I'd like to say a big THANK YOU for the work you are doing on this. I've made a couple of half-hearted attempts at doing exactly what you are doing and never had the time to complete the task - or to document where I got.
Once it's all working (and documented), I'll be more than happy to run a server in this mode. 8-) I'd also like to see ISC make BIND more functional in this "HSM functioning as an HSM only" mode in the mainline code. AlanC On 5/26/16, 5:20 AM, "FUSTE Emmanuel" <bind-users-boun...@lists.isc.org on behalf of emmanuel.fu...@thalesgroup.com> wrote: >Le 25/05/2016 16:27, FUSTE Emmanuel a écrit : >> Le 25/05/2016 14:29, FUSTE Emmanuel a écrit : >>> Le 24/05/2016 16:36, FUSTE Emmanuel a écrit : >>>> Le 23/05/2016 16:40, FUSTE Emmanuel a écrit : >>>>> Hello, >>>>> >>>>> I'm trying to use a smartcard-hsm usb stick (v1.2) with BIND >>>>>9.10.3-P4. >>>>> This stick is working with powerdns and support all crypto operations >>>>> required for basic DNSSEC support. >>>>> >>>>> But I get this warning/error: >>>>> "PKCS#11 provider has no digest service". >>>>> "This HSM will not work with BIND 9 using native PKCS#11." >>>>> >>>>> Bind version: >>>>> BIND 9.10.3-P4-Debian <id:ebd72b3> >>>>> built by make with '--prefix=/usr' '--mandir=/usr/share/man' >>>>> '--libdir=/usr/lib/i386-linux-gnu' '--infodir=/usr/share/info' >>>>> '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' >>>>> '--enable-threads' '--enable-largefile' '--with-libtool' >>>>> '--enable-shared' '--enable-static' '--with-openssl=/usr' >>>>> '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' >>>>>'--with-atf=no' >>>>> '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' >>>>> '--enable-native-pkcs11' >>>>> '--with-pkcs11=/usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so' >>>>> 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat >>>>> -Werror=format-security -fno-strict-aliasing >>>>> -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE >>>>>-pie >>>>> -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 >>>>> -DDIG_SIGCHASE' >>>>> compiled by GCC 5.3.1 20160429 >>>>> compiled with OpenSSL version: OpenSSL 1.0.2h 3 May 2016 >>>>> linked to OpenSSL version: OpenSSL 1.0.2h 3 May 2016 >>>>> compiled with libxml2 version: 2.9.3 >>>>> linked to libxml2 version: 20903 >>>>> >>>>> pkcs11-torens informations: >>>>> pkcs11-tokens -m /usr/lib/i386-linux-gnu/opensc-pkcs11.so >>>>> Warning: PKCS#11 provider has no digest service >>>>> This HSM will not work with BIND 9 using native PKCS#11. >>>>> >>>>> DEFAULTS >>>>> rand_token=0x80300368 >>>>> best_rsa_token=0x80300368 >>>>> best_dsa_token=(nil) >>>>> best_dh_token=(nil) >>>>> digest_token=(nil) >>>>> best_ec_token=(nil) >>>>> best_gost_token=(nil) >>>>> aes_token=(nil) >>>>> >>>>> TOKEN >>>>> address=0x80300368 >>>>> slotID=0 >>>>> label=SmartCard-HSM (UserPIN) >>>>> manufacturerID=www.CardContact.de >>>>> model=PKCS#15 emulated >>>>> serialNumber=DECC0100872 >>>>> supported operations=0x6 (RAND,RSA) >>>>> >>>>> PKCS11 mechanism returned by pkcs11-tool: >>>>> pkcs11-tool -M >>>>> Using slot 0 with a present token (0x0) >>>>> Supported mechanisms: >>>>> SHA-1, digest >>>>> SHA256, digest >>>>> SHA384, digest >>>>> SHA512, digest >>>>> MD5, digest >>>>> RIPEMD160, digest >>>>> GOSTR3411, digest >>>>> ECDSA, keySize={192,320}, hw, sign, other flags=0x1d00000 >>>>> ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d00000 >>>>> ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other >>>>> flags=0x1d00000 >>>>> ECDH1-DERIVE, keySize={192,320}, hw, derive, other >>>>>flags=0x1d00000 >>>>> ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, >>>>>other >>>>> flags=0x1d00000 >>>>> RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify >>>>> RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify >>>>> SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify >>>>> SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify >>>>> SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify >>>>> SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify >>>>> MD5-RSA-PKCS, keySize={1024,2048}, sign, verify >>>>> RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify >>>>> RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair >>>>> >>>>> Perhaps Bind require more, but all needed digest services are here. >>>>> Is something that will be fixed ? How could I help to get it fixed ? >>>>> Does anyone have any insights or suggestions? >>>>> >>>>> Thanks, >>>>> >>>>> Emmanuel. >>>> >>>> Ok, digging into docs and code give me some answers: >>>> >>>> In native PKCS11 mode, all crypto operations are offhanded to the HSM. >>>> This is totally crazy nowadays. HSM are HSM not PKCS11 crypto >>>> accelerators, a concept from the past on actual hardware for 99.99% of >>>> real use. >>>> If something like "sign-only" and "crypto-accelerator" OpenSSL-based >>>> PKCS#11 is not implemented too in the future, native-pkcs11 is a dead >>>> end. Option that should be select-able at runtime and which eventually >>>> permit to chose what to offload to the device in the >>>>crypto-accelerator >>>> mode (and perhaps on different devices etc ...). >>>> >>>> Will try to compile a modified openssl in sign-only mode for my token. >>>> I already successfully created keys with the pkcs11-keygen command and >>>> the used debian/ubuntu package already include native pkcs11 and >>>>openssl >>>> versions of named and dnssec tools (-pkcs11 variants). >>>> I was misguided by the "named -V" command which return the >>>> --enable-native-pkcs11 flag on the two binary but they are linked with >>>> different >>>> libisc libraries (cosmetic packaging problem). >>>> >>>> Will report results. >>>> >>>> Emmanuel. >>>> >>> >>> Latest progress: >>> >>> OpenSSL PKCS#11 patch does not permit to build a shared version of the >>> "pkcs11" engine. >>> Will try now do do that manually. >>> >>> In the mean time, I try to use native mode with p11-kit. >>> The idea was to use softhsm2 pkcs11 lib as the main provider and my >>> token via opensc-pkcs11 for the sign operations. >>> Bind would use openssl for all it crypto operations via softhsm and >>> pkcs11 uri would transparently point to my token via opensc-pkcs11 for >>> sign operations. >>> But neither pkcs11 commands or dnssec- command work with >>> p11-kit-proxy.so : "fatal: could not initialize dst: PKCS#11 >>> initialization failed" or "Unrecoverable error initializing PKCS#11: >>> PKCS#11 initialization failed" >>> >>> As a last resort, if the dynamic engine is a dead end, I will try to >>> build rebuild bind with a static version of openssl before giving up. >>> Not an appealing thing from a maintenance point of view, but it will >>> permit to validate if bind could work NOW one way or another in >>> auto-dnssec maintain mode with a smartcard-hsm. >>> >>> Emmanuel. >>> >> >> Dynamic engine support is broken and disabled in the code. >> When re-enabling I get segfault: >> Starting program: /opt/pkcs11/usr/bin/openssl >> [Thread debugging using libthread_db enabled] >> Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1". >> OpenSSL> engine -pre SO_PATH:/opt/pkcs11/usr/lib/engines/libhw_pk11so.so >> -pre LOAD >> (dynamic) Dynamic engine loading support >> [Success]: SO_PATH:/opt/pkcs11/usr/lib/engines/libhw_pk11so.so >> [Failure]: LOAD >> >> Program received signal SIGSEGV, Segmentation fault. >> __strlen_sse2_bsf () at >>../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:62 >> 62 ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S: No such file >> or directory. >> (gdb) bt >> #0 __strlen_sse2_bsf () at >> ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:62 >> #1 0xb7e0b718 in _dopr () from /opt/pkcs11/usr/lib/libcrypto.so.1.0.0 >> #2 0xb7e0bf14 in BIO_vsnprintf () from >> /opt/pkcs11/usr/lib/libcrypto.so.1.0.0 >> #3 0xb7e0bf75 in BIO_snprintf () from >> /opt/pkcs11/usr/lib/libcrypto.so.1.0.0 >> #4 0xb7e16d6a in ERR_print_errors_cb () from >> /opt/pkcs11/usr/lib/libcrypto.so.1.0.0 >> #5 0xb7e16e1f in ERR_print_errors () from >> /opt/pkcs11/usr/lib/libcrypto.so.1.0.0 >> #6 0x080a3dba in util_do_cmds.isra () >> #7 0x080a412c in engine_main () >> #8 0x0805b7cd in do_cmd () >> #9 0x0805b4a4 in main () >> >> Even if it is surely fixable, I don't have skills to fix it in a timely >> manner. >> >> So next plan Z: static patched openssl and bind rebuild. >> >> Emmanuel. >> > >New day, new progress: >Static patched openssl build in sign-only mode. >Old school 'congigure/make/make install' Bind9 builded and installed in >/usr/local > >Key generation : no problem as before. >dnssec-keyfromlabel segfault ..... new bug in the openssl engine : >(gdb) r >The program being debugged has been started already. >Start it from the beginning? (y or n) y >Starting program: /usr/local/sbin/dnssec-keyfromlabel -l test -f KSK >fuste.org >[Thread debugging using libthread_db enabled] >Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1". >Enter PIN: >Enter PIN: >Kfuste.org.+005+03032 >[Inferior 1 (process 4187) exited normally] >(gdb) r >Starting program: /usr/local/sbin/dnssec-keyfromlabel -l test -f KSK >fuste.org >[Thread debugging using libthread_db enabled] >Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1". >Enter PIN: > >Program received signal SIGSEGV, Segmentation fault. >0x081922db in RSA_free () >(gdb) bt >#0 0x081922db in RSA_free () >#1 0x081a438c in EVP_PKEY_free () >#2 0x081ec557 in pk11so_load_pubkey () >#3 0x081983d9 in ENGINE_load_public_key () >#4 0x08179a6c in opensslrsa_fromlabel (key=0xb5b3b008, engine=0x82acbf3 >"pkcs11", label=0xb5b37058 "pkcs11:test", pin=0x0) at >opensslrsa_link.c:1414 >#5 0x08112a12 in dst_key_fromlabel (name=0xbffff5c4, alg=5, flags=257, >protocol=3, rdclass=1, engine=0x82acbf3 "pkcs11", label=0xb5b37058 >"pkcs11:test", > pin=0x0, mctx=0x8443a10, keyp=0xbffff458) at dst_api.c:892 >#6 0x0805218f in main (argc=6, argv=0xbffffc74) at >dnssec-keyfromlabel.c:570 > > >As you could see, before finding the culprid, the workaround is to enter >a blank pin and next the real pin. >Key extraction is OK when the RSA_free don't segfault: > >#cat Kfuste.org.+005+03032.private >Private-key-format: v1.3 >Algorithm: 5 (RSASHA1) >Modulus: >phXlRn4tqEcZBmams1fnhmFmxJqJGp+e0s1hUHTsNJt3QT84J8CKv8FHPv1JP5v4j2Wua9rXq/ >vlmqsRs70Rk6ojQ+dorkegxZQBJqHBxNtuOPQq53c3EZMCf4EpmQ8eqbQFePOEP4yKFtm5lImK >+sxZEjkjXyq3+29VhDQ787U= >PublicExponent: AQAB >Engine: cGtjczExAA== >Label: cGtjczExOnRlc3QA >Created: 20160526095813 >Publish: 20160526095813 >Activate: 20160526095813 > ># cat Kfuste.org.+005+03032.key >; This is a key-signing key, keyid 3032, for fuste.org. >; Created: 20160526095813 (Thu May 26 11:58:13 2016) >; Publish: 20160526095813 (Thu May 26 11:58:13 2016) >; Activate: 20160526095813 (Thu May 26 11:58:13 2016) >fuste.org. IN DNSKEY 257 3 5 >AwEAAaYV5UZ+LahHGQZmprNX54ZhZsSaiRqfntLNYVB07DSbd0E/OCfA >ir/BRz79ST+b+I9lrmva16v75ZqrEbO9EZOqI0PnaK5HoMWUASahwcTb >bjj0Kud3NxGTAn+BKZkPHqm0BXjzhD+MihbZuZSJivrMWRI5I18qt/tv VYQ0O/O1 > >Next to come: manual zone signing. >If the same bug is hit, will try to rebuild all with other openssl/patch >as it compromise auto-dnssec maintain mode. I should have done something >wrong. > >Emmanuel. >_______________________________________________ >Please visit https://lists.isc.org/mailman/listinfo/bind-users to >unsubscribe from this list > >bind-users mailing list >bind-users@lists.isc.org >https://lists.isc.org/mailman/listinfo/bind-users _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users