dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

SCEP protocol is not working #4786

Closed fmarco76 closed 2 months ago

fmarco76 commented 5 months ago

SCEP protocol has started to fail on Fedora 40 after nss was upgraded to version 3.101.

E.g.: Failing github action for SCEP

After downgrading nss it works:

[root@pki ca]# rpm -qa|grep nss
openssl-libs-3.2.1-2.fc40.x86_64
nss-util-3.101.0-1.fc40.x86_64
openssl-3.2.1-2.fc40.x86_64
nss-softokn-freebl-3.101.0-1.fc40.x86_64
nss-softokn-3.101.0-1.fc40.x86_64
nss-sysinit-3.101.0-1.fc40.x86_64
nss-3.101.0-1.fc40.x86_64
nss-tools-3.101.0-1.fc40.x86_64
jansson-2.13.1-9.fc40.x86_64
apr-util-openssl-1.6.3-16.fc40.x86_64
nss-util-devel-3.101.0-1.fc40.x86_64
nss-softokn-freebl-devel-3.101.0-1.fc40.x86_64
nss-softokn-devel-3.101.0-1.fc40.x86_64
nss-devel-3.101.0-1.fc40.x86_64
[root@pki ca]# dnf downgrade nss
Last metadata expiration check: 0:54:14 ago on Thu Jun 20 09:38:54 2024.
Dependencies resolved.
=========================================================================================================================================================================
 Package                                   Architecture                         Version                                       Repository                            Size
=========================================================================================================================================================================
Downgrading:
 nss                                       x86_64                               3.98.0-1.fc40                                 fedora                               702 k
 nss-devel                                 x86_64                               3.98.0-1.fc40                                 fedora                               196 k
 nss-sysinit                               x86_64                               3.98.0-1.fc40                                 fedora                                19 k
 nss-tools                                 x86_64                               3.98.0-1.fc40                                 fedora                               538 k
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

After restarting the service, SCEP starts working.

I have modified the log message to get the original error and it is:

2024-06-20 10:23:49 [http-nio-8080-exec-2] SEVERE: failed to unwrap PKCS10 Request Subject: CN=172.18.0.4: invalid key
java.security.SignatureException: Request Subject: CN=172.18.0.4: invalid key
        at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:227)
        at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:234)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.unwrapPKCS10(CRSEnrollment.java:1295)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKCSReq(CRSEnrollment.java:1653)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:1068)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:457)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:670)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:142)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:207)
        at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:571)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
        at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:670)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)
        at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:571)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
        at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
        at org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:545)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: java.security.InvalidKeyException: Token exception occurred
        at org.mozilla.jss.provider.java.security.JSSSignatureSpi.engineInitVerify(JSSSignatureSpi.java:116)
        at java.base/java.security.Signature$Delegate.engineInitVerify(Signature.java:1333)
        at java.base/java.security.Signature.initVerify(Signature.java:505)
        at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:218)
        ... 48 more
Caused by: org.mozilla.jss.crypto.TokenException: Unable to create vfy context: (-8011) Unknown error
        at org.mozilla.jss.pkcs11.PK11Signature.initVfyContext(Native Method)
        at org.mozilla.jss.pkcs11.PK11Signature.engineInitVerify(PK11Signature.java:195)
        at org.mozilla.jss.crypto.Signature.initVerify(Signature.java:69)
        at org.mozilla.jss.provider.java.security.JSSSignatureSpi.engineInitVerify(JSSSignatureSpi.java:106)
        ... 51 more

The original error seems to come from the JSS package, but further investigation is required.
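The trace above is the useful artifact in this report: the outermost exception only says "invalid key", while the actual failure sits in the innermost "Caused by", where JSS crossed into NSS through JNI and NSS refused to create a signature verification context. As an added example (not code from the issue or from the Dogtag/JSS projects), here is a small Python triage helper that walks a Java exception chain to its root cause, pulls the parenthesised NSS error number out of the JSS message, and reports the native frame where control entered NSS. The sample trace is a shortened copy of the one in the issue, embedded as constructed input; the -8011 value is reported as a bare number, since the issue does not say which NSS error it corresponds to.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a shortened copy of the exception chain from the issue
# (class names and messages unchanged, most frames dropped).
SAMPLE_TRACE = """\
2024-06-20 10:23:49 [http-nio-8080-exec-2] SEVERE: failed to unwrap PKCS10 Request Subject: CN=172.18.0.4: invalid key
java.security.SignatureException: Request Subject: CN=172.18.0.4: invalid key
        at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:227)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.unwrapPKCS10(CRSEnrollment.java:1295)
Caused by: java.security.InvalidKeyException: Token exception occurred
        at org.mozilla.jss.provider.java.security.JSSSignatureSpi.engineInitVerify(JSSSignatureSpi.java:116)
        ... 48 more
Caused by: org.mozilla.jss.crypto.TokenException: Unable to create vfy context: (-8011) Unknown error
        at org.mozilla.jss.pkcs11.PK11Signature.initVfyContext(Native Method)
        ... 51 more
"""

# "java.foo.BarException: message" or "Caused by: java.foo.BarException: message"
EXC_RE = re.compile(
    r"^(?:Caused by: )?([A-Za-z_$][\w$.]*(?:Exception|Error|Throwable))(?:: (.*))?$"
)
# "        at pkg.Class.method(File.java:123)" or "(Native Method)"
FRAME_RE = re.compile(r"^\s+at ([^\s(]+)\((.*)\)$")
# "        ... 48 more"
ELIDED_RE = re.compile(r"^\s*\.\.\. (\d+) more$")
# JSS embeds the NSS/NSPR error number in parentheses, e.g. "(-8011)"
NSS_CODE_RE = re.compile(r"\((-\d+)\)")


def parse_exception_chain(text: str) -> List[Dict]:
    """Split a Java stack trace into its exception chain, outermost first.

    Each element has keys "exception" (class name), "message" (str or None),
    "frames" (list of (method, location) tuples) and "elided" (the N from
    "... N more"). Lines before the first exception, such as the log prefix
    line, are ignored.
    """
    chain: List[Dict] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = EXC_RE.match(line)
        if m:
            chain.append({"exception": m.group(1), "message": m.group(2),
                          "frames": [], "elided": 0})
            continue
        if not chain:
            continue  # no exception seen yet; nothing to attach frames to
        m = FRAME_RE.match(line)
        if m:
            chain[-1]["frames"].append((m.group(1), m.group(2)))
            continue
        m = ELIDED_RE.match(line)
        if m:
            chain[-1]["elided"] = int(m.group(1))
    return chain


def nss_error_code(message: Optional[str]) -> Optional[int]:
    """Return the parenthesised NSS error number from a JSS message, or None."""
    if not message:
        return None
    m = NSS_CODE_RE.search(message)
    return int(m.group(1)) if m else None


def triage(text: str) -> Dict:
    """Summarise a trace: root cause, NSS code and the JNI boundary frame."""
    chain = parse_exception_chain(text)
    if not chain:
        raise ValueError("no Java exception found in input")
    root = chain[-1]
    # Frames reported as "Native Method" are where the JVM called into NSS.
    native = [method for method, loc in root["frames"] if loc == "Native Method"]
    return {
        "depth": len(chain),
        "outer_exception": chain[0]["exception"],
        "root_exception": root["exception"],
        "root_message": root["message"],
        "nss_error_code": nss_error_code(root["message"]),
        "native_frames": native,
        "first_root_frame": root["frames"][0][0] if root["frames"] else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Feed it the full trace from the log and the summary points straight at `PK11Signature.initVfyContext` with code -8011, which is the line to compare against NSS's error table for the installed version rather than the outer "invalid key" message.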

edewata commented 2 months ago

The SCEP test is now passing with the following change, so I'm closing this ticket. https://github.com/dogtagpki/sscep/commit/73b67ab94d0293ea0c51708741488ca550685183 https://github.com/dogtagpki/pki/actions/runs/10640283007/job/29641137763