GitLab

Summary

When attempting to generate a ECDSAP256SHA256 key pair from a AEP Keypers HSM dnssec-keyfromlabel exits with a segment fault. For core an binary see RT #17055

BIND version used

BIND 9.16.6 (Stable Release) id:25846cf running on Linux x86_64 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 built by make with '--with-openssl=/opt/openssl-versions/openssl-1.1.1g/' '--prefix=/opt/bind-versions/bind-9.16.6' '--with-pkcs11=/opt/Keyper/PKCS11Provider-versions/PKCS11Provider-5.05/pkcs11.so' +'PKG_CONFIG_PATH=/opt/openssl-versions/openssl-1.1.1g/lib/pkgconfig'. compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39). compiled with OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020
compiled with libuv version: 1.38.0
linked to libuv version: 1.38.0
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled

default paths: named configuration: /opt/bind-versions/bind-9.16.6/etc/named.conf rndc configuration: /opt/bind-versions/bind-9.16.6/etc/rndc.conf DNSSEC root key: /opt/bind-versions/bind-9.16.6/etc/bind.keys nsupdate session key: /opt/bind-versions/bind-9.16.6/var/run/named/session.key named PID file: /opt/bind-versions/bind-9.16.6/var/run/named/named.pid named lock file: /opt/bind-versions/bind-9.16.6/var/run/named/named.lock

Steps to reproduce

dnssec-keyfromlabel -E pkcs11 -a ECDSAP256SHA256 -l "token=prod.fr;object=re9166-zsk;pin-value=XXXX"

What is the current bug behavior?

Segmentation fault (core dumped)

What is the expected correct behavior?

Generation of key pair

Relevant configuration files

OpenSSL 1.1.1g 21 Apr 202

OpenSSL configuration:

openssl_conf = openssl_init [...] [ openssl_init ] engines = engine_section

[ engine_section ] pkcs11 = pkcs11_section

[ pkcs11_section ] engine_id = pkcs11
dynamic_path = /opt/bind/engines/pkcs11.so
MODULE_PATH = /opt/Keyper/PKCS11Provider-versions/PKCS11Provider-5.05/pkcs11.so
init = 0