dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

pkispawn cannot deploy with a HSM using a different password than the NSS database password #4052

Closed rcritten closed 2 years ago

rcritten commented 2 years ago

Quite a lot of methods in base/common/python/pki/nssdb.py contain code like this to generate the pki command:

        elif self.password_file:
            cmd.extend(['-C', self.password_file])

password_file is generated in __init__() with the NSS database password.

Instead the password file should be generated based on the token requested.

        tmpdir = tempfile.mkdtemp()
        password_file = self.get_password_file(tmpdir, token)

Note that there is also self.token; I didn't dig into whether that makes a difference or not. Many methods take token as an argument.

This, for example, will fail early in pkispawn trying to generate the CA signing key stored in an HSM because the token password will be wrong unless it is the same as the NSS database password.
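Added illustration, not the project's code: a small model of the two password-file schemes described above, run against a constructed password store. The `hardware-<token>` key naming and the INTERNAL_TOKEN_NAMES set are assumptions; the command flags (`-d`, `-C`, `--token`, `nss-key-create`) are the ones that appear in the traceback later in this thread.

```python
import os
import tempfile

# Constructed password store (not the project's code). It mirrors the
# password.conf layout as assumed here: NSS database password under
# "internal", each HSM token password under "hardware-<token>".
PASSWORDS = {"internal": "nss-db-secret",
             "hardware-softhsm_token": "token-secret"}

INTERNAL_TOKEN_NAMES = {None, "", "internal", "Internal Key Storage Token"}

def get_password(passwords, token):
    """Password for the requested token; NSS database password otherwise."""
    if token in INTERNAL_TOKEN_NAMES:
        return passwords["internal"]
    return passwords["hardware-" + token]

def write_password_file(tmpdir, password):
    """Write one password to a 0600 file and return its path."""
    path = os.path.join(tmpdir, "password.txt")
    with open(path, "w") as f:
        f.write(password)
    os.chmod(path, 0o600)
    return path

def build_cmd(nssdb_dir, password_file, token):
    """Assemble the pki nss-key-create command as the traceback shows it."""
    cmd = ["pki", "-d", nssdb_dir, "-C", password_file]
    if token not in INTERNAL_TOKEN_NAMES:
        cmd.extend(["--token", token])
    cmd.extend(["nss-key-create", "--key-type", "RSA", "--key-size", "3072"])
    return cmd

def password_handed_to_pki(cmd):
    """Read back whatever password the -C file would give to pki."""
    with open(cmd[cmd.index("-C") + 1]) as f:
        return f.read()

def compare(token, nssdb_dir="/etc/pki/pki-tomcat/alias"):
    """Return (buggy, fixed): the password pki receives under each scheme."""
    # Reported behaviour: a single file made in __init__ from the NSS
    # database password and reused for every token.
    db_file = write_password_file(tempfile.mkdtemp(), PASSWORDS["internal"])
    buggy = password_handed_to_pki(build_cmd(nssdb_dir, db_file, token))
    # Suggested fix: generate the password file for the requested token.
    tok_file = write_password_file(tempfile.mkdtemp(), get_password(PASSWORDS, token))
    fixed = password_handed_to_pki(build_cmd(nssdb_dir, tok_file, token))
    return buggy, fixed
```

For an HSM token the first scheme hands pki the NSS database password, which is exactly the mismatch the report describes; for the internal token both schemes agree.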

rcritten commented 2 years ago

I'm using dogtag-pki-ca-11.2.0-0.3.beta2.fc37 but the code looks the same in master.

edewata commented 2 years ago

https://bugzilla.redhat.com/show_bug.cgi?id=2087105

edewata commented 2 years ago

It depends on how the NSSDatabase object is created. If it's created specifically for a particular token, it will only need a single password, which is for that token only. If it's created for multiple tokens, it will need the passwords for all tokens. If you have a stack trace we can take a look at what's going on.

Please note that the issue that you reported in the Bugzilla above might be caused by the lack of SoftHSM support: https://github.com/dogtagpki/pki/issues/3204

rcritten commented 2 years ago

I'm not creating the NSSDatabase object, pkispawn is.

INFO: Getting signing cert info from NSS database
DEBUG: NSSDatabase.get_cert_info(caSigningCert cert-pki-ca) begins
DEBUG: NSSDatabase.get_cert(caSigningCert cert-pki-ca) begins
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -h softhsm_token -f /tmp/tmpcvo0bwtf/password.txt -n softhsm_token:caSigningCert cert-pki-ca -a
DEBUG: Cert not found: caSigningCert cert-pki-ca
DEBUG: PKIDeployer.setup_system_cert()
DEBUG: NSSDatabase.get_cert_info(caSigningCert cert-pki-ca) begins
DEBUG: NSSDatabase.get_cert(caSigningCert cert-pki-ca) begins
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -h softhsm_token -f /tmp/tmpo70084pc/password.txt -n softhsm_token:caSigningCert cert-pki-ca -a
DEBUG: Cert not found: caSigningCert cert-pki-ca
INFO: signing cert does not exist in NSS database
INFO: Creating signing key
DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -C /tmp/tmpu335ortf/password.txt --token softhsm_token nss-key-create --output-format json --key-type RSA --key-size 3072 --debug
CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/tmp/tmpu335ortf/password.txt', '--token', 'softhsm_token', 'nss-key-create', '--output-format', 'json', '--key-type', 'RSA', '--key-size', '3072', '--debug']' returned non-zero exit status 255.
  File "/usr/lib/python3.10/site-packages/pki/server/pkispawn.py", line 589, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.10/site-packages/pki/server/deployment/scriptlets/configuration.py", line 639, in spawn
    system_certs = deployer.setup_system_certs(nssdb, subsystem)
  File "/usr/lib/python3.10/site-packages/pki/server/deployment/__init__.py", line 1557, in setup_system_certs
    self.setup_system_cert(nssdb, subsystem, tag, system_cert, request)
  File "/usr/lib/python3.10/site-packages/pki/server/deployment/__init__.py", line 1430, in setup_system_cert
    request.systemCert.keyID = self.create_cert_key(subsystem, tag, request)
  File "/usr/lib/python3.10/site-packages/pki/server/deployment/__init__.py", line 1043, in create_cert_key
    result = nssdb.create_key(
  File "/usr/lib/python3.10/site-packages/pki/nssdb.py", line 557, in create_key
    result = self.run(cmd, capture_output=True, check=True, text=True)
  File "/usr/lib/python3.10/site-packages/pki/nssdb.py", line 236, in run
    return subprocess.run(
  File "/usr/lib64/python3.10/subprocess.py", line 524, in run
    raise CalledProcessError(retcode, process.args,

Installation failed: Command failed: pki -d /etc/pki/pki-tomcat/alias -C /tmp/tmpu335ortf/password.txt --token softhsm_token nss-key-create --output-format json --key-type RSA --key-size 3072 --debug

The value in /tmp/tmpu335ortf/password.txt is the NSS database password, not the token password.

rcritten commented 2 years ago

I'm going to mark this as done due to fd19666e0655975c2d30feba63753ef40005b1b8