From ad01bca9fd5594f774c88b5343bd4b855ec0a4ee Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 11 Nov 2021 09:37:33 +0100 Subject: [PATCH 1/7] Add CHANGES for keyfromlabel test --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 9e82be8c27..96dcdf82a6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +5798. [test] Add system test to test dnssec-keyfromlabel. [GL #3092] + 5797. [bug] A failed view configuration during a named reconfiguration procedure could cause inconsistencies in BIND internal structures, causing a crash or other From 0725fcad38457bfd7e8549bbdba30ae8f8c55f6e Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 13 Dec 2021 17:10:56 +0100 Subject: [PATCH 2/7] Remove prepare-softhsm2.sh from runtime test This script is obsoleted because SoftHSM2 is now installed in the image. --- bin/tests/system/runtime/tests.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/bin/tests/system/runtime/tests.sh b/bin/tests/system/runtime/tests.sh index ddba6390e9..50355e6912 100644 --- a/bin/tests/system/runtime/tests.sh +++ b/bin/tests/system/runtime/tests.sh @@ -228,8 +228,6 @@ if [ "$(id -u)" -eq 0 ]; then TEMP_NAMED_DIR=$(mktemp -d "$(pwd)/ns2/tmp.XXXXXXXX") if [ "$?" -eq 0 ]; then copy_setports ns2/named-alt9.conf.in "${TEMP_NAMED_DIR}/named-alt9.conf" - export SOFTHSM2_CONF="${TEMP_NAMED_DIR}/softhsm2.conf" - sh "$TOP_SRCDIR/bin/tests/prepare-softhsm2.sh" chown -R nobody: "${TEMP_NAMED_DIR}" chmod 0700 "${TEMP_NAMED_DIR}" testpid=$(run_named "${TEMP_NAMED_DIR}" "${TEMP_NAMED_DIR}/named$n.run" -u nobody -c named-alt9.conf) From 221e1bc2a360cdbc935ca8e57616556380b2aa92 Mon Sep 17 00:00:00 2001 
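Review bot: With `export SOFTHSM2_CONF="${TEMP_NAMED_DIR}/softhsm2.conf"` and the prepare call removed, the named instance started a few lines later as `-u nobody` inherits whatever SOFTHSM2_CONF the CI image provides instead of a config and token directory created inside TEMP_NAMED_DIR and covered by the `chown -R nobody:` that follows. If named-alt9.conf still loads the pkcs11 engine, that user now needs read access to the image-level config and its tokendir, which nothing in this hunk guarantees; if it does not, the removed lines were dead and the change is fine — either way the commit message should say which. The `if [ "$?" -eq 0 ]` block this sits in ends outside the hunk.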
From: Matthijs Mekking Date: Thu, 11 Nov 2021 09:35:46 +0100 Subject: [PATCH 3/7] Update .gitlab-ci.yml with openssl setup GitLab CI needs to know about some environment variables that will tell where OpenSSL and SoftHSM2 is installed. This is done in the image, making the prepare-softhsm2.sh script obsolete. The SoftHSM2 module location is system specific. --- .gitlab-ci.yml | 15 ++++++++------- bin/tests/Makefile.am | 2 -- bin/tests/prepare-softhsm2.sh | 22 ---------------------- 3 files changed, 8 insertions(+), 31 deletions(-) delete mode 100755 bin/tests/prepare-softhsm2.sh diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6ebad9ab73..043968b93f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -7,6 +7,9 @@ variables: CI_REGISTRY_IMAGE: registry.gitlab.isc.org/isc-projects/images/bind9 CCACHE_DIR: "/ccache" SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf" + OPENSSL_ENGINES: "/usr/lib/x86_64-linux-gnu/engines-1.1" + DEFAULT_OPENSSL_CONF: "/etc/ssl/openssl.cnf" + OPENSSL_CONF: "/var/tmp/etc/openssl.cnf" GIT_DEPTH: 1 BUILD_PARALLEL_JOBS: 6 @@ -309,15 +312,10 @@ stages: sudo sh -x bin/tests/system/ifconfig.sh up; fi -.setup_softhsm: &setup_softhsm - - export SLOT=$(sh -x bin/tests/prepare-softhsm2.sh) - - test -n "${SLOT}" && test "${SLOT}" -gt 0 - .system_test_common: &system_test_common <<: *default_triggering_rules stage: system before_script: - - *setup_softhsm - *retrieve_out_of_tree_workspace - *setup_interfaces script: @@ -358,7 +356,6 @@ stages: <<: *default_triggering_rules stage: unit before_script: - - *setup_softhsm - *retrieve_out_of_tree_workspace script: - make -j${TEST_PARALLEL_JOBS:-1} -k unit V=1 
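Review bot: `OPENSSL_ENGINES` is set globally to a Debian multiarch path (`/usr/lib/x86_64-linux-gnu/engines-1.1`) while the Fedora jobs later in this series point `SOFTHSM2_MODULE` at `/lib64/libsofthsm2.so`; Fedora does not keep its engines directory under that multiarch prefix, so if the pkcs11 engine is located through this variable rather than through a `dynamic_path` in `/var/tmp/etc/openssl.cnf`, those jobs need a per-image override of the same kind as the one made for `SOFTHSM2_MODULE`. Separately, `OPENSSL_CONF` and `SOFTHSM2_CONF` both live under `/var/tmp`, and every OpenSSL-linked process in the job loads that config; since an OpenSSL config can direct which engine library is loaded, confirm the image keeps that tree root-owned and not writable by the unprivileged account the runtime test drops to (`-u nobody`), or move the files under a root-owned path such as `/etc`. Removing `.setup_softhsm` also removes the only place CI asserted `SLOT -gt 0`, so an image with a broken token now surfaces as test failures rather than a setup error; a one-line sanity check (e.g. `softhsm2-util --show-slots` in `before_script`) would keep that signal.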
@@ -932,11 +929,14 @@ gcc:asan: CC: gcc CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined" LDFLAGS: "-fsanitize=address,undefined" + SOFTHSM2_MODULE: "/lib64/libsofthsm2.so" EXTRA_CONFIGURE: "--with-libidn2 --without-jemalloc" <<: *fedora_35_amd64_image <<: *build_job system:gcc:asan: + variables: + SOFTHSM2_MODULE: "/lib64/libsofthsm2.so" <<: *fedora_35_amd64_image <<: *system_test_job needs: @@ -980,12 +980,14 @@ gcc:tsan: CC: gcc CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread" LDFLAGS: "-fsanitize=thread" + SOFTHSM2_MODULE: "/lib64/libsofthsm2.so" EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock --without-jemalloc" <<: *fedora_35_amd64_image <<: *build_job system:gcc:tsan: variables: + SOFTHSM2_MODULE: "/lib64/libsofthsm2.so" TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON} <<: *fedora_35_amd64_image <<: *system_test_tsan_job @@ -1297,7 +1299,6 @@ respdiff-third-party: script: - *configure - *setup_interfaces - - *setup_softhsm - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1 - make DESTDIR="${INSTALL_PATH}" install - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git diff --git a/bin/tests/Makefile.am b/bin/tests/Makefile.am index 5366cc4496..7c2ebe27d5 100644 --- a/bin/tests/Makefile.am +++ b/bin/tests/Makefile.am @@ -31,5 +31,3 @@ wire_test_CPPFLAGS = \ wire_test_LDADD = \ $(LIBISC_LIBS) \ $(LIBDNS_LIBS) - -EXTRA_DIST = prepare-softhsm2.sh diff --git a/bin/tests/prepare-softhsm2.sh b/bin/tests/prepare-softhsm2.sh deleted file mode 100755 index f1fa19433d..0000000000 --- a/bin/tests/prepare-softhsm2.sh +++ /dev/null 
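Review bot: `SOFTHSM2_MODULE: "/lib64/libsofthsm2.so"` is now pasted into four job blocks (`gcc:asan`, `system:gcc:asan` here and both tsan blocks in the next hunk); it describes the Fedora image rather than the sanitizer, so it belongs with the image definition — in the variables of `*fedora_35_amd64_image` if that anchor carries a `variables:` map, otherwise in a small shared anchor merged into these jobs — so the path changes in one place when the image does. The build-only jobs (`gcc:asan`, `gcc:tsan`) do not appear to run anything that loads the module, so the setting there may be unnecessary; if it is kept, a comment saying why (e.g. `# picked up by the system-test job via run.sh`) would stop the next reader from removing it.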
@@ -1,22 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-if [ -n "${SOFTHSM2_CONF}" ] && command -v softhsm2-util >/dev/null; then
- SOFTHSM2_DIR=$(dirname "$SOFTHSM2_CONF")
- mkdir -p "${SOFTHSM2_DIR}/tokens"
- echo "directories.tokendir = ${SOFTHSM2_DIR}/tokens" > "${SOFTHSM2_CONF}"
- echo "objectstore.backend = file" >> "${SOFTHSM2_CONF}"
- echo "log.level = DEBUG" >> "${SOFTHSM2_CONF}"
- softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
-fi
-exit 0
From eba66665a52a5ee6c600cb87ec1d9b8d881956bd Mon Sep 17 00:00:00 2001
From: Matthijs Mekking Date: Mon, 15 Nov 2021 10:23:04 +0100 Subject: [PATCH 4/7] Add system test for dnssec-keyfromlabel Add missing system test for dnssec-keyfromlabel. Test for various algorithms that we can generate key files from a key that is stored in a HSM, and that those keys can be used for signing with dnssec-signzone. --- bin/tests/system/Makefile.am | 1 + bin/tests/system/conf.sh.in | 1 + bin/tests/system/keyfromlabel/clean.sh | 27 ++++++ bin/tests/system/keyfromlabel/prereq.sh | 21 +++++ bin/tests/system/keyfromlabel/setup.sh | 22 +++++ bin/tests/system/keyfromlabel/template.db.in | 24 ++++++ bin/tests/system/keyfromlabel/tests.sh | 88 ++++++++++++++++++++ bin/tests/system/run.sh.in | 16 +++- 8 files changed, 199 insertions(+), 1 deletion(-) create mode 100644 bin/tests/system/keyfromlabel/clean.sh create mode 100644 bin/tests/system/keyfromlabel/prereq.sh create mode 100644 bin/tests/system/keyfromlabel/setup.sh create mode 100644 bin/tests/system/keyfromlabel/template.db.in create mode 100644 bin/tests/system/keyfromlabel/tests.sh diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index da153d6615..b6a855f45e 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -125,6 +125,7 @@ TESTS += \ hooks \ journal \ keepalive \ + keyfromlabel \ legacy \ limits \ logfileconfig \ diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index da9a934ca0..cad051c5b9 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -85,6 +85,7 @@ dnssec dyndb filter-aaaa kasp +keyfromlabel keymgr2kasp legacy logfileconfig diff --git a/bin/tests/system/keyfromlabel/clean.sh b/bin/tests/system/keyfromlabel/clean.sh new file mode 100644 index 0000000000..39082d4ce2 --- /dev/null +++ b/bin/tests/system/keyfromlabel/clean.sh 
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+rm -f K*
+rm -f pin
+rm -f dsset-*
+rm -f *.example.db *.example.db.signed
+rm -f keyfromlabel.out.*
+rm -f pkcs11-tool.out.*
+rm -f signer.out.*
+
+softhsm2-util --delete-token --token "softhsm2" || echo_i "softhsm2 token not found"
diff --git a/bin/tests/system/keyfromlabel/prereq.sh b/bin/tests/system/keyfromlabel/prereq.sh
new file mode 100644
index 0000000000..296452b402
--- /dev/null
+++ b/bin/tests/system/keyfromlabel/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null; then
+ exit 0
+fi
+
+echo_i "skip: softhsm2-util not available"
+exit 255
diff --git a/bin/tests/system/keyfromlabel/setup.sh b/bin/tests/system/keyfromlabel/setup.sh
new file mode 100644
index 0000000000..9f06a71faf
--- /dev/null
+++ b/bin/tests/system/keyfromlabel/setup.sh
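Review bot: prereq.sh checks only `SOFTHSM2_MODULE` and `softhsm2-util`, but tests.sh also calls `pkcs11-tool`, which ships with OpenSC and is packaged separately from SoftHSM; on a host that has SoftHSM but not OpenSC the test fails inside `keygen` instead of being skipped. Extend the guard to `if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null && command -v pkcs11-tool >/dev/null; then` and make the skip message name whichever tool is missing. Using `-r "${SOFTHSM2_MODULE}"` instead of `-n` would additionally catch a variable that is set to a path that does not exist on this image, which is the likely failure mode now that the path is hard-coded per distribution in CI.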
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
+
+printf '%s' "${HSMPIN:-1234}" > pin
+PWD=$(pwd)
diff --git a/bin/tests/system/keyfromlabel/template.db.in b/bin/tests/system/keyfromlabel/template.db.in
new file mode 100644
index 0000000000..7941903808
--- /dev/null
+++ b/bin/tests/system/keyfromlabel/template.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+txt TXT "test"
+
diff --git a/bin/tests/system/keyfromlabel/tests.sh b/bin/tests/system/keyfromlabel/tests.sh
new file mode 100644
index 0000000000..9764bf4606
--- /dev/null
+++ b/bin/tests/system/keyfromlabel/tests.sh
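Review bot: The token is initialised with a hard-coded `--pin 1234 --so-pin 1234`, but the pin file written two lines later uses `${HSMPIN:-1234}`; any other HSMPIN value leaves tests.sh with a `pin-source` that does not match the token, so either use `--pin "${HSMPIN:-1234}" --so-pin "${HSMPIN:-1234}"` on the init line as well or drop the variable. The `softhsm2-util … | awk …` pipeline also hides an init failure from `set -e` (awk exits 0 whatever it is fed) and the slot number it prints is never consumed, so `softhsm2-util --init-token --free --pin "${HSMPIN:-1234}" --so-pin "${HSMPIN:-1234}" --label "softhsm2" >/dev/null` would make setup fail loudly instead of letting tests.sh fail later with no hint. `PWD=$(pwd)` overwrites the shell's own PWD variable and is not used anywhere in this script; remove it.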
@@ -0,0 +1,88 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+PWD=$(pwd)
+
+keygen() {
+ type="$1"
+ bits="$2"
+ zone="$3"
+ id="$4"
+
+ pkcs11-tool --module $SOFTHSM2_MODULE -l -k --key-type $type:$bits --label "${id}-${zone}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
+}
+
+keyfromlabel() {
+ alg="$1"
+ zone="$2"
+ id="$3"
+ shift 3
+
+ $KEYFRLAB -E pkcs11 -a $alg -l "token=softhsm2;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2>> /dev/null || return 1
+ cat keyfromlabel.out.$zone.$id
+}
+
+infile="template.db.in"
+for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
+ ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1
+ # Edwards curves are not yet supported by OpenSC
+ # ed25519:EC:edwards25519 ed448:EC:edwards448
+do
+ alg=$(echo "$algtypebits" | cut -f 1 -d :)
+ type=$(echo "$algtypebits" | cut -f 2 -d :)
+ bits=$(echo "$algtypebits" | cut -f 3 -d :)
+
+ if $SHELL ../testcrypto.sh $alg; then
+ zone="$alg.example"
+ zonefile="zone.$alg.example.db"
+ ret=0
+
+ echo_i "Generate keys $alg $type:$bits for zone $zone"
+ keygen $type $bits $zone keyfromlabel-zsk || ret=1
+ keygen $type $bits $zone keyfromlabel-ksk || ret=1
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+
+ # Skip dnssec-keyfromlabel if key generation failed.
+ test $ret == 0 || continue
+
+ echo_i "Get ZSK $alg $id-$zone $type:$bits"
+ ret=0
+ zsk=$(keyfromlabel $alg $zone keyfromlabel-zsk)
+ test -z "$zsk" && ret=1
+
+ echo_i "Get KSK $alg $id-$zone $type:$bits"
+ ret=0
+ ksk=$(keyfromlabel $alg $zone keyfromlabel-ksk -f KSK)
+ test -z "$ksk" && ret=1
+
+ test "$ret" -eq 0 || echo_i "failed (zsk=$zsk ksk=$ksk)"
+ status=$((status+ret))
+
+ # Skip signing if dnssec-keyfromlabel failed.
+ test $ret == 0 || continue
+
+ echo_i "Sign zone with $ksk $zsk"
+ ret=0
+ cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
+ $SIGNER -E pkcs11 -S -a -g -o "$zone" "$zonefile" > signer.out.$zone || ret=1
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+ fi
+done
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/run.sh.in b/bin/tests/system/run.sh.in
index 51399a79c5..9c529d0286 100644
--- a/bin/tests/system/run.sh.in
+++ b/bin/tests/system/run.sh.in
@@ -74,7 +74,21 @@ if ! $do_run; then
 if [ "$baseport" -eq 0 ]; then
 log_flags="$log_flags -p 5300"
 fi
- env - SYSTEMTEST_FORCE_COLOR="$SYSTEMTEST_FORCE_COLOR" SYSTEMTEST_NO_CLEAN="$SYSTEMTEST_NO_CLEAN" SLOT="$SLOT" SOFTHSM2_CONF="$SOFTHSM2_CONF" PATH="$PATH" ${LD_LIBRARY_PATH:+"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"} TESTS="$*" TEST_SUITE_LOG=run.log LOG_DRIVER_FLAGS="--verbose yes --color-tests yes" LOG_FLAGS="$log_flags" TEST_LARGE_MAP="${TEST_LARGE_MAP}" make -e check
+ env - \
+ SYSTEMTEST_FORCE_COLOR="$SYSTEMTEST_FORCE_COLOR" \
+ SYSTEMTEST_NO_CLEAN="$SYSTEMTEST_NO_CLEAN" \
+ SLOT="$SLOT" \
+ OPENSSL_CONF="$OPENSSL_CONF" \
+ SOFTHSM2_CONF="$SOFTHSM2_CONF" \
+ SOFTHSM2_MODULE="$SOFTHSM2_MODULE" \
+ PATH="$PATH" \
+ ${LD_LIBRARY_PATH:+"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"} \
+ TESTS="$*" \
+ TEST_SUITE_LOG=run.log \
+ LOG_DRIVER_FLAGS="--verbose yes --color-tests yes" \
+ LOG_FLAGS="$log_flags" \
+ TEST_LARGE_MAP="${TEST_LARGE_MAP}" \
+ make -e check
 exit $?
 fi
From 8a4f098dee9056cec29366424d74ef78eea81184 Mon Sep 17 00:00:00 2001
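Review bot: In the KSK block `ret=0` is reset after the ZSK result was recorded, so a ZSK lookup that returned nothing is never added to `status` when the KSK lookup succeeds, and the script goes on to `cat "$infile" "$ksk.key" ".key"` with an empty name; drop that second `ret=0` (keep the one before the ZSK call) so both lookups feed `status=$((status+ret))`. The two `test $ret == 0 || continue` lines are not POSIX: dash's `test` rejects `==` as an unexpected operator, the failing test makes `continue` fire on every iteration, and the keyfromlabel and signing steps are skipped with `status` untouched, so on a Debian/Ubuntu `/bin/sh` the test passes vacuously — use `test "$ret" -eq 0 || continue` as the neighbouring checks already do. `$id` in the two `echo_i "Get …"` messages is never assigned in this loop (it only holds whatever `keygen`/`keyfromlabel` last set, since POSIX sh function variables are global), and `status` should be initialised to 0 before the loop so the final `[ $status -eq 0 ]` does not compare an empty string when testcrypto.sh rejects every algorithm. Sending `$KEYFRLAB` stderr to `/dev/null` leaves the "failed (zsk= ksk=)" message with no diagnostic; redirecting it to `keyfromlabel.err.$zone.$id` (and adding that pattern to clean.sh) costs nothing and is what a CI log reader needs.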
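Review bot: The rewritten `env -` line forwards `OPENSSL_CONF`, `SOFTHSM2_CONF` and `SOFTHSM2_MODULE` but not `OPENSSL_ENGINES`, which the CI variables in this series also set; `env -` starts from an empty environment, so if the pkcs11 engine is located through that variable rather than through the config file the tests will not find it — add `OPENSSL_ENGINES="$OPENSSL_ENGINES" \` next to `OPENSSL_CONF`. `SLOT="$SLOT"` is still forwarded even though the `.setup_softhsm` step that produced it is removed in the same series; keep it only if some test still reads it, otherwise it is one more unexplained variable. The enclosing `if ! $do_run` block starts outside the hunk.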
From: Matthijs Mekking Date: Wed, 22 Dec 2021 16:53:30 +0100 Subject: [PATCH 5/7] Suppressing memory leaks procuded by LeakSanitizer These memory leaks are a known issue in libp11: From Timo Teras: The relevant code is: https://github.com/OpenSC/libp11/blob/master/src/eng_front.c#L114-L123 The authors of libp11 did not get the locking right and decided that having intentional memory leaks is better than risking a deadlock. The leak logs indicate that it is the cached structures that should have been freed. These are not run-time leaks, so suppressing these leaks is probably okay. --- .gitlab-ci.yml | 1 + suppr-lsan.txt | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 suppr-lsan.txt diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 043968b93f..2816466c65 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -937,6 +937,7 @@ gcc:asan: system:gcc:asan: variables: SOFTHSM2_MODULE: "/lib64/libsofthsm2.so" + LSAN_OPTIONS: "suppressions=/builds/isc-projects/bind9/suppr-lsan.txt" <<: *fedora_35_amd64_image <<: *system_test_job needs: diff --git a/suppr-lsan.txt b/suppr-lsan.txt new file mode 100644 index 0000000000..050b86e9ae --- /dev/null +++ b/suppr-lsan.txt 
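Review bot: `suppressions=/builds/isc-projects/bind9/suppr-lsan.txt` hard-codes the checkout path of the canonical project, so in a fork or on a runner with a different builds root the file is not found and LSan either aborts the process or runs with no suppressions at all. GitLab exposes the checkout directory as `CI_PROJECT_DIR`; `LSAN_OPTIONS: "suppressions=${CI_PROJECT_DIR}/suppr-lsan.txt"` works in every namespace. The option is added only to `system:gcc:asan`; if the unit-test ASan job links libp11 the same way, it will hit the same reports and needs the same setting.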
@@ -0,0 +1,26 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# These are known leaks in libp11. +leak:BN_MONT_CTX_new +leak:C_LoadModule +leak:ctx_new +leak:ctx_try_load_object +leak:dlfcn_name_converter +leak:EC_GROUP_set_seed +leak:CRYPTO_strdup +leak:CRYPTO_zalloc +leak:pkcs11_check_token +leak:pkcs11_CTX_new +leak:pkcs11_enumerate_slots +leak:pkcs11_getattr_alloc +leak:pkcs11_init_key +leak:pkcs11_strdup From 0af8bbd49bc8821945e92f3cb0a36f50e0acd96e Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 11 Jan 2022 09:04:55 +0100 Subject: [PATCH 6/7] Create keys with pkcs11-tool --id The keyfromlabel system ECDSA tests sometimes fail. When this happens the ZSK and KSK key id values differ by 1, which is an indication that the same key is used for both DNSKEY records. When the private key is retrieved with 'ENGINE_load_private_key()', the public key is already set. But sometimes that key differs from the key which was retrieved with 'ENGINE_load_public_key()'. The libp11 source code uses id to find the key and without IDs all the keys are "equal", so it is returning the first key in the array of the enumerated keys instead of the matching key. In our test we didn't use '--id', just '--label'. With this change, the system test should no longer fail intermittently. Note this is only an issue for ECDSA keys, not RSA keys. --- bin/tests/system/keyfromlabel/tests.sh | 4 +++- doc/arm/pkcs11.rst | 14 +++++++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/bin/tests/system/keyfromlabel/tests.sh b/bin/tests/system/keyfromlabel/tests.sh index 9764bf4606..0bbbe1be3b 100644 
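Review bot: An LSan `leak:` pattern matches any frame in the allocation stack, so the generic OpenSSL entries `leak:CRYPTO_zalloc`, `leak:CRYPTO_strdup`, `leak:BN_MONT_CTX_new` and `leak:EC_GROUP_set_seed` suppress every leak in the job whose stack passes through those allocators — including leaks in BIND's own OpenSSL use that have nothing to do with libp11 — which removes most of the value of running the system tests under ASan. If the leaks described in the commit message originate in libp11, one of its own frames (`pkcs11_*`, `ctx_new`, `ctx_try_load_object`, `C_LoadModule`, `dlfcn_name_converter`) should appear in each stack, so try dropping the four generic entries and keep only those that still fire. A short comment per entry naming the libp11 path it covers (the eng_front.c reference from the message is a good start) would make the file reviewable when libp11 is next upgraded.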
--- a/bin/tests/system/keyfromlabel/tests.sh +++ b/bin/tests/system/keyfromlabel/tests.sh @@ -22,7 +22,9 @@ keygen() { zone="$3" id="$4" - pkcs11-tool --module $SOFTHSM2_MODULE -l -k --key-type $type:$bits --label "${id}-${zone}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1 + label="${id}-${zone}" + p11id=$(echo "${label}" | sha1sum - | awk '{print $1}') + pkcs11-tool --module $SOFTHSM2_MODULE -l -k --key-type $type:$bits --label "${label}" --id "${p11id//$'\n'/}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1 } keyfromlabel() { diff --git a/doc/arm/pkcs11.rst b/doc/arm/pkcs11.rst index 690c1a0120..5132a3b229 100644 --- a/doc/arm/pkcs11.rst +++ b/doc/arm/pkcs11.rst @@ -145,7 +145,7 @@ We need to generate at least two RSA keys: :: pkcs11-tool --module -l -k --key-type rsa:2048 --label example.net-ksk --pin - pkcs11-tool --module -l -k --key-type rsa:2048 --label example.net-ksk --pin + pkcs11-tool --module -l -k --key-type rsa:2048 --label example.net-zsk --pin Remember that each key should have unique label and we are going to use that label to reference the private key. @@ -197,6 +197,18 @@ The output should look like this (the second number will be different): Kexample.net.+008+42231.key Kexample.net.+008+42231.private +A note on generating ECDSA keys: there is a bug in libp11 when looking up a key, +that function compares keys only on their ID, not the label. So when looking up +a key it returns the first key, rather than the matching key. The workaround for +this is when creating ECDSA keys, you should specify a unique ID: + +:: + + ksk=$(echo "example.net-ksk" | sha1sum - | awk '{print $1}') + zsk=$(echo "example.net-zsk" | sha1sum - | awk '{print $1}') + pkcs11-tool --module -l -k --key-type EC:prime256v1 --id $ksk --label example.net-ksk --pin + pkcs11-tool --module -l -k --key-type EC:prime256v1 --id $zsk --label example.net-zsk --pin + Specifying the Engine on the Command Line ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
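Review bot: `"${p11id//$'\n'/}"` uses two bash-only constructs (`${var//pattern/replacement}` and `$'\n'`) in a `#!/bin/sh` script; under dash this is a "Bad substitution" error and the whole test breaks on Debian/Ubuntu runners. The stripping is also unnecessary: `$(…)` already removes trailing newlines and `awk '{print $1}'` emits a single token, so `--id "${p11id}"` is equivalent and portable. While this line is being touched, quoting `"$SOFTHSM2_MODULE"` and `"$(cat "$PWD/pin")"` would make it survive paths with spaces; the unique CKA_ID per key that the message describes is the right mitigation for the lookup-by-id behaviour in libp11.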
From a90f4c4ffa7567930e4007971170d1c35a758c3e Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 14 Jan 2022 11:30:06 +0100 Subject: [PATCH 7/7] Update pkcs11 documentation on openssl_conf The user should make sure there are no other 'openssl_conf = ...' lines in the file. --- doc/arm/pkcs11.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/arm/pkcs11.rst b/doc/arm/pkcs11.rst index 5132a3b229..07a59dafbc 100644 --- a/doc/arm/pkcs11.rst +++ b/doc/arm/pkcs11.rst @@ -113,7 +113,9 @@ brackets) are defined: openssl_conf = openssl_init -And add following lines at the bottom of the file: +And make sure there are no other 'openssl_conf = ...' lines in the file. + +Add following lines at the bottom of the file: ::