Hi Rickard, I appreciate the help.

It's not timing as the key can be pulled before; it seems that the request for the CKO_PRIVATE_KEY is failing.

2014-06-11 13:59:41 [4212] t002747eb417f0000: pkcs11: 000008DA > CKA_CLASS: CKO_PRIVATE_KEY

vs

2014-06-11 13:57:01 [4252] t40978d224f7f0000: pkcs11: 000008CB > CKA_CLASS: CKO_PUBLIC_KEY

Seems to be the issue?

Regards
— David Peall

On 11 Jun 2014, at 12:57 PM, Rickard Bellgrim <rick...@opendnssec.org> wrote:

> On Wed, Jun 11, 2014 at 12:15 PM, David Peall <da...@dnservices.co.za> wrote:
> > Here is the log line:
> > Jun 11 12:03:41 ods-signerd: [hsm] unable to get key: key 5a4cf5871ef16a77118283e8666f486b not found
> >
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsInit
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession 0x000008DB
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > CKA_CLASS: CKO_PRIVATE_KEY
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > CKA_ID pAtt->pValue= 16 bytes
> > 5a4cf587 1ef16a77 118283e8 666f486b
> >
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv 0x00000000 (CKR_OK)
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjects
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession 0x000008DB
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > phObject 0x7ffff3ac5cd8
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > ulMaxObjectCount 1
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < *pulObjectCount 0
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv 0x00000000 (CKR_OK)
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsFinal
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession 0x000008DB
> > 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv 0x00000000 (CKR_OK)
>
> OpenDNSSEC (ods-signerd) is acting correctly because the HSM says that there is no key which matches the search criteria. See the pulObjectCount returned from the HSM above.
>
> The issue is probably some synchronization problem with the HSM. E.g. object information not propagating fast enough between the two loaded instances of the PKCS#11 library or you are operating a HA-cluster and the object has not been synchronized to the second cluster member. The PKCS#11 library should not return from the key generation function until this has been done.
>
> // Rickard
_______________________________________________ Opendnssec-user mailing list Opendnssec-user@lists.opendnssec.org https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
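
An added example, not part of the original thread or of OpenDNSSEC: a small Python parser for a PKCS#11 trace in the layout quoted above that lists every C_FindObjects search that matched no object, together with the CKA_CLASS and CKA_ID it searched for. It assumes one record per line and that a bare hex line continues the preceding CKA_ID dump; the name `empty_searches` and the sample input are constructed here.

```python
import re

# Layout of the trace quoted in this thread, one record per line:
#   <date> <time> [pid] <thread>: pkcs11: <session> <marker> <text>
# marker: ">>" call, ">" input argument, "<" output or return value
LINE = re.compile(r"^(\S+ \S+) \[(\d+)\] (\S+): pkcs11: (\w+) (>>|>|<) (.*)$")
HEXRUN = re.compile(r"^(?:[0-9a-fA-F]+\s*)+$")

def empty_searches(lines):
    """Return (time, pid, class, id_hex) for every search that matched no object."""
    searches, misses, id_key = {}, [], None
    for raw in lines:
        raw = raw.strip()
        m = LINE.match(raw)
        if not m:
            # Assumption: a bare hex line continues the CKA_ID dump just before it.
            if id_key in searches and HEXRUN.match(raw):
                searches[id_key]["id"] += raw.replace(" ", "").lower()
            continue
        when, pid, thread, session, marker, text = m.groups()
        key, id_key = (pid, thread, session), None
        if marker == ">>" and text == "C_FindObjectsInit":
            searches[key] = {"class": None, "id": "", "found": 0}
        elif key not in searches:
            continue
        elif marker == ">" and text.startswith("CKA_CLASS:"):
            searches[key]["class"] = text.split(":", 1)[1].strip()
        elif marker == ">" and text.startswith("CKA_ID"):
            tail = text.split("bytes", 1)[1] if "bytes" in text else ""
            searches[key]["id"] += tail.replace(" ", "").lower()
            id_key = key
        elif marker == "<" and text.startswith("*pulObjectCount"):
            searches[key]["found"] += int(text.split()[1])
        elif marker == ">>" and text == "C_FindObjectsFinal":
            s = searches.pop(key)
            # C_FindObjects is normally called until it returns 0, so only a
            # search whose calls found nothing in total is a miss.
            if s["found"] == 0:
                misses.append((when, pid, s["class"], s["id"]))
    return misses

P = "2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB "
# Constructed sample: the failing search from the thread, re-joined one record per line.
SAMPLE = [P + ">> C_FindObjectsInit", P + "> CKA_CLASS: CKO_PRIVATE_KEY",
          P + "> CKA_ID pAtt->pValue= 16 bytes", "5a4cf587 1ef16a77 118283e8 666f486b",
          P + ">> C_FindObjects", P + "< *pulObjectCount 0", P + ">> C_FindObjectsFinal"]

if __name__ == "__main__":
    for miss in empty_searches(SAMPLE):
        print("no match: %s pid=%s class=%s id=%s" % miss)
```

Comparing the reported class and ID of each miss against the key locator in the ods-signerd "unable to get key" message shows which object class the HSM failed to return for that key.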