On 26.2.2014 17:09, Evan Hunt via RT wrote: > > Native PKCS#11 requires SoftHSM version 2, which you can clone from > their git repository at https://github.com/opendnssec/SoftHSMv2.git. > > To use SoftHSM version 1, you need to use the old-style PKCS#11 > code with the OpenSSL shim. > > If OpenSSL-based PKCS#11 isn't working with version 1 and/or native > isn't working with version 2, then we do have a problem. Can you > confirm whether those combinations are failing? I tried BIND 9.10.0b1 with latest SoftHSM v2 and I have hit another problem: $ /usr/local/bin/softhsm-util --show-slots Available slots: Slot 0 Slot info: Description: SoftHSM slot 0 Manufacturer ID: SoftHSM project Hardware version: 2.0 Firmware version: 2.0 Token present: yes Token info: Manufacturer ID: SoftHSM project Model: SoftHSM v2 Hardware version: 2.0 Firmware version: 2.0 Serial number: 9b3699ce01c3512f Initialized: yes User PIN init.: yes Label: OpenDNSSEC $ pkcs11-list Enter Pin: object[0]: handle 2 class 2 label[8] 'test-ksk' id[0] object[1]: handle 3 class 3 label[8] 'test-zsk' id[0] object[2]: handle 4 class 2 label[8] 'test-zsk' id[0] object[3]: handle 5 class 3 label[8] 'test-ksk' id[0] (Keys were generated via pkcs11-keygen as described in Bv9ARM.ch04.html.) $ dnssec-keyfromlabel -l test-ksk -f KSK -v 10 -a NSEC3RSASHA1 test. pk11.c:601: fatal error: pkcs_C_Login: Error = 0x000000A0 $ ltrace -a0 dnssec-keyfromlabel -E "$PKCS11_PROVIDER" -l test-ksk -f KSK -v 10 -a NSEC3RSASHA1 test. 
__libc_start_main(0x4032e0, 12, 0x7fff95f189a8, 0x4091f0 isc_mem_create(0, 0, 0x7fff95f180d8, 0x4091f0) = 0 dns_result_register(0x7fe84b486f00, 0, 0x7fe84b486f00, 0x1593d80) = 0 isc_stdtime_get(0x7fff95f180b0, 129, 0x7fffffff, -1) = 0x530e1fdd isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, -1) = 69 isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0x7fe84b4860ec) = 108 isc__mem_strdup(0x1589030, 0x7fff95f1a858, 0x409394, 219) = 0x7fe84ba47018 isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0x6b736b2d74736574) = 102 __ctype_toupper_loc() = 0x7fe84ba88790 isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0x7fe84b4860ec) = 118 strtol(0x7fff95f1a86b, 0x7fff95f180c8, 0, 0x7fe84b4860ec) = 10 isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0) = 97 isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0x7fe84b4860ec) = 0xffffffff isc_entropy_create(0x1589030, 0x7fff95f180e8, 0x7fff95f180e8, 0x7fe84b4860ec) = 0 isc_entropy_usebestsource(0x7fe84ba48010, 0x7fff95f17fb8, 0, 3) = 0 dst_lib_init2(0x1589030, 0x7fe84ba48010, 0x7fff95f1a830, 5) = 0 isc_log_create(0x1589030, 0x7fff95f17f88, 0x7fff95f17f80, 0xdededededededede) = 0 isc_log_setcontext(0x15a7c40, 0, 0x7fe84ba4b010, 32) = 0x7fe84b486e60 dns_log_init(0x15a7c40, 0, 0x7fe84ba4b010, 32) = 35 dns_log_setcontext(0x15a7c40, 0x7fe84b86ea40, 36, 0x7fe84b4861a0) = 0x7fe84b872748 isc_log_settag(0x7fe84ba4b010, 0x409638, 36, 0x7fe84b4861a0) = 0 isc_log_createchannel(0x7fe84ba4b010, 0x40a1ac, 4, 9) = 0 isc_log_usechannel(0x7fe84ba4b010, 0x40a1ac, 0, 0) = 0 strchr("test-ksk", ':') = nil isc__mem_allocate(0x1589030, 16, 0x409394, 324) = 0x7fe84ba47078 snprintf("pkcs11:test-ksk", 16, "pkcs11:%s", "test-ksk") = 15 isc__mem_free(0x1589030, 0x7fe84ba47018, 0x409394, 328) = 0 strcasecmp("NSEC3RSASHA1", "RSA") = -4 dns_secalg_fromtext(0x7fff95f180af, 0x7fff95f180f0, 0x7fe8499b3b80, 12) = 0 dns_name_init(0x7fff95f18260, 0x7fff95f182b0, 7, 16) = -1 isc__buffer_init(0x7fff95f18330, 0x7fff95f18368, 255, 16) = -1 
dns_name_setbuffer(0x7fff95f18260, 0x7fff95f18330, 255, 16) = -1 isc__buffer_init(0x7fff95f18120, 0x7fff95f1a87e, 5, 6) = 0 isc__buffer_add(0x7fff95f18120, 5, 11, 6) = 0 dns_name_fromtext(0x7fff95f18260, 0x7fff95f18120, 0x7fe84b86ec20, 0) = 0 isc__buffer_init(0x7fff95f18120, 0x7fff95f18160, 254, 0x7fff95f1a87e) = 0 dst_key_fromlabel(0x7fff95f18260, 7, 257, 3pk11.c:601: fatal error: pkcs_C_Login: Error = 0x000000A0
It is interesting that I don't see any pkcs_C call in the output from ltrace. Did it give up even before calling the PKCS#11 interface? I don't know. [Note: in the PKCS#11 return-code table 0x000000A0 is CKR_PIN_INCORRECT, which suggests the login call did reach the token and the PIN was rejected; the pkcs_C_* calls are presumably made from inside the libraries, which ltrace may not show by default.]
-- Petr^2 Spacek