> 
> Any tool which can do key import from file into PKCS#11 token should work, in
> theory.

I've tried pkcs11-tool from the OpenSC project and p11tool from GnuTLS.
p11tool seems to be able to take some (undocumented?) flags from the
command line when importing, but p11tool does not seem to work with
SoftHSM. So I've tried the procedure you suggested:

> 
> If you do not find any such tool, it will be easiest to patch softhsm2-util to
> set the flag to TRUE on import. I'm attaching quick and dirty patch which
> should do the job (for softhsm compiled against OpenSSL).
> 
> 1. Get the sources:
> $ git clone https://github.com/opendnssec/SoftHSMv2.git
> 
> 2. Apply the patch:
> git am 0001-HACK-for-OpenSSL-version-import-all-keys-with-CKA_EX.patch
> 
> 3. Use how-to
> https://github.com/opendnssec/SoftHSMv2/#installation
> to compile the tool.
> 
> 4. You do not need to install the library into system paths, just execute the
> softhsm2-util binary from the build directory to do import and use standard
> library as before.
> 
> I hope it will help. Please let me know your findings so I can submit improved
> patch upstream (if we were successful).
> 

Your patch was not sufficient. I've added a patch (to be applied on top of
yours) which extends it to set the extractable flag.

Now, after a new import, the keys are indeed marked as extractable in
SoftHSM and (automatically) copied into the LDAP subtree
cn=keys,cn=sec,cn=dns.

I've noticed that the following flags of the keys still differ in the
output of "python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py":

  'ipk11alwayssensitive': True for keys generated by IPA, False for imported keys
  'ipk11local':           True for keys generated by IPA, False for imported keys

I do not know whether these flags are important for the whole process to
work, but I also do not know how to set them.

The imported keys are still not used by BIND: the keys are not added to
the zone subtree (cn=keys,idnsname=myzone.com,cn=dns) in LDAP, but the
command "sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
ods-ksmutil key list --verbose" shows that the newly imported key (I've
carried out tests only with the KSK so far) is assigned to the zone and
is in state "active".

-Guido
From 942aaa6db6c03ce83e1b62dbc289385e8e116d07 Mon Sep 17 00:00:00 2001
From: Guido Schmitz <g.schm...@gtrs.de>
Date: Tue, 16 Aug 2016 14:10:56 +0200
Subject: [PATCH] HACK for OpenSSL version: import all keys with 
 CKA_EXTRACTABLE = TRUE

---
 src/bin/util/softhsm2-util-ossl.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/bin/util/softhsm2-util-ossl.cpp b/src/bin/util/softhsm2-util-ossl.cpp
index 8e06e9f..4931e2d 100644
--- a/src/bin/util/softhsm2-util-ossl.cpp
+++ b/src/bin/util/softhsm2-util-ossl.cpp
@@ -260,7 +260,7 @@ int crypto_save_rsa
 		{ CKA_SENSITIVE,        &ckTrue,         sizeof(ckTrue) },
 		{ CKA_TOKEN,            &ckTrue,         sizeof(ckTrue) },
 		{ CKA_PRIVATE,          &ckTrue,         sizeof(ckTrue) },
-		{ CKA_EXTRACTABLE,      &ckFalse,        sizeof(ckTrue) },
+		{ CKA_EXTRACTABLE,      &ckTrue,        sizeof(ckTrue) },
 		{ CKA_PUBLIC_EXPONENT,  keyMat->bigE,    keyMat->sizeE },
 		{ CKA_MODULUS,          keyMat->bigN,    keyMat->sizeN },
 		{ CKA_PRIVATE_EXPONENT, keyMat->bigD,    keyMat->sizeD },
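Review bot: the new value is hard-coded, so every RSA key this build imports gets CKA_EXTRACTABLE = TRUE with no way to opt out, which is fine for a HACK (as the Subject says) but not for anything submitted upstream; drive it from a CK_BBOOL set by a softhsm2-util command-line option and reference that variable here instead of `&ckTrue`, so the default stays ckFalse for everyone who does not ask. Note also that `{ CKA_SENSITIVE,        &ckTrue,         sizeof(ckTrue) },` three lines above is untouched, so this hunk changes extractability only; the mail reports that ipk11alwayssensitive and ipk11local still differ from IPA-generated keys, and nothing in this template can address that.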
@@ -421,7 +421,7 @@ int crypto_save_dsa
 		{ CKA_SENSITIVE,        &ckTrue,      sizeof(ckTrue) },
 		{ CKA_TOKEN,            &ckTrue,      sizeof(ckTrue) },
 		{ CKA_PRIVATE,          &ckTrue,      sizeof(ckTrue) },
-		{ CKA_EXTRACTABLE,      &ckFalse,     sizeof(ckTrue) },
+		{ CKA_EXTRACTABLE,      &ckTrue,     sizeof(ckTrue) },
 		{ CKA_PRIME,            keyMat->bigP, keyMat->sizeP },
 		{ CKA_SUBPRIME,         keyMat->bigQ, keyMat->sizeQ },
 		{ CKA_BASE,             keyMat->bigG, keyMat->sizeG },
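Review bot: style: the replacement keeps the column spacing that was sized for `&ckFalse,`, so `{ CKA_EXTRACTABLE,      &ckTrue,     sizeof(ckTrue) },` sits one column out of alignment with the neighbouring `&ckTrue,      sizeof(ckTrue)` entries; drop one space before `sizeof`. This is also the second of three identical one-token edits in the file; a single file-scope CK_BBOOL (say, importExtractable, once it is driven by an option) referenced from each template would keep the three in step instead of relying on three hard-coded copies.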
@@ -556,7 +556,7 @@ int crypto_save_ecdsa
 		{ CKA_SENSITIVE,      &ckTrue,           sizeof(ckTrue) },
 		{ CKA_TOKEN,          &ckTrue,           sizeof(ckTrue) },
 		{ CKA_PRIVATE,        &ckTrue,           sizeof(ckTrue) },
-		{ CKA_EXTRACTABLE,    &ckFalse,          sizeof(ckTrue) },
+		{ CKA_EXTRACTABLE,    &ckTrue,          sizeof(ckTrue) },
 		{ CKA_EC_PARAMS,      keyMat->derParams, keyMat->sizeParams },
 		{ CKA_VALUE,          keyMat->bigD,      keyMat->sizeD }
 	};
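Review bot: missing documentation: after this hunk RSA, DSA and ECDSA keys are all imported extractable, but the diffstat touches only softhsm2-util-ossl.cpp and there is no change to the utility's help text or man page stating that --import now produces extractable keys. The Subject and the earlier mail both limit this to SoftHSM built against OpenSSL, so a Botan-backed softhsm2-util keeps importing with ckFalse; if this is to go upstream as more than a HACK, expose it as a documented option and apply the same change to the Botan backend. Same alignment nit as in the other two hunks (`&ckTrue,          sizeof(ckTrue)` is one column short).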
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
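Added example for this thread (not SoftHSM, FreeIPA or OpenSC code, and not from any participant): the patched softhsm2-util above hard-codes CKA_EXTRACTABLE to TRUE in the template it hands to C_CreateObject. The same template can be built and submitted from Python, which is the "any tool that can import a key file into a PKCS#11 token" route discussed at the top of the mail. The script parses a PKCS#1 RSA private key PEM with the standard library, produces the attribute list (the attributes visible in the RSA hunk plus the CKA_CLASS/CKA_KEY_TYPE/CKA_LABEL/CKA_ID a private-key object needs), and, if PyKCS11 is installed, creates the object on a token; the module path, PIN and slot index are caller-supplied assumptions, and the embedded 12-bit key is a constructed sample for exercising the parser, not a usable key. Two caveats that bear on the flag differences reported above: PKCS#11 only lets CKA_EXTRACTABLE change from TRUE to FALSE after creation, so it has to be right in the import template (which is why the patch exists), and CKA_LOCAL and CKA_ALWAYS_SENSITIVE are set by the token itself and are FALSE for any key that entered via C_CreateObject, so an imported key will never match an IPA-generated one on those two attributes whatever the importer does.

```python
import base64
import re

# Attribute/type constants from the PKCS#11 header (pkcs11t.h).
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL = 0x000, 0x001, 0x002, 0x003
CKA_KEY_TYPE, CKA_ID, CKA_SENSITIVE, CKA_DECRYPT, CKA_SIGN = 0x100, 0x102, 0x103, 0x105, 0x108
CKA_MODULUS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT = 0x120, 0x122, 0x123
CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT = 0x124, 0x125, 0x126, 0x127, 0x128
CKA_EXTRACTABLE, CKO_PRIVATE_KEY, CKK_RSA = 0x162, 0x3, 0x0

def _der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key_pem(pem):
    """Parse a PKCS#1 'RSA PRIVATE KEY' PEM (what `openssl genrsa` writes) into integers."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#1 RSA PRIVATE KEY PEM (PKCS#8 'PRIVATE KEY' files are wrapped differently)")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("RSAPrivateKey must be a SEQUENCE")
    key, pos = {}, 0
    for name in ("version", "n", "e", "d", "p", "q", "dP", "dQ", "qInv"):
        tag, val, pos = _der_read(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER for %s" % name)
        key[name] = int.from_bytes(val, "big", signed=True)
    if key.pop("version") != 0:
        raise ValueError("multi-prime (version 1) RSA keys are not handled here")
    return key

def _be(n):
    """PKCS#11 big integers are unsigned big-endian with no DER sign byte."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def rsa_private_key_template(key, label, key_id, extractable=True):
    """C_CreateObject template: the attributes visible in the softhsm2-util hunk plus the
    class/type/label/ID every private key object needs. CKA_EXTRACTABLE has to be decided
    here, since PKCS#11 only lets it change TRUE -> FALSE afterwards. CKA_LOCAL and
    CKA_ALWAYS_SENSITIVE are deliberately absent: the token sets them, and they are FALSE
    for any key that entered via C_CreateObject."""
    return [
        (CKA_CLASS, CKO_PRIVATE_KEY), (CKA_KEY_TYPE, CKK_RSA),
        (CKA_LABEL, label), (CKA_ID, key_id),
        (CKA_SIGN, True), (CKA_DECRYPT, True),
        (CKA_SENSITIVE, True), (CKA_TOKEN, True), (CKA_PRIVATE, True),
        (CKA_EXTRACTABLE, bool(extractable)),
        (CKA_PUBLIC_EXPONENT, _be(key["e"])), (CKA_MODULUS, _be(key["n"])),
        (CKA_PRIVATE_EXPONENT, _be(key["d"])),
        (CKA_PRIME_1, _be(key["p"])), (CKA_PRIME_2, _be(key["q"])),
        (CKA_EXPONENT_1, _be(key["dP"])), (CKA_EXPONENT_2, _be(key["dQ"])),
        (CKA_COEFFICIENT, _be(key["qInv"])),
    ]

def import_into_token(template, module_path, pin, slot_index=0):
    """Create the object on a token via PyKCS11 (optional dependency). module_path, pin and
    slot_index are deployment-specific assumptions, e.g. libsofthsm2.so with SOFTHSM2_CONF set."""
    import PyKCS11
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    slot = lib.getSlotList(tokenPresent=True)[slot_index]
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION | PyKCS11.CKF_RW_SESSION)
    session.login(pin)
    try:
        return session.createObject(template)
    finally:
        session.logout()
        session.closeSession()

# Constructed sample input: a textbook 12-bit key (p=61, q=53), only for exercising the parser.
def _der_int(n):
    return n.to_bytes((n.bit_length() + 8) // 8, "big")  # minimal positive two's-complement

def _der_tlv(tag, value):
    assert len(value) < 0x80  # short-form length suffices for the toy key
    return bytes([tag, len(value)]) + value

def toy_rsa_private_key_pem():
    p, q, e = 61, 53, 17
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    ints = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    der = _der_tlv(0x30, b"".join(_der_tlv(0x02, _der_int(i)) for i in ints))
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % base64.b64encode(der).decode()

if __name__ == "__main__":
    key = parse_rsa_private_key_pem(toy_rsa_private_key_pem())
    for attr, value in rsa_private_key_template(key, "ksk-import", b"\x01"):
        print("0x%03x %r" % (attr, value))
```

To import a real key, read the PEM from disk, call rsa_private_key_template() with the label and ID your DNSSEC tooling expects, and pass the result to import_into_token() together with the SoftHSM module path and user PIN; run it as the same user and with the same SOFTHSM2_CONF as the ods-ksmutil command quoted above so it lands in the same token. Pass extractable=False to get the unpatched softhsm2-util behaviour for comparison.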
