dnssec-keyfromlabel error "pk11.c:564: fatal error: pkcs_C_Login: Error = 0x000000A0" could be more helpful (#830) · Issues · ISC Open Source Projects / BIND

dnssec-keyfromlabel error "pk11.c:564: fatal error: pkcs_C_Login: Error = 0x000000A0" could be more helpful

The problem in this instance was that the pin code was incorrect. But at this point the problem could have been several - for example that the pkcs#11 library wasn't accessible or something like that. After heading off on the wrong track for quite some time, we eventually uncovered where the issue was.

# dnssec-keyfromlabel -v 5 -a RSASHA256 -l 'pkcs11:pin-source=/etc/named/hsmpin;object=sample_ksk' -K /etc/named/keys -f KSK example.com
pk11.c:564: fatal error: pkcs_C_Login: Error = 0x000000A0

I suspect that it's out of our hands to be able to interpret an error passed back to us by another lib, but what might be more helpful could be a summary of how far dnssec-key-label had got, so we know where not to look for the problem and maybe some suggestions for further troubleshooting?

In the above example, the PKCS#11 provider libs had been loaded OK, but the pin was wrong. Perhaps the error could indicate what the BIND code was trying to do (at a higher level) when it all went wrong?

(From Support ticket #14117 )

The problem in this instance was that the pin code was incorrect.  But at this point the problem could have been several - for example that the pkcs#11 library wasn't accessible or something like that.  After heading off on the wrong track for quite some time, we eventually uncovered where the issue was.

```
# dnssec-keyfromlabel -v 5 -a RSASHA256 -l 'pkcs11:pin-source=/etc/named/hsmpin;object=sample_ksk' -K /etc/named/keys -f KSK example.com
pk11.c:564: fatal error: pkcs_C_Login: Error = 0x000000A0
```

I suspect that it's out of our hands to be able to interpret an error passed back to us by another lib, but what might be more helpful could be a summary of how far dnssec-key-label had got, so we know where *not* to look for the problem and maybe some suggestions for further troubleshooting?

In the above example, the PKCS#11 provider libs had been loaded OK, but the pin was wrong.  Perhaps the error could indicate what the BIND code was trying to do (at a higher level) when it all went wrong?

(From Support ticket [#14117](https://support.isc.org/Ticket/Display.html?id=14117) )

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.