RHEL, Centos, Fedora rpm 9.10.4-P1

2016-05-26 Thread Carl Byington
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

http://www.five-ten-sg.com/mapper/bind contains links to the source
rpms, and build instructions.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAldHAYsACgkQL6j7milTFsFY/QCdHoaZfVad+GZgxoKPOa5v4hIL
5noAnAwiq2r/RVOibbtWhRbuZ+P/8t6T
=vvRq
-----END PGP SIGNATURE-----


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: native-pkcs11 and smartcard-hsm

2016-05-26 Thread Alan Clegg
I'd like to say a big THANK YOU for the work you are doing on this.

I've made a couple of half-hearted attempts at doing exactly what you are
doing and never had the time to complete the task - or to document where I
got.

Once it's all working (and documented), I'll be more than happy to run a
server in this mode.  8-)

I'd also like to see ISC make BIND more functional in this "HSM
functioning as an HSM only" mode in the mainline code.

AlanC

On 5/26/16, 5:20 AM, "FUSTE Emmanuel" wrote:

> On 25/05/2016 16:27, FUSTE Emmanuel wrote:
>> On 25/05/2016 14:29, FUSTE Emmanuel wrote:
>>> On 24/05/2016 16:36, FUSTE Emmanuel wrote:
 On 23/05/2016 16:40, FUSTE Emmanuel wrote:
> Hello,
>
> I'm trying to use a smartcard-hsm usb stick (v1.2) with BIND
>9.10.3-P4.
> This stick is working with powerdns and support all crypto operations
> required for basic DNSSEC support.
>
> But I get this warning/error:
> "PKCS#11 provider has no digest service".
> "This HSM will not work with BIND 9 using native PKCS#11."
>
> Bind version:
> BIND 9.10.3-P4-Debian 
> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
> '--libdir=/usr/lib/i386-linux-gnu' '--infodir=/usr/share/info'
> '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
> '--enable-threads' '--enable-largefile' '--with-libtool'
> '--enable-shared' '--enable-static' '--with-openssl=/usr'
> '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr'
>'--with-atf=no'
> '--enable-ipv6' '--enable-rrl' '--enable-filter-'
> '--enable-native-pkcs11'
> '--with-pkcs11=/usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so'
> 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
> -Werror=format-security -fno-strict-aliasing
> -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE
>-pie
> -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
> -DDIG_SIGCHASE'
> compiled by GCC 5.3.1 20160429
> compiled with OpenSSL version: OpenSSL 1.0.2h  3 May 2016
> linked to OpenSSL version: OpenSSL 1.0.2h  3 May 2016
> compiled with libxml2 version: 2.9.3
> linked to libxml2 version: 20903
>
> pkcs11-tokens information:
> pkcs11-tokens -m /usr/lib/i386-linux-gnu/opensc-pkcs11.so
> Warning: PKCS#11 provider has no digest service
> This HSM will not work with BIND 9 using native PKCS#11.
>
> DEFAULTS
>  rand_token=0x80300368
>  best_rsa_token=0x80300368
>  best_dsa_token=(nil)
>  best_dh_token=(nil)
>  digest_token=(nil)
>  best_ec_token=(nil)
>  best_gost_token=(nil)
>  aes_token=(nil)
>
> TOKEN
>  address=0x80300368
>  slotID=0
>  label=SmartCard-HSM (UserPIN)
>  manufacturerID=www.CardContact.de
>  model=PKCS#15 emulated
>  serialNumber=DECC0100872
>  supported operations=0x6 (RAND,RSA)
>
> PKCS11 mechanism returned by pkcs11-tool:
> pkcs11-tool -M
> Using slot 0 with a present token (0x0)
> Supported mechanisms:
>SHA-1, digest
>SHA256, digest
>SHA384, digest
>SHA512, digest
>MD5, digest
>RIPEMD160, digest
>GOSTR3411, digest
>ECDSA, keySize={192,320}, hw, sign, other flags=0x1d0
>ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d0
>ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other
> flags=0x1d0
>ECDH1-DERIVE, keySize={192,320}, hw, derive, other
>flags=0x1d0
>ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair,
>other
> flags=0x1d0
>RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
>RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
>SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
>SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
>SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
>SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
>MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
>RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
>RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
>
> Perhaps BIND requires more, but all the needed digest services are here.
> Is this something that will be fixed? How could I help to get it fixed?
> Does anyone have any insights or suggestions?
>
> Thanks,
>
> Emmanuel.

 Ok, digging into docs and code gives me some answers:

 In native PKCS11 mode, all crypto operations are offloaded to the HSM.
 This is totally crazy nowadays. HSMs are HSMs, not PKCS11 crypto
 accelerators, a concept from 

Re: native-pkcs11 and smartcard-hsm

2016-05-26 Thread FUSTE Emmanuel
On 26/05/2016 12:20, FUSTE Emmanuel wrote:
> On 25/05/2016 16:27, FUSTE Emmanuel wrote:
>> On 25/05/2016 14:29, FUSTE Emmanuel wrote:
>>> On 24/05/2016 16:36, FUSTE Emmanuel wrote:
 On 23/05/2016 16:40, FUSTE Emmanuel wrote:
> Hello,
>
> I'm trying to use a smartcard-hsm usb stick (v1.2) with BIND 9.10.3-P4.
> This stick is working with powerdns and support all crypto operations
> required for basic DNSSEC support.
>
> But I get this warning/error:
> "PKCS#11 provider has no digest service".
> "This HSM will not work with BIND 9 using native PKCS#11."
>
> Bind version:
> BIND 9.10.3-P4-Debian 
> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
> '--libdir=/usr/lib/i386-linux-gnu' '--infodir=/usr/share/info'
> '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
> '--enable-threads' '--enable-largefile' '--with-libtool'
> '--enable-shared' '--enable-static' '--with-openssl=/usr'
> '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no'
> '--enable-ipv6' '--enable-rrl' '--enable-filter-'
> '--enable-native-pkcs11'
> '--with-pkcs11=/usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so'
> 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
> -Werror=format-security -fno-strict-aliasing
> -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE -pie
> -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
> -DDIG_SIGCHASE'
> compiled by GCC 5.3.1 20160429
> compiled with OpenSSL version: OpenSSL 1.0.2h  3 May 2016
> linked to OpenSSL version: OpenSSL 1.0.2h  3 May 2016
> compiled with libxml2 version: 2.9.3
> linked to libxml2 version: 20903
>
> pkcs11-tokens information:
> pkcs11-tokens -m /usr/lib/i386-linux-gnu/opensc-pkcs11.so
> Warning: PKCS#11 provider has no digest service
> This HSM will not work with BIND 9 using native PKCS#11.
>
> DEFAULTS
>   rand_token=0x80300368
>   best_rsa_token=0x80300368
>   best_dsa_token=(nil)
>   best_dh_token=(nil)
>   digest_token=(nil)
>   best_ec_token=(nil)
>   best_gost_token=(nil)
>   aes_token=(nil)
>
> TOKEN
>   address=0x80300368
>   slotID=0
>   label=SmartCard-HSM (UserPIN)
>   manufacturerID=www.CardContact.de
>   model=PKCS#15 emulated
>   serialNumber=DECC0100872
>   supported operations=0x6 (RAND,RSA)
>
> PKCS11 mechanism returned by pkcs11-tool:
> pkcs11-tool -M
> Using slot 0 with a present token (0x0)
> Supported mechanisms:
> SHA-1, digest
> SHA256, digest
> SHA384, digest
> SHA512, digest
> MD5, digest
> RIPEMD160, digest
> GOSTR3411, digest
> ECDSA, keySize={192,320}, hw, sign, other flags=0x1d0
> ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d0
> ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other
> flags=0x1d0
> ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
> ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, 
> other
> flags=0x1d0
> RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
> RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
> SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
> SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
> SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
> SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
> MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
> RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
> RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
>
> Perhaps BIND requires more, but all the needed digest services are here.
> Is this something that will be fixed? How could I help to get it fixed?
> Does anyone have any insights or suggestions?
>
> Thanks,
>
> Emmanuel.

 Ok, digging into docs and code gives me some answers:

 In native PKCS11 mode, all crypto operations are offloaded to the HSM.
 This is totally crazy nowadays. HSMs are HSMs, not PKCS11 crypto
 accelerators, a concept from the past on actual hardware for 99.99% of
 real use.
 If something like "sign-only" and "crypto-accelerator" OpenSSL-based
 PKCS#11 is not implemented too in the future, native-pkcs11 is a dead
 end. That option should be selectable at runtime and should eventually
 permit choosing what to offload to the device in the crypto-accelerator
 mode (and perhaps on different devices, etc.).

 Will try t

Re: native-pkcs11 and smartcard-hsm

2016-05-26 Thread FUSTE Emmanuel
On 25/05/2016 16:27, FUSTE Emmanuel wrote:
> On 25/05/2016 14:29, FUSTE Emmanuel wrote:
>> On 24/05/2016 16:36, FUSTE Emmanuel wrote:
>>> On 23/05/2016 16:40, FUSTE Emmanuel wrote:
 Hello,

 I'm trying to use a smartcard-hsm usb stick (v1.2) with BIND 9.10.3-P4.
 This stick is working with powerdns and support all crypto operations
 required for basic DNSSEC support.

 But I get this warning/error:
 "PKCS#11 provider has no digest service".
 "This HSM will not work with BIND 9 using native PKCS#11."

 Bind version:
 BIND 9.10.3-P4-Debian 
 built by make with '--prefix=/usr' '--mandir=/usr/share/man'
 '--libdir=/usr/lib/i386-linux-gnu' '--infodir=/usr/share/info'
 '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
 '--enable-threads' '--enable-largefile' '--with-libtool'
 '--enable-shared' '--enable-static' '--with-openssl=/usr'
 '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no'
 '--enable-ipv6' '--enable-rrl' '--enable-filter-'
 '--enable-native-pkcs11'
 '--with-pkcs11=/usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so'
 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
 -Werror=format-security -fno-strict-aliasing
 -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE -pie
 -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
 -DDIG_SIGCHASE'
 compiled by GCC 5.3.1 20160429
 compiled with OpenSSL version: OpenSSL 1.0.2h  3 May 2016
 linked to OpenSSL version: OpenSSL 1.0.2h  3 May 2016
 compiled with libxml2 version: 2.9.3
 linked to libxml2 version: 20903

 pkcs11-tokens information:
 pkcs11-tokens -m /usr/lib/i386-linux-gnu/opensc-pkcs11.so
 Warning: PKCS#11 provider has no digest service
 This HSM will not work with BIND 9 using native PKCS#11.

 DEFAULTS
  rand_token=0x80300368
  best_rsa_token=0x80300368
  best_dsa_token=(nil)
  best_dh_token=(nil)
  digest_token=(nil)
  best_ec_token=(nil)
  best_gost_token=(nil)
  aes_token=(nil)

 TOKEN
  address=0x80300368
  slotID=0
  label=SmartCard-HSM (UserPIN)
  manufacturerID=www.CardContact.de
  model=PKCS#15 emulated
  serialNumber=DECC0100872
  supported operations=0x6 (RAND,RSA)

 PKCS11 mechanism returned by pkcs11-tool:
 pkcs11-tool -M
 Using slot 0 with a present token (0x0)
 Supported mechanisms:
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
ECDSA, keySize={192,320}, hw, sign, other flags=0x1d0
ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d0
ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other
 flags=0x1d0
ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, other
 flags=0x1d0
RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair

 Perhaps BIND requires more, but all the needed digest services are here.
 Is this something that will be fixed? How could I help to get it fixed?
 Does anyone have any insights or suggestions?

 Thanks,

 Emmanuel.
>>>
>>> Ok, digging into docs and code gives me some answers:
>>>
>>> In native PKCS11 mode, all crypto operations are offloaded to the HSM.
>>> This is totally crazy nowadays. HSMs are HSMs, not PKCS11 crypto
>>> accelerators, a concept from the past on actual hardware for 99.99% of
>>> real use.
>>> If something like "sign-only" and "crypto-accelerator" OpenSSL-based
>>> PKCS#11 is not implemented too in the future, native-pkcs11 is a dead
>>> end. That option should be selectable at runtime and should eventually
>>> permit choosing what to offload to the device in the crypto-accelerator
>>> mode (and perhaps on different devices, etc.).
>>>
>>> Will try to compile a modified openssl in sign-only mode for my token.
>>> I already successfully created keys with the pkcs11-keygen command and
>>> the used debian/ubuntu package already include native pkcs1
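As an added example (not code from the thread, from BIND or from OpenSC), the following Python parses a `pkcs11-tool -M` listing like the one quoted above into per-mechanism capabilities and summarises the operation classes that pkcs11-tokens reports on (digest, RSA and EC signing, key-pair generation). The sample listing is constructed from the entries quoted in the thread, with wrapped lines rejoined. The classification rules and the `hw`-flag observation are this example's own: in the quoted listing the digest mechanisms carry no `hw` flag while the signing mechanisms do, and the example surfaces that difference so the two tools' views can be compared side by side; it does not reproduce BIND's own selection logic, which the thread does not show. Random generation is a token function rather than a mechanism, so it cannot be judged from a mechanism listing.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the mechanism list quoted in the thread for the
# SmartCard-HSM behind opensc-pkcs11.so, with line-wrapped entries rejoined.
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={192,320}, hw, sign, other flags=0x1d0
  ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d0
  ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
  ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
  ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, other flags=0x1d0
  RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
  SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
  SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
  MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
"""

KEYSIZE_RE = re.compile(r"keySize=\{(\d+),(\d+)\}")
OTHER_FLAGS_RE = re.compile(r"other flags=0x([0-9a-fA-F]+)")


@dataclass
class Mechanism:
    name: str
    min_key: int = 0
    max_key: int = 0
    hw: bool = False                        # CKF_HW: the device performs the mechanism itself
    ops: set = field(default_factory=set)   # digest, sign, verify, decrypt, derive, generate_key_pair
    other_flags: int = 0


def parse_listing(text):
    """Parse the 'Supported mechanisms:' section of pkcs11-tool -M output."""
    mechs, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Supported mechanisms:":
            in_list = True
        elif in_list and line:
            name, _, rest = line.partition(",")
            mech = Mechanism(name=name.strip())
            if (ks := KEYSIZE_RE.search(rest)):          # keySize={min,max} holds a comma, so lift it out first
                mech.min_key, mech.max_key = int(ks.group(1)), int(ks.group(2))
                rest = KEYSIZE_RE.sub("", rest)
            if (of := OTHER_FLAGS_RE.search(rest)):      # 'other flags=0x..' is a raw CK_FLAGS remainder
                mech.other_flags = int(of.group(1), 16)
                rest = OTHER_FLAGS_RE.sub("", rest)
            for tok in (t.strip() for t in rest.split(",")):
                if tok == "hw":
                    mech.hw = True
                elif tok:
                    mech.ops.add(tok)
            mechs.append(mech)
    return mechs


def capability_summary(mechs):
    """Group mechanisms into the operation classes pkcs11-tokens summarises (hypothetical
    grouping by name; RAND is absent because C_GenerateRandom is not a mechanism)."""
    s = {k: [] for k in ("digest", "rsa_sign", "ec_sign", "rsa_keygen", "ec_keygen")}
    for m in mechs:
        if "digest" in m.ops:
            s["digest"].append(m.name)
        if "sign" in m.ops:
            (s["rsa_sign"] if "RSA" in m.name else s["ec_sign"] if m.name.startswith("ECDSA") else []).append(m.name)
        if "generate_key_pair" in m.ops:
            (s["rsa_keygen"] if "RSA" in m.name else s["ec_keygen"] if m.name.startswith("EC") else []).append(m.name)
    return s


def software_only(mechs, op):
    """Mechanisms advertising `op` without the hw flag, i.e. not performed on the device."""
    return [m.name for m in mechs if op in m.ops and not m.hw]


def review(mechs):
    """Observations worth reading before pointing native PKCS#11 at this token."""
    s, notes = capability_summary(mechs), []
    if not s["digest"]:
        notes.append("no digest mechanism advertised")
    elif len(software_only(mechs, "digest")) == len(s["digest"]):
        notes.append("digest mechanisms are all software-only (no hw flag)")
    if not (s["rsa_sign"] or s["ec_sign"]):
        notes.append("no signing mechanism advertised")
    if not (s["rsa_keygen"] or s["ec_keygen"]):
        notes.append("no key-pair generation mechanism advertised")
    return notes


if __name__ == "__main__":
    mechanisms = parse_listing(SAMPLE_LISTING)
    for cls, names in capability_summary(mechanisms).items():
        print(f"{cls:11s} {', '.join(names) or '(none)'}")
    for note in review(mechanisms):
        print("note:", note)
```

Run against the constructed listing, the summary shows seven digest mechanisms, eight RSA and two ECDSA signing mechanisms and one key-pair generator of each kind, and `review` reports only that every digest mechanism lacks the `hw` flag. That is the same listing pkcs11-tokens summarised as `RAND,RSA` with `digest_token=(nil)`, so the parser is a quick way to see which advertised capabilities a token actually performs on-device before deciding whether a sign-only deployment, as the thread proposes, is the better fit.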