Bug 503523 - certicom token "changepw" fails(however strong password we give)
certicom token "changepw" fails(however strong password we give)
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: ECC (Show other bugs)
1.1
All Linux
high Severity high
: ---
: ---
Assigned To: Christina Fu
Chandrasekar Kannan
:
Depends On:
Blocks: 443788
  Show dependency treegraph
 
Reported: 2009-06-01 10:56 EDT by Kashyap Chamarthy
Modified: 2015-01-04 18:38 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-22 19:35:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kashyap Chamarthy 2009-06-01 10:56:54 EDT
Environment: RHEL_5.3_64_bit 

Description:
Attempt to change password of the certicom token passwd fails with

ERROR: Unable to change password on token "Certicom FIPS Cert/Key Services".

Expected Results:
Token password should be able to be changed successfully

Actual Results:
ERROR: Unable to change password on token "Certicom FIPS Cert/Key Services".
---------------------------

how to reproduce:
---------

=> here I was able to proceed with libsbcpgse.so

[root@shine ecc]# cp sbp11api_gse1.0-linux_64_x86/lib/libsbcpgse.so /usr/certicom/lib/
[root@shine ecc]# cp sbp11api_gse1.0-linux_64_x86/lib/libsbcpgse.so /usr/lib/

=> loading ECC module succeeds

[root@shine ecc]# modutil -dbdir /var/lib/pki-ca/alias/ -nocertdb -add certicom -libfile /usr/certicom/lib/libsbcpgse.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "certicom" added to database.

=> listing modules succeds

[root@shine ecc]# modutil -dbdir /var/lib/pki-ca/alias/ -nocertdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. certicom
        library name: /usr/certicom/lib/libsbcpgse.so
         slots: 2 slots attached
        status: loaded

         slot: FIPS Generic Crypto Services V1.0.1d
        token: Certicom FIPS Crypto Services

         slot: FIPS Certificate/Key Services V1.0.1d
        token: Certicom FIPS Cert/Key Services

=> changing the token password "fails" (with however strong password I gave)

[root@shine ecc]# modutil -dbdir /var/lib/pki-ca/alias/ -changepw "Certicom FIPS Cert/Key Services"

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Enter new password:
Re-enter new password:
ERROR: Unable to change password on token "Certicom FIPS Cert/Key Services".
-----------------------------------------------------------------------------
Comment 1 Kashyap Chamarthy 2009-06-01 11:17:08 EDT
with strace:
--------------
[root@shine ecc]# strace -o strace.log modutil -dbdir /var/lib/pki-ca/alias/ -changepw "Certicom
FIPS Cert/Key Services"

------------------
[root@shine ecc]# tail -30 strace.log 
ioctl(6, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0
close(6)                                = 0
munmap(0x2b231c5da000, 4096)            = 0
close(7)                                = 0
munmap(0x2b231c5d9000, 4096)            = 0
open("/root/.certicom/sbcp/sbcppri.db", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = 6
fstat(6, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
fcntl(6, F_SETFD, FD_CLOEXEC)           = 0
close(6)                                = 0
open("/root/.certicom/sbcp/sbcppri.db/x00", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0600, st_size=410, ...}) = 0
fstat(6, {st_mode=S_IFREG|0600, st_size=410, ...}) = 0
read(6, "0\202\1\226\2\1\0030\202\1P\6\t*\206H\206\367\r\1\7\1\240\202\1A\4\202\1=0\202"..., 410) = 410
fstat(6, {st_mode=S_IFREG|0600, st_size=410, ...}) = 0
close(6)                                = 0
open("/root/.certicom/sbcp/sbcpuser.db", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOENT (No such file or directory)
open("/root/.certicom/sbcp/sbcpuser.db", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOENT (No such file or directory)
write(2, "ERROR: Unable to change password"..., 77) = 77
lseek(3, 0, SEEK_SET)                   = 0
write(3, "\0\6\25a\0\0\0\2\0\0\4\322\0\0@\0\0\0\0\16\0\0\1\0\0\0\1\0\0\0\0\10"..., 260) = 260
close(3)                                = 0
lseek(4, 0, SEEK_SET)                   = 0
write(4, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0\1\0\0\0\0\10"..., 260) = 260
close(4)                                = 0
munmap(0x2b231c21c000, 2407832)  

-------------------------------
additional info:

 /root/.certicom/sbcp  directory does exist - and it has sbcppri.db , sbcppub.db, sbcpso.db directories. (but not the sbcpuser.db directory)

-- when i created the /root/.certicom/sbcp/sbcpuser.db directory and again try to change the token password - no joy there too.
Comment 2 Christina Fu 2009-06-04 16:15:35 EDT
First, I do not know why it failed.  But I can come up with some thing for you to try.
on a 32 bit machine, create the following directory:
 /root/.certicom/sbcp/sbcpuser.db

sftp to gamma, and cd into the directory with the same path, and get the files over to your 32 bit machine. put them under the same path.

now try your changepw again.  the old password is redhat.
Comment 3 Christina Fu 2009-06-04 16:59:57 EDT
just realized one reason this trick would not work.  The old certicom dbs I have are from the old certicom lib and the token names are different:
	token: Certicom Cert/Key Services
while the new token has name:
        token: Certicom FIPS Cert/Key Services

I think it's best to ask certicom about it.
Comment 4 Christina Fu 2009-06-13 15:56:37 EDT
This is to document what to do once the certicom library is added and initialized (the steps to get to this point will be provided later):

edit file /usr/bin/dtomcat5-<instance name>
e.g.
vim /usr/bin/dtomcat5-pki-ca
At the very beginning of the file, right after the line
  umask 00002
you add
  export NSS_USE_DECODED_CKA_EC_POINT=1
restart the server.

on the client side, at the shell where you wish to start browser, set the same flag:
  export NSS_USE_DECODED_CKA_EC_POINT=1
start browser,
then you need to load the certicom library:
go to Edit, Preferences, Advanced, Security Devices,
then load the certicom module
  certicom
  /usr/lib64/libsbcpgse.so
login to the token:
  Certicom FIPS Cert/Key Services
import the agent cert (presumablely you had configed it in another browser, exported the admin cert)

now you can access both the ee ssl page and the agent page.
Comment 5 Kashyap Chamarthy 2009-06-23 13:18:22 EDT
Verified. token password can be changed using the sample binary provided from certicom.(but the password("userpassword" is hard-coded in the sample.c)

Refer the below bugzilla for configuring CA with certicom ECC module: https://bugzilla.redhat.com/show_bug.cgi?id=507428

Note You need to log in before you can comment on or make changes to this bug.