ISC Open Source Projects / BIND / Issues / #975

Status: Closed

Created Apr 08, 2019 by Petr Menšík (@pemensik), Contributor

pkcs11 slot number relation to dnssec-keyfromlabel URI

Description

I was unable to configure automated testing of the pkcs11 system test. Both pkcs11 and pkcs11ssl failed in my testing. dnssec-keyfromlabel with --enable-native-pkcs11 accepts a pkcs11 URI, which is great. However, the supporting pkcs11 tool pkcs11-keygen accepts only a slot number. When I was scripting our pkcs11 build with a custom patch and a helper softhsm script, I failed to find the correct parameters.

I think my issue is that there is no slot 0 initialized by the script. That can be overridden by the SLOT environment variable. However, if I have one initialized token and one uninitialized, dnssec-keyfromlabel does not know which one to use. I did not find a way to specify a token in a pkcs11 URI by slot number.

A better way would be to support pkcs11 URIs for selecting the token in the pkcs11 tools too.

$ p11tool --list-all
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=*;token=Petr%20Mensik
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=*;token=DNS
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=*;token=test

Is there a way to use the $SLOT variable that I did not find? It fails to generate the private key because it cannot find the correct token.

Request

  • Support PKCS11 URIs in all tools if possible
  • Document a way to specify the slot number to dnssec-keygen that is compatible with the pkcs11 tools, if there is any
  • Provide a clear token-not-found return code or message in the pkcs11-* tools
  • Provide a login-failed message in the pkcs11-* tools on a bad HSM PIN
  • Ignore uninitialized tokens altogether

Links / references

  • Fedora guidelines demand PKCS11 URI support for any tool working with tokens: Fedora Packaging policy of PKCS#11. I would like to provide support for p11-kit integration when I find enough time for it.
  • Found no way to supply setup parameters for the pkcs11 setup
  • Softhsm setup script
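As an added illustration (not code from this issue or from BIND), the token-selection behaviour the requests above ask for, written in Python: it parses RFC 7512 pkcs11 URIs, matches a selector URI against the three tokens p11tool listed (embedded here as constructed sample data), and fails with a distinct "token not found" or "ambiguous" error instead of silently picking a token. Any RFC 7512 path attribute, including slot-id, goes through the same matching rule.

```python
from urllib.parse import unquote

# Constructed sample data: the three tokens p11tool reported in the issue text.
# p11tool prints serial=* as a placeholder; it is treated as a literal value here.
TOKEN_URIS = [
    "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=*;token=Petr%20Mensik",
    "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=*;token=DNS",
    "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=*;token=test",
]


def parse_pkcs11_uri(uri):
    """Split an RFC 7512 URI into (path_attrs, query_attrs), percent-decoded.

    Path attributes (token, model, serial, slot-id, ...) are ';'-separated;
    query attributes (pin-value, pin-source, module-path, ...) are '&'-separated.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError(f"not a pkcs11 URI: {uri!r}")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def decode(segment, sep):
        attrs = {}
        for part in filter(None, segment.split(sep)):
            key, eq, value = part.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute {part!r} in {uri!r}")
            attrs[unquote(key)] = unquote(value)
        return attrs

    return decode(path, ";"), decode(query, "&")


def select_token(selector_uri, token_uris):
    """Return the single token URI that selector_uri designates.

    RFC 7512 matching: every path attribute present in the selector must be
    present in the candidate with an equal value; the candidate may carry more.
    Raises LookupError with a clear reason when zero or several tokens match,
    which is the behaviour the issue asks the pkcs11-* tools to provide.
    """
    want, _ = parse_pkcs11_uri(selector_uri)
    matches = []
    for candidate in token_uris:
        have, _ = parse_pkcs11_uri(candidate)
        if all(have.get(key) == value for key, value in want.items()):
            matches.append(candidate)
    if not matches:
        raise LookupError(f"token not found for {selector_uri}")
    if len(matches) > 1:
        raise LookupError(f"ambiguous selector {selector_uri} matches {len(matches)} tokens")
    return matches[0]
```

A selector such as pkcs11:token=DNS resolves uniquely, while pkcs11:manufacturer=SoftHSM%20project matches two of the sample tokens and is rejected as ambiguous.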