From 4895b10884d60c9ac41ecfbfa093e282b602d1fd Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 11 Jan 2022 09:04:55 +0100
Subject: [PATCH] Create keys with pkcs11-tool --id
The keyfromlabel system ECDSA tests sometimes fail. When this happens the ZSK and KSK key id values differ by 1, which is an indication that the same key is used for both DNSKEY records. When the private key is retrieved with 'ENGINE_load_private_key()', the public key is already set. But sometimes that key differs from the key which was retrieved with 'ENGINE_load_public_key()'. The libp11 source code uses id to find the key and without IDs all the keys are "equal", so it is returning the first key in the array of the enumerated keys instead of the matching key. In our test we didn't use '--id', just '--label'. With this change, the system test should no longer fail intermittently. Note this is only an issue for ECDSA keys, not RSA keys. (cherry picked from commit 0af8bbd49bc8821945e92f3cb0a36f50e0acd96e)
---
 bin/tests/system/keyfromlabel/tests.sh | 4 +++-
 doc/arm/pkcs11.rst | 14 +++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/bin/tests/system/keyfromlabel/tests.sh b/bin/tests/system/keyfromlabel/tests.sh
index 9764bf4606..0bbbe1be3b 100644
--- a/bin/tests/system/keyfromlabel/tests.sh
+++ b/bin/tests/system/keyfromlabel/tests.sh
@@ -22,7 +22,9 @@ keygen() {
 zone="$3"
 id="$4"
- pkcs11-tool --module $SOFTHSM2_MODULE -l -k --key-type $type:$bits --label "${id}-${zone}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
+ label="${id}-${zone}"
+ p11id=$(echo "${label}" | sha1sum - | awk '{print $1}')
+ pkcs11-tool --module $SOFTHSM2_MODULE -l -k --key-type $type:$bits --label "${label}" --id "${p11id//$'\n'/}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
 }
 keyfromlabel() {
diff --git a/doc/arm/pkcs11.rst b/doc/arm/pkcs11.rst
index 690c1a0120..5132a3b229 100644
--- a/doc/arm/pkcs11.rst
+++ b/doc/arm/pkcs11.rst
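Review bot: On the rewritten pkcs11-tool line, `--id "${p11id//$'\n'/}"` adds nothing: `$(...)` already strips trailing newlines and awk prints a single field, so `p11id` never contains one; the pattern substitution and `$'\n'` are also bash-only, so if tests.sh is executed by a POSIX /bin/sh (its shebang is outside the hunk) dash aborts with "Bad substitution". `--id "${p11id}"` is sufficient and portable. The same line still passes the token PIN on argv via `--pin $(cat $PWD/pin)`, which any local user can read from the process table; that predates this change and the test PIN is a fixture rather than a secret, but it is worth a comment if keygen is ever reused outside the test harness. keygen's opening line and its earlier positional assignments are outside the hunk.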
@@ -145,7 +145,7 @@ We need to generate at least two RSA keys:
 ::
 pkcs11-tool --module -l -k --key-type rsa:2048 --label example.net-ksk --pin
- pkcs11-tool --module -l -k --key-type rsa:2048 --label example.net-ksk --pin
+ pkcs11-tool --module -l -k --key-type rsa:2048 --label example.net-zsk --pin
 Remember that each key should have unique label and we are going to use that label to reference the private key.
@@ -197,6 +197,18 @@ The output should look like this (the second number will be different):
 Kexample.net.+008+42231.key
 Kexample.net.+008+42231.private
+A note on generating ECDSA keys: there is a bug in libp11 when looking up a key,
+that function compares keys only on their ID, not the label. So when looking up
+a key it returns the first key, rather than the matching key. The workaround for
+this is when creating ECDSA keys, you should specify a unique ID:
+
+::
+
+ ksk=$(echo "example.net-ksk" | sha1sum - | awk '{print $1}')
+ zsk=$(echo "example.net-zsk" | sha1sum - | awk '{print $1}')
+ pkcs11-tool --module -l -k --key-type EC:prime256v1 --id $ksk --label example.net-ksk --pin
+ pkcs11-tool --module -l -k --key-type EC:prime256v1 --id $zsk --label example.net-zsk --pin
+
 Specifying the Engine on the Command Line
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~