
Nitrokey HSM 2 with Dogtag PKI #4400

Open
l4z41 opened this issue Apr 5, 2023 · 3 comments

Comments


l4z41 commented Apr 5, 2023

Hello guys,

I'm trying to initialize FreeIPA with Dogtag PKI including a Nitrokey HSM 2, which is my cheap option to experiment with an HSM instead of the expensive Enterprise variants. The Dogtag wiki lists the HSM, so I thought I'd give it a try on CentOS 8 Stream!

It uses OpenSC (dnf install opensc) and supports PKCS#11. After a quick example HSM initialization, it is ready for use:
$ sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219
or
$ pkcs11-tool --module /usr/lib64/opensc-pkcs11.so --init-token --init-pin --so-pin=3537363231383830 --new-pin=648219 --label="test" --pin=648219

New certs can be added as in this example:
$ pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -l --pin 648219 --keypairgen --key-type rsa:1024 --id 10

Key pair generated:
Private Key Object; RSA
  label:      Private Key
  ID:         09
  Usage:      decrypt, sign, unwrap
  Access:     none
Public Key Object; RSA 1024 bits
  label:      Private Key
  ID:         09
  Usage:      encrypt, verify, wrap
  Access:     none

It is listed under the modules and is ready for use:
$ p11-kit list-modules

p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.20
    token: SmartCard-HSM (UserPIN)
        manufacturer: www.CardContact.de
        model: PKCS#15 emulated
        serial-number: DENK0300782
        hardware-version: 24.13
        firmware-version: 3.5
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
softhsm2: libsofthsm2.so
    library-description: Implementation of PKCS11
    library-manufacturer: SoftHSM
    library-version: 2.6
    token:
        manufacturer: SoftHSM project
        model: SoftHSM v2
        serial-number:
        hardware-version: 2.6
        firmware-version: 2.6
        flags:
               rng
               login-required
               restore-key-not-needed
               so-pin-locked
               so-pin-to-be-changed

The only documentation I found is "Installing CA with HSM", which needs a directory service in place:
dscreate interactive

Install Directory Server (interactive mode)
===========================================

Enter system's hostname [root-ca.example.de]:

Enter the instance name [root-ca]:

Enter port number [389]:

Create self-signed certificate database [yes]:

Enter secure port number [636]:

Enter Directory Manager DN [cn=Directory Manager]:

Enter the Directory Manager password:
Confirm the Directory Manager Password:

Enter the database suffix (or enter "none" to skip) [dc=root-ca,dc=example,dc=de]:

Create sample entries in the suffix [no]:

Create just the top suffix entry [no]:

Do you want to start the instance after the installation? [yes]:

Are you ready to install? [no]: yes
Starting installation ...
Validate installation settings ...
Create file system structures ...
Create self-signed certificate database ...
Perform SELinux labeling ...
Create database backend: dc=root-ca,dc=example,dc=de ...
Perform post-installation tasks ...
Completed installation for instance: slapd-root

Afterwards the PKI could not be spawned, as it fails:
$ pkispawn -f /opt/ca.cfg -s CA

Loading deployment configuration from /opt/ca.cfg.
Installation log: /var/log/pki/pki-ca-spawn.20230405221801.log
Installing CA into /var/lib/pki/pki-tomcat.
ERROR: Failed to add module "'SmartCard-HSM (UserPIN)'". Probable cause : "Unknown PKCS #11 error.".
CalledProcessError: Command '['modutil', '-dbdir', '/etc/pki/pki-tomcat/alias', '-nocertdb', '-add', "'SmartCard-HSM (UserPIN)'", '-libfile', '/usr/lib64/opensc-pkcs11.so', '-force']' returned non-zero exit status 22.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 106, in spawn
    deployer.mdict['pki_hsm_libfile'])
  File "/usr/lib/python3.6/site-packages/pki/nssdb.py", line 451, in add_module
    check=True)
  File "/usr/lib64/python3.6/subprocess.py", line 438, in run
    output=stdout, stderr=stderr)


Installation failed: Command failed: modutil -dbdir /etc/pki/pki-tomcat/alias -nocertdb -add 'SmartCard-HSM (UserPIN)' -libfile /usr/lib64/opensc-pkcs11.so -force

Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20230405221801.log

The following configuration file with HSM options was used, with the correct pki_ds_password from the prior initialization given.

[DEFAULT]
pki_server_database_password=Secret.123

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename='SmartCard-HSM (UserPIN)'
pki_token_name=HSM
pki_token_password=648219

[CA]
pki_admin_email=[email protected]
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=de
pki_ds_database=ca
pki_ds_password=Secret.123

pki_security_domain_name=EXAMPLE

pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_sslserver_nickname=sslserver/pki.example.de
pki_subsystem_nickname=subsystem

It stops when executing the following command:
modutil -dbdir /etc/pki/pki-tomcat/alias -nocertdb -add 'SmartCard-HSM (UserPIN)' -libfile /usr/lib64/opensc-pkcs11.so -force

WARNING: Manually adding a module while p11-kit is enabled could cause
duplicate module registration in your security database. It is suggested
to configure the module through p11-kit configuration file instead.

Type 'q <enter>' to abort, or <enter> to continue:

ERROR: Failed to add module "SmartCard-HSM (UserPIN)". Probable cause : "Unknown PKCS #11 error.".

I cannot resolve it, and through p11-kit the module is available. Please elaborate on how to continue.


l4z41 commented Apr 5, 2023

Found this similar bug and this for the ipa-advice.


l4z41 commented Apr 5, 2023

Just for further information: modutil -dbdir /etc/pki/pki-tomcat/alias -list after the failed execution lists the Nitrokey the same as SoftHSM, through p11-kit-proxy:

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.83
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: 2 slots attached
        status: loaded

         slot: Nitrokey Nitrokey HSM (DENK03007820000         ) 00 00
        token: SmartCard-HSM (UserPIN)
          uri: pkcs11:token=SmartCard-HSM%20(UserPIN);manufacturer=www.CardContact.de;serial=DENK0300782;model=PKCS%2315%20emulated

         slot: SoftHSM slot ID 0x0
        token:
          uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2
-----------------------------------------------------------


l4z41 commented Apr 9, 2024

I could disable p11-kit for modutil, so it doesn't activate twice, via /usr/share/p11-kit/modules/opensc.module:

module: opensc-pkcs11.so
disable-in: modutil

but with that I'm getting the following error:

NoSuchTokenException: No such token: SmartCard-HSM (UserPIN)
ERROR: CalledProcessError: Command '['/usr/sbin/runuser', '-u', 'pkiuser', '--', '/usr/lib/jvm/jre-17-openjdk/bin/java', '-classpath', '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*', '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory', '-Dcatalina.base=/var/lib/pki/pki-tomcat', '-Dcatalina.home=/usr/share/tomcat', '-Djava.endorsed.dirs=', '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp', '-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties', '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager', '-Dcom.redhat.fips=false', 'org.dogtagpki.server.cli.PKIServerCLI', 'ca-db-remove', '--force']' returned non-zero exit status 255.
  File "/usr/lib/python3.12/site-packages/pki/server/pkispawn.py", line 588, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/scriptlets/configuration.py", line 198, in spawn
    deployer.setup_database(subsystem)
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 788, in setup_database
    subsystem.remove_database(force=True)
  File "/usr/lib/python3.12/site-packages/pki/server/subsystem.py", line 1125, in remove_database
    self.run(cmd, as_current_user=as_current_user)
  File "/usr/lib/python3.12/site-packages/pki/server/subsystem.py", line 1932, in run
    return subprocess.run(
           ^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,


Installation failed: Command failed: /usr/sbin/runuser -u pkiuser -- /usr/lib/jvm/jre-17-openjdk/bin/java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.redhat.fips=false org.dogtagpki.server.cli.PKIServerCLI ca-db-remove --force

The token is inserted for pki-tomcat; modutil -dbdir /etc/pki/pki-tomcat/alias -list shows:

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.98
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. nitrohsm
        library name: /usr/lib64/pkcs11/opensc-pkcs11.so
           uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.25
         slots: 1 slot attached
        status: loaded

         slot: Nitrokey Nitrokey HSM (DENK03007820000         ) 00 00
        token: SmartCard-HSM (UserPIN)
          uri: pkcs11:token=SmartCard-HSM%20(UserPIN);manufacturer=www.CardContact.de;serial=DENK0300782;model=PKCS%2315%20emulated

  3. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: There are no slots attached to this module
        status: loaded
-----------------------------------------------------------

Any idea how to move forward in debugging?
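A pre-flight consistency check for the two things the posted config and modutil listing make visible, as an added example that is not part of this issue or of Dogtag: it parses a pkispawn [DEFAULT] section and the text of modutil -list, flags a pki_hsm_modulename wrapped in literal quote characters (the quotes show up inside the module name in the first error above), and flags a pki_token_name that matches no token label in the NSS database. The sample config and listing are constructed excerpts modelled on this thread, and parse_modutil_tokens / check_hsm_config are hypothetical helpers.

```python
import configparser
import re

# Constructed sample modelled on the issue's [DEFAULT] section: module name in
# literal quotes, token name that matches no token label.
SAMPLE_CFG = """[DEFAULT]
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename='SmartCard-HSM (UserPIN)'
pki_token_name=HSM
"""

# Constructed excerpt of `modutil -dbdir <alias dir> -list`, same layout as the thread.
SAMPLE_MODUTIL = """Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
        token: NSS Generic Crypto Services
  2. nitrohsm
        token: SmartCard-HSM (UserPIN)
  3. p11-kit-proxy
"""

def parse_modutil_tokens(listing):
    """Map each module name in modutil -list output to its token labels."""
    modules, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\.\s+(.*\S)\s*$", line)   # "  2. nitrohsm"
        if m:
            current = m.group(1)
            modules[current] = []
            continue
        m = re.match(r"\s*token:\s*(.*\S)?\s*$", line)  # "token: <label>"
        if m and current is not None and m.group(1):
            modules[current].append(m.group(1))
    return modules

def check_hsm_config(cfg_text, listing):
    """Return findings (hypothetical helper); an empty list means consistent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    d, findings = cp["DEFAULT"], []
    modname = d.get("pki_hsm_modulename", "")
    if modname[:1] in ("'", '"') or modname[-1:] in ("'", '"'):
        findings.append("pki_hsm_modulename carries literal quote characters; "
                        "pkispawn passes the value verbatim to modutil -add")
    labels = {t for ts in parse_modutil_tokens(listing).values() for t in ts}
    token = d.get("pki_token_name", "")
    if d.getboolean("pki_hsm_enable", False) and token not in labels:
        findings.append(f"pki_token_name={token!r} matches no token label "
                        f"in the NSS database; seen: {sorted(labels)}")
    return findings
```

Run it against the real /opt/ca.cfg and the captured modutil -list text before invoking pkispawn; an empty result means the module name and token label at least agree with what NSS can see.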
