upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-10 18:10:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Create keys with pkcs11-tool --id

Browse source 
The keyfromlabel system ECDSA tests sometimes fail. When this happens
the ZSK and KSK key id values differ by 1, which is an indication that
the same key is used for both DNSKEY records.

When the private key is retrieved with 'ENGINE_load_private_key()', the
public key is already set. But sometimes that key differs from the key
which was retrieved with 'ENGINE_load_public_key()'.

The libp11 source code uses id to find the key and without IDs all the
keys are "equal", so it is returning the first key in the array of the
enumerated keys instead of the matching key. In our test we didn't use
'--id', just '--label'. With this change, the system test should no
longer fail intermittently.

Note this is only an issue for ECDSA keys, not RSA keys.

(cherry picked from commit 0af8bbd49b)
This commit is contained in:
Matthijs Mekking 2022-01-11 09:04:55 +01:00
parent c3f35147a3
commit 4895b10884
2 changed files with 16 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
bin/tests/system/keyfromlabel/tests.sh
View file

@ -22,7 +22,9 @@ keygen() {
zone="$3"
id="$4"
pkcs11-tool --module $SOFTHSM2_MODULE -l -k --key-type $type:$bits --label "${id}-${zone}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
label="${id}-${zone}"
p11id=$(echo "${label}" | sha1sum - | awk '{print $1}')
pkcs11-tool --module $SOFTHSM2_MODULE -l -k --key-type $type:$bits --label "${label}" --id "${p11id//$'\n'/}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
}
keyfromlabel() {

14
doc/arm/pkcs11.rst
View file

@ -145,7 +145,7 @@ We need to generate at least two RSA keys:
::
pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type rsa:2048 --label example.net-ksk --pin <PIN>
pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type rsa:2048 --label example.net-ksk --pin <PIN>
pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type rsa:2048 --label example.net-zsk --pin <PIN>
Remember that each key should have unique label and we are going to use that
label to reference the private key.
@ -197,6 +197,18 @@ The output should look like this (the second number will be different):
Kexample.net.+008+42231.key
Kexample.net.+008+42231.private
A note on generating ECDSA keys: there is a bug in libp11 when looking up a key,
that function compares keys only on their ID, not the label. So when looking up
a key it returns the first key, rather than the matching key. The workaround for
this is when creating ECDSA keys, you should specify a unique ID:
::
ksk=$(echo "example.net-ksk" | sha1sum - | awk '{print $1}')
zsk=$(echo "example.net-zsk" | sha1sum - | awk '{print $1}')
pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type EC:prime256v1 --id $ksk --label example.net-ksk --pin <PIN>
pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type EC:prime256v1 --id $zsk --label example.net-zsk --pin <PIN>
Specifying the Engine on the Command Line
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~