported: 2005-08-31 10:44 EDT by Jorge I. Davila L.
Modified: 2007-11-30 17:11 EST
Last Closed: 2005-08-31 18:27:17 EDT
Description Jorge I. Davila L. 2005-08-31 10:44:21 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc3 Firefox/1.0.6

Description of problem:
I'm running Fedora Core 3 inside a Xen virtual machine. After working fine for at least 2 months, openssl is failing to sign certificates. Openssl appears to be unable to read the private key of the certification authority.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
At this point I don't know the source of the problem or how to reproduce it; openssl simply became unable to read the private key of the certification authority.

Actual Results:  #> openssl rsa -in /usr/local/OpenCA/NiagaraCA/var/crypto/keys/cakey.pem -text -noout
Enter pass phrase for /usr/local/OpenCA/NiagaraCA/var/crypto/keys/cakey.pem:
unable to load Private Key
4821:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:
4821:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:

Expected Results:  A new certificate.

Additional info:

The system is in a xen virtual machine.
Comment 1 Tomas Mraz 2005-08-31 10:49:33 EDT
Sorry, this doesn't belong to OpenSSL. I'm reassigning it to XEN; however, it
could most probably be a hardware problem or admin error.
Comment 2 Jorge I. Davila L. 2005-08-31 10:55:01 EDT
Uhm... I tried reading the private key on other boxes with the same result, and
searching on Google, other people have reported the error with no references to Xen.
Comment 3 Rik van Riel 2005-08-31 11:04:58 EDT
If the bug also happens without Xen, it is probably an openssl issue.

If the bug does not happen with Xen on another computer, it could be a memory
corruption issue.

If the bug only happens under Xen, regardless of hardware, it's probably a Xen bug.

Jorge, could you please try running the same openssl command on another
computer, and/or without Xen, to try reproducing the problem?
Comment 4 Jorge I. Davila L. 2005-08-31 11:12:56 EDT
The openssl command was executed on two other boxes without Xen and I received
the same error:

# openssl rsa -in cakey.pem -out keyout.pem
Enter pass phrase for cakey.pem:
unable to load Private Key
6755:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
6755:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:

The error is critical for me because there are several boxes that use
certificates emitted by the Certification Authority and I'm unable to do my work
because of this error.
Comment 5 Tomas Mraz 2005-08-31 11:27:52 EDT
The problem is that the private key most probably got corrupted somehow. Do you have
a backup? You should.

Xen could be the culprit if you used the key only from the Xen virtual
machine when it got corrupted.

But it's now very hard to say what corrupted the key.

Does the cakey.pem file look normal?

And are you sure you just didn't forget the passphrase?
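
Added example, not part of the original bug thread: one way to check whether a passphrase-protected key file "looks normal", as asked above, is to validate the structure of the legacy OpenSSL encrypted PEM container before suspecting the passphrase. The function name, cipher table and sample file below are constructed for illustration and assume the traditional Proc-Type/DEK-Info format.

```python
import base64, binascii, re

# Block sizes (bytes) for ciphers commonly seen in legacy DEK-Info headers.
BLOCK = {"DES-CBC": 8, "DES-EDE3-CBC": 8, "AES-128-CBC": 16,
         "AES-192-CBC": 16, "AES-256-CBC": 16}

def check_encrypted_pem(text):
    """Return a list of structural problems; an empty list means none found."""
    lines = [l.strip() for l in text.strip().splitlines()]
    problems = []
    m = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----", lines[0]) if lines else None
    if not m or lines[-1] != f"-----END {m.group(1)}-----":
        return ["BEGIN/END lines missing or mismatched"]
    body = lines[1:-1]
    headers = {}
    while body and ":" in body[0]:          # RFC 1421 style header lines
        k, v = body.pop(0).split(":", 1)
        headers[k.strip()] = v.strip()
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        problems.append("Proc-Type is not 4,ENCRYPTED")
    cipher, _, iv_hex = headers.get("DEK-Info", "").partition(",")
    size = BLOCK.get(cipher)
    if size is None:
        problems.append(f"unknown or missing DEK-Info cipher {cipher!r}")
    elif not re.fullmatch(r"[0-9A-Fa-f]+", iv_hex) or len(iv_hex) != 2 * size:
        problems.append("IV is not hex of the cipher's block length")
    try:
        data = base64.b64decode("".join(body), validate=True)
    except binascii.Error:
        return problems + ["base64 body is damaged"]
    if not data:
        problems.append("empty body")
    elif size and len(data) % size:
        problems.append("ciphertext length is not a multiple of the block size")
    return problems

# Constructed sample: counter bytes standing in for ciphertext, not a real key.
SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\n"
          "Proc-Type: 4,ENCRYPTED\n"
          "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
          + base64.encodebytes(bytes(range(64))).decode()
          + "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(check_encrypted_pem(SAMPLE))
```

An empty result only says the container is intact; a `bad decrypt` on such a file is what a wrong passphrase produces, and comparing against a known-good backup remains the check for altered content.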
Comment 6 Jorge I. Davila L. 2005-08-31 11:40:13 EDT
I have a backup. Doing a diff of the file in the backup against the file in the
Xen virtual machine I obtain:

# diff cakey.pem backup_cakey.pem -s
Files cakey.pem and backup_cakey.pem are identical

The passphrase is ok. I'm pretty sure that I didn't lose the passphrase.
Comment 7 Tomas Mraz 2005-08-31 11:57:08 EDT
Could you try to downgrade openssl to the version from the FC-3 vanilla (not
updated) - openssl-0.9.7a-40? Of course this could be the culprit only if it
stopped working just after the upgrade from updates.

If the downgrade doesn't help I think that the problem is surely with the
Comment 8 Jorge I. Davila L. 2005-08-31 12:35:47 EDT
The downgrade does not work ... but the problem is not the passphrase. Well, I
can sign the request but I can generate a new certificate.
Comment 9 Jorge I. Davila L. 2005-08-31 12:47:55 EDT
sorry .. I can NOT generate a new cert but I CAN generate the certificate request.
Comment 10 Tomas Mraz 2005-08-31 13:10:07 EDT
By "The downgrade does not work" you mean that you downgraded OpenSSL and it
didn't help? If so then it is certainly a problem with the passphrase or both your
cakey.pem and backup are corrupted. There is simply no other possibility.

Certificate request generation works because it doesn't use the CA private key.
Comment 11 Jorge I. Davila L. 2005-08-31 13:42:50 EDT
I don't have any reason for bring me to a bad situation. 
Comment 12 Jorge I. Davila L. 2005-08-31 14:30:44 EDT
I don't have any reason for bring me to a bad situation. 
Comment 13 Tomas Mraz 2005-08-31 18:27:17 EDT
I'm sorry but there is simply no way it could be OpenSSL's fault if:

1. Downgrade didn't help.
2. Backup is from the time when it worked fine and is identical to the current key.
3. The key doesn't work on other machines.

The only non sci-fi reasons remaining are:
1. bad passphrase because you forgot it
2. bad passphrase because some evil attacker replaced both your key and your
backup with a different key
Comment 14 Jorge I. Davila L. 2005-08-31 18:32:47 EDT
This post in another place hits the same point:

Comment 15 Tomas Mraz 2005-09-01 01:52:52 EDT
This is an absolutely unrelated problem with openssl misconfiguration, sorry.
Comment 16 Jorge I. Davila L. 2005-09-01 22:43:08 EDT
It was a forgotten password. I'm very embarrassed. Thanks for your help.