KeyMaster messages in Liberator’s event log

The following messages relating to KeyMaster authentication can appear in the Liberator event log file (var/event-rttpd.log):

INFO: Token <[token]> is validated for <[key_id]> testkey

The specified user credentials token called [token] has been successfully validated.

NOTIFY: Signature expired for key_id [key id] - [timestamp] denying login

The timestamp in the KeyMaster token is older than the number of seconds allowed by the signature-validtime configuration item, or by the timeout option of the relevant add-sigkey configuration item, in rttpd.conf, so the login is denied.

Make sure that the clock on the server running the Liberator is synchronised (for example with NTP) with the clock on the server where the KeyMaster Signature Generator is running. If the two clocks differ by more than the validity time, the Liberator will falsely decide that user credentials tokens have expired, and it is likely to reject every token for this reason. Correct the clocks rather than lengthening the validity time: that window is what limits how long a captured token remains usable.

ERROR: Cannot load keyfile <[filename]>

The DER format public key file called [filename], specified in rttpd.conf, is missing, corrupt or in the wrong format (for example a PEM encoded file where DER is expected).

Check that the key file configuration is specified correctly in rttpd.conf. Look at the keyfile configuration item in the add-sigkey item group and confirm that the file it names exists and is readable by the Liberator.

ERROR: Could not find key_id [key id]

When the Auth Module asked the Liberator to check a user credentials token, the key-id it supplied did not match any add-sigkey group in rttpd.conf.

Check that the key-id options match between rttpd.conf and the Auth Module configuration file (for example the users.xml file). Look in rttpd.conf at the key-id configuration item in the add-sigkey item group; in users.xml look at the sigkey-id attribute for each <USER> tag.

ERROR: Malformed token <[KeyMaster token]> for key_id [key id]

The user credentials token provided to the Liberator is in the wrong format. In Standard KeyMaster it has the following format: <base64 encoded signature><timestamp><sequence number>

ERROR: Token verification failed for key_id [key id] <[token]>

The signature in the user credentials token could not be verified with the configured public key. Either the public key the Liberator loaded for this key-id is not the partner of the private key that KeyMaster used to sign the token, or the token has been tampered with or corrupted in transit.

ERROR: Malformed timestamp for key_id [key id] <[token]>

The timestamp in the user credentials token is badly formed. It should have the format YYYYMMDDHHMMSS (for example, 20050126122011).

ERROR: Token [token] has already logged in for key_id [key id]

The user credentials token has already been used to log in; each token can be used only once, which stops a captured token from being replayed.

CRITICAL: Could not locate key file <etc/publickey1.der> for add-sigkey/key-id < testkey >

The entry in the rttpd.conf file for the public key could not be mapped to a DER public key file in the specified (or default) directory. Either the rttpd.conf entry is invalid, or the key file is missing.

Look in rttpd.conf at the keyfile configuration item in the add-sigkey item group. Check that the specified name and directory of the DER public key file match the name and location of the actual file.

Check that the key file is actually present in the specified location.

The Liberator will fail to start if this error occurs (the Liberator displays the error message on the screen as well as logging it).

CRITICAL: No keyfile defined for add-sigkey/key-id < testkey >

The entry in the rttpd.conf file for the public key does not specify a key file.

Look in rttpd.conf at the add-sigkey configuration item group; make sure that there is a keyfile configuration item in this group (see Modifying the Liberator configuration file ).

The Liberator will fail to start if this error occurs (the Liberator displays the error message on the screen as well as logging it).

CRITICAL: No key-id for an add-sigkey configuration group

The entry in the rttpd.conf file for the public key does not specify a key id.

Look in rttpd.conf at the add-sigkey configuration item group; make sure that there is a key-id configuration item in this group (see Modifying the Liberator configuration file ).

The Liberator will fail to start if this error occurs (the Liberator displays the error message on the screen as well as logging it).

ERROR: 4012903328:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100
ERROR: 4012903328:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:699
ERROR: Token verification failed for key_id <testkey>

The RSA signature in the token failed PKCS#1 verification. The OpenSSL errors that precede the Liberator message ("block type is not 01", "padding check failed") mean that applying the configured public key to the signature did not produce a correctly padded block. That is what happens when the public key is not the partner of the private key KeyMaster signed with, or when the key file or the token itself is corrupt.

Verify that the private key used by KeyMaster and the public key named in the Liberator's add-sigkey configuration item group are a matching pair.

Check that the publickey.der file referenced in the rttpd.conf add-sigkey configuration item group is not corrupt. This is a binary file which can be corrupted if it is transferred via ftp in ASCII mode; use the openssl command line tool to confirm that the DER file still parses as an RSA public key and that its modulus matches the private key's.
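The following is an added example, not Caplin's code and not taken from this page: a small Python re-implementation of the Liberator-side checks behind the messages documented above, from Signature expired, Malformed token, Malformed timestamp and Token has already logged in through to the PKCS#1 padding errors in the last entry. It makes several assumptions that the page does not state: a toy RSA key pair is generated in-process (512 bits, for speed) instead of being loaded from a DER file; the three token fields are joined with "_" in the order the page gives (the page does not say how they are delimited); the signature covers the timestamp followed by the sequence number, hashed with SHA-256; the validity time defaults to 60 seconds; and the clock is passed in explicitly so the clock-skew expiry can be reproduced. The padding checks follow the order of OpenSSL's RSA_padding_check_PKCS1_type_1 so that a mismatched key fails with the same wording as the log excerpt. All keys and tokens are constructed inside demo().

```python
# Added example, not Caplin's code: the Liberator-side checks behind the
# messages above, with a toy RSA so the PKCS#1 errors can be reproduced.
# Token layout, signed data, hash and key size are assumptions (see lead-in).
import base64, hashlib, secrets
from datetime import datetime

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo

def _is_prime(n, rounds=20):                       # Miller-Rabin; n is odd and large here
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=512):
    """Toy RSA pair ((n, e), (n, d)); 512-bit for speed, far too small for real use."""
    e, half = 65537, bits // 2
    while True:
        p = secrets.randbits(half) | (1 << (half - 1)) | 1
        q = secrets.randbits(half) | (1 << (half - 1)) | 1
        if p != q and _is_prime(p) and _is_prime(q) and (p - 1) * (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def rsa_sign(priv, message):
    """EMSA-PKCS1-v1_5 block (00 01 FF..FF 00 DigestInfo||hash) raised to d."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, message, signature):
    """Padding checks in OpenSSL's RSA_padding_check_PKCS1_type_1 order."""
    n, e = pub
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    if em[:2] != b"\x00\x01":
        return "block type is not 01"
    sep = em.find(b"\x00", 2)                          # end of the FF padding
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):  # at least 8 bytes of FF
        return "padding check failed"
    if em[sep + 1:] != SHA256_PREFIX + hashlib.sha256(message).digest():
        return "digest mismatch"
    return "ok"

def make_token(priv, timestamp, seq):
    """ASSUMED: fields joined by '_' in the page's order; signature covers timestamp+seq."""
    sig = base64.b64encode(rsa_sign(priv, f"{timestamp}{seq}".encode())).decode()
    return f"{sig}_{timestamp}_{seq}"

def check_token(keys, used, key_id, token, now, validtime=60):
    """keys: key_id -> public key (what add-sigkey loads); used: replay set."""
    if key_id not in keys:
        return "Could not find key_id"
    parts = token.rsplit("_", 2)
    if len(parts) != 3:
        return "Malformed token"
    sig_b64, ts, seq = parts
    try:
        sig = base64.b64decode(sig_b64, validate=True)
    except ValueError:
        return "Malformed token"
    if len(ts) != 14 or not ts.isdigit():               # YYYYMMDDHHMMSS only
        return "Malformed timestamp"
    try:
        stamped = datetime.strptime(ts, "%Y%m%d%H%M%S")
    except ValueError:
        return "Malformed timestamp"
    # A Liberator clock ahead of KeyMaster's by more than validtime fails every token here.
    if (now - stamped).total_seconds() > validtime:
        return "Signature expired"
    if rsa_verify(keys[key_id], f"{ts}{seq}".encode(), sig) != "ok":
        return "Token verification failed"
    if (key_id, token) in used:                         # single use defeats replay
        return "Token has already logged in"
    used.add((key_id, token))
    return "validated"

def demo():
    pub, priv = generate_keypair()
    other_pub, _ = generate_keypair()                  # a key KeyMaster never used
    keys, used = {"testkey": pub, "otherkey": other_pub}, set()
    now = datetime(2005, 1, 26, 12, 20, 11)            # the page's sample timestamp
    fresh = make_token(priv, "20050126122011", 1)
    cases = {"fresh": ("testkey", fresh), "replay": ("testkey", fresh),
             "stale": ("testkey", make_token(priv, "20050126121000", 2)),  # 10 min old
             "wrong_key": ("otherkey", fresh), "tampered": ("testkey", fresh[:-1] + "9"),
             "bad_stamp": ("testkey", make_token(priv, "2005012612201", 3)),
             "garbage": ("testkey", "not-a-token"), "unknown": ("nokey", fresh)}
    return {name: check_token(keys, used, k, t, now) for name, (k, t) in cases.items()}
```

Calling demo() returns one outcome per constructed case: the fresh token validates, its second use is refused as already logged in, the ten-minute-old token is expired, and both the token checked against the wrong public key and the token whose sequence number was altered fail verification. The wrong-key case is the one that corresponds to the OpenSSL "block type is not 01" and "padding check failed" lines: rsa_verify reports those reasons because the decrypted block is effectively random when the public key does not match the signing key.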