Open l4z41 opened 1 year ago
Found this similar bug and this for the ipa-advice.
Just for further information: `modutil -dbdir /etc/pki/pki-tomcat/alias -list` on the failed execution lists the Nitrokey, the same as SoftHSM, through p11-kit-proxy:

```
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.83
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services
	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
	library name: p11-kit-proxy.so
	 uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
	 slots: 2 slots attached
	status: loaded

	 slot: Nitrokey Nitrokey HSM (DENK03007820000 ) 00 00
	token: SmartCard-HSM (UserPIN)
	  uri: pkcs11:token=SmartCard-HSM%20(UserPIN);manufacturer=www.CardContact.de;serial=DENK0300782;model=PKCS%2315%20emulated

	 slot: SoftHSM slot ID 0x0
	token:
	  uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2
-----------------------------------------------------------
```
I could disable p11-kit for modutil, so it doesn't activate twice, via `/usr/share/p11-kit/modules/opensc.module`:

```
module: opensc-pkcs11.so
disable-in: modutil
```
but with that I'm getting the following error:

```
NoSuchTokenException: No such token: SmartCard-HSM (UserPIN)
ERROR: CalledProcessError: Command '['/usr/sbin/runuser', '-u', 'pkiuser', '--', '/usr/lib/jvm/jre-17-openjdk/bin/java', '-classpath', '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*', '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory', '-Dcatalina.base=/var/lib/pki/pki-tomcat', '-Dcatalina.home=/usr/share/tomcat', '-Djava.endorsed.dirs=', '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp', '-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties', '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager', '-Dcom.redhat.fips=false', 'org.dogtagpki.server.cli.PKIServerCLI', 'ca-db-remove', '--force']' returned non-zero exit status 255.
  File "/usr/lib/python3.12/site-packages/pki/server/pkispawn.py", line 588, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/scriptlets/configuration.py", line 198, in spawn
    deployer.setup_database(subsystem)
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 788, in setup_database
    subsystem.remove_database(force=True)
  File "/usr/lib/python3.12/site-packages/pki/server/subsystem.py", line 1125, in remove_database
    self.run(cmd, as_current_user=as_current_user)
  File "/usr/lib/python3.12/site-packages/pki/server/subsystem.py", line 1932, in run
    return subprocess.run(
           ^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
Installation failed: Command failed: /usr/sbin/runuser -u pkiuser -- /usr/lib/jvm/jre-17-openjdk/bin/java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.redhat.fips=false org.dogtagpki.server.cli.PKIServerCLI ca-db-remove --force
```
The token is inserted in pki-tomcat; `modutil -dbdir /etc/pki/pki-tomcat/alias -list` shows:

```
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.98
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services
	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. nitrohsm
	library name: /usr/lib64/pkcs11/opensc-pkcs11.so
	 uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.25
	 slots: 1 slot attached
	status: loaded

	 slot: Nitrokey Nitrokey HSM (DENK03007820000 ) 00 00
	token: SmartCard-HSM (UserPIN)
	  uri: pkcs11:token=SmartCard-HSM%20(UserPIN);manufacturer=www.CardContact.de;serial=DENK0300782;model=PKCS%2315%20emulated

  3. p11-kit-proxy
	library name: p11-kit-proxy.so
	 uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
	 slots: There are no slots attached to this module
	status: loaded
-----------------------------------------------------------
```
Any idea how to move forward in debugging?
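Added example (not code from Dogtag, FreeIPA, OpenSC or p11-kit): a small parser for the `modutil -list` format shown in the two listings above. It records which module (direct OpenSC library or p11-kit-proxy) exposes which token label, so you can check whether the label passed to `modutil -add` / expected by pkispawn (`SmartCard-HSM (UserPIN)`) is present at all, and whether it is reachable twice, once directly and once through the proxy, which is the "activates twice" situation the `disable-in: modutil` setting is meant to avoid. The embedded listing is a constructed sample modelled on this issue, with a SoftHSM slot whose token label is empty to show that empty labels are skipped; the function and class names are this example's own.

```python
"""Parse `modutil -dbdir <dir> -list` output and report which PKCS#11 module
exposes which token label.  Added example; not Dogtag, FreeIPA or p11-kit code."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the listings in this issue: OpenSC loaded
# directly as "nitrohsm" and the same token reachable again through
# p11-kit-proxy, plus a SoftHSM slot whose token label is empty.
SAMPLE_LISTING = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-version=3.98
	 slots: 1 slot attached
	status: loaded

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation

  2. nitrohsm
	library name: /usr/lib64/pkcs11/opensc-pkcs11.so
	 uri: pkcs11:library-manufacturer=OpenSC%20Project;library-version=0.25
	 slots: 1 slot attached
	status: loaded

	 slot: Nitrokey Nitrokey HSM (DENK03007820000 ) 00 00
	token: SmartCard-HSM (UserPIN)
	  uri: pkcs11:token=SmartCard-HSM%20(UserPIN);manufacturer=www.CardContact.de

  3. p11-kit-proxy
	library name: p11-kit-proxy.so
	 uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-version=1.1
	 slots: 2 slots attached
	status: loaded

	 slot: Nitrokey Nitrokey HSM (DENK03007820000 ) 00 00
	token: SmartCard-HSM (UserPIN)
	  uri: pkcs11:token=SmartCard-HSM%20(UserPIN);manufacturer=www.CardContact.de

	 slot: SoftHSM slot ID 0x0
	token:
	  uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2
-----------------------------------------------------------
"""


@dataclass
class Slot:
    description: str
    token: str = ""   # empty when the slot holds no token (e.g. an empty SoftHSM slot)
    uri: str = ""


@dataclass
class Module:
    name: str
    library: str = ""  # from "library name:"; the NSS internal module has none
    uri: str = ""
    status: str = ""
    slots: list = field(default_factory=list)


MODULE_LINE = re.compile(r"^(\d+)\.\s+(.+)$")   # e.g. "  2. nitrohsm"


def parse_modutil_list(text):
    """Return the modules in a `modutil -list` listing, each with its slots."""
    modules, module, slot = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----") or line.startswith("Listing of"):
            continue
        m = MODULE_LINE.match(line)
        if m:
            module, slot = Module(name=m.group(2).strip()), None
            modules.append(module)
            continue
        if module is None:
            continue                      # text before the first module entry
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "library name":
            module.library = value
        elif key == "status":
            module.status = value
        elif key == "slot":               # a new slot begins; later lines belong to it
            slot = Slot(description=value)
            module.slots.append(slot)
        elif key == "token" and slot is not None:
            slot.token = value            # "" for an empty slot
        elif key == "uri":                # module URI before any slot, slot URI after
            if slot is None:
                module.uri = value
            else:
                slot.uri = value
    return modules


def modules_providing(modules, token_label):
    """Names of the modules through which NSS would see `token_label`."""
    return [m.name for m in modules if any(s.token == token_label for s in m.slots)]


def duplicate_tokens(modules):
    """Token labels reachable through more than one module (empty labels ignored)."""
    seen = {}
    for m in modules:
        for s in m.slots:
            if s.token:
                seen.setdefault(s.token, []).append(m.name)
    return {label: names for label, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    mods = parse_modutil_list(SAMPLE_LISTING)
    for m in mods:
        print(f"{m.name}: {m.library or '(builtin)'} -> {[s.token for s in m.slots]}")
    for label, names in duplicate_tokens(mods).items():
        print(f"WARNING: token {label!r} is exposed by several modules: {names}")
```

To run it against a real database, feed the output of `modutil -dbdir /etc/pki/pki-tomcat/alias -list` to `parse_modutil_list` instead of the sample; an empty result from `modules_providing(mods, "SmartCard-HSM (UserPIN)")` matches the `NoSuchTokenException` case, and a non-empty `duplicate_tokens` result matches the case where the proxy and the direct module both expose the HSM.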
Hello guys,
I'm trying to initialize FreeIPA with Dogtag PKI including a Nitrokey HSM 2, which is my cheap option to experiment with an HSM instead of the expensive enterprise variants. The Dogtag wiki lists the HSM, so I thought to give it a try on CentOS 8 Stream!
It uses OpenSC

```
dnf install opensc
```
and supports PKCS#11. After a quick example HSM initialization this one is ready for usage:

```
$ sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219
```

or

```
$ pkcs11-tool --module /usr/lib64/opensc-pkcs11.so --init-token --init-pin --so-pin=3537363231383830 --new-pin=648219 --label="test" --pin=648219
```
New certs can be put in as in this example:

```
$ pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -l --pin 648219 --keypairgen --key-type rsa:1024 --id 10
```
Under modules it will be listed and is ready for usage:

```
$ p11-kit list-modules
```
The only documentation I found is Installing CA with HSM, which needs a directory service in place:

```
dscreate interactive
```
Afterwards the PKI could not be spawned, as it fails:

```
$ pkispawn -f /opt/ca.cfg -s CA
```
The following configuration file with HSM options was used, with the correct `pki_ds_password` from the prior initialization given. It stops at executing the following command:

```
modutil -dbdir /etc/pki/pki-tomcat/alias -nocertdb -add 'SmartCard-HSM (UserPIN)' -libfile /usr/lib64/opensc-pkcs11.so -force
```

I cannot resolve it, and through p11-kit the module is available. Please elaborate on how to continue.