Hi Steve,
1) if you sign the DataVault token from a SubCA you need to import the
CA chain as certificates first - this is why you get an error on the
first call to load the DV token. It is totally fine to use a self-signed
certificate for the DV as it is only a wrapper around the key material.
2) I can see different realms dev and lawl_dev in the outputs - you need
to register the DV alias for each realm to make the token available. See
the alias command on the website.
Sidenote: In v3.8, which will be released within the next few days, the
openxpkiadm command has been reworked to make alias handling somewhat
easier.
Oliver
On 12.10.20 at 19:29, Steve Downey via OpenXPKI-users wrote:
>>> Hi Steve,
>>> I think I had a similar issue and I solved it by editing the crypto.yaml
>>> file of the realm as shown below.
> Tried the modifications and went over my logic to make sure I wasn't missing
> something obvious; no matter what I do, I always get the same error: Encryption
> key needed to decrypt password safe entry is unavailable
>
> I don't see where the problem lies; the error in the catchall is that the file
> can't be found. I feel this is one of those "you're missing something simple"
> errors... or is it in the database somewhere?
>
> - set up the realm
> - set up the tokens
> - set up the secrets
> - confirmed the key matches the cert
>
> Cert Tree
>
> Root (ADCS)
>   SubCA (OpenSSL)
>     Data Vault
>     SCEP
>
> == import logic
>
> echo "Starting server before running import ... "
> openxpkictl start
> echo "Running import ... "
> openxpkiadm certificate import --file "${ROOT_CA_CERTIFICATE}"
> # all certs issued under SubCA need to have SubCA imported first
> openxpkiadm certificate import --file "${ISSUING_CA_CERTIFICATE}" --realm "${REALM}"
> # Datavault and SCEP issued under SubCA
> openxpkiadm certificate import --file "${DATAVAULT_CERTIFICATE}" --realm "${REALM}" --token datasafe --key "${DATAVAULT_KEY}"
> ###
> # Generates error, key never gets created, same for SCEP
> # per https://openxpki.readthedocs.io/en/stable/operation/tokenconfig.html#issuing-certificate
> ###
> cp "${ISSUING_CA_KEY}" "/etc/openxpki/ca/${REALM}/ca-signer-1.pem"
> chown openxpki:openxpki "/etc/openxpki/ca/${REALM}/ca-signer-1.pem"
> ###
> # link key to SubCA cert
> openxpkiadm alias --realm "${REALM}" --token certsign --file "${ISSUING_CA_CERTIFICATE}" --key "${ISSUING_CA_KEY}"
> sleep 1
> openxpkiadm certificate import --file "${SCEP_CERTIFICATE}" --realm "${REALM}" --token scep --key "${SCEP_KEY}"
>
> ==== Output of each step
>
> == first import data vault, fails, to replicate logic of sampleconfig.sh
>
> root@can-lx-intca-01:~# openxpkiadm certificate import --file "${DATAVAULT_CERTIFICATE}" --realm "${REALM}" --token datasafe --key ${DATAVAULT_KEY}
> Starting import
> 2020/10/12 10:33:50 Unable to find issuer; __query__ => $VAR1 = {
> 'subject_key_identifier' =>
> '72:17:D7:42:FE:73:DE:09:B9:7D:58:B5:16:98:E6:2E:24:B0:8D:B3'
> };
> Unable to find issuer
> __query__: $VAR1 = {
> 'subject_key_identifier' =>
> '72:17:D7:42:FE:73:DE:09:B9:7D:58:B5:16:98:E6:2E:24:B0:8D:B3'
> };
>
> === import SubCA
>
> root@can-lx-intca-01:~# openxpkiadm alias --realm "${REALM}" --file "${ISSUING_CA_CERTIFICATE}"
> Successfully created alias in realm dev:
> Alias : ca-signer-1
> Identifier: 6j87PRoXumH_EEamEXfVGfgidzk
> NotBefore : 2020-10-09 22:53:09
> NotAfter : 2041-10-09 23:03:09
>
>
> Token is certsign, looking for root...
> Creating alias for root ca:
> Alias : root-1
> Identifier: VkBjvHQvHV6Flt0T-ESDSm3Av4g
> NotBefore : 2020-10-05 11:52:00
> NotAfter : 2050-10-06 11:52:00
>
> == import data vault, key gets created on FS per crypto.yaml
>
> root@can-lx-intca-01:~# openxpkiadm certificate import --file "${DATAVAULT_CERTIFICATE}" --realm "${REALM}" --token datasafe --key ${DATAVAULT_KEY}
> Starting import
> Successfully imported certificate into database:
> Subject: CN=DEV LinuxCA Internal DataVault
> Issuer: CN=Enterprises DEV Intermediate Linux CA,OU=PKI,O=Enterprises,C=CA
> Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
> Realm: dev
>
>
> Successfully created alias in realm dev:
> Alias : vault-1
> Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
> NotBefore : 2020-10-09 23:27:14
> NotAfter : 2030-10-12 23:27:14
>
> Successfully wrote key to /etc/openxpki/ca/vault-1.pem
>
> === link issuing CA, import key.
>
> root@can-lx-intca-01:~# openxpkiadm alias --realm "${REALM}" --token certsign --file "${ISSUING_CA_CERTIFICATE}" --key ${ISSUING_CA_KEY}
> Successfully created alias in realm lawl_dev:
> Alias : ca-signer-1
> Identifier: 6j87PRoXumH_EEamEXfVGfgidzk
> NotBefore : 2020-10-09 22:53:09
> NotAfter : 2041-10-09 23:03:09
>
> 2020/10/12 13:07:30 Encryption key needed to decrypt password safe entry is unavailable
> Error running command: Encryption key needed to decrypt password safe entry is unavailable at /usr/share/perl5/OpenXPKI/Client/Simple.pm line 352.
>
> === tail /var/log/openxpki/catchall.log
>
> 2020/10/12 13:07:20 openxpki.auth.INFO Login successful using authentication stack '_System' (user: 'anonymous', role: 'System') [pid=33186|sid=Y1Dz]
> 2020/10/12 13:07:30 openxpki.auth.INFO Login successful using authentication stack '_System' (user: 'anonymous', role: 'System') [pid=33188|sid=ZsEI]
> 2020/10/12 13:07:30 openxpki.system.ERROR OpenSSL error:
> 140438229632128:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
> unable to load signing key file
> 140438229632128:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
> 140438229632128:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
> 140438229632128:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
> 140438229632128:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
> 140438229632128:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
> 140438229632128:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
> [pid=33188|user=anonymous|role=System|sid=ZsEI]
> 2020/10/12 13:07:30 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=33188|user=anonymous|role=System|sid=ZsEI]
> 2020/10/12 13:07:30 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=33188|user=anonymous|role=System|sid=ZsEI]
> 2020/10/12 13:07:30 openxpki.system.ERROR Encryption key needed to decrypt password safe entry is unavailable; __token_id__ => vault-1 [pid=33188|user=anonymous|role=System|sid=ZsEI]
>
> === Validation of key/cert
>
> root@can-lx-intca-01:~# openssl pkey -in ${ISSUING_CA_KEY} -pubout -passin file:${ISSUING_CA_KEY_PASSWORD} | openssl md5
> (stdin)= e1e9fc0f95f7d0efa4f327a27b405b7a
> root@can-lx-intca-01:~# openssl x509 -pubkey -in ${ISSUING_CA_CERTIFICATE} -noout | openssl md5
> (stdin)= e1e9fc0f95f7d0efa4f327a27b405b7a
>
> openssl ec -in ${ISSUING_CA_KEY} -text -passin file:"${ISSUING_CA_KEY_PASSWORD}"
> read EC key
> Private-Key: (384 bit)
> priv:
> e0:...c8
> pub:
> 04:...:b5
> ASN1 OID: secp384r1
> NIST CURVE: P-384
>
> ===== config
>
> root@can-lx-intca-01:~# cat /etc/openxpki/config.d/realm/test1/crypto.yaml
> #Sample Mockup Config for Token config of a single realm
> # The left side are fixed aliases used in the code, the right side
> # are arbitrarily chosen names, referencing the tokens below.
> type:
>   certsign: ca-signer
>   datasafe: vault
>   scep: scep
>
> # The actual token setup, based on current token.xml
> token:
>   default:
>     backend: OpenXPKI::Crypto::Backend::OpenSSL
>
>     # Template to create key, available vars are
>     # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
>     key: /etc/openxpki/ca/[% PKI_REALM %]/[% ALIAS %].pem
>
>     # possible values are OpenSSL, nCipher, LunaCA
>     engine: OpenSSL
>     engine_section: ''
>     engine_usage: ''
>     key_store: OPENXPKI
>
>     # OpenSSL binary location
>     shell: /usr/bin/openssl
>
>     # OpenSSL binary call gets wrapped with this command
>     wrapper: ''
>
>     # random file to use for OpenSSL
>     randfile: /var/openxpki/rand
>
>     # Default value for import, recorded in database, can be overridden
>     #secret: default
>
>   # ca-signer:
>   #   inherit: default
>   #   key_store: DATAPOOL
>   #   key: "[% ALIAS %]"
>
>   # vault:
>   #   inherit: default
>   #   key: /etc/openxpki/ca/[% ALIAS %].pem
>
>   # scep:
>   #   inherit: default
>   #   backend: OpenXPKI::Crypto::Tool::LibSCEP
>   #   key_store: DATAPOOL
>   #   key: "[% ALIAS %]"
>
>   ca-signer:
>     inherit: default
>     key_store: DATAPOOL
>     key: "[% ALIAS %]"
>     secret: ca-signer
>
>   vault:
>     inherit: default
>     key: /etc/openxpki/ca/[% ALIAS %].pem
>     secret: vault
>
>   scep:
>     inherit: default
>     backend: OpenXPKI::Crypto::Tool::LibSCEP
>     key_store: DATAPOOL
>     key: "[% ALIAS %]"
>     secret: scep
>
> # Define the secret groups
> #Static Passwords for PEM at rest
> #KeyNanny for HSM
>
> secret:
>   default:
>     # this lets OpenXPKI use the secret of the same name from system.crypto
>     # if you do not want to share the secret just replace this line with
>     # the config found in system.crypto. You can create additional secrets
>     # by adding similar blocks with another key
>     import: 1
>
>   ca-signer:
>     label: CA signer group
>     export: 0
>     method: literal
>     value: AOP..eUM=
>
>   vault:
>     label: Vault group
>     method: literal
>     value: 9f..TAM=
>
>   scep:
>     label: SCEP group
>     method: literal
>     value: QUc..MQ=
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
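An added triage helper for the kind of output quoted above (example code written for this note, not part of OpenXPKI or of the import script in the thread): it separates the "Unable to find issuer" failure, which is the chain-order problem from point 1, from an OpenSSL "bad decrypt" raised while reading the PEM key, which means the key file was found but the token's configured secret did not decrypt it. The embedded log sample is constructed and condensed from the quoted lines, with the subject key identifier replaced by a placeholder.

```python
"""Triage OpenXPKI token-import failures from openxpkiadm output / catchall.log.
Added example for this thread, not OpenXPKI project code. Patterns come from the
quoted output; SAMPLE_LOG is constructed and condensed from it (placeholder SKI)."""
import re

SAMPLE_LOG = """\
2020/10/12 10:33:50 Unable to find issuer; __query__ => $VAR1 = { 'subject_key_identifier' => 'AA:BB:CC:DD' };
2020/10/12 13:07:30 openxpki.system.ERROR OpenSSL error:
140438229632128:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file
140438229632128:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
140438229632128:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
2020/10/12 13:07:30 openxpki.system.ERROR Encryption key needed to decrypt password safe entry is unavailable; __token_id__ => vault-1
"""
# (finding kind, regex that must match, what the operator should conclude)
RULES = [
    ("chain_order", r"Unable to find issuer",
     "issuing CA not in the database yet: import the root and SubCA certificates first"),
    # bad decrypt while PEM_read_bio_PrivateKey runs: the key file exists but the
    # passphrase handed to OpenSSL (the token's configured secret) did not unlock it
    ("key_passphrase", r"EVP_DecryptFinal_ex:bad decrypt[\s\S]*PEM_read_bio_PrivateKey",
     "PEM key file was found but the configured token secret did not decrypt it"),
    # openssl.cnf's oid_section re-registers an OID OpenSSL already knows; noise
    ("informational", r"OBJ_create:oid exists",
     "oid_section re-registers a known OID; not a key-loading failure"),
]
TOKEN_ID = re.compile(r"password safe entry is unavailable; __token_id__ => (\S+)")
SKI = re.compile(r"'subject_key_identifier'\s*=>\s*'([^']+)'")


def triage(log_text: str) -> dict:
    """Map each matched failure class to its explanation, plus the affected token
    alias and the issuer SKI OpenXPKI searched for, when the log carries them."""
    findings = {kind: why for kind, pat, why in RULES if re.search(pat, log_text)}
    if (m := TOKEN_ID.search(log_text)):
        findings["token"] = m.group(1)
    if (m := SKI.search(log_text)):
        findings["missing_issuer_ski"] = m.group(1)
    return findings


def explain(log_text: str) -> list:
    """Human-readable lines, most actionable first (fix chain order before secrets)."""
    f = triage(log_text)
    out = [f"[{k}] {f[k]}" for k in ("chain_order", "key_passphrase", "informational") if k in f]
    if "token" in f:
        out.append(f"affected token alias: {f['token']}")
    return out


if __name__ == "__main__":
    print("\n".join(explain(SAMPLE_LOG)))
```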