dnssec-keyfromfile core dump
Summary
dnssec-keyfromlabel core dumps.
pkcs11-keygen works fine, pkcs11-list works fine, dnssec-keyfromlabel core dumps.
We are currently trying to integrate our HSM into bind9 by using native PKCS#11 R2. We set up our HSM and configured P11. We followed the bind9 documentation in chapter "PKCS#11 (Cryptoki) Support".
The core dump occurs on any of the bind versions mentioned below and presumably comes up because the application does not ask for a PIN.
My environment:
OS: Ubuntu 18.04, linux kernel 4.15.0-43-generic (running in Oracle VM Virtualbox, 6.0.0r127566)
GCC: gcc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0
Make: GNU Make 4.1 Built for x86_64-pc-linux-gnu
BIND version used
9.11.5-P1 built from bind-9.11.5-P1.tar.gz
9.12.3-P1 built from bind-9.12.3-P1.tar.gz
9.13.5-W1 built from bind-9.13.5-W1.tar.gz
built by make with '--enable-native-pkcs11' and '--with-pkcs11=/home/bind/Software/Linux/x86-64/Crypto_APIs/PKCS11_R2/lib/libcs_pkcs11_R2.so'
compiled by GCC 7.3.0
threads support is enabled
Steps to reproduce
Download bind-9.11.5-P1.tar.gz | bind-9.12.3-P1.tar.gz | bind-9.13.5-W1.tar.gz from your homepage, run the configure script and make.
1.) bind-9.11.5-P1.tar.gz
bind@ubuntu1804:/bind-9.11.5-P1$ ./configure --enable-native-pkcs11 --with-pkcs11=/Software/Linux/x86-64/Crypto_APIs/PKCS11_R2/lib/libcs_pkcs11_R2.so
bind@ubuntu1804:~/bind-9.11.5-P1$ make
bind@ubuntu1804:~/bind-9.11.5-P1/bin/pkcs11$ ./pkcs11-keygen -b 2048 -l sample-ksk
Enter Pin:
Key pair generation complete.
bind@ubuntu1804:~/bind-9.11.5-P1/bin/pkcs11$ ./pkcs11-list
Enter Pin:
object[0]: handle 2 class 3 label[10] 'sample-ksk' id[0] E:never
object[1]: handle 1 class 2 label[10] 'sample-ksk' id[0]
bind@ubuntu1804:~/bind-9.11.5-P1/bin/dnssec$ ./dnssec-keyfromlabel -l sample-ksk -f KSK example.net
md5.c:124: fatal error: pkcs_C_DigestUpdate: Error = 0x00000101
Aborted (core dumped)
PKCS11-LOG:
31.12.2018 15:39:47 | [0000402A:0000402A] C_OpenSession | D: Insert session 0x01a82b72.
31.12.2018 15:39:47 | [0000402A:0000402A] log | D: Size: 1
31.12.2018 15:39:47 | [0000402A:0000402A] log | D: Index: 0x01a82b72
31.12.2018 15:39:47 | [0000402A:0000402A] C_OpenSession | T: leave...
31.12.2018 15:39:47 | [0000402A:0000402A] C_DigestInit | T: enter...
31.12.2018 15:39:47 | [0000402A:0000402A] C_DigestInit | T: leave...
31.12.2018 15:39:47 | [0000402A:0000402A] C_DigestUpdate | T: enter...
31.12.2018 15:39:47 | [0000402A:0000402A] C_DigestUpdate | E: Error CKR_USER_NOT_LOGGED_IN occurred.
31.12.2018 15:39:47 | [0000402A:0000402A] C_DigestUpdate | T: leave...
According to the P11 standard CKR_USER_NOT_LOGGED_IN is defined as 0x00000101
2.) bind-9.12.3-P1.tar.gz
bind@ubuntu1804:/bind-9.12.3-P1$ ./configure --enable-native-pkcs11 --with-pkcs11=/Software/Linux/x86-64/Crypto_APIs/PKCS11_R2/lib/libcs_pkcs11_R2.so
bind@ubuntu1804:~/bind-9.12.3-P1$ make
bind@ubuntu1804:~/bind-9.12.3-P1/bin/pkcs11$ ./pkcs11-keygen -b 2048 -l sample-ksk
Enter Pin:
Key pair generation complete.
bind@ubuntu1804:~/bind-9.12.3-P1/bin/pkcs11$ ./pkcs11-list
Enter Pin:
object[0]: handle 2 class 3 label[10] 'sample-ksk' id[0] E:never
object[1]: handle 1 class 2 label[10] 'sample-ksk' id[0]
bind@ubuntu1804:~/bind-9.12.3-P1/bin/dnssec$ ./dnssec-keyfromlabel -l sample-ksk -f KSK example.net
md5.c:120: fatal error: pkcs_C_DigestUpdate: Error = 0x00000101
Aborted (core dumped)
PKCS11-LOG:
31.12.2018 15:42:07 | [0000403A:0000403A] C_OpenSession | D: Insert session 0x017b4ae5.
31.12.2018 15:42:07 | [0000403A:0000403A] log | D: Size: 1
31.12.2018 15:42:07 | [0000403A:0000403A] log | D: Index: 0x017b4ae5
31.12.2018 15:42:07 | [0000403A:0000403A] C_OpenSession | T: leave...
31.12.2018 15:42:07 | [0000403A:0000403A] C_DigestInit | T: enter...
31.12.2018 15:42:07 | [0000403A:0000403A] C_DigestInit | T: leave...
31.12.2018 15:42:07 | [0000403A:0000403A] C_DigestUpdate | T: enter...
31.12.2018 15:42:07 | [0000403A:0000403A] C_DigestUpdate | E: Error CKR_USER_NOT_LOGGED_IN occurred.
31.12.2018 15:42:07 | [0000403A:0000403A] C_DigestUpdate | T: leave...
According to the P11 standard CKR_USER_NOT_LOGGED_IN is defined as 0x00000101
3.) bind-9.13.5-W1.tar.gz
Note: bind-9.13.5-W1:
configure without option '--with-python' or with option '--with-python=/usr/bin/python' results in an error:
checking for Python support... no
configure: error: Python required for dnssec-keymgr
bind@ubuntu1804:/bind-9.13.5-W1$ ./configure --with-python=no --enable-native-pkcs11 --with-pkcs11=/Software/Linux/x86-64/Crypto_APIs/PKCS11_R2/lib/libcs_pkcs11_R2.so
bind@ubuntu1804:~/bind-9.13.5-W1$ make
bind@ubuntu1804:~/bind-9.13.5-W1/bin/pkcs11$ ./pkcs11-keygen -b 2048 -l sample-ksk
Enter Pin:
Key pair generation complete.
bind@ubuntu1804:~/bind-9.13.5-W1/bin/pkcs11$ ./pkcs11-list
Enter Pin:
object[0]: handle 2 class 3 label[10] 'sample-ksk' id[0] E:never
object[1]: handle 1 class 2 label[10] 'sample-ksk' id[0]
bind@ubuntu1804:~/bind-9.13.5-W1/bin/dnssec$ ./dnssec-keyfromlabel -a RSASHA1 -l sample-ksk -f KSK example.net
pk11.c:445: fatal error: pkcs_C_Login: Error = 0x000000A0
Aborted (core dumped)
PKCS11-LOG:
31.12.2018 15:46:59 | [00004088:00004088] C_OpenSession | D: Insert session 0x013442d6.
31.12.2018 15:46:59 | [00004088:00004088] log | D: Size: 1
31.12.2018 15:46:59 | [00004088:00004088] log | D: Index: 0x013442d6
31.12.2018 15:46:59 | [00004088:00004088] C_OpenSession | T: leave...
31.12.2018 15:46:59 | [00004088:00004088] C_Login | T: enter...
31.12.2018 15:46:59 | [00004088:00004088] C_Login | D: session handle: 0x013442d6
31.12.2018 15:46:59 | [00004088:00004088] C_Login | D: user type: 0x00000001
31.12.2018 15:46:59 | [00004088:00004088] C_Login | E: Error CKR_PIN_INCORRECT occurred.
31.12.2018 15:46:59 | [00004088:00004088] C_Login | T: leave...
According to the P11 standard CKR_PIN_INCORRECT is defined as 0x000000A0
What is the current bug behavior?
dnssec-keyfromlabel never asks for the PIN and core dumps.
What is the expected correct behavior?
dnssec-keyfromlabel should log in via p11 to the HSM, asking for the PIN and then create the pair of BIND9 key files.
Relevant configuration files
Relevant logs and/or screenshots
Possible fixes
Make dnssec-keyfromlabel ask for the PIN to authenticate and thus be able to use keys in the HSM.
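The two failure modes in this report can be told apart mechanically by correlating BIND's fatal-error line with the PKCS#11 module trace. The sketch below is an added example, not part of the original report or of BIND; the function name `triage` and the regular expressions are assumptions fitted to the log format shown above, which is specific to this vendor's module.

```python
import re

# CKR_* return codes quoted in the report above.
CKR = {"CKR_PIN_INCORRECT": 0x000000A0, "CKR_USER_NOT_LOGGED_IN": 0x00000101}
LOG_RE = re.compile(r"^\S+ \S+ \| \[[0-9A-F]+:[0-9A-F]+\] (?P<func>\w+) \| "
                    r"(?P<lvl>[DTE]): (?P<msg>.*)$")
FATAL_RE = re.compile(r"^[\w.]+:\d+: fatal error: pkcs_(?P<func>C_\w+): "
                      r"Error = 0x(?P<code>[0-9A-Fa-f]{8})$")
ERR_RE = re.compile(r"Error (CKR_\w+) occurred")

def triage(fatal_line, log_text):
    """Correlate a BIND pkcs_* fatal error with the PKCS#11 module trace."""
    fatal = FATAL_RE.match(fatal_line.strip())
    if not fatal:
        raise ValueError("not a BIND pkcs_* fatal error line")
    login_seen, failure = False, None
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        if m["func"] == "C_Login":
            login_seen = True
        err = ERR_RE.search(m["msg"]) if m["lvl"] == "E" else None
        if err and failure is None:
            failure = (m["func"], err.group(1))  # first error wins
    if failure is None:
        return {"verdict": "no error in module trace", "login_attempted": login_seen}
    func, name = failure
    if name == "CKR_USER_NOT_LOGGED_IN" and not login_seen:
        verdict = "operation issued without any C_Login attempt"
    elif name == "CKR_PIN_INCORRECT":
        verdict = "C_Login attempted, token rejected the PIN"
    else:
        verdict = "unclassified PKCS#11 failure"
    # The trace and the fatal line must name the same call and the same code.
    matches = func == fatal["func"] and CKR.get(name) == int(fatal["code"], 16)
    return {"func": func, "ckr": name, "login_attempted": login_seen,
            "matches_fatal_line": matches, "verdict": verdict}

# Lines copied from the 9.11.5-P1 and 9.13.5-W1 traces in the report.
TRACE_9_11 = """\
31.12.2018 15:39:47 | [0000402A:0000402A] C_DigestInit | T: leave...
31.12.2018 15:39:47 | [0000402A:0000402A] C_DigestUpdate | T: enter...
31.12.2018 15:39:47 | [0000402A:0000402A] C_DigestUpdate | E: Error CKR_USER_NOT_LOGGED_IN occurred.
"""
TRACE_9_13 = """\
31.12.2018 15:46:59 | [00004088:00004088] C_Login | T: enter...
31.12.2018 15:46:59 | [00004088:00004088] C_Login | E: Error CKR_PIN_INCORRECT occurred.
"""
```

Calling `triage` with the fatal line from run 1 and `TRACE_9_11` reports a digest call made with no login attempt, while run 3 with `TRACE_9_13` reports a login that was attempted and rejected.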