Report information

The Basics
Id: 35465
Status: resolved
Priority: Medium/Medium
Queue:

People
Owner: Nobody in particular
Requestors:
Cc:
AdminCc:

BugTracker
Version Fixed, Version Found, Versions Affected, Versions Planned, Priority, Severity, CVSS Score, CVE ID, Component, Area: (no value)

Dates
Created: Wed, 26 Feb 2014 10:11:58 -0500
Updated: Fri, 07 Jul 2017 20:52:28 -0400
Closed: Fri, 28 Feb 2014 11:07:51 -0500




Subject: --enable-native-pkcs11 doesn't work with SoftHSM
Date: Wed, 26 Feb 2014 16:11:32 +0100
To: bind9-bugs@isc.org
From: Petr Spacek <pspacek@redhat.com>
Hello,

I'm trying to test BIND 9.10.0b1 with SoftHSM 1.3.3-4.fc20.x86_64 and it doesn't work. I'm trying to make it work for some time now but it seems like a regression introduced some time after BIND 9.9.4-P2 to me.

SoftHSM seems initialized:

$ softhsm --show-slots
Available slots:
Slot 0
Token present: yes
Token initialized: yes
User PIN initialized: yes
Token label: OpenDNSSEC

But pkcs11-list fails:

$ pkcs11-list
Enter Pin:
pk11.c:315: fatal error: Can't find digest service
Aborted

$ ltrace pkcs11-list
__libc_start_main(0x400ca0, 1, 0x7fffef224088, 0x4013e0 <unfinished ...>
isc_commandline_parse(1, 0x7fffef224088, 0x4015ea, 0x4013e0) = 0xffffffff
getpass("Enter Pin: "Enter Pin: ) = "1234"
pk11_get_session(0x7fffef223cd0, 0, 0, 1pk11.c:315: fatal error: Can't find digest service
 <no return ...>
--- SIGABRT (Aborted) ---

The same version of SoftHSM works with pkcs11-list from BIND 9.9.4-P2:

$ pkcs11-list
Enter Pin:
object[0]: handle 6 class 2 label[10] 'sample-zsk' id[0]
object[1]: handle 5 class 3 label[10] 'sample-zsk' id[0]
object[2]: handle 4 class 2 label[10] 'sample-ksk' id[0]
object[3]: handle 3 class 3 label[10] 'sample-ksk' id[0]
object[4]: handle 2 class 2 label[10] 'OpenDNSSEC' id[0]
object[5]: handle 1 class 3 label[10] 'OpenDNSSEC' id[0]

$ ltrace -a0 pkcs11-list
__libc_start_main(0x400950, 1, 0x7fffc8a02bf8, 0x401680 <unfinished ...>
getenv("PKCS11_PROVIDER") = "/usr/lib64/softhsm/libsofthsm.so"...
getopt(1, 0x7fffc8a02bf8, ":m:s:i:l:p:P") = -1
dlopen("/usr/lib64/softhsm/libsofthsm.so"..., 2) = 0x1894040
dlsym(0x1894040, "C_Initialize") = 0x7f6c0bd57ac0
dlsym(0x1894040, "C_OpenSession") = 0x7f6c0bd56a30
getpass("Enter Pin: "Enter Pin: ) = "1234"
dlsym(0x1894040, "C_Login") = 0x7f6c0bd56b00
memset(0x18e4330, '\0', 4) = 0x18e4330
dlsym(0x1894040, "C_FindObjectsInit") = 0x7f6c0bd56c20
dlsym(0x1894040, "C_FindObjects") = 0x7f6c0bd56c50
dlsym(0x1894040, "C_GetAttributeValue") = 0x7f6c0bd56bc0
__printf_chk(1, 0x4019c0, 0, 6) = 57
putchar(10, 0x372bdbaa10, 57, 0x7fffffc8object[0]: handle 6 class 2 label[10] 'sample-zsk' id[0] ) = 10
dlsym(0x1894040, "C_GetAttributeValue") = 0x7f6c0bd56bc0
__printf_chk(1, 0x4019c0, 1, 5) = 57
putchar(10, 0x372bdbaa10, 57, 0x7fffffc8object[1]: handle 5 class 3 label[10] 'sample-zsk' id[0] ) = 10
dlsym(0x1894040, "C_GetAttributeValue") = 0x7f6c0bd56bc0
__printf_chk(1, 0x4019c0, 2, 4) = 57
putchar(10, 0x372bdbaa10, 57, 0x7fffffc8object[2]: handle 4 class 2 label[10] 'sample-ksk' id[0] ) = 10
dlsym(0x1894040, "C_GetAttributeValue") = 0x7f6c0bd56bc0
__printf_chk(1, 0x4019c0, 3, 3) = 57
putchar(10, 0x372bdbaa10, 57, 0x7fffffc8object[3]: handle 3 class 3 label[10] 'sample-ksk' id[0] ) = 10
dlsym(0x1894040, "C_GetAttributeValue") = 0x7f6c0bd56bc0
__printf_chk(1, 0x4019c0, 4, 2) = 57
putchar(10, 0x372bdbaa10, 57, 0x7fffffc8object[4]: handle 2 class 2 label[10] 'OpenDNSSEC' id[0] ) = 10
dlsym(0x1894040, "C_GetAttributeValue") = 0x7f6c0bd56bc0
__printf_chk(1, 0x4019c0, 5, 1) = 57
putchar(10, 0x372bdbaa10, 57, 0x7fffffc8object[5]: handle 1 class 3 label[10] 'OpenDNSSEC' id[0] ) = 10
dlsym(0x1894040, "C_FindObjects") = 0x7f6c0bd56c50
dlsym(0x1894040, "C_FindObjectsFinal") = 0x7f6c0bd56dd0
dlsym(0x1894040, "C_CloseSession") = 0x7f6c0bd56a70
dlsym(0x1894040, "C_Finalize") = 0x7f6c0bd57a50
exit(0 <no return ...>

Have a nice day!

--
Petr^2 Spacek
Subject: Re: [ISC-Bugs #35465] --enable-native-pkcs11 doesn't work with SoftHSM
Date: Wed, 26 Feb 2014 16:09:29 +0000
To: Petr Spacek via RT <bind9-bugs@isc.org>
From: Evan Hunt <each@isc.org>
Native PKCS#11 requires SoftHSM version 2, which you can clone from their git repository at https://github.com/opendnssec/SoftHSMv2.git. To use SoftHSM version 1, you need to use the old-style PKCS#11 code with the OpenSSL shim. If OpenSSL-based PKCS#11 isn't working with version 1 and/or native isn't working with version 2, then we do have a problem. Can you confirm whether those combinations are failing?
Subject: Re: [ISC-Bugs #35465] --enable-native-pkcs11 doesn't work with SoftHSM
Date: Wed, 26 Feb 2014 18:10:57 +0100
To: bind9-bugs@isc.org
From: Petr Spacek <pspacek@redhat.com>
On 26.2.2014 17:09, Evan Hunt via RT wrote:
> Native PKCS#11 requires SoftHSM version 2, which you can clone from
> their git repository at https://github.com/opendnssec/SoftHSMv2.git.
>
> To use SoftHSM version 1, you need to use the old-style PKCS#11
> code with the OpenSSL shim.
>
> If OpenSSL-based PKCS#11 isn't working with version 1 and/or native
> isn't working with version 2, then we do have a problem. Can you
> confirm whether those combinations are failing?

I tried BIND 9.10.0b1 with latest SoftHSM v2 and I have hit another problem:

$ /usr/local/bin/softhsm-util --show-slots
Available slots:
Slot 0
Slot info:
Description: SoftHSM slot 0
Manufacturer ID: SoftHSM project
Hardware version: 2.0
Firmware version: 2.0
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.0
Firmware version: 2.0
Serial number: 9b3699ce01c3512f
Initialized: yes
User PIN init.: yes
Label: OpenDNSSEC

$ pkcs11-list
Enter Pin:
object[0]: handle 2 class 2 label[8] 'test-ksk' id[0]
object[1]: handle 3 class 3 label[8] 'test-zsk' id[0]
object[2]: handle 4 class 2 label[8] 'test-zsk' id[0]
object[3]: handle 5 class 3 label[8] 'test-ksk' id[0]

(Keys were generated via pkcs11-keygen as described in Bv9ARM.ch04.html.)

$ dnssec-keyfromlabel -l test-ksk -f KSK -v 10 -a NSEC3RSASHA1 test.
pk11.c:601: fatal error: pkcs_C_Login: Error = 0x000000A0

$ ltrace -a0 dnssec-keyfromlabel -E "$PKCS11_PROVIDER" -l test-ksk -f KSK -v 10 -a NSEC3RSASHA1 test.
__libc_start_main(0x4032e0, 12, 0x7fff95f189a8, 0x4091f0 <unfinished ...>
isc_mem_create(0, 0, 0x7fff95f180d8, 0x4091f0) = 0
dns_result_register(0x7fe84b486f00, 0, 0x7fe84b486f00, 0x1593d80) = 0
isc_stdtime_get(0x7fff95f180b0, 129, 0x7fffffff, -1) = 0x530e1fdd
isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, -1) = 69
isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0x7fe84b4860ec) = 108
isc__mem_strdup(0x1589030, 0x7fff95f1a858, 0x409394, 219) = 0x7fe84ba47018
isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0x6b736b2d74736574) = 102
__ctype_toupper_loc() = 0x7fe84ba88790
isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0x7fe84b4860ec) = 118
strtol(0x7fff95f1a86b, 0x7fff95f180c8, 0, 0x7fe84b4860ec) = 10
isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0) = 97
isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0x7fe84b4860ec) = 0xffffffff
isc_entropy_create(0x1589030, 0x7fff95f180e8, 0x7fff95f180e8, 0x7fe84b4860ec) = 0
isc_entropy_usebestsource(0x7fe84ba48010, 0x7fff95f17fb8, 0, 3) = 0
dst_lib_init2(0x1589030, 0x7fe84ba48010, 0x7fff95f1a830, 5) = 0
isc_log_create(0x1589030, 0x7fff95f17f88, 0x7fff95f17f80, 0xdededededededede) = 0
isc_log_setcontext(0x15a7c40, 0, 0x7fe84ba4b010, 32) = 0x7fe84b486e60
dns_log_init(0x15a7c40, 0, 0x7fe84ba4b010, 32) = 35
dns_log_setcontext(0x15a7c40, 0x7fe84b86ea40, 36, 0x7fe84b4861a0) = 0x7fe84b872748
isc_log_settag(0x7fe84ba4b010, 0x409638, 36, 0x7fe84b4861a0) = 0
isc_log_createchannel(0x7fe84ba4b010, 0x40a1ac, 4, 9) = 0
isc_log_usechannel(0x7fe84ba4b010, 0x40a1ac, 0, 0) = 0
strchr("test-ksk", ':') = nil
isc__mem_allocate(0x1589030, 16, 0x409394, 324) = 0x7fe84ba47078
snprintf("pkcs11:test-ksk", 16, "pkcs11:%s", "test-ksk") = 15
isc__mem_free(0x1589030, 0x7fe84ba47018, 0x409394, 328) = 0
strcasecmp("NSEC3RSASHA1", "RSA") = -4
dns_secalg_fromtext(0x7fff95f180af, 0x7fff95f180f0, 0x7fe8499b3b80, 12) = 0
dns_name_init(0x7fff95f18260, 0x7fff95f182b0, 7, 16) = -1
isc__buffer_init(0x7fff95f18330, 0x7fff95f18368, 255, 16) = -1
dns_name_setbuffer(0x7fff95f18260, 0x7fff95f18330, 255, 16) = -1
isc__buffer_init(0x7fff95f18120, 0x7fff95f1a87e, 5, 6) = 0
isc__buffer_add(0x7fff95f18120, 5, 11, 6) = 0
dns_name_fromtext(0x7fff95f18260, 0x7fff95f18120, 0x7fe84b86ec20, 0) = 0
isc__buffer_init(0x7fff95f18120, 0x7fff95f18160, 254, 0x7fff95f1a87e) = 0
dst_key_fromlabel(0x7fff95f18260, 7, 257, 3pk11.c:601: fatal error: pkcs_C_Login: Error = 0x000000A0

It is interesting that I don't see any pkcs_C call in the output from ltrace. Did it give up even before calling the PKCS#11 interface? I don't know.

--
Petr^2 Spacek
Subject: Re: [ISC-Bugs #35465] --enable-native-pkcs11 doesn't work with SoftHSM
Date: Wed, 26 Feb 2014 18:31:03 +0000
To: Petr Spacek via RT <bind9-bugs@isc.org>
From: Evan Hunt <each@isc.org>
> I tried BIND 9.10.0b1 with latest SoftHSM v2 and I have hit another problem:
[...]
> $ dnssec-keyfromlabel -l test-ksk -f KSK -v 10 -a NSEC3RSASHA1 test.

Take note of section 4.11.7 of the ARM: the format for labels changes when you're using native PKCS#11 mode. They're now pkcs11: URIs. It'll be something like "pkcs11:object=test-ksk;pin-source=<filename>".

The pin-source is optional. If you specify it, it's a file that contains the PIN, with no newline at the end, so:

$ echo -n "1234" > pinfile

...will work. Assuming your PIN is 1234, that is. Which, let's admit it, it probably is. ;)

After building BIND, try this:

$ cd bin/tests/system
$ sudo sh ifconfig.sh up
$ sh run.sh pkcs11

...if the test passes, then SoftHSM is working, and you can use the pkcs11 system test for guidance on how to get it working.

We clearly need to work on better error messages.
Subject: Re: [ISC-Bugs #35465] --enable-native-pkcs11 doesn't work with SoftHSM
Date: Thu, 27 Feb 2014 15:13:57 +0100
To: bind9-bugs@isc.org
From: Petr Spacek <pspacek@redhat.com>
On 26.2.2014 19:31, Evan Hunt via RT wrote:
>> I tried BIND 9.10.0b1 with latest SoftHSM v2 and I have hit another problem:
> [...]
>> $ dnssec-keyfromlabel -l test-ksk -f KSK -v 10 -a NSEC3RSASHA1 test.
>
> Take note of section 4.11.7 of the ARM: the format for labels changes
> when you're using native PKCS#11 mode. They're now pkcs11: URIs.
> It'll be something like "pkcs11:object=test-ksk;pin-source=<filename>".
>
> The pin-source is optional. If you specify it, it's a file that contains
> the PIN, with no newline at the end, so:
>
> $ echo -n "1234" > pinfile
>
> ...will work. Assuming your PIN is 1234, that is. Which, let's admit
> it, it probably is. ;)
>
> After building BIND, try this:
>
> $ cd bin/tests/system
> $ sudo sh ifconfig.sh up
> $ sh run.sh pkcs11
>
> ...if the test passes, then SoftHSM is working, and you can use
> the pkcs11 system test for guidance on how to get it working.
>
> We clearly need to work on better error messages.

The test passed so I can play with it a bit more. Thank you very much for your time!

--
Petr^2 Spacek
On Wed Feb 26 15:11:58 2014, pspacek@redhat.com wrote:
> I'm trying to test BIND 9.10.0b1 with SoftHSM 1.3.3-4.fc20.x86_64
> and it doesn't work.

=> it can't work: SoftHSM v1 (vs v2) doesn't implement some required PKCS#11 mechanisms. BTW the pkcs11-tokens application was created to check this point.

> I'm trying to make it work for some time now but it seems like
> regression introduced some time after BIND 9.9.4-P2 to me.

=> native PKCS#11 support was introduced only in 9.10 so there is no regression. BTW the OpenSSL PKCS#11 engine (in the sign-only mode) should still work with SoftHSMv1.

> $ ltrace pkcs11-list

=> the PKCS#11 support is now included in the ISC library when --with-pkcs11 is configured so the initialisation failure is common.

> The same version of SoftHSM works with pkcs11-list from BIND 9.9.4-P2:

=> BIND 9.9.4 has no native PKCS#11 support so can't be wrongly configured with a too incomplete PKCS#11 provider...

A question: do you believe we should convert the failure into a warning for PKCS#11 tools? It could be more user friendly but on the other hand if someone ignores the warning it won't change the fact that *all* other tools will fail...
On Wed Feb 26 17:11:14 2014, pspacek@redhat.com wrote:
> $ dnssec-keyfromlabel -l test-ksk -f KSK -v 10 -a NSEC3RSASHA1 test.
> pk11.c:601: fatal error: pkcs_C_Login: Error = 0x000000A0

=> CKR_PIN_INCORRECT (perhaps a side-effect of the new URI stuff, BTW I guess you don't set an empty password so "test-ksk" is not enough).
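Two points in this thread are worth seeing in code: Evan's note that native-mode labels are pkcs11: URIs with an optional pin-source file holding the PIN and no trailing newline, and Francis's decode of the C_Login value 0x000000A0 as CKR_PIN_INCORRECT. The following is an added example, not BIND's pk11.c and not part of the ticket. It parses the pkcs11: label form, reads the pin-source file the way BIND expects it (flagging a trailing newline from a plain `echo`), and maps the numeric CKR_* code to its name. Assumptions: the parser accepts pin-source/pin-value both as ';'-separated path attributes (the form Evan gives) and as '&'-separated query attributes after '?' (the RFC 7512 placement); the CKR_* table is a subset of the PKCS#11 v2.x return values; the PIN file contents are constructed here for the walk-through. Note that the ltrace in Petr's second mail shows dnssec-keyfromlabel building "pkcs11:test-ksk" from the bare label, which this parser rejects as a malformed attribute rather than letting it reach C_Login.

```python
"""Added example: pkcs11: URI labels, pin-source files and CKR_* decoding.

Hypothetical helper code, not BIND's pk11.c.
"""
import os
import tempfile
from urllib.parse import unquote

# Subset of PKCS#11 return values (PKCS#11 v2.x specification); anything
# else is printed as a raw hex code.
CKR_NAMES = {
    0x00: "CKR_OK",
    0x70: "CKR_MECHANISM_INVALID",
    0xA0: "CKR_PIN_INCORRECT",
    0xA1: "CKR_PIN_INVALID",
    0xA2: "CKR_PIN_LEN_RANGE",
    0xA3: "CKR_PIN_EXPIRED",
    0xA4: "CKR_PIN_LOCKED",
    0x100: "CKR_USER_ALREADY_LOGGED_IN",
    0x101: "CKR_USER_NOT_LOGGED_IN",
}


def ckr_name(code):
    """Map a PKCS#11 return value (e.g. 0xA0 from pk11.c) to its name."""
    return CKR_NAMES.get(code, "CKR_0x%08X" % code)


def parse_pkcs11_uri(label):
    """Split a pkcs11: URI into percent-decoded attributes.

    Path attributes are ';'-separated (pkcs11:object=x;pin-source=f, the
    form used in this thread); query attributes after '?' are
    '&'-separated (where RFC 7512 puts pin-source/pin-value).  A bare
    label such as "test-ksk", or "pkcs11:test-ksk" with no key=value,
    raises ValueError instead of reaching C_Login.
    """
    if not label.startswith("pkcs11:"):
        raise ValueError("native PKCS#11 labels must be pkcs11: URIs, got %r" % label)
    attrs = {}
    path, _, query = label[len("pkcs11:"):].partition("?")
    for part in path.split(";") + (query.split("&") if query else []):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed attribute %r in %r" % (part, label))
        attrs[key] = unquote(value)
    return attrs


def read_pin_source(path):
    """Return (pin, warning) for a pin-source file.

    The PIN is returned exactly as stored, since that is what would be
    handed to C_Login; the warning flags a trailing newline, i.e. a file
    written with plain echo instead of `echo -n`.
    """
    with open(path, "rb") as f:
        raw = f.read()
    warning = None
    if raw.endswith(b"\n"):
        warning = "%s ends with a newline; it would be sent to C_Login as part of the PIN" % path
    return raw.decode("ascii"), warning


def resolve_label(label):
    """Return (object label, PIN or None, warning or None) for a pkcs11: URI."""
    attrs = parse_pkcs11_uri(label)
    if "object" not in attrs:
        raise ValueError("label %r has no object= attribute" % label)
    pin, warning = None, None
    if "pin-value" in attrs:
        pin = attrs["pin-value"]
    elif "pin-source" in attrs:
        pin, warning = read_pin_source(attrs["pin-source"])
    return attrs["object"], pin, warning


def demo():
    """Constructed walk-through: one pin file written with echo -n, one without."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "pinfile")
    bad = os.path.join(workdir, "pinfile-newline")
    with open(good, "wb") as f:
        f.write(b"1234")        # echo -n "1234" > pinfile
    with open(bad, "wb") as f:
        f.write(b"1234\n")      # echo "1234" > pinfile (the mistake)
    results = {}
    for name, path in (("good", good), ("bad", bad)):
        results[name] = resolve_label("pkcs11:object=test-ksk;pin-source=%s" % path)
    return results


if __name__ == "__main__":
    for name, (obj, pin, warning) in demo().items():
        print(name, obj, repr(pin), warning or "ok")
    print("C_Login error 0x000000A0 ->", ckr_name(0xA0))
```

The checks run before any PKCS#11 call is made, which is the opposite order from what the thread shows: there the bare label was accepted, rewritten to "pkcs11:test-ksk", and only failed inside C_Login with a bare hex code.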
Subject: Re: [ISC-Bugs #35465] --enable-native-pkcs11 doesn't work with SoftHSM
Date: Fri, 28 Feb 2014 13:24:19 +0100
To: bind9-bugs@isc.org
From: Petr Spacek <pspacek@redhat.com>
On 27.2.2014 21:35, Francis Dupont via RT wrote:
> On Wed Feb 26 15:11:58 2014, pspacek@redhat.com wrote:
>> I'm trying to test BIND 9.10.0b1 with SoftHSM 1.3.3-4.fc20.x86_64
>> and it doesn't work.
>
> => it can't work: SoftHSM v1 (vs v2) doesn't implement
> some required PKCS#11 mechanisms.
> BTW the pkcs11-tokens application was created to check
> this point.

Great! I think this deserves a *big fat* note in the release notes.

>> The same version of SoftHSM works with pkcs11-list from BIND 9.9.4-P2:
>
> => BIND 9.9.4 has no native PKCS#11 support so
> can't be wrongly configured with a too incomplete
> PKCS#11 provider...

This could also be mentioned in the release notes...

> A question: do you believe we should convert
> the failure into a warning for PKCS#11 tools?
> It could be more user friendly but on the other hand
> if someone ignores the warning it won't change the
> fact that *all* other tools will fail...

Personally, I like verbose error messages. I think that it is not necessary to hide the underlying error code etc. Simply some additional text would help.

Thank you for your time!

--
Petr^2 Spacek