dogtagpki / jss

Network Security Services for Java is a Java interface to NSS
https://dogtagpki.github.io/jss

pkispawn fails to create a CA with a YubiHSM, in JSS - org.mozilla.jss.NoSuchTokenException: No such token: YubiHSM #682

Open msauton opened 3 years ago

msauton commented 3 years ago

pkispawn fails to create a CA with a YubiHSM, in JSS org.mozilla.jss.NoSuchTokenException: No such token: YubiHSM

but the device is accessible by NSS.

details

F33 yubihsm-connector-2.2.0-2.fc33.x86_64 yubihsm-shell-2.0.3-1.fc33.x86_64

mkdir yubihsm2-sdk.f33.dir
cd yubihsm2-sdk.f33.dir
wget https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2021-03-fedora33-amd64.tar.gz
tar zxf yubihsm2-sdk-2021-03-fedora33-amd64.tar.gz
yum localinstall -y ./yubihsm2-sdk/*.rpm
# shell 1 - run yubihsm-connector
systemctl stop firewalld.service
yubihsm-connector -l 192.168.7.108:12345 -d
# shell 2 
mkdir /etc/yubico
chmod 755 /etc/yubico
chown root:root /etc/yubico
chcon system_u:object_r:etc_t:s0 /etc/yubico

cat << EOF > /etc/yubico/yubihsm_pkcs11.conf
# This is a sample configuration file for the YubiHSM PKCS#11 module
# Uncomment the various options as needed

# URL of the connector to use. This can be a comma-separated list
connector = http://192.168.7.108:12345

# Enables general debug output in the module
debug

# Enables function tracing (ingress/egress) debug output in the module
dinout

# Enables libyubihsm debug output in the module
libdebug

# Redirects the debug output to a specific file. The file is created
# if it does not exist. The content is appended
debug-file = /var/tmp/yubihsm_pkcs11_debug

# CA certificate to use for HTTPS validation. Point this variable to
# a file containing one or more certificates to use when verifying
# a peer. Currently not supported on Windows
#
# cacert = /tmp/cacert.pem

# Proxy server to use for the connector
# Currently not supported on Windows
#
# proxy = http://proxyserver.local.com:8080

# Timeout in seconds to use for the initial connection to the connector
# timeout = 5
EOF

chcon system_u:object_r:etc_t:s0 /etc/yubico/yubihsm_pkcs11.conf
ls -lZ /etc/yubico/yubihsm_pkcs11.conf
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0 991 Mar 16 15:11 /etc/yubico/yubihsm_pkcs11.conf

cat << EOF >> ~/.bashrc
export YUBIHSM_PKCS11_CONF=/etc/yubico/yubihsm_pkcs11.conf
export YUBIHSM_PKCS11_MODULE=/usr/lib64/pkcs11/yubihsm_pkcs11.so
EOF

. ~/.bashrc

ls -lZ $YUBIHSM_PKCS11_CONF $YUBIHSM_PKCS11_MODULE
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0    991 Mar 16 15:11 /etc/yubico/yubihsm_pkcs11.conf
-rwxr-xr-x. 4 root root system_u:object_r:lib_t:s0 317568 Jan  1  1970 /usr/lib64/pkcs11/yubihsm_pkcs11.so

# test
pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --test --pin 0001password
pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so -l --pin 0001password --list-token-slots
pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so -l --pin 0001password --list-objects

(
FAIL example - uninitialized YUBIHSM_PKCS11_CONF YUBIHSM_PKCS11_MODULE
or missing config file in YUBIHSM_PKCS11_CONF
->
echo $YUBIHSM_PKCS11_CONF $YUBIHSM_PKCS11_MODULE
[root@f33vm1 yubihsm2-sdk]#

pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --pin 0001password -t
error: PKCS11 function C_Initialize failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.
)

# test
yubihsm-shell --connector http://192.168.7.108:12345
connect
session open 1 password
list objects 0
^c

Setting up PKI:

groupadd -r ldapgroup1
useradd -r -g  ldapgroup1 ldapuser1
grep ldap /etc/passwd /etc/group
dscreate create-template ~/ds.template.txt
sed -e 's/;root_password = .*/root_password = password/g' \
    -e 's/;suffix = .*/suffix = dc=example,dc=test/g'     \
    ~/ds.template.txt > ~/ds.template.inf
dscreate from-file ~/ds.template.inf
lsof -i :389 -i :636
dsctl -l
dsctl slapd-localhost status

alternatives --config java
*+ 1           java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.10.0.9-0.fc33.x86_64/bin/java)

virt guest

cat << EOF > ~/ca1.yubihsm2.cfg
[DEFAULT]
pki_server_database_password=password

# pki_hsm_enable=True
# pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
# pki_hsm_modulename=softhsm
# pki_token_name=Dogtag
# pki_token_password=redhat123

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/pkcs11/yubihsm_pkcs11.so
pki_hsm_modulename=yubihsm2
pki_token_name=YubiHSM
pki_token_password=0001password

[CA]
pki_admin_email=caadmin@example.test
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=password
pki_admin_uid=caadmin

pki_client_database_password=password
pki_client_database_purge=False
pki_client_pkcs12_password=password

pki_ds_hostname=f33vm1.example.test
pki_ds_ldap_port=389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=password
pki_ds_base_dn=dc=pki,dc=example,dc=test

pki_security_domain_name=ca1hsm

pki_ca_signing_token=YubiHSM
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_token=YubiHSM
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_token=YubiHSM
pki_audit_signing_nickname=ca_audit_signing
pki_ssl_server_token=internal
pki_sslserver_token=internal
pki_sslserver_nickname=sslserver
pki_subsystem_token=YubiHSM
pki_subsystem_nickname=subsystem

EOF

# if needed
pkidestroy -s CA --force

pkispawn -f /root/ca1.yubihsm2.cfg -s CA --debug 2>&1 | tee ~/ca1.yubihsm2.pkispawn.out.txt
...
INFO: Getting sslserver cert info from CS.cfg
INFO: Getting sslserver cert info from NSS database
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmppupxfqmt/password.txt -n sslserver -a
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpp9in5_bt/password.txt
INFO: Setting up signing certificate
/usr/lib/python3.9/site-packages/urllib3/connection.py:377: SubjectAltNameWarning: Certificate for f33vm1.example.test has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
  warnings.warn(

Installation failed:
<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> org.mozilla.jss.NoSuchTokenException: No such token: YubiHSM</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>org.jboss.resteasy.spi.UnhandledException: org.mozilla.jss.NoSuchTokenException: No such token: YubiHSM
        org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
        org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
        org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422)
        org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
        org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:733)

less /var/log/pki/pki-ca-spawn.20210316155334.log
2021-03-16 15:53:34 INFO: Connecting to LDAP server at ldap://f33vm1.example.test:389
2021-03-16 15:53:34 INFO: Connecting to LDAP server at ldap://f33vm1.example.test:389
2021-03-16 15:53:34 DEBUG: Installing Maven dependencies: False
2021-03-16 15:53:34 INFO: BEGIN spawning CA subsystem in pki-tomcat instance
2021-03-16 15:53:34 INFO: Loading instance: pki-tomcat
...
2021-03-16 15:53:50 DEBUG: Command: /usr/sbin/runuser -u pkiuser -- /usr/bin/env java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.redhat.fips=false org.dogtagpki.server.cli.PKIServerCLI ca-profile-import --input-folder /usr/share/pki/ca/profiles/ca --debug
2021-03-16 15:53:53 INFO: Starting server
2021-03-16 15:53:53 DEBUG: Command: systemctl start pki-tomcatd@pki-tomcat.service
2021-03-16 15:53:55 INFO: FIPS mode: False
2021-03-16 15:53:56 INFO: Waiting for CA subsystem to start (1s)
2021-03-16 15:53:57 INFO: Waiting for CA subsystem to start (2s)
2021-03-16 15:54:05 INFO: Subsystem status: running
2021-03-16 15:54:05 INFO: Getting sslserver cert info from CS.cfg
2021-03-16 15:54:05 INFO: Getting sslserver cert info from NSS database
2021-03-16 15:54:05 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmppupxfqmt/password.txt -n sslserver -a
2021-03-16 15:54:06 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpp9in5_bt/password.txt
2021-03-16 15:54:06 INFO: Setting up signing certificate
(END)

and the YubiHSM is accessible to the O.S. via pkcs11-tool and modutil:

pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --pin 0001password -t
Using slot 0 with a present token (0x0)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  SHA-1: OK
Signatures (currently only for RSA)
Signatures: no private key found in this slot
Verify (currently only for RSA)
  No private key found for testing
Decryption (currently only for RSA)
No errors
[root@f33vm1 yubihsm2-sdk]#

modutil -dbdir /etc/pki/pki-tomcat/alias -rawlist
library= name="NSS Internal PKCS #11 Module" NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})" parameters="configdir=/etc/pki/pki-tomcat/alias certPrefix= keyPrefix= secmod=secmod.db flags=readOnly "

library="/usr/lib64/pkcs11/yubihsm_pkcs11.so" name="yubihsm2"

modutil -dbdir /etc/pki/pki-tomcat/alias -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.62
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. yubihsm2
        library name: /usr/lib64/pkcs11/yubihsm_pkcs11.so
           uri: pkcs11:library-manufacturer=Yubico%20(www.yubico.com);library-description=YubiHSM%20PKCS%2311%20Library;library-version=2.10
         slots: 1 slot attached
        status: loaded

         slot: YubiHSM Connector 192.168.7.108
        token: YubiHSM
          uri: pkcs11:token=YubiHSM;manufacturer=Yubico%20(www.yubico.com);serial=13200864;model=YubiHSM

  3. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: 1 slot attached
        status: loaded

         slot: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...
        token:
          uri: pkcs11:
-----------------------------------------------------------
[root@f33vm1 yubihsm2-sdk]#

certutil -L -d sql:/var/lib/pki/pki-tomcat/alias -h YubiHSM 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "YubiHSM":
[root@f33vm1 src.dir]# 

Those 2 keys are from another test with the yubihsm-shell tool, so NSS can access the YubiHSM:

certutil -K -d sql:/var/lib/pki/pki-tomcat/alias -h YubiHSM
certutil: Checking token "YubiHSM" in slot "YubiHSM Connector 192.168.7.108"
Enter Password or Pin for "YubiHSM":
< 0> rsa      0401                                       label_rsa_sign
< 1> ec       0204                                       label_ecdsa_test
[root@f33vm1 src.dir]# 

./jss/org/mozilla/jss/CryptoManager.java
...  
     * Looks up the CryptoToken with the given name.  Searches all
     * loaded cryptographic modules for the token.
     *
     * @param name The name of the token.
     * @return The token.
     * @exception org.mozilla.jss.NoSuchTokenException If no token
     *  is found with the given name.
     */
    public synchronized CryptoToken getTokenByName(String name)
        throws NoSuchTokenException
    {   
        Enumeration<CryptoToken> tokens = getAllTokens();
        CryptoToken token;

        while(tokens.hasMoreElements()) {
            token = tokens.nextElement();
            try {
                if( name.equals(token.getName()) ) {
                    return token;
                }
            } catch( TokenException e ) {
                throw new RuntimeException(e);
            }
        }
        throw new NoSuchTokenException("No such token: " + name);
    }
...

Tried to attach jdb with a breakpoint on getTokenByName from ./jss/org/mozilla/jss/CryptoManager.java but could not connect at the right moment during pkispawn; there is a connection reset once, then it can connect a second time, but the application just exited on the exception.

Tried several times, but could not attach:

jdb -attach 8000 -sourcepath /root/src.dir/jss/ stop at org.mozilla.jss.getTokenByName:170

(edit: ascheel June 6th, 2022 for formatting)

robreardon commented 2 years ago

Hi,

Not sure if you ever resolved this but I encountered the same issue and managed to get past it by adding the location of the YubiHSM configuration file to /usr/share/pki/etc/pki.conf:

YUBIHSM_PKCS11_CONF=/etc/yubihsm_pkcs11.conf
export YUBIHSM_PKCS11_CONF
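The spawn log above shows the CA code running as `runuser -u pkiuser -- java ...`, so an export that lives only in root's `~/.bashrc` never reaches the process in which JSS loads the module, which is consistent with the fix in this comment. The following preflight script is an added example, not from the jss project or from either post; it assumes `/usr/share/pki/etc/pki.conf` (the path given in the comment above) is where the instance environment is read from, and the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Added preflight check; not part of the jss project or of the commands in this thread.
# Assumptions: the module config lives where YUBIHSM_PKCS11_CONF points (as above) and
# /usr/share/pki/etc/pki.conf is the file pkispawn's Tomcat environment is read from
# (path from the comment above). Files used in the examples below are constructed.

# 0 if the PKCS#11 module config exists, is readable and names a connector;
# without it C_Initialize fails (CKR_FUNCTION_FAILED in the report's FAIL example).
check_yubihsm_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing config: $conf"; return 1; }
    [ -r "$conf" ] || { echo "unreadable config: $conf"; return 1; }
    grep -Eq '^[[:space:]]*connector[[:space:]]*=' "$conf" \
        || { echo "no 'connector =' line in $conf"; return 1; }
}

# 0 if pki.conf both sets and exports VAR. A value only in root's ~/.bashrc never
# reaches the "runuser -u pkiuser -- java ..." process that JSS loads the module in.
pki_conf_exports_var() {
    pkiconf="$1"; var="$2"
    # form 1: "export VAR=value"
    grep -Eq "^[[:space:]]*export[[:space:]]+$var=" "$pkiconf" && return 0
    # form 2: "VAR=value" plus a separate "export VAR" (the form in the comment above)
    grep -Eq "^[[:space:]]*$var=" "$pkiconf" \
        && grep -Eq "^[[:space:]]*export[[:space:]]+$var([[:space:]]|$)" "$pkiconf"
}

# 0 if a saved "modutil -dbdir <alias> -list" listing shows a "token:" line whose
# name exactly matches pki_token_name (here YubiHSM); getTokenByName compares by name.
token_listed() {
    listing="$1"; token="$2"
    grep -Eq "^[[:space:]]*token:[[:space:]]*$token[[:space:]]*$" "$listing"
}

# Run all three against the live host before pkispawn (needs root and modutil).
preflight() {
    check_yubihsm_conf "${YUBIHSM_PKCS11_CONF:-/etc/yubico/yubihsm_pkcs11.conf}" || return 1
    pki_conf_exports_var /usr/share/pki/etc/pki.conf YUBIHSM_PKCS11_CONF \
        || { echo "YUBIHSM_PKCS11_CONF is not exported from /usr/share/pki/etc/pki.conf"; return 1; }
    listing=$(mktemp)
    modutil -dbdir /etc/pki/pki-tomcat/alias -list > "$listing" 2>&1
    token_listed "$listing" YubiHSM || { echo "no token named YubiHSM in NSS module list"; cat "$listing"; return 1; }
    rm -f "$listing"
    echo "preflight OK"
}
```

Source the file and call `preflight` as root on the host before running `pkispawn`; each failing check prints the condition that would otherwise surface later as the NoSuchTokenException.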