Hi,

I'll follow your advice and postpone the use of SoftHSM2 for the time being.

Anyway, thanks for your help!

Gérard

On 04/12/2023 at 14:31, Ondřej Surý wrote:
Hi,

the guide was written for OpenSSL 1.1.x and tested with that version
and the engines support in OpenSSL 3.x is deprecated, so most probably
something got broken along the way.

Everything works properly with OpenSSL 1.1.x (for example on Ubuntu focal).

There's a new provider for OpenSSL 3.x here:
https://github.com/latchset/pkcs11-provider

The catch is that OpenSSL Provider can't really be used with SoftHSM 2,
because that SoftHSM2 is itself broken when used with providers:
https://github.com/latchset/pkcs11-provider/discussions/68#discussioncomment-3860124

You can try using /usr/lib/x86_64-linux-gnu/libsoftokn3.so from libnss3 as the PKCS#11 library
instead of SoftHSM2, but unless you have a specific reason to use PKCS#11 I would
suggest simply avoiding it until the dust settles.

Adding SoftHSM2 on top of BIND 9 doesn't really increase security, as the user
named runs under has to have access to the private key data anyway.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

On 4. 12. 2023, at 0:43, Gérard Parat via bind-users <bind-users@lists.isc.org> wrote:

Hi,

Weird behavior with /opt/bind9/etc/openssl.cnf.

The only difference with /etc/ssl/openssl.cnf is the pkcs11 engine:

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
init = 0

For example, dig is not working with environment variable OPENSSL_CONF:

$ dig www.internet.nl +short
04-Dec-2023 00:39:24.280 EVP_PKEY_fromdata_init failed (crypto failure)
04-Dec-2023 00:39:24.280 error:03000096:digital envelope routines::operation not supported for this keytype:../crypto/evp/pmeth_gn.c:354:
dig: dst_lib_init: crypto failure

It works if OPENSSL_CONF is undefined:

$ OPENSSL_CONF= dig www.internet.nl +short
proloprod.internet.nl.
62.204.66.10

Issue seems wider than only relative to dnssec-keyfromlabel.

Gérard
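The message above narrows the problem down to the engine wiring in the OpenSSL config that OPENSSL_CONF points at. The following is an added diagnostic, not code from the thread or from ISC: it parses an OpenSSL-style config, follows the openssl_conf -> init section -> engines -> engine section chain, and reports every engine that would be loaded, flagging modules under engines-3/ (the OpenSSL 3.x ENGINE directory, an API that is deprecated in 3.x). The embedded config is a constructed copy of the sections quoted in the thread; the leading "openssl_conf = openssl_init" line is an assumption, added because that is how the stock Debian /etc/ssl/openssl.cnf names its init section.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the pkcs11 sections quoted in the thread.
# "openssl_conf = openssl_init" is assumed (Debian's default top-level line).
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
init = 0
"""

_SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")


def parse_openssl_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal OpenSSL-style config parser: '[section]' headers, 'key = value'
    lines and '#' comments. Keys before the first header land in 'default'.
    Key case is preserved: engine ctrl names such as MODULE_PATH are
    case-sensitive, so lower-casing them would hide a real misconfiguration."""
    sections: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue  # tolerate stray lines instead of aborting the diagnostic
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def engine_chain(sections: Dict[str, Dict[str, str]]) -> List[Dict[str, object]]:
    """Follow openssl_conf -> init section -> engines -> engine section ->
    per-engine section, returning one record per engine OpenSSL would load."""
    init_name = sections.get("default", {}).get("openssl_conf", "")
    engines_name = sections.get(init_name, {}).get("engines")
    if not engines_name:
        return []  # no engines directive: libcrypto loads no engine at init
    found: List[Dict[str, object]] = []
    for eng_key, sec_name in sections.get(engines_name, {}).items():
        sec = sections.get(sec_name, {})
        dyn = sec.get("dynamic_path", "")
        found.append({
            "engine": sec.get("engine_id", eng_key),
            "section": sec_name,
            "dynamic_path": dyn,
            "module_path": sec.get("MODULE_PATH", ""),
            "init": sec.get("init", ""),
            # engines-3/ is where OpenSSL 3.x installs ENGINE modules; the
            # ENGINE API itself is deprecated there, which is the mismatch
            # the thread runs into.
            "openssl3_engine": "/engines-3/" in dyn,
        })
    return found


def report(text: str) -> List[str]:
    """Human-readable lines for an administrator comparing two config files."""
    engines = engine_chain(parse_openssl_cnf(text))
    if not engines:
        return ["no engines configured; behaviour matches OPENSSL_CONF= (unset)"]
    lines = []
    for e in engines:
        note = " (ENGINE API, deprecated in OpenSSL 3.x)" if e["openssl3_engine"] else ""
        lines.append(
            f"engine {e['engine']} from [{e['section']}]: {e['dynamic_path']}"
            f" -> PKCS#11 module {e['module_path'] or '<none>'}, init={e['init']}{note}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CNF):
        print(line)
```

Running it against the two files in question (read each with open(...).read() and pass the text to report()) shows at a glance that the BIND-specific config pulls in the pkcs11 engine from engines-3/ while the stock /etc/ssl/openssl.cnf configures no engine at all, which is exactly the difference that makes dig fail with OPENSSL_CONF set and succeed with it unset.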

On 03/12/2023 at 18:40, Gérard Parat via bind-users wrote:
Hi,

I used this tutorial as reference to setup DNSSEC with SoftHSM2:
https://kb.isc.org/docs/bind-9-pkcs11

I installed the Debian package instead of building libp11:
libengine-pkcs11-openssl:amd64        0.4.12-0.1

It works until reaching this command:
$ dnssec-keyfromlabel \
-E pkcs11 \
-a RSASHA256 \
-l "token=bind9object=example.net-ksk" \
-f KSK example.net
dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure

Trying directly from OpenSSL works:
$ openssl pkey \
-in "pkcs11:token=bind9;object=example.net-ksk" \
-inform ENGINE \
-engine pkcs11 \
-text \
-pubin
Engine "pkcs11" set.
-----BEGIN PUBLIC KEY-----
MIG/MA0GCSqGSIb3DQEBAQUAA4GtADCBqQKBoQCmhO41MX09L/BiJiU7ygXt6D7J
ujmZFMBB7tb/LJBazNp+Xd5TLHZvp1MxFBBW39swTU6oynLnp8IOIuWQNap6kyQ5
hkGusvZ/JsrwHLZ1phPBKsdEd2ClB9EfF+ReabhXRVbqrw9yz22mLdlajmkLTx2d
V6EsjJue+aSX1nxFmna6qNrZBA5ifClpKH7R/0ztQb1RlYA11RG1RGrsRSJnAgMB
AAE=
-----END PUBLIC KEY-----
RSA Public-Key: (1280 bit)
Modulus:
     00:a6:84:ee:35:31:7d:3d:2f:f0:62:26:25:3b:ca:
     05:ed:e8:3e:c9:ba:39:99:14:c0:41:ee:d6:ff:2c:
     90:5a:cc:da:7e:5d:de:53:2c:76:6f:a7:53:31:14:
     10:56:df:db:30:4d:4e:a8:ca:72:e7:a7:c2:0e:22:
     e5:90:35:aa:7a:93:24:39:86:41:ae:b2:f6:7f:26:
     ca:f0:1c:b6:75:a6:13:c1:2a:c7:44:77:60:a5:07:
     d1:1f:17:e4:5e:69:b8:57:45:56:ea:af:0f:72:cf:
     6d:a6:2d:d9:5a:8e:69:0b:4f:1d:9d:57:a1:2c:8c:
     9b:9e:f9:a4:97:d6:7c:45:9a:76:ba:a8:da:d9:04:
     0e:62:7c:29:69:28:7e:d1:ff:4c:ed:41:bd:51:95:
     80:35:d5:11:b5:44:6a:ec:45:22:67
Exponent: 65537 (0x10001)

Debian 12 (bookworm) uses OpenSSL version 3:
libssl3:amd64                         3.0.11-1~deb12u2
openssl                               3.0.11-1~deb12u2

Installed BIND9 packages:
bind9                                 1:9.18.19-1~deb12u1
bind9-utils                           1:9.18.19-1~deb12u1
bind9-dnsutils                        1:9.18.19-1~deb12u1
bind9-doc                             1:9.18.19-1~deb12u1
bind9-libs:amd64                      1:9.18.19-1~deb12u1
bind9-host                            1:9.18.19-1~deb12u1

$ dnssec-keyfromlabel -V
dnssec-keyfromlabel 9.18.19-1~deb12u1-Debian

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
init = 0

strace file:
https://pasteb.in/?bd9a4ecaca6ece23#E2emtt8zi9t5UsnFJ2QWKVD6ALTkZmKG9656fuZR3ArX

It seems to be an API problem, or maybe I missed something?

Gérard
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users