Error in pkcs11_generate:1355: PKCS #11 user error - pkcs#11

I'm trying to generate a public/private key pair in SoftHSM; for this I have installed a provider in OpenSSL.
Using these commands I end up with a "user error":
+ softhsm2-util --init-token --free --label token-label --so-pin mysopin1 --pin mysecret1
Slot 0 has a free/uninitialized token.
The token has been initialized and is reassigned to slot 251791662
++ p11tool --list-token-urls
++ grep token-label
+ export 'TOKEN=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=95c88c090f02092e;token=token-label'
+ TOKEN='pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=95c88c090f02092e;token=token-label'
+ p11tool --set-so-pin=mysopin1 --initialize 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=95c88c090f02092e;token=token-label' --label token-label
Initializing token... done
Token was successfully initialized; use --initialize-pin and --initialize-so-pin to set or reset PINs
+ p11tool --login --set-so-pin=mysopin1 --generate-privkey=Ed25519 --bits 1024 --set-pin=mysecret1 --outfile MyNewKey.pub 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=95c88c090f02092e;token=token-label' --label token-label
Generating an EdDSA (Ed25519) key...
Error in pkcs11_generate:1355: PKCS #11 user error
I have looked up a number of examples of using p11tool and they all say this is the way to run the commands, and "Generating an EdDSA (Ed25519) key..." indicates that something works.
This line also puzzles me, but adding --initialize-pin and --initialize-so-pin does not help:
Token was successfully initialized; use --initialize-pin and --initialize-so-pin to set or reset PINs
This is how I install the tools with a Dockerfile:
FROM ubuntu:22.04
USER root
RUN apt update
RUN apt install -y opensc git build-essential automake libtool libengine-pkcs11-openssl libp11-kit-dev libp11-dev gnutls-bin libcppunit-dev libssl-dev softhsm
COPY openssl.cnf /etc/ssl/openssl.cnf
RUN openssl engine pkcs11 -t
The full example with a Dockerfile can be seen here: https://gitlab.com/kjeld.flarup/softhsmdemo

The error goes away if I run this first:
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --login --login-type so --so-pin mysecret1 --init-pin --new-pin mysecret1

bootstrap fails due to a certificate mismatch

When running ./bootstrap in a freshly-cloned repository (https://github.com/coreutils/coreutils), it seems to either
not find some files it wants to or doesn't trust https://translationproject.org.
./bootstrap: Bootstrapping from checked-out coreutils sources...
./bootstrap: consider installing git-merge-changelog from gnulib
./bootstrap: getting gnulib files...
Submodule 'gnulib' (git://git.sv.gnu.org/gnulib.git) registered for path 'gnulib'
Cloning into '/home/vagrant/coreutils/gnulib'...
Submodule path 'gnulib': checked out '0ac98783691bbf8212537ebe18ddb68feb22a760'
./bootstrap: getting translations into po/.reference for coreutils...
ERROR: The certificate of 'translationproject.org' is not trusted.
ERROR: The certificate of 'translationproject.org' has expired.
So what should I do to make the certificate trusted by my system and make the compilation succeed?
First, to get the certificate:
wget --mirror --level=1 -nd -v -A.po -P 'po/.reference' https://translationproject.org/latest/coreutils/
and then make the certificate trusted:
a) ask openssl to trust:
openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts </dev/null 2>/dev/null
b) ask cert tool to trust
certtool --verbose --verify --infile=/tmp/translationproject.org.certs
Finally, you can use ./bootstrap successfully.

configure: error: Need pkg-config to enable libusb support

I'm new to Yocto. My goal is to add a printer driver to the Yocto image for the imx6 so that we can access the printer from the board. I was trying a build, following the instructions in IMXLXYOCTOUG.PDF.
$ DISTRO=fsl-imx-xwayland MACHINE=imx6qsabresd source fsl-setup-release.sh -b build_dir
$ source setup-environment build_dir
$ bitbake fsl-image-qt5-validation-imx
The basic build was successful; I brought up the board with the GUI and things were fine.
I wanted to add printer support to the image, so I've added the meta-printing (https://github.com/rossburton/meta-printing) layer. I've updated bblayer.conf:
BBFILES ?= ""
BBLAYERS = " \
${BSPDIR}/sources/poky/meta \
${BSPDIR}/sources/poky/meta-poky \
\
${BSPDIR}/sources/meta-openembedded/meta-oe \
${BSPDIR}/sources/meta-openembedded/meta-multimedia \
\
${BSPDIR}/sources/meta-freescale \
${BSPDIR}/sources/meta-freescale-3rdparty \
${BSPDIR}/sources/meta-freescale-distro \
${BSPDIR}/sources/meta-printing \
"
as per the instructions in the README on GitHub.
Later, after booting, I was not able to use the lp command to print a sample file with the printer, so I added
IMAGE_INSTALL_append = " cups"
in the local.conf file, which gives me the error below:
| checking for posix_spawn... yes
| checking for tm_gmtoff member in tm structure... yes
| checking for st_gen member in stat structure... no
| checking for removefile... no
| configure: error: Need pkg-config to enable libusb support.
| NOTE: The following config.log files may provide further information.
| NOTE: /home/jifri/on_board/yocto/imx-yocto-bsp/build_dir/tmp/work/cortexa9hf-neon-poky-linux-gnueabi/cups/2.1.4-r0/cups-2.1.4/config.log
| ERROR: configure failed
| WARNING: exit code 1 from a shell command.
| ERROR: Function failed: do_configure (log file is located at /home/jifri/on_board/yocto/imx-yocto-bsp/build_dir/tmp/work/cortexa9hf-neon-poky-linux-gnueabi/cups/2.1.4-r0/temp/log.do_configure.8342)
ERROR: Task (/home/jifri/on_board/yocto/imx-yocto-bsp/sources/meta-printing/recipes-printing/cups/cups_2.1.4.bb:do_configure) failed with exit code '1'
NOTE: Tasks Summary: Attempted 5414 tasks of which 5399 didn't need to be rerun and 2 failed.
Summary: 2 tasks failed:
/home/jifri/on_board/yocto/imx-yocto-bsp/sources/meta-epson/recipes-epson/bbepson/bbepson_0.1.bb:do_compile
/home/jifri/on_board/yocto/imx-yocto-bsp/sources/meta-printing/recipes-printing/cups/cups_2.1.4.bb:do_configure
Summary: There were 4 ERROR messages shown, returning a non-zero exit code.
I have pkg-config installed on my host PC:
$ pkg-config --version
0.29.1
$ sudo apt-get install libusb-0.1-4
Reading package lists... Done
Building dependency tree
Reading state information... Done
libusb-0.1-4 is already the newest version (2:0.1.12-28).
The following packages were automatically installed and are no longer required:
snap-confine snapd-login-service
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 45 not upgraded.
$ sudo apt-get install libusb-1.0-0-dev
[sudo] password for eldaas:
Reading package lists... Done
Building dependency tree
Reading state information... Done
libusb-1.0-0-dev is already the newest version (2:1.0.20-1).
The following packages were automatically installed and are no longer required:
snap-confine snapd-login-service
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 45 not upgraded.
Any idea why
configure: error: Need pkg-config to enable libusb support.
is happening?
Or
is this the right way / is there a better method to get the lp command running on the imx6 through Yocto, so that I can access the printer?
Any input is appreciated.
Thank you.
I've solved the same problem. I had actually added the meta-printing layer to get access to cups, but cups already exists in the poky meta layer (imx-yocto-bsp/sources/poky/meta/recipes-extended/cups). So I removed the meta-printing layer and then updated build/conf/local.conf with
IMAGE_INSTALL_append = " cups"
This worked for me, and after booting I was able to use the lp, lpadmin etc. commands on my imx6 board.

Exporting https certificate fails with 'dotnet dev-certs' tool

I am trying to use the 'dotnet dev-certs' tool to export an https certificate to include with a Docker image. Right now I am using:
dotnet dev-certs https -v -ep $(HOME)\.aspnet\https -p <password>
and I get the error:
Exporting the certificate including the private key.
Writing exported certificate to path 'xxx\.aspnet\https'.
Failed writing the certificate to the target path
Exception message: Access to the path 'xxx\.aspnet\https' is denied.
An error ocurred exporting the certificate.
Exception message: Access to the path 'xxx\.aspnet\https' is denied.
There was an error exporting HTTPS developer certificate to a file.
The problem I see is that no matter what path I supply to export the certificate to I get the same 'Access to the path is denied' error. What am I missing? I know this command has been suggested in numerous places. But I cannot seem to get it to work.
Thank you.
The export path should specify a file, not a directory. This fixed the issue for me on Mac:
dotnet dev-certs https -v -ep ${HOME}/.aspnet/https/aspnetapp.pfx -p <password>
For Ubuntu users:
install libnss3-tools:
sudo apt-get update -y
sudo apt-get install -y libnss3-tools
create or verify if the folder below exists on machine:
$HOME/.pki/nssdb
export the certificate:
dotnet dev-certs https -v -ep ${HOME}/.aspnet/https/aspnetapp.pfx
Run the following commands:
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n localhost -i /home/<REPLACE_WITH_YOUR_USER>/.aspnet/https/aspnetapp.pfx
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n localhost -i /home/<REPLACE_WITH_YOUR_USER>/.aspnet/https/aspnetapp.pfx
exit and restart the browser
Source: https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-5.0&tabs=visual-studio#ssl-linux
For me the problem was I was using .Net 5 under CentOS 7.8. Uninstalling .Net 5 and using .Net Core 3.1 SDK instead solved the problem.

Skip wget certificate checking in opam

I just updated to opam 2, on a very old MacBook which I cannot update (running OS X 10.6.8), and which is missing some important packages related to certificate validation (and due to missing tools, I cannot even update Homebrew, because it requires certification... kind of a circular problem).
I would like to update opam without checking certificates, since otherwise I get the following error:
<><> Updating package repositories ><><><><><><><><><><><><><><><><><><><><> 🐫
[ERROR] Could not update repository "default":
OpamDownload.Download_fail(_, "Download command failed:
\"/usr/local/bin/wget --content-disposition -t 3 -O
/private/tmp/opam-17621-5a61c5/index.tar.gz.part
https://opam.ocaml.org/1.2.2/index.tar.gz -U opam/2.0.0\"
exited with code 5
\"ERROR: cannot verify opam.ocaml.org's certificate, issued by
'CN=Let\\'s Encrypt Authority X3,O=Let\\'s Encrypt,C=US':\"")
I was just able to upgrade from 1.2.2 to opam 2.0.0, but now I cannot do opam update. And without it, there's not much I can do.
Is there a way to pass option --no-check-certificate to the wget command used by opam without having to recompile it myself?
Fix your wget instead. Looks like it's missing a recent CA bundle.
First, check where it looks for the bundle -
$ strace wget -O /dev/null https://github.com 2>&1 | grep cert
read(3, "eting an end user certificate as"..., 4096) = 2806
read(5, "eting an end user certificate as"..., 4096) = 2806
openat(AT_FDCWD, "/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
Then copy Mozilla's .pem bundle to match the expected .pem path.
If you're on a system that lacks strace or there's simply no mention of a CA bundle location in the output, then try creating a .wgetrc, and add
ca_certificate = /path/to/your/ca-bundle.pem
Save as $HOME/.wgetrc.
wget should then be able to validate the Let's Encrypt cert.
More on .wgetrc at http://gnu.org/software/wget/manual/html_node/Wgetrc-Commands.html

Github peer not authenticated when I issue g8 command

I am using red hat linux. I am trying to run this command:
g8 typesafehub/play-scala
And I am getting this response:
Exception fetching from github peer not authenticated
But when I check the connection using
openssl s_client -connect github.com:443
I get this:
Verify return code: 0 (ok)
Which means that I am able to connect with github. Why doesn't this command work?
g8 typesafehub/play-scala
I also ran into this issue on an RHEL 5 VM image where I am using OpenJDK 6. It was the other note about looking at the TrustManager that clued me in on a fix. I tweaked the invocation to add a trust setting for GitHub; in my situation it resolves the peer authentication issue.
First grab the github certificate using openssl and keytool to make it accessible to java.
echo "" | openssl s_client -connect www.github.com:443 \
-showcerts 2>/dev/null | openssl x509 -out github.cert
keytool -import -alias github \
-file github.cert -storepass g8g8g8 \
-keystore $HOME/g8.truststore
Now to rewrite the invocation with a script I call "G8":
#!/bin/sh
g8 \
    -Djavax.net.ssl.trustStore=$HOME/g8.truststore \
    -Djavax.net.ssl.trustStorePassword=g8g8g8 \
    "$@"
Now try executing G8 -v typesafehub/akka-scala-sbt and I see things are much happier now. I imagine setting a system-wide default truststore might be better, but I haven't figured that one out yet.
If it really is an authentication issue, check your ~/.g8/config file for authentication purpose, but you shouldn't need it for anonymous access.
Note that, according to issue 32 of giter8, it can also depend on the Java you are using.
For instance:
Sorry, that preview release of openjdk 7 is not fit for general use. (There's also giter8 issue #27 specific to openjdk on mac.) I have tested openjdk 7~b147-2.0-0ubuntu0.11.10.1 with giter8 and that worked fine, so when there is a final release available for mac you should be able to use it.
For now, please try with jdk 6 and reopen if you are still having trouble.
Another JDK (openjdk) might end up using the wrong TrustManager, as described in "Avoiding the "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" with HttpClient"
I had the same issue as B Evans (thanks for this!), but in Windows, so here is the equivalent code in case someone else has this issue and doesn't know how to do it from windows cmd. I also had to get openssl from http://www.openssl.org/related/binaries.html
openssl s_client -connect www.github.com:443 -showcerts > out.txt
openssl x509 -out github.cert < out.txt
keytool -import -alias github -file github.cert -storepass g8g8g8 -keystore C:\tmp\g8.truststore
Then add the same to JAVA_OPTS (I also had to deal with our corporate firewall and hence proxy as well...)
SET JAVA_OPTS=-Dhttp.proxyHost=our.proxy.com -Dhttp.proxyPort=8080 -Dhttps.proxyHost=our.proxy.com -Dhttps.proxyPort=8080 -Djavax.net.ssl.trustStore=C:\tmp\g8.truststore -Djavax.net.ssl.trustStorePassword=g8g8g8
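The certificate-trust failures in the threads above (the bootstrap script rejecting translationproject.org's certificate as "not trusted" and "expired", wget lacking a CA bundle for opam, and the g8 answers that import GitHub's certificate into a Java truststore) all reduce to the same check a client performs: does a chain from the server's certificate reach something in the local trust store, and is every certificate in that chain inside its validity window? The following Go program is an added example written for this page; it is not code from any of the posts, from wget, certtool or giter8. It uses only the standard library, generates throw-away certificates in memory (the CA names, the dates and the chosen "now" are constructed; only the host name comes from the bootstrap thread) and runs each situation through crypto/x509 verification: issuer present in the bundle, issuer absent, an expired leaf, and the leaf certificate itself pinned into the trust store as keytool -import does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn valid in [notBefore, notAfter). With parent == nil it is
// self-signed (a root CA); otherwise parentKey signs it. CAs get the CertSign key usage that
// verifiers demand before accepting them as issuers; leaves get a DNS SAN and the serverAuth EKU.
// Key-generation failures abort the demo rather than being propagated.
func newCert(cn string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; uniqueness not needed here
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verdict does what wget, certtool or a Java TrustManager do: build a chain from leaf to a
// certificate in bundle, check the host name, check validity as of `at`, and reduce the
// x509 error types to the wording the tools on the page print.
func verdict(leaf *x509.Certificate, bundle *x509.CertPool, host string, at time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, DNSName: host, CurrentTime: at})
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "not trusted"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	default:
		return err.Error()
	}
}

// Scenarios reproduces the situations from the threads and returns a verdict for each.
func Scenarios() map[string]string {
	const host = "translationproject.org" // host name taken from the bootstrap thread
	jan := func(year int) time.Time { return time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC) }
	at := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // constructed "now" for the checks
	root, rootKey := newCert("Demo Root CA", jan(2020), jan(2030), true, nil, nil)
	good, _ := newCert(host, jan(2024), jan(2025), false, root, rootKey)
	expired, _ := newCert(host, jan(2023), jan(2024), false, root, rootKey)
	withIssuer, empty, pinned := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	withIssuer.AddCert(root) // a CA bundle that contains the issuing CA
	pinned.AddCert(good)     // the server certificate itself, as keytool -import does
	return map[string]string{
		"issuer in bundle":     verdict(good, withIssuer, host, at),
		"issuer not in bundle": verdict(good, empty, host, at), // wget's "cannot verify" case
		"expired certificate":  verdict(expired, withIssuer, host, at),
		"leaf pinned in store": verdict(good, pinned, host, at),
	}
}

func main() {
	for name, v := range Scenarios() {
		fmt.Printf("%-22s -> %s\n", name, v)
	}
}
```

Run it with go run. The "issuer not in bundle" case is the wget/opam failure: the certificate is fine, the client simply has no CA bundle to chain it to, which is why the answer's fix is to point wget at one rather than to disable checking. The "leaf pinned in store" case passes, which is why the keytool -import workaround in the g8 thread works, but it trusts exactly one certificate: the next time the server's certificate is renewed the original "peer not authenticated" failure returns, whereas a store that holds the issuing CA keeps validating across renewals. The expired case shows the other half of the bootstrap error, which no amount of trust-store editing can fix on the client side.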