Hello everyone, I am still in the beginning stages of setting up OpenXPKI, currently struggling just with the datasafe token, so please excuse my unfamiliarity with it and with some cryptographic concepts. I've imported my data vault certificate with openxpkiadm certificate import -file <filename>.crt, then aliased it as vault-1 using openxpkiadm alias -realm <realm name> --token datasafe -file <filename>.crt. I placed the corresponding private key in /etc/openxpki/ca/vault-1.pem, which is the correct path according to my realm's crypto.yaml. Some important context: the key is an ECC key (signed by an ECC CA), which I believe is the reason I'm having issues, since I tried the same thing with an RSA key and it worked OK. I've confirmed just about everything else: the file permissions are 400, the owner is openxpki:openxpki, the ownership of the realm configuration is openxpki:root, and I've tried leaving the key unencrypted and encrypting it with "root" and a custom password. I even followed a suggestion from another thread about enabling the Key Agreement key usage on certificates (which I believe was not related). No matter what I do, however, the vault-1 token will not change from "OFFLINE." Looking into the catchall log, this is the error I see:
2020/08/07 05:47:13 openxpki.system.ERROR OpenSSL error: Error creating PKCS#7 structure
139844568491136:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
139844568491136:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
139844568491136:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
139844568491136:error:21082096:PKCS7 routines:PKCS7_RECIP_INFO_set:encryption not supported for this key type:../crypto/pkcs7/pk7_lib.c:488:
139844568491136:error:21073078:PKCS7 routines:PKCS7_encrypt:error adding recipient:../crypto/pkcs7/pk7_smime.c:458: [pid=3681|sid=ubbU]
2020/08/07 05:47:13 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 768 [pid=3681|sid=ubbU]
2020/08/07 05:47:13 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_encrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 768 [pid=3681|sid=ubbU]
2020/08/07 05:47:13 openxpki.system.ERROR OpenSSL error: Error creating PKCS#7 structure
140593297159296:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
140593297159296:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
140593297159296:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
140593297159296:error:21082096:PKCS7 routines:PKCS7_RECIP_INFO_set:encryption not supported for this key type:../crypto/pkcs7/pk7_lib.c:488:
140593297159296:error:21073078:PKCS7 routines:PKCS7_encrypt:error adding recipient:../crypto/pkcs7/pk7_smime.c:458: [pid=3681|sid=ubbU]
2020/08/07 05:47:13 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 768 [pid=3681|sid=ubbU]
2020/08/07 05:47:13 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_encrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 768 [pid=3681|sid=ubbU]

"Error creating PKCS#7 structure" and "encryption not supported for this key type" bring me to a thread (https://sourceforge.net/p/openxpki/mailman/message/36732467/) about ECC-based S/MIME failing in a token validation check (which I understand is not supported: https://mta.openssl.org/pipermail/openssl-dev/2016-May/007241.html). However, if I read the thread correctly, this issue was fixed back in version 2.5.5, yet the logs are eerily similar. I've also tried importing signing certificates using a similar method, but face what I believe is only an issue with the datavault key not working, in that openxpkiadm alias -realm <realm name> --token certsign -file <filename>.crt -key <filename>.key results in an I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED error after successfully creating an alias (I assume that is the step attempting to import the private key into the datapool).
This is the /etc/openxpki/ca/ directory:

drwxr-xr-x 2 openxpki openxpki 4096 Aug 3 05:50 <realm name>
-r-------- 1 openxpki openxpki  912 Aug 7 04:57 vault-1.crt
-r-------- 1 openxpki openxpki    4 Aug 7 05:44 vault-1.pass
-r-------- 1 openxpki openxpki  379 Aug 7 05:43 vault-1.pem

And the crypto.yaml:

type:
  certsign: ca-signer
  datasafe: vault
  scep: scep

# The actual token setup, based on current token.xml
token:
  default:
    backend: OpenXPKI::Crypto::Backend::OpenSSL

    # Template to create key, available vars are
    # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
    key: /etc/openxpki/ca/[% PKI_REALM %]/[% ALIAS %].pem

    # possible values are OpenSSL, nCipher, LunaCA
    engine: OpenSSL
    engine_section: ''
    engine_usage: ''
    key_store: OPENXPKI

    # OpenSSL binary location
    shell: /usr/bin/openssl

    # OpenSSL binary call gets wrapped with this command
    wrapper: ''

    # random file to use for OpenSSL
    randfile: /var/openxpki/rand

    # Default value for import, recorded in database, can be overridden
    secret: default

  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"

  vault:
    inherit: default
    key: /etc/openxpki/ca/[% ALIAS %].pem

  scep:
    inherit: default
    backend: OpenXPKI::Crypto::Tool::LibSCEP
    key_store: DATAPOOL
    key: "[% ALIAS %]"

# Define the secret groups
secret:
  default:
    # this let OpenXPKI use the secret of the same name from system.crypto
    # if you do not want to share the secret just replace this line with
    # the config found in system.crypto. You can create additional secrets
    # by adding similar blocks with another key
    #import: 1
    label: Default
    method: literal
    value: root

To actually ask a question: does OpenXPKI actually support ECC keys, or do only parts have limited support? I'm also fairly new to more complicated PKI, so perhaps my understanding of it is not up to snuff and I'm missing something obvious.

P.S.: Are there plans to update the documentation? It's incredibly patchy, with some information seemingly missing from some locations, e.g. the quickstart doesn't mention anything about key encryption, but the realm configuration (https://openxpki.readthedocs.io/en/stable/reference/configuration/realm.html#token-setup) explains that the key must be encrypted, so I'm not sure which it is. There are TODOs in many areas as well, unfortunately in places where more detail would be useful.

Best,
Danny
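As an added diagnostic (not part of the post above and not OpenXPKI's own code): the log's "Error creating PKCS#7 structure" is the message `openssl smime -encrypt` prints when a recipient certificate is rejected, so this script runs that same PKCS#7 encryption step against a candidate vault certificate before it is aliased. It assumes the openssl CLI (1.1.1 or newer) is installed and generates constructed, throwaway RSA and EC self-signed certificates to compare both key types.

```shell
#!/bin/sh
# Added check (not OpenXPKI code): does a candidate datasafe certificate work
# as a PKCS#7 recipient, the way OpenXPKI's pkcs7_encrypt command requires?
set -u

# Public key algorithm of a PEM certificate: "rsaEncryption" or "id-ecPublicKey".
cert_key_algo() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Exit 0 if `openssl smime -encrypt` (PKCS#7 enveloped-data, the call behind
# "Error creating PKCS#7 structure") accepts the certificate as a recipient.
pkcs7_encrypt_ok() {
    printf 'datapool test entry\n' |
        openssl smime -encrypt -aes256 -outform PEM "$1" >/dev/null 2>&1
}

# "OK" if the certificate can back the vault token, "UNUSABLE" otherwise.
vault_cert_verdict() {
    if pkcs7_encrypt_ok "$1"; then echo OK; else echo UNUSABLE; fi
}

# Constructed, self-signed throwaway certificate for the demonstration.
# $1 = output prefix, $2 = "rsa" or "ec"; writes $1.pem (key) and $1.crt.
make_test_cert() {
    case "$2" in
        rsa) algo="-newkey rsa:2048" ;;
        ec)  algo="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1" ;;
        *)   echo "unknown key type: $2" >&2; return 2 ;;
    esac
    # $algo is intentionally left unquoted so it splits into several options
    openssl req -x509 -days 1 -nodes -subj "/CN=test-vault-$2" $algo \
        -keyout "$1.pem" -out "$1.crt" >/dev/null 2>&1
}

# Run the check against an RSA and an EC certificate and print a verdict for each.
demo() {
    dir=$(mktemp -d)
    for t in rsa ec; do
        make_test_cert "$dir/vault-$t" "$t"
        printf '%-4s %-16s %s\n' "$t" "$(cert_key_algo "$dir/vault-$t.crt")" \
            "$(vault_cert_verdict "$dir/vault-$t.crt")"
    done
    rm -rf "$dir"
}

demo
```

Point `vault_cert_verdict` at your own vault-1.crt to check it directly; a certificate that prints UNUSABLE here will produce the same PKCS7_RECIP_INFO_set error from OpenXPKI.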
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
