>>Hi Steve,

>> I think I had a similar issue and I solved it by editing the crypto.yaml 
>> file of the realm as shown below.

Tried the modifications and went over my logic to make sure I wasn't missing something obvious. No matter what I do, I always get the same error: Encryption key needed to decrypt password safe entry is unavailable


I don't see where the problem lies; the error is that the file can't be found in the catchall. I feel this is one of those "you're missing something simple" errors… or in the database somewhere?


- set up the realm
- set up the tokens
- set up the secrets
- confirmed the key matches the cert


Cert Tree


. Root (ADCS)
- | SubCA (OpenSSL)
  - | Data Vault
  - | SCEP


== import logic


echo "Starting server before running import ... "
openxpkictl start
echo "Running import ... "
openxpkiadm certificate import --file "${ROOT_CA_CERTIFICATE}"
# all certs issued under SubCA need to have SubCA imported first
openxpkiadm certificate import --file "${ISSUING_CA_CERTIFICATE}" --realm "${REALM}"
# Datavault and SCEP issued under SubCA
openxpkiadm certificate import --file "${DATAVAULT_CERTIFICATE}" --realm "${REALM}" --token datasafe --key "${DATAVAULT_KEY}"
###
# Generates error, key never gets created, same for SCEP
# per https://openxpki.readthedocs.io/en/stable/operation/tokenconfig.html#issuing-certificate
###
cp "${ISSUING_CA_KEY}" "/etc/openxpki/ca/${REALM}/ca-signer-1.pem"
chown openxpki:openxpki "/etc/openxpki/ca/${REALM}/ca-signer-1.pem"
###
# link key to SubCA cert
openxpkiadm alias --realm "${REALM}" --token certsign --file "${ISSUING_CA_CERTIFICATE}" --key "${ISSUING_CA_KEY}"
sleep 1
openxpkiadm certificate import --file "${SCEP_CERTIFICATE}" --realm "${REALM}" --token scep --key "${SCEP_KEY}"




==== Output of each step


== first import data vault, fails, to replicate logic of sampleconfig.sh


root@can-lx-intca-01:~# openxpkiadm certificate import --file "${DATAVAULT_CERTIFICATE}" --realm "${REALM}" --token datasafe --key ${DATAVAULT_KEY}
Starting import
2020/10/12 10:33:50 Unable to find issuer; __query__ => $VAR1 = {
          'subject_key_identifier' => '72:17:D7:42:FE:73:DE:09:B9:7D:58:B5:16:98:E6:2E:24:B0:8D:B3'
        };
Unable to find issuer
   __query__: $VAR1 = {
          'subject_key_identifier' => '72:17:D7:42:FE:73:DE:09:B9:7D:58:B5:16:98:E6:2E:24:B0:8D:B3'
        };


=== import SubCA


root@can-lx-intca-01:~# openxpkiadm alias --realm "${REALM}" --file "${ISSUING_CA_CERTIFICATE}"
Successfully created alias in realm dev:
  Alias     : ca-signer-1
  Identifier: 6j87PRoXumH_EEamEXfVGfgidzk
  NotBefore : 2020-10-09 22:53:09
  NotAfter  : 2041-10-09 23:03:09


Token is certsign, looking for root...
Creating alias for root ca:
  Alias     : root-1
  Identifier: VkBjvHQvHV6Flt0T-ESDSm3Av4g
  NotBefore : 2020-10-05 11:52:00
  NotAfter  : 2050-10-06 11:52:00


== import data vault, key gets created on FS per crypto.yaml


root@can-lx-intca-01:~# openxpkiadm certificate import --file "${DATAVAULT_CERTIFICATE}" --realm "${REALM}" --token datasafe --key ${DATAVAULT_KEY}
Starting import
Successfully imported certificate into database:
  Subject:    CN=DEV LinuxCA Internal DataVault
  Issuer:     CN=Enterprises DEV Intermediate Linux CA,OU=PKI,O=Enterprises,C=CA
  Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
  Realm:      dev


Successfully created alias in realm dev:
  Alias     : vault-1
  Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
  NotBefore : 2020-10-09 23:27:14
  NotAfter  : 2030-10-12 23:27:14


Successfully wrote key to /etc/openxpki/ca/vault-1.pem




=== link issuing CA, import key.


root@can-lx-intca-01:~# openxpkiadm alias --realm "${REALM}" --token certsign --file "${ISSUING_CA_CERTIFICATE}" --key ${ISSUING_CA_KEY}
Successfully created alias in realm lawl_dev:
  Alias     : ca-signer-1
  Identifier: 6j87PRoXumH_EEamEXfVGfgidzk
  NotBefore : 2020-10-09 22:53:09
  NotAfter  : 2041-10-09 23:03:09


2020/10/12 13:07:30 Encryption key needed to decrypt password safe entry is unavailable
Error running command: Encryption key needed to decrypt password safe entry is unavailable at /usr/share/perl5/OpenXPKI/Client/Simple.pm line 352.


=== tail /var/log/openxpki/catchall.log


2020/10/12 13:07:20 openxpki.auth.INFO Login successful using authentication stack '_System' (user: 'anonymous', role: 'System') [pid=33186|sid=Y1Dz]
2020/10/12 13:07:30 openxpki.auth.INFO Login successful using authentication stack '_System' (user: 'anonymous', role: 'System') [pid=33188|sid=ZsEI]
2020/10/12 13:07:30 openxpki.system.ERROR OpenSSL error: 140438229632128:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file
140438229632128:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
140438229632128:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
140438229632128:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
140438229632128:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
140438229632128:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
140438229632128:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
 [pid=33188|user=anonymous|role=System|sid=ZsEI]
2020/10/12 13:07:30 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=33188|user=anonymous|role=System|sid=ZsEI]
2020/10/12 13:07:30 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=33188|user=anonymous|role=System|sid=ZsEI]
2020/10/12 13:07:30 openxpki.system.ERROR Encryption key needed to decrypt password safe entry is unavailable; __token_id__ => vault-1 [pid=33188|user=anonymous|role=System|sid=ZsEI]


=== Validation of key/cert


root@can-lx-intca-01:~# openssl pkey -in ${ISSUING_CA_KEY} -pubout -passin file:${ISSUING_CA_KEY_PASSWORD} | openssl md5
(stdin)= e1e9fc0f95f7d0efa4f327a27b405b7a
root@can-lx-intca-01:~# openssl x509 -pubkey -in ${ISSUING_CA_CERTIFICATE} -noout | openssl md5
(stdin)= e1e9fc0f95f7d0efa4f327a27b405b7a


openssl ec -in ${ISSUING_CA_KEY} -text -passin file:"${ISSUING_CA_KEY_PASSWORD}"
read EC key
Private-Key: (384 bit)
priv:
    e0:...c8
pub:
    04:...:b5
ASN1 OID: secp384r1
NIST CURVE: P-384




===== config


root@can-lx-intca-01:~# cat /etc/openxpki/config.d/realm/test1/crypto.yaml 
#Sample Mockup Config for Token config of a single realm
# The left side are fixed aliases used in the code, the right side
# are arbitrarily chosen names, referencing the tokens below.
type:
  certsign: ca-signer
  datasafe: vault
  scep: scep


# The actual token setup, based on current token.xml
token:
  default:
    backend: OpenXPKI::Crypto::Backend::OpenSSL


    # Template to create key, available vars are
    # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
    key: /etc/openxpki/ca/[% PKI_REALM %]/[% ALIAS %].pem


    # possible values are OpenSSL, nCipher, LunaCA
    engine: OpenSSL
    engine_section: ''
    engine_usage: ''
    key_store: OPENXPKI


    # OpenSSL binary location
    shell: /usr/bin/openssl


    # OpenSSL binary call gets wrapped with this command
    wrapper: ''


    # random file to use for OpenSSL
    randfile: /var/openxpki/rand


    # Default value for import, recorded in database, can be overridden
    #secret: default


#  ca-signer:
#    inherit: default
#    key_store: DATAPOOL
#    key: "[% ALIAS %]"


#  vault:
#    inherit: default
#    key: /etc/openxpki/ca/[% ALIAS %].pem


#  scep:
#    inherit: default
#    backend: OpenXPKI::Crypto::Tool::LibSCEP
#    key_store: DATAPOOL
#    key: "[% ALIAS %]"


  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: ca-signer


  vault:
    inherit: default
    key: /etc/openxpki/ca/[% ALIAS %].pem
    secret: vault


  scep:
    inherit: default
    backend: OpenXPKI::Crypto::Tool::LibSCEP
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: scep


# Define the secret groups
#Static Passwords for PEM at rest
#KeyNanny for HSM


secret:
    default:
        # this let OpenXPKI use the secret of the same name from system.crypto
        # if you do not want to share the secret just replace this line with
        # the config found in system.crypto. You can create additional secrets
        # by adding similar blocks with another key
        import: 1


    ca-signer:
        label: CA signer group
        export: 0
        method: literal
        value: AOP..eUM=


    vault:
        label: Vault group
        method: literal
        value: 9f..TAM=


    scep:
        label: SCEP group
        method: literal
        value: QUc..MQ=




_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
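The catchall log in the post ends in an OpenSSL `EVP_DecryptFinal_ex:bad decrypt` while loading the vault-1 key, which is what OpenSSL reports when an encrypted PEM key is opened with a passphrase that does not match it. As an added example (not from the original post and not OpenXPKI's own code), the POSIX shell check below takes a key file and the literal secret configured for its token in crypto.yaml, confirms the key decrypts with that secret, and confirms its public key matches the certificate it will be linked to, before the files are handed to openxpkiadm. The demo key, certificate, file names and passphrase are constructed for the run and live in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenXPKI.
# Pre-flight check for an encrypted PEM private key before importing it as a token:
#  1. does the file decrypt with the literal secret configured in crypto.yaml?
#  2. does its public key match the certificate it is being linked to?
# A passphrase mismatch surfaces in OpenSSL as "EVP_DecryptFinal_ex:bad decrypt"
# and in OpenXPKI as "unable to load signing key file".

# check_key_secret KEYFILE SECRET -> 0 if the key decrypts with SECRET, 1 otherwise
check_key_secret() {
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# check_key_matches_cert KEYFILE SECRET CERTFILE -> 0 if the public key derived
# from the private key equals the one carried in the certificate, 1 otherwise
check_key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$3" -pubkey -noout 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ]
}

# Constructed demo material: a P-384 key (same curve as in the post) encrypted with
# a demo passphrase, plus a self-signed certificate for it. Paths are temporary.
demo_dir=$(mktemp -d)
demo_secret='demo-vault-secret'
openssl ecparam -name secp384r1 -genkey -noout -out "$demo_dir/plain.pem" 2>/dev/null
openssl pkey -in "$demo_dir/plain.pem" -aes-256-cbc -passout "pass:$demo_secret" \
    -out "$demo_dir/vault-1.pem" 2>/dev/null
openssl req -new -x509 -key "$demo_dir/plain.pem" -subj "/CN=Demo DataVault" \
    -days 1 -out "$demo_dir/vault-1.crt" 2>/dev/null
rm -f "$demo_dir/plain.pem"   # only the encrypted copy should remain on disk

# Stand-alone run: report the three outcomes a practitioner wants to see.
if check_key_secret "$demo_dir/vault-1.pem" "$demo_secret"; then
    echo "vault-1.pem: decrypts with the configured secret"
fi
if ! check_key_secret "$demo_dir/vault-1.pem" 'wrong-secret'; then
    echo "vault-1.pem: wrong secret rejected (this is the 'bad decrypt' case)"
fi
if check_key_matches_cert "$demo_dir/vault-1.pem" "$demo_secret" "$demo_dir/vault-1.crt"; then
    echo "vault-1.pem: public key matches vault-1.crt"
fi
```

To check a real token, call the two functions with the key path written by openxpkiadm, the `value:` of the matching `secret:` block, and the certificate file.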
