[Pki-users] Error 7 in SOkey enrollment

Christina Fu cfu at redhat.com
Thu Jul 16 04:01:37 UTC 2009


Adewumi, Julius-p99373 wrote:
>
> Has anyone familiarity with the following VFY_CreateContext() failure
> or the verifyProof failure who can shed some light on what is going on,
> config or software release version? Suspect is certEnroll().
>
The proof verification is for proving that the token does have the
private key that goes with the public key in the cert request. As you
have observed, the userKey profile's encryption cert by default has the
server generate the keys, and therefore does not need the proof
verification. The signing cert does generate its keys on the token itself,
which is what triggers the proof verification. A successful proof
verification looks like the following:

[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - verify proof begins
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - VFY_CreateContext() succeeded
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof -  VFY_End() returned 0

If you try changing the userKey profile's encryption cert to generate
the keys on the token instead, such as:

op.enroll.userKey.keyGen.encryption.serverKeygen.enable=false

you will notice that you now have both the signing and the encryption cert
requests going through verifyProof (two sets of the above messages in the
log).

It seems that in the security officer case the proof is somehow
incorrect, and thus fails the verifyProof check on the TPS.
Further investigation is needed.

Christina
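As an added illustration (not TPS/NSS code and not from this thread), the proof-of-possession exchange described above, simulated in Python: the TPS issues the 16-byte challenge seen in the log, the token signs it with the key generated on the card, and the TPS checks that signature against the public key from the request. It assumes textbook RSA over a SHA-256 digest and a constructed toy key pair; the real TPS/NSS path and the exact data it signs may differ.

```python
"""Simulated TPS proof-of-possession check. Added example; not TPS/NSS code.

Assumptions not taken from the thread: the token signs the TPS challenge with
the freshly generated private key as textbook RSA over a SHA-256 digest, and a
failed check is reported as status 7 (modelled on the log's 'Error 7'). The key
pair is built from Mersenne primes only so the example runs without a crypto
library; never build real keys this way.
"""
import hashlib

CHALLENGE_LEN = 16  # the TPS log shows "challenge size=16"

# Constructed toy key pair (demonstration only).
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
N = _P * _Q
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))


def proof_len(n: int) -> int:
    """Byte length of an RSA signature for modulus n."""
    return (n.bit_length() + 7) // 8


def token_generate_proof(challenge: bytes, d: int = _D, n: int = N) -> bytes:
    """Token side: sign the challenge with the private key held on the token."""
    digest = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
    return pow(digest, d, n).to_bytes(proof_len(n), "big")


def tps_verify_proof(challenge: bytes, proof: bytes, n: int, e: int = E) -> bool:
    """TPS side, the analogue of CertEnroll::verifyProof: does the public key
    from the request turn the proof back into the challenge digest?"""
    if len(challenge) != CHALLENGE_LEN or len(proof) != proof_len(n):
        return False  # malformed blob or proof: verification cannot be set up
    expected = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
    return pow(int.from_bytes(proof, "big"), e, n) == expected


def do_enrollment(server_keygen: bool, challenge: bytes, proof: bytes, n: int) -> int:
    """0 on success; 7 when the proof check fails (as in the posted log).
    With serverKeygen.enable=true the keys never come from the token, so
    there is no proof to verify, matching the explanation above."""
    if server_keygen:
        return 0
    return 0 if tps_verify_proof(challenge, proof, n) else 7
```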

> Here is a section of the log:
>
> -------------------------------------------
> [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - Successfully read public key buffer
> [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - public_key =  (length='271')
> [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - challenge size=16
> [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::process - challenge =  (length='16')
> [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::process - c9 1f 72 35 21 17 90 5a ed ce
> [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::process - dd a5 c6 9d ad 51
> [2009-07-01 16:35:52] b5b5710 AP_Session::WriteMsg - Sent 's=69&msg_type=14&current_state=73&next_task_name=PROGRESS_PARSE_PUBLIC_KEY'
>
> [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - About to Parse Public Key
> [2009-07-01 16:35:52] b5b5710 CertEnroll::verifyProof - VFY_CreateContext() failed
> [2009-07-01 16:35:52] b5b5710 CertEnroll::ParsePublicKeyBlob - verify proof failed
> [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - Failed to parse public key
> [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::GenerateCertificate - Got a status error from DoEnrollment:  7
> [2009-07-01 16:35:53] b5b5710 AP_Session::WriteMsg - Sent 's=42&msg_type=13&operation=1&result=1&message=7'
>
>
> ----------------------------------------
>
> The config seems to show that the Private Key is to be generated on the
> Token for SO mode (Security Officer Mode enrollment). It is during
> this Private Key generation that this failure occurs each time. Any
> input will help. The last line of the log is where Error 7 was spawned.
>
>
> From: Julius Adewumi
> @GDC4S.com
> Ph:480-441-6768
> Contract Corp:MTSI
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users