Steps to reproduce: follow these steps on the Cisco ASA 5510 to perform an SCEP enrollment:

    enable
    conf t
    crypto key generate rsa
    crypto ca trustpoint Main
    enrollment url http://10.14.1.151/ca/cgi-bin
    crl optional
    exit
    crypto ca authenticate Main
    crypto ca enroll Main          [ prompts you for password ]
    show crypto ca certificate Main

Enable flatfile.txt on /var/lib/pki-ca/conf/flatfile.txt.

The CA throws an exception:

    [10/Jun/2009:14:49:46][http-9180-Processor25]: com.netscape.cms.servlet.filter.PassThroughRequestFilter: Excluding filtering on servlet called '/cgi-bin/pkiclient.exe'!
    [10/Jun/2009:14:49:46][http-9180-Processor25]: operation=PKIOperation
    [10/Jun/2009:14:49:46][http-9180-Processor25]: message=MIIJjQYJKoZIhvcNAQcCoIIJfjCCCXoCAQExDjAMBggqhkiG9w0CBQUAMIIEgAYJ
    KoZIhvcNAQcBoIIEcQSCBG0wggRpBgkqhkiG9w0BBwOgggRaMIIEVgIBADGCAWEw
    ggFdAgEAMEUwQDEeMBwGA1UEChMVRHNkZXZTamNSZWRoYXQgRG9tYWluMR4wHAYD
    VQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkCAQEwDQYJKoZIhvcNAQEBBQAEggEA
    IMOtYUplaIITMIFsJkjG1+hs5hvJmOeSneCGFM9Tb7/Ttcxx903Wq5ulPPUqi82q
    rid3lVp4LgxzYZ5PJasjRPVbU+3QFDFmxX8+9NIhBa8LxT3qRPjiLKteO1I89beE
    GgbFlQxa9sww/d5CnyPQB5LAJuP4OnEPgc0yYRUQD32ZBYtG5ODFcfe2DAQx2ckg
    CGa2oHYb6yNDymHra4cS+LkBHjM5r2xO90BfOvKBMsVm/Afkzr6dvt38efaU+32i
    p3XfwTHnATox0U4CNnKnjXZt+KtLKGZs6c0NdMKRHwJkMIxNgQ080HSVkKK3A/o+
    +NF0QjDklx997GqvJX9UgDCCAuoGCSqGSIb3DQEHATARBgUrDgMCBwQIYhA4BMgL
    uvmAggLI/6A+4DSAXQ+q2v/9SYHBnQ/lJufyBAZcQplXRCmqg9c3EdsTLFlObR8L
    ndlkM5/+SQWMLiCkw7RH7xTVROM0LZm0i5/bVMGiYEow79/kNm5ycZpKS+gkfwUw
    UWKMeqkMcr5N1Ceee/U51zxdS8axgbbBeXdA4Z5aolJedvJCfCCTaypwOA6NeoMZ
    /PIaOD6/z8+q329F16TjHkEZrChX4VQIh6flyNNEM+wvTT4OVv1xUFzKHgYt5Asq
    TdXPSCwRwzMkpwlnwH/SH9i1zsKguBXwP72ERyiNTcCMyXaClqsR5HDENJSMi4Uo
    ynGsciettonelgwxp+jDdYevHLzNmQiPO76nMZAjwDql2eTmZWzUOJijpW1/qwgy
    LFbSjD0Xwh0aDWH1pxtQbUYrgjgIXqTw4gD6/wY5g3AEbmMPSyLRWYehtsAZgXvY
    RfwaZ3RYyZjNFVi9JtR+7bT4nJ4zv44txKfzEqsAIyE5ZQ/A3hnnAMW+1/LWm1Wi
    yG5lBdwXTyYYgr5CE99vTpbZw2qxgH+DqKdo5C2qiaycudVCa76kRlaZ1fyVmpdC
    hXvJtHV3diCKcxYjfS5Plu7OS4kqHtDXYKuX0uZ/SzO0riN0aZnU/IYqk7Pfw0tx
    ETo7VpYBvpF92MyTUsRetLOYsx26PluX/CkxKjDpn3RmQUzB2OxxNNXGDWgF8+NW
    f4OV2Hzhnl+edLIF40MMscPNvBt25xW48LzVq6Tyu/xQAPvVKX4mJ9tRuAs35gJ3
    ZnVXw5CKgV3ABfdYYD6k7F2XxM6J5zo/OkWhV1sfyUbW/4Ser8ncCXZ+fV2cQU0G
    qfdbfAewnaGlHVR5Q8PRh8amcRvgfy3NJ4NAuXWuo12wiA15FwqXYbViJGFlTVp2
    dKqQ3ir+YH6wjEJ/APuYSX5/NRLBqHzFEzVcYB0X2mcmKUxjRRxKj5SooYSD9KCC
    As4wggLKMIIBsqADAgECAiAyY2QwOTc3OGYzNmM4NWFiMjBjMzdmYjQ0ZmNjMzE2
    YTANBgkqhkiG9w0BAQQFADAZMRcwFQYJKoZIhvcNAQkCFghjaXNjb3ZwbjAeFw0w
    OTA2MTAyMjQ1MDNaFw0xOTA2MDgyMjQ1MDNaMBkxFzAVBgkqhkiG9w0BCQIWCGNp
    c2NvdnBuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArtQzjlRHNESM
    Lyen6urNdwHahS1t7FzVAUHz9wo0jdtcsEnmfqtAm3wIUjWPgvPYRRQz5Wj9v+5k
    kw3+mpHyX404Lj7TcCiQ49dBmlSGRYXDwp0JDXk+YZk1F3KyOddmarXAruX6j6yR
    wG31EzRGo9rbQu4IRgm3ElOnoLOPCem5tve8UZLNKwZQndBzNnLlHmjXHiilzGCq
    4Byrssi5WLSRuDVAPmLbLHKDHRKyqdgAxwYK7vQCK4jK8MiS667rUNutwlWFiVFv
    OIrZkDC52Gka0sWB4cz7oBM0RTbWUVswyz/XCRSCReu6z6oW6VWFiR/djky/NuuH
    xkpCi0THZQIDAQABMA0GCSqGSIb3DQEBBAUAA4IBAQCfNvQfmSOqIbN/SQzHE2pm
    1clPrY1UFWCWJM0I5V1bZ5bKarnTkQ8bcqQoZOTHjpAzlxbK14jouhEFcfUT9lgg
    59O3sYfQthKZcOUy9DGlQ8ukHPYVHQD7IU2MtmIkCncr/CQdgj/9CjAz2Jao/4/P
    itfTg/9DqT2bkwOGuOWP9bLVJrsrAH6XEP9GQJY84lkL5LAzWxC4sejXQ3pq+SGF
    RQVbd0qOiIN6QyQy97ZkIKkpqWwH/0GDVxPQNZCcVbIfeq/miwU8aNZvDMtpd4me
    viLLWDhWkn3IAYHV/Ra5JZ5O0WT8sK2rvH+aOR8D+ggKk8UceSYZ+Vj+3t4aIV5c
    MYICDTCCAgkCAQEwPTAZMRcwFQYJKoZIhvcNAQkCFghjaXNjb3ZwbgIgMmNkMDk3
    NzhmMzZjODVhYjIwYzM3ZmI0NGZjYzMxNmEwDAYIKoZIhvcNAgUFAKCBozASBgpg
    hkgBhvhFAQkCMQQTAjE5MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHwYJKoZI
    hvcNAQkEMRIEEJDIAkKFBN/Le97GSbvYu2UwIAYKYIZIAYb4RQEJBTESBBCyq8OO
    uta2h8o48Tn0cY1LMDAGCmCGSAGG+EUBCQcxIhMgMmNkMDk3NzhmMzZjODVhYjIw
    YzM3ZmI0NGZjYzMxNmEwDQYJKoZIhvcNAQEBBQAEggEACIYGPwFnQpj1tO6HFNsL
    NnkeBSTRBW/ZrkRAoMgJBxqr8E/tvev4/g/W98GJAIOTqChOYE4m6uSkwOmkLbrK
    QhMs2Y18CwH64TRIlzcsYy77poO4nOCFpyqIJKlglllF6YExSD1IfN0OWruOdqNO
    VR7NNJ7kT9eyA3ScAmhCZgeZxe7lr27j/yNm2TUGMPDUYbJ942q5A3WgvP+QYj8K
    vLEaS/fnej0nkPv0DJpB7UTLIpm0/NwaoN+ZKHxMqmlnuGiG2pUViGJApXm1QbXT
    cpMTb1Jb6NSBJcuBH65fOhCTUWxXdpoa32ooKToemYBtmju49FVTPqvPCvrd2Xeb
    Tg==

    [10/Jun/2009:14:49:46][http-9180-Processor25]: Processing PKCSReq
    [10/Jun/2009:14:49:46][http-9180-Processor25]: getConn: mNumConns now 2
    [10/Jun/2009:14:49:46][http-9180-Processor25]: returnConn: mNumConns now 3
    [10/Jun/2009:14:49:46][http-9180-Processor25]: failed to unwrap PKCS10 org.mozilla.jss.crypto.TokenException: Failed to unwrap key
    [10/Jun/2009:14:49:46][http-9180-Processor25]: handlePKIMessage exception javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: Failed to unwrap key
    javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: Failed to unwrap key
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:698)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:246)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at com.netscape.cms.servlet.filter.PassThroughRequestFilter.doFilter(PassThroughRequestFilter.java:71)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:542)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Thread.java:636)
    [10/Jun/2009:14:49:46][http-9180-Processor25]: Service exception javax.servlet.ServletException: Failed to process message in CEP servlet: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: Failed to unwrap key
SCEP enrollment works just fine when the CA is not connected to the netHSM 2000.
The router has 3DES enabled:

    (08:14:56) mgalgoci: you have the 3DES/AES feature enabled
    (08:15:01) ckannan: nice
    (08:15:18) mgalgoci: VPN-DES : Enabled
    (08:15:18) mgalgoci: VPN-3DES-AES : Enabled
Just reporting some findings.

The netHSM log shows something like:

    2009-06-29 13:41:32 [18436] t901b5792: pkcs11: 000008CD Application error: DES key parity wrong
    2009-06-29 13:41:32 [18436] t901b5792: pkcs11: 000008CD < *phObject 0x00000000
    2009-06-29 13:41:32 [18436] t901b5792: pkcs11: 000008CD < rv 0x00000013 (CKR_ATTRIBUTE_VALUE_INVALID)

While the NSPR debug log for the nfast pkcs11 module shows:

    -1839785072[8b13990]: C_UnwrapKey
    -1839785072[8b13990]:   hSession = 0x8cd
    -1839785072[8b13990]:   pMechanism = 0x9257070c
    -1839785072[8b13990]:   hUnwrappingKey = 0x469
    -1839785072[8b13990]:   pWrappedKey = 0x87844c0
    -1839785072[8b13990]:   ulWrappedKeyLen = 256
    -1839785072[8b13990]:   pTemplate = 0x92570640
    -1839785072[8b13990]:   ulAttributeCount = 3
    -1839785072[8b13990]:   phKey = 0x87845cc
    -1839785072[8b13990]:     CKA_CLASS = CKO_SECRET_KEY [4]
    -1839785072[8b13990]:     CKA_KEY_TYPE = 0x13 [4]
    -1839785072[8b13990]:     CKA_DECRYPT = CK_TRUE [1]
    -1839785072[8b13990]:   mechanism = CKM_RSA_PKCS
    -1839785072[8b13990]:   *phKey = 0x0 (CK_INVALID_HANDLE)
    -1839785072[8b13990]:   rv = CKR_WRAPPED_KEY_INVALID

According to Relyea: "It seems pretty clear. The netHSM does not like the key that SCEP is sending. DES keys have redundant bits which are set to parity values to detect if a bad key was transmitted. Softoken does not generally require the parity to be set correctly on input, but always makes sure DES keys have the proper parity on output."

So far, we have tried unsetting all protection on the HSM in /opt/nfast/cknfastrc:

    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=all

and it still failed in the same fashion. I don't know if there is a way to get the Cisco router to produce more legit keys.
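The parity rule quoted above is easy to check by hand, and it is the check the HSM is applying before it will unwrap the DES content-encryption key out of the SCEP PKCS#7 envelope. The following is an added example, not code from this bug or from Certificate System, the netHSM, or the router: it verifies and repairs the per-byte odd parity of a DES or 3DES key, and models the two token behaviours the comment describes (a strict token refusing a bad-parity key, a lenient one like softoken normalising it). The sample keys are constructed for illustration; the function names are the example's own.

```python
"""DES/3DES key parity: check, repair, and a model of strict vs lenient tokens.

A DES key is 8 bytes. In each byte only the high 7 bits are key material;
the low bit is a parity bit chosen so every byte has an odd number of 1 bits.
A token that enforces the rule rejects a key whose bytes are not odd parity,
which is the "DES key parity wrong" / CKR_ATTRIBUTE_VALUE_INVALID seen above.
"""
import os


def has_odd_parity(byte: int) -> bool:
    """True when the byte has an odd number of set bits."""
    return bin(byte & 0xFF).count("1") % 2 == 1


def _check_length(key: bytes) -> None:
    # 8 bytes for single DES, 16 for two-key 3DES, 24 for three-key 3DES.
    if len(key) not in (8, 16, 24):
        raise ValueError("DES/3DES keys are 8, 16 or 24 bytes, got %d" % len(key))


def bad_parity_bytes(key: bytes) -> list:
    """Return the indexes of all key bytes whose parity is wrong ([] if OK)."""
    _check_length(key)
    return [i for i, b in enumerate(key) if not has_odd_parity(b)]


def fix_des_parity(key: bytes) -> bytes:
    """Return the key with each low bit set so the byte has odd parity.

    The 7 key-material bits of every byte are left untouched, so a key
    that already has correct parity comes back unchanged.
    """
    _check_length(key)
    out = bytearray()
    for b in key:
        high7 = b & 0xFE                       # key material only
        out.append(high7 if has_odd_parity(high7) else high7 | 0x01)
    return bytes(out)


def generate_des_key(nbytes: int = 8) -> bytes:
    """Fresh random DES/3DES key with parity already correct on output."""
    return fix_des_parity(os.urandom(nbytes))


def unwrap_policy(key: bytes, strict: bool):
    """Model of what a PKCS#11 token does with an unwrapped DES key.

    strict=True  : behave like the HSM in this bug, reject bad parity (None).
    strict=False : behave like softoken, accept the key and normalise parity.
    """
    if bad_parity_bytes(key):
        return None if strict else fix_des_parity(key)
    return key


if __name__ == "__main__":
    # Constructed sample: first and last byte have even parity (bad).
    bad_key = bytes.fromhex("0023456789abcdee")
    print("bad bytes at", bad_parity_bytes(bad_key))        # [0, 7]
    print("repaired   ", fix_des_parity(bad_key).hex())     # 0123456789abcdef
    print("strict HSM ", unwrap_policy(bad_key, strict=True))    # None
    print("softoken   ", unwrap_policy(bad_key, strict=False).hex())
    print("random key ", generate_des_key(24).hex(), bad_parity_bytes(generate_des_key(24)))
```

Running the script prints the two offending byte positions of the constructed key, the parity-corrected form, and the differing outcomes for a strict and a lenient token. Only the parity bits change under repair, so a correctly formed key always round-trips unchanged; that is the same guarantee softoken gives on output.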
This is not a CS bug. The HSM does not accept DES keys with bad parity generated by the Cisco router.
Release notes: http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.1/html/Release_Notes/Release_Notes-Known_Issues-new.html
Changing old ON_QA bugs to closed (since they've long since been published).