Subject: Re: [ISC-Bugs #35465] --enable-native-pkcs11 doesn't work with SoftHSM
From: Evan Hunt
To: Petr Spacek via RT
Date: Wed, 26 Feb 2014 18:31:03 +0000

> I tried BIND 9.10.0b1 with latest SoftHSM v2 and I have hit another problem:
[...]
> $ dnssec-keyfromlabel -l test-ksk -f KSK -v 10 -a NSEC3RSASHA1 test.

Take note of section 4.11.7 of the ARM: the format for labels changes
when you're using native PKCS#11 mode. They're now pkcs11: URIs.
It'll be something like "pkcs11:object=test-ksk;pin-source=".

The pin-source is optional. If you specify it, it's a file that contains
the PIN, with no newline at the end, so:

    $ echo -n "1234" > pinfile

...will work. Assuming your PIN is 1234, that is. Which, let's admit it,
it probably is. ;)

After building BIND, try this:

    $ cd bin/tests/system
    $ sudo sh ifconfig.sh up
    $ sh run.sh pkcs11

...if the test passes, then SoftHSM is working, and you can use the pkcs11
system test for guidance on how to get it working.

We clearly need to work on better error messages.
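
Added example, not part of the message above and not BIND's own code: shell helpers that write the PIN file without a trailing newline and with owner-only permissions, check an existing PIN file for both properties, and build a label in the "pkcs11:object=...;pin-source=..." form quoted in the message. The function names and the rule rejecting ';' in object names are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical helpers for the PIN file and label format described above.

# write_pin_file PIN PATH
# Store the PIN with no trailing newline, readable by the owner only.
write_pin_file() {
    ( umask 077 && rm -f -- "$2" && printf '%s' "$1" > "$2" )
}

# pin_file_ok PATH
# Succeed only if the file is non-empty, does not end in a newline,
# and grants no permissions to group or others.
pin_file_ok() {
    [ -s "$1" ] || return 1
    # Last byte in octal; 012 is a newline.
    last=$(tail -c 1 "$1" | od -An -to1 | tr -d ' \n')
    [ "$last" != "012" ] || return 1
    # Characters 5-10 of the mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 1
}

# pkcs11_label OBJECT [PINFILE]
# Print a label in the form shown in the message. Empty object names and
# names containing ';' are rejected (an assumption of this example, since
# ';' separates the attributes).
pkcs11_label() {
    case "$1" in
        ''|*\;*) return 1 ;;
    esac
    if [ -n "${2:-}" ]; then
        printf 'pkcs11:object=%s;pin-source=%s\n' "$1" "$2"
    else
        printf 'pkcs11:object=%s\n' "$1"
    fi
}

# Usage with the command from the quoted report (not run here):
#   write_pin_file "$PIN" pinfile && pin_file_ok pinfile
#   dnssec-keyfromlabel -l "$(pkcs11_label test-ksk pinfile)" \
#       -f KSK -a NSEC3RSASHA1 test.
```
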