2106452 – softhsm2: Unable to create cert: Private key not found

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2106452 - softhsm2: Unable to create cert: Private key not found

Summary: softhsm2: Unable to create cert: Private key not found

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	9.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	unspecified
Target Milestone:	rc
Target Release:	9.2
Assignee:	Endi Sukma Dewata
QA Contact:	idm-cs-qe-bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2184506
TreeView+	depends on / blocked

Reported:	2022-07-12 17:30 UTC by Rob Crittenden
Modified:	2023-05-09 08:56 UTC (History)
CC List:	7 users (show)
Fixed In Version:	pki-core-11.3.0-0.2.beta1.el9
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2184506 (view as bug list)
Environment:
Last Closed:	2023-05-09 07:43:41 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)
pki.ini (4.76 KB, text/plain) 2022-07-12 17:30 UTC, Rob Crittenden	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHCS-3227	None	None	None	2022-09-02 11:48:51 UTC
Red Hat Issue Tracker	RHELPLAN-127520	None	None	None	2022-07-12 17:37:12 UTC
Red Hat Product Errata	RHSA-2023:2293	None	None	None	2023-05-09 07:44:35 UTC

Description Rob Crittenden 2022-07-12 17:30:45 UTC

Created attachment 1896454 [details]
pki.ini

Description of problem:

Due to https://bugzilla.redhat.com/show_bug.cgi?id=2087105 the HSM and CA database PINs must be the same.

pkispawn fails using softhsm2 as an HSM because it cannot find the private key.

2022-07-08 15:13:02 [https-jsse-nio-8443-exec-4] INFO: CAInstallerService: Creating cert
2022-07-08 15:13:02 [https-jsse-nio-8443-exec-4] INFO: CAInstallerService: - request ID: 0x54f4013c0938c76ac2277ac32e7ced4c
2022-07-08 15:13:02 [https-jsse-nio-8443-exec-4] INFO: CAInstallerService: - request type: pkcs10
2022-07-08 15:13:02 [https-jsse-nio-8443-exec-4] INFO: CAInstallerService: - subject: CN=Certificate Authority,O=EXAMPLE.TEST
2022-07-08 15:13:02 [https-jsse-nio-8443-exec-4] INFO: CAInstallerService: - cert ID: 0x696cc771a24ff37d8dd6cd11a0b51131
2022-07-08 15:13:02 [https-jsse-nio-8443-exec-4] INFO: CAInstallerService: - cert type: selfsign
2022-07-08 15:13:02 [https-jsse-nio-8443-exec-4] INFO: CAInstallerService: - profile: caCert.profile
2022-07-08 15:13:02 [https-jsse-nio-8443-exec-4] INFO: CAInstallerService: - key algorithm: SHA256withRSA
2022-07-08 15:13:02 [https-jsse-nio-8443-exec-4] INFO: CAInstallerService: - token: softhsm_token
2022-07-08 15:13:02 [https-jsse-nio-8443-exec-4] INFO: CAInstallerService: - key ID: 0x68c9b3e73c837e7d296687bda73bc4054685f384
2022-07-08 15:13:02 [https-jsse-nio-8443-exec-4] SEVERE: Unable to create cert: Private key not found: 0x68c9b3e73c837e7d296687bda73bc4054685f384
java.lang.Exception: Private key not found: 0x68c9b3e73c837e7d296687bda73bc4054685f384
        at org.dogtagpki.server.ca.rest.CAInstallerService.createCert(CAInstallerService.java:225)

The key exists in the token.

# certutil -K -d /etc/pki/pki-tomcat/alias -h softhsm_token 
certutil: Checking token "softhsm_token" in slot "SoftHSM slot ID 0x2946501a"
Enter Password or Pin for "softhsm_token":
< 0> rsa      68c9b3e73c837e7d296687bda73bc4054685f384   (orphan)
< 1> rsa      3f54c7aab3d77ff80ed0a4b62d8eefb42a11b889   (orphan)
< 2> rsa      fc815ee36c6194f2ebb3f1b73b740ce0c9ac6d64   (orphan)
< 3> rsa      97592505120f6867651939eaa5082035359633b1   (orphan)
< 4> rsa      a4e12920617b53673f17ba0d9e46faeeae1dc6c9   (orphan)


Version-Release number of selected component (if applicable):
idm-pki-ca-11.2.0-1.el9.noarch

Additional info:

Upstream ticket https://github.com/dogtagpki/pki/issues/3204 states that softhsm2 worked at some point with some workarounds and this is asking that this be automated.

I followed the instructions at https://www.dogtagpki.org/wiki/SoftHSM regarding permissions, groups, etc. No AVCs are reported.

Comment 1 Endi Sukma Dewata 2022-07-12 17:40:14 UTC

Just FYI, this is mainly caused by a permission problem. Initially
pkispawn creates the key as root, so the key file in SoftHSM is owned
by root too, but later pkispawn tries to find the key again as pkiuser,
so it could not find it. This problem is only affecting SoftHSM.
Hardware-based HSM should not have this problem.

Comment 2 Rob Crittenden 2022-07-12 20:06:35 UTC

Yes, permissions are the problem. New files within the token are created as root:root rather than pkiuser:pkiuser.

https://www.dogtagpki.org/wiki/SoftHSM indicates that this worked with self-signed CAs at one time. IPA developers in the recent past were able to get past this point, as well as another IPA user: https://magnus-k-karlsson.blogspot.com/2019/08/installing-dogtag-on-fedora-30-with.html

Adding a chown -R of the softhsm token directory after each certutil -A (more or less) the installation proceeds. I'm prompted several times for the token password to import a certificate into the token database during the pkispawn.

Deployment fails because the Server-Cert private key is not in the token database. I haven't yet investigated this, though the blog user reported that he had to force Server-Cert to remain in the NSS database.

Comment 3 Endi Sukma Dewata 2022-07-13 18:05:19 UTC

Yes, this used to work in the past, but it has been broken since 2019,
likely due to changes in the installation process. I'm not sure whether
SoftHSM is officially supported, but for sure it has not been officially
tested in RHEL, so it never got fixed.

The workaround is probably to use a two-step installation process and fix
the permissions manually, or to add SoftHSM-specific code into pkispawn
to fix the permissions.

The proper fix is probably to execute the commands that creates the keys
and certs in pkispawn as pkiuser so the SoftHSM files will get created
with the right permissions.

Comment 4 Rob Crittenden 2022-07-13 21:43:11 UTC

I've managed to hack nssdb.py enough so that the certs and keys are generated and installed into the token and permissions are fine. pkispawn succeeds and the CA is able to start. All the certs/keys are stored in the token which is something that wasn't working in 2019 so there's some progress.

Port 8080 works but the TLS port throws a trace in the journal. Seems it can't apply the cert and/or key to a connection.

SEVERE: Error running socket processor
java.lang.RuntimeException: Unable to configure certificate and key on model SSL PRFileDesc proxy: SEC_ERROR_NO_MEMORY (-8173)
        at org.mozilla.jss.ssl.javax.JSSEngine.getServerTemplate(JSSEngine.java:1106)
        at org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl.createBufferFD(JSSEngineReferenceImpl.java:332)
        at org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl.init(JSSEngineReferenceImpl.java:262)
        at org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl.beginHandshake(JSSEngineReferenceImpl.java:646)
        at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:334)
        at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:154)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1708)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:833)

The cert is readable by the CA and passes the CA selfsign tests. A manual verification looks like:

# runuser -u pkiuser -- certutil -V -u V -d /etc/pki/pki-tomcat/alias -n 'softhsm_token:Server-Cert cert-pki-ca' -e
Enter Password or Pin for "NSS Certificate DB":
Enter Password or Pin for "softhsm_token":
certutil: certificate is valid

I set the log level of the token to DEBUG and it's doing some work like creating a session and doing some minor decryption but it logs no errors. strace against the CA confirms that the CA is able to access the files. It's unfortunate that softhsm doesn't log the PKCS#11 API calls directly as it might be easier to see what is going on.

I've tried in rawhide as well but still have the 11.2.0 beta2 bits because I haven't updated to python 3.11 yet.

I'm not sure how to trace things from here.

Comment 5 Rob Crittenden 2022-07-14 13:41:08 UTC

It fails the same way using the unsupported selfserv tool so the problem lies either in NSS or softhsm2:

# /usr/lib64/nss/unsupported-tools/selfserv -d /etc/pki/pki-tomcat/alias -n 'softhsm_token:Server-Cert cert-pki-ca' -p 9443 -v
Enter Password or Pin for "softhsm_token":
selfserv: SSL_ConfigServerCert returned error -8173:
security library: memory allocation failure.

Comment 6 Rob Crittenden 2022-07-14 15:09:25 UTC

Using gdb I traced this within NSS to copying the private key (PK11_CopyKey) for Server-Cert from softhsm. The C_CopyObject call returns CKR_ARGUMENTS_BAD which is unexpected but I think what they mean is that the private key cannot be retrieved.

I set the token in my ini file to internal and pkispawn was successful to the point where the CA was restarted. The problem was that server.xml included the softhsm token name in it Connector definition. Removing that and the CA starts fine and is accessible from clients.

Comment 7 Rob Crittenden 2022-07-28 18:29:51 UTC

I have standalone installation and IPA server installations working for my simple use-case. My changes don't cover every possible use of nssdb.NSSDatabase() so its likely I missed something.

Ideally all calls to NSSDatabase.nssdb() would include user and group so that proper chown can be done on the files and directories being created, and the effective uid/gid can be set when executing calls in conjunction with prefixing commands with runuser -u <user> --. By doing this the token file ownership is all fine.

I've also seen a second problem. The pki nss-import-cert always fails importing the caSigningCert certificate into the token with SEC_ERROR_TOKEN_NOT_LOGGED_IN. This is an issue in certutil AFAICT. I tried working around the error by calling certutil directly, once to import the cert and trust into the NSS softokn and once to import it into the softhsm token but it still fails. I ignore the failure.

I have a hard time tracing the python/java boundaries as sometimes it seems like python code calls the pki command which calls more python.

I don't know if this will affect all HSMs or just these.

Another part of my workaround was to use the same password for the NSS database as the token database per comment#0. Otherwise lots more invasive changes are needed.

Comment 11 Endi Sukma Dewata 2022-10-25 20:25:52 UTC

Additional changes by Rob in the master branch:
- https://github.com/dogtagpki/pki/commit/3a79ffd87991482004a1ee39ca9abca5db19e55b
- https://github.com/dogtagpki/pki/commit/a4c2f89b07cd39c8b375aa24fa66bc71cca5e84c

Comment 12 Endi Sukma Dewata 2022-11-10 16:45:05 UTC

Additional changes by Rob in the master branch:
- https://github.com/dogtagpki/pki/commit/7e05fa4a011cdcdd0f1656dd8acc114011c2db47
- https://github.com/dogtagpki/pki/commit/67872a70be88f0430b4a0f3c2c1ed2f328def766

Comment 33 errata-xmlrpc 2023-05-09 07:43:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: pki-core security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2293

Note You need to log in before you can comment on or make changes to this bug.