dnssec-keyfromlabel ECDSAP256SHA256 error on AEP Keypers HSM
Summary
When attempting to generate an ECDSAP256SHA256 key pair from an AEP Keypers HSM, dnssec-keyfromlabel exits with a segmentation fault. For core and binary see RT #17055
BIND version used
BIND 9.16.6 (Stable Release) id:25846cf
running on Linux x86_64 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020
built by make with '--with-openssl=/opt/openssl-versions/openssl-1.1.1g/' '--prefix=/opt/bind-versions/bind-9.16.6' '--with-pkcs11=/opt/Keyper/PKCS11Provider-versions/PKCS11Provider-5.05/pkcs11.so'
+'PKG_CONFIG_PATH=/opt/openssl-versions/openssl-1.1.1g/lib/pkgconfig'.
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39).
compiled with OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020
compiled with libuv version: 1.38.0
linked to libuv version: 1.38.0
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
default paths:
  named configuration: /opt/bind-versions/bind-9.16.6/etc/named.conf
  rndc configuration: /opt/bind-versions/bind-9.16.6/etc/rndc.conf
  DNSSEC root key: /opt/bind-versions/bind-9.16.6/etc/bind.keys
  nsupdate session key: /opt/bind-versions/bind-9.16.6/var/run/named/session.key
  named PID file: /opt/bind-versions/bind-9.16.6/var/run/named/named.pid
  named lock file: /opt/bind-versions/bind-9.16.6/var/run/named/named.lock
Steps to reproduce
dnssec-keyfromlabel -E pkcs11 -a ECDSAP256SHA256 -l "token=prod.fr;object=re9166-zsk;pin-value=XXXX"
What is the current bug behavior?
Segmentation fault (core dumped)
What is the expected correct behavior?
Generation of key pair
Relevant configuration files
OpenSSL 1.1.1g 21 Apr 202
OpenSSL configuration:
openssl_conf = openssl_init
[...]
[ openssl_init ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /opt/bind/engines/pkcs11.so
MODULE_PATH = /opt/Keyper/PKCS11Provider-versions/PKCS11Provider-5.05/pkcs11.so
init = 0