pkcs11 slot number relation to dnssec-keyfromlabel URI
Description
I was unable to configure automated testing of the system test pkcs11. Both pkcs11 and pkcs11ssl failed in my testing. dnssec-keyfromlabel with --enable-native-pkcs11 accepts a pkcs11 URI, which is great. However, the supporting pkcs11 tool pkcs11-keygen accepts only a slot number. When I was scripting our pkcs11 build with a custom patch and helper softhsm script, I failed to find the correct parameters.
I think my issue is that there is no slot 0 initialized by the script. That can be overridden by the SLOT environment variable. However, if I have one initialized token and one uninitialized, dnssec-keyfromlabel does not know which one to use. I did not find a way to specify a token in the pkcs11 URI by slot number.
A better way would be to support pkcs11 URIs for selecting a token in the pkcs11 tools too.
$ p11tool --list-all
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=*;token=Petr%20Mensik
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=*;token=DNS
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=*;token=test
Is there a way to use the $SLOT variable that I did not find? It fails to generate the private key because it cannot find the correct token.
Request
- Support PKCS11 URI in all tools if possible
- Document a way to specify the slot number to dnssec-keygen that is compatible with the pkcs11 tools, if there is one
- Provide a clear token-not-found return code or message in the pkcs11-* tools
- Provide a login-failed message in the pkcs11-* tools on a bad HSM PIN
- Ignore uninitialized tokens altogether
Links / references
- Fedora guidelines demand PKCS11 URI support for any tool working with tokens: Fedora Packaging policy of PKCS#11. I would like to provide support for p11-kit integration when I find enough time for it.
- Found no way to supply setup parameters for the pkcs11 setup
- Softhsm setup script
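As an added illustration (not code from BIND or from the issue reporter), a small RFC 7512 matcher that selects a token from its URI path attributes, skips uninitialized tokens and fails with an explicit token-not-found or ambiguous-match error, which is the behaviour the request list above asks for. The token table and its serial numbers are constructed, modelled on the p11tool listing; RFC 7512 does define a slot-id path attribute, but whether BIND's URI parser accepts it is not stated on this page.

```python
from urllib.parse import unquote

# Constructed token table modelled on the p11tool listing in the issue: one
# uninitialized slot (the "slot 0" case) plus the three listed tokens.
# Serial numbers are placeholders, not real values.
TOKENS = [
    {"slot": 0, "initialized": False, "label": "", "manufacturer": "SoftHSM project",
     "model": "SoftHSM v2", "serial": ""},
    {"slot": 1, "initialized": True, "label": "DNS", "manufacturer": "SoftHSM project",
     "model": "SoftHSM v2", "serial": "SERIAL-DNS"},
    {"slot": 2, "initialized": True, "label": "test", "manufacturer": "SoftHSM project",
     "model": "SoftHSM v2", "serial": "SERIAL-TEST"},
    {"slot": 3, "initialized": True, "label": "Petr Mensik", "manufacturer": "piv_II",
     "model": "PKCS#15 emulated", "serial": "SERIAL-PIV"},
]

# RFC 7512 path attributes that describe a token or slot, mapped to the
# token-info field they are compared with. Other path attributes (object,
# type, id) select an object inside a token and are ignored for token selection.
TOKEN_ATTRS = {"token": "label", "manufacturer": "manufacturer", "model": "model",
               "serial": "serial", "slot-id": "slot"}


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into percent-decoded path and query attribute dicts."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI: %r" % uri)
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def decode(text, sep):
        attrs = {}
        for part in filter(None, text.split(sep)):
            name, _, value = part.partition("=")
            attrs[name] = unquote(value)
        return attrs
    return decode(path, ";"), decode(query, "&")


def select_token(uri, tokens=TOKENS):
    """Return the single initialized token matching every token attribute in
    the URI; raise LookupError with a clear reason otherwise."""
    path_attrs, _ = parse_pkcs11_uri(uri)
    matches = []
    for tok in tokens:
        if not tok["initialized"]:
            continue  # uninitialized tokens are never candidates
        if all(str(tok[TOKEN_ATTRS[name]]) == value
               for name, value in path_attrs.items() if name in TOKEN_ATTRS):
            matches.append(tok)
    if not matches:
        raise LookupError("token not found for %s" % uri)
    if len(matches) > 1:
        raise LookupError("%s matches %d tokens; add token=, serial= or slot-id="
                          % (uri, len(matches)))
    return matches[0]
```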