Subject: Re: [ISC-Bugs #35465] --enable-native-pkcs11 doesn't work with SoftHSM
From: Petr Spacek <pspacek@redhat.com>
To: bind9-bugs@isc.org
Date: Wed, 26 Feb 2014 18:10:57 +0100
Message-ID: <530E2021.5040409@redhat.com>
References: <530E0424.1030407@redhat.com> <20140226160929.GC38980@isc.org>
Organization: Red Hat

On 26.2.2014 17:09, Evan Hunt via RT wrote:
>
> Native PKCS#11 requires SoftHSM version 2, which you can clone from
> their git repository at https://github.com/opendnssec/SoftHSMv2.git.
>
> To use SoftHSM version 1, you need to use the old-style PKCS#11
> code with the OpenSSL shim.
>
> If OpenSSL-based PKCS#11 isn't working with version 1 and/or native
> isn't working with version 2, then we do have a problem. Can you
> confirm whether those combinations are failing?

I tried BIND 9.10.0b1 with the latest SoftHSM v2 and I have hit another problem:

$ /usr/local/bin/softhsm-util --show-slots
Available slots:
Slot 0
    Slot info:
        Description:      SoftHSM slot 0
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.0
        Firmware version: 2.0
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.0
        Firmware version: 2.0
        Serial number:    9b3699ce01c3512f
        Initialized:      yes
        User PIN init.:   yes
        Label:            OpenDNSSEC

$ pkcs11-list
Enter Pin:
object[0]: handle 2 class 2 label[8] 'test-ksk' id[0]
object[1]: handle 3 class 3 label[8] 'test-zsk' id[0]
object[2]: handle 4 class 2 label[8] 'test-zsk' id[0]
object[3]: handle 5 class 3 label[8] 'test-ksk' id[0]

(Keys were generated via pkcs11-keygen as described in Bv9ARM.ch04.html.)

$ dnssec-keyfromlabel -l test-ksk -f KSK -v 10 -a NSEC3RSASHA1 test.
pk11.c:601: fatal error: pkcs_C_Login: Error = 0x000000A0

$ ltrace -a0 dnssec-keyfromlabel -E "$PKCS11_PROVIDER" -l test-ksk -f KSK -v 10 -a NSEC3RSASHA1 test.
__libc_start_main(0x4032e0, 12, 0x7fff95f189a8, 0x4091f0
isc_mem_create(0, 0, 0x7fff95f180d8, 0x4091f0) = 0
dns_result_register(0x7fe84b486f00, 0, 0x7fe84b486f00, 0x1593d80) = 0
isc_stdtime_get(0x7fff95f180b0, 129, 0x7fffffff, -1) = 0x530e1fdd
isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, -1) = 69
isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0x7fe84b4860ec) = 108
isc__mem_strdup(0x1589030, 0x7fff95f1a858, 0x409394, 219) = 0x7fe84ba47018
isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0x6b736b2d74736574) = 102
__ctype_toupper_loc() = 0x7fe84ba88790
isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0x7fe84b4860ec) = 118
strtol(0x7fff95f1a86b, 0x7fff95f180c8, 0, 0x7fe84b4860ec) = 10
isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0) = 97
isc_commandline_parse(12, 0x7fff95f189a8, 0x409b70, 0x7fe84b4860ec) = 0xffffffff
isc_entropy_create(0x1589030, 0x7fff95f180e8, 0x7fff95f180e8, 0x7fe84b4860ec) = 0
isc_entropy_usebestsource(0x7fe84ba48010, 0x7fff95f17fb8, 0, 3) = 0
dst_lib_init2(0x1589030, 0x7fe84ba48010, 0x7fff95f1a830, 5) = 0
isc_log_create(0x1589030, 0x7fff95f17f88, 0x7fff95f17f80, 0xdededededededede) = 0
isc_log_setcontext(0x15a7c40, 0, 0x7fe84ba4b010, 32) = 0x7fe84b486e60
dns_log_init(0x15a7c40, 0, 0x7fe84ba4b010, 32) = 35
dns_log_setcontext(0x15a7c40, 0x7fe84b86ea40, 36, 0x7fe84b4861a0) = 0x7fe84b872748
isc_log_settag(0x7fe84ba4b010, 0x409638, 36, 0x7fe84b4861a0) = 0
isc_log_createchannel(0x7fe84ba4b010, 0x40a1ac, 4, 9) = 0
isc_log_usechannel(0x7fe84ba4b010, 0x40a1ac, 0, 0) = 0
strchr("test-ksk", ':') = nil
isc__mem_allocate(0x1589030, 16, 0x409394, 324) = 0x7fe84ba47078
snprintf("pkcs11:test-ksk", 16, "pkcs11:%s", "test-ksk") = 15
isc__mem_free(0x1589030, 0x7fe84ba47018, 0x409394, 328) = 0
strcasecmp("NSEC3RSASHA1", "RSA") = -4
dns_secalg_fromtext(0x7fff95f180af, 0x7fff95f180f0, 0x7fe8499b3b80, 12) = 0
dns_name_init(0x7fff95f18260, 0x7fff95f182b0, 7, 16) = -1
isc__buffer_init(0x7fff95f18330, 0x7fff95f18368, 255, 16) = -1
dns_name_setbuffer(0x7fff95f18260, 0x7fff95f18330, 255, 16) = -1
isc__buffer_init(0x7fff95f18120, 0x7fff95f1a87e, 5, 6) = 0
isc__buffer_add(0x7fff95f18120, 5, 11, 6) = 0
dns_name_fromtext(0x7fff95f18260, 0x7fff95f18120, 0x7fe84b86ec20, 0) = 0
isc__buffer_init(0x7fff95f18120, 0x7fff95f18160, 254, 0x7fff95f1a87e) = 0
dst_key_fromlabel(0x7fff95f18260, 7, 257, 3pk11.c:601: fatal error: pkcs_C_Login: Error = 0x000000A0

It is interesting that I don't see any pkcs_C call in the output from ltrace. Did it give up even before calling the PKCS#11 interface? I don't know.

-- 
Petr^2 Spacek