[Pki-devel] Fwd: Issues with recovering private keys with new TPS key recovery Features

John Magne jmagne at redhat.com
Tue Oct 15 21:34:37 UTC 2013


Hello Niranjan:

Thanks for this observation and all of the info.

Niranjan, you are correct. I was able to verify your results.
I was also able to figure out the cause and a fix.


The problem turns out to be some missing settings from the externalRegAddToToken profile.

Below I will print out what should be the minimum for this to work and will explain in-line:



op.enroll.externalRegAddToToken._000=#########################################
op.enroll.externalRegAddToToken._001=# for externalReg recovering certs/keys only
op.enroll.externalRegAddToToken._002=#########################################
op.enroll.externalRegAddToToken.auth.enable=true
op.enroll.externalRegAddToToken.auth.id=ldap1
op.enroll.externalRegAddToToken.cardmgr_instance=A0000000030000
op.enroll.externalRegAddToToken.issuerinfo.enable=true
op.enroll.externalRegAddToToken.issuerinfo.value=
op.enroll.externalRegAddToToken.loginRequest.enable=true
op.enroll.externalRegAddToToken.pkcs11obj.compress.enable=true
op.enroll.externalRegAddToToken.pkcs11obj.enable=true
op.enroll.externalRegAddToToken.tks.conn=tks1
op.enroll.externalRegAddToToken.update.applet.directory=/usr/share/pki/tps/applets
op.enroll.externalRegAddToToken.update.applet.emptyToken.enable=true
op.enroll.externalRegAddToToken.update.applet.enable=false
op.enroll.externalRegAddToToken.update.applet.encryption=true
op.enroll.externalRegAddToToken.update.applet.requiredVersion=1.4.4d40a449
op.enroll.externalRegAddToToken.update.symmetricKeys.enable=false
op.enroll.externalRegAddToToken.update.symmetricKeys.requiredVersion=1

The following are the missing settings.
These tell TPS what capabilities to grant to the keys on the token:

op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.decrypt=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.derive=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.encrypt=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.private=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.sensitive=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.sign=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.signRecover=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.token=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.unwrap=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.verify=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.verifyRecover=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.wrap=false

We also need the following setting to make sure the label of the token is set properly.
We want what is in the "cn" value in ldap. Your example was giving us the cuid value, which is a fallback.

op.enroll.externalRegAddToToken.keyGen.tokenName=$auth.cn$


I suspect we need similar settings in the deleteISEToken profile as well.

With this config, here is the output of the certutil and the smartcard utility run against my token:
Note: I chose to create this token with ONLY two recovered encryption certs.


[jmagne at localhost tests]$ certutil -d ./ -K -h "John Magne"
certutil: Checking token "John Magne" in slot "OmniKey CardMan 3121 00 00"
Enter Password or Pin for "John Magne":
< 0> rsa      01                                         encryption key for john c1
< 1> rsa      02                                         encryption key for john c2


[jmagne at localhost tests]$ ./smartcard ./
Running Smart Card tests...
Starting thread for Module COOLKEY
Waiting for card insert
SmartCardThread for COOLKEY started
Found Smart cart John Magne. running Tests
Password for John Magne?
-----Found Cert 1: UID=jmagne,O=Token Key User
  KeyType: RSA
  CertID [1] =  01
  KeyID [1] =  01
 Key can encipher... Testing enciphering
**enciphering test succeeded
-----Found Cert 2: UID=jmagne,O=Token Key User
  KeyType: RSA
  CertID [1] =  02
  KeyID [1] =  02
 Key can encipher... Testing enciphering
**enciphering test succeeded
----- Forwarded Message -----
> From: "M.R Niranjan" <mrniranjan at redhat.com>
> To: "Christina Fu" <cfu at redhat.com>
> Cc: "John Magne" <jmagne at redhat.com>, "Asha Akkiangady" <aakkiang at redhat.com>, "Roshni Pattath" <rpattath at redhat.com>
> Sent: Tuesday, October 15, 2013 2:10:57 AM
> Subject: Issues with recovering private keys with new TPS key recovery Features
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Greetings,
> 
> I am facing issues with regard to private keys recovered onto the token
> using externalRegAddToToken and delegateISEtoken token types.
> 
> Token Type: externalRegAddToToken:
> 
> 1. With the token type externalRegAddToToken, I am able to recover the
> certs specified in the certsToAdd attribute, but I could not list the
> private keys of the Cert recovered on the token
> 
> 
> Example steps:
> 
> 1. Enroll a token testuser-3 with tpsclient.
> 2. Create a registration user pkiuser2 to recover testuser-3 onto the token.
> 3. Using externalRegAddToToken, enroll the smartcard with pkiuser2 credentials.
> 4. Enrollment is successful and we could see the testuser-3 cert on the token.
> 5. But when using the certutil -K command on the token, private keys are not
> listed, and the same can be confirmed by loading the private key into the
> Firefox browser and taking a backup of the testuser-3 cert from Firefox,
> which fails.
> 
> I am attaching more detailed steps and logs of my steps for this
> procedure in file: externalRegAddToToken
> 
> 
> Token Type: delegateISEtoken
> 
> 1. Enroll a token testuser-4 with tpsclient.
> 2. Create a registration user pkiuser3 to recover testuser-4 onto the token.
> 3. Using the delegateISEtoken token type, enroll the smartcard with pkiuser3
> credentials.
> 4. Enrollment is successful and we could see the testuser-4 cert on the token.
> 
> 5. With this token type, we could see that the certs/keys of the testuser-4
> cert are also recovered, but using pk12util I am unable to export it to a
> file.
> 
> I am attaching detailed steps and logs of my steps for this procedure in
> file: delegateISEtoken
> 
> 
> Could you review and let me know if it's something I am missing or a bug.
> 
> 
> - --
> Regards
> Niranjan
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iEYEARECAAYFAlJdBqEACgkQLu3FX2BHx8fEQgCfcVs84Kx1akz2JTSqQ8GogkPy
> 0VYAoI6AwMlK0evmouxyfqa8JFVZgXD/
> =ZJ/s
> -----END PGP SIGNATURE-----
> 
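The settings listed in the reply above translate directly into a check that can be run over a TPS profile before it is rolled out. The following is an added example, not Dogtag/pki project code: it parses CS.cfg-style key=value lines and reports the keyCapabilities and keyGen.tokenName entries that are absent or that differ from the values given in the mail (the same symptoms Niranjan reported: keys present but not usable, and the token label falling back to the CUID). The profile name is a parameter so the same check can be run against the other profile the reply mentions. The function names, the EXPECTED_* tables (values copied from the mail) and the sample profile text are all constructed for this example.

```python
# Added example (not Dogtag/pki project code): a small linter for a TPS
# profile fragment in CS.cfg key=value form, checking the settings the
# mail above identifies as required for recovered private keys to be
# usable on the token.

# Expected keyCapabilities for the recovered encryption private key, as
# listed in the mail above.
EXPECTED_KEY_CAPABILITIES = {
    "decrypt": "true",
    "derive": "false",
    "encrypt": "false",
    "private": "true",
    "sensitive": "true",
    "sign": "false",
    "signRecover": "false",
    "token": "true",
    "unwrap": "true",
    "verify": "false",
    "verifyRecover": "false",
    "wrap": "false",
}

# Token label source named in the mail ("cn" from the LDAP auth entry).
EXPECTED_TOKEN_NAME = "$auth.cn$"


def parse_cs_cfg(text):
    """Parse CS.cfg-style lines into a dict. Blank lines and lines starting
    with '#' are skipped; the first '=' separates key from value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_profile(settings, profile):
    """Return findings (strings) for op.enroll.<profile>; empty means OK."""
    findings = []
    prefix = f"op.enroll.{profile}.keyGen.encryption.private.keyCapabilities."
    for cap, expected in EXPECTED_KEY_CAPABILITIES.items():
        actual = settings.get(prefix + cap)
        if actual is None:
            findings.append(f"missing: {prefix}{cap} (expected {expected})")
        elif actual.lower() != expected:
            findings.append(f"unexpected: {prefix}{cap}={actual} (expected {expected})")
    name_key = f"op.enroll.{profile}.keyGen.tokenName"
    name = settings.get(name_key)
    if name is None:
        findings.append(f"missing: {name_key} (label falls back to the CUID; "
                        f"expected {EXPECTED_TOKEN_NAME})")
    elif name != EXPECTED_TOKEN_NAME:
        findings.append(f"unexpected: {name_key}={name} (expected {EXPECTED_TOKEN_NAME})")
    return findings


def render_missing_settings(profile):
    """Return the key=value lines (from the mail) to append to a profile."""
    prefix = f"op.enroll.{profile}.keyGen.encryption.private.keyCapabilities."
    lines = [f"{prefix}{cap}={val}" for cap, val in EXPECTED_KEY_CAPABILITIES.items()]
    lines.append(f"op.enroll.{profile}.keyGen.tokenName={EXPECTED_TOKEN_NAME}")
    return "\n".join(lines) + "\n"


# Constructed sample: the profile as it looked before the fix (capability
# and tokenName lines absent), trimmed to a few representative lines.
BROKEN_PROFILE = """\
op.enroll.externalRegAddToToken._000=#########################################
op.enroll.externalRegAddToToken._001=# for externalReg recovering certs/keys only
op.enroll.externalRegAddToToken.auth.enable=true
op.enroll.externalRegAddToToken.auth.id=ldap1
op.enroll.externalRegAddToToken.pkcs11obj.enable=true
op.enroll.externalRegAddToToken.tks.conn=tks1
"""

# The same profile with the settings from the mail appended.
FIXED_PROFILE = BROKEN_PROFILE + render_missing_settings("externalRegAddToToken")


if __name__ == "__main__":
    for label, text in (("before", BROKEN_PROFILE), ("after", FIXED_PROFILE)):
        findings = check_profile(parse_cs_cfg(text), "externalRegAddToToken")
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  " + finding)
```

Run as a script it reports 13 findings for the "before" profile (12 capabilities plus the missing tokenName) and none for the "after" profile. The comparison is deliberately exact rather than "any capability line present": a key whose decrypt or unwrap capability is false is just as unusable for the recovered encryption cert as one with no capability lines at all.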