[Opendnssec-user] Leaving the project

the project and making SoftHSM to what it is today. The SoftHSM-team is actively working on ensuring that the project moves forward. // Rickard Bellgrim ___ Opendnssec-user mailing list Opendnssec-user@lists.opendnssec.org https://lists.opendnssec.org

Re: [Opendnssec-user] Unclear SoftHSM behavior.

Hi Marco SoftHSM does not cache the key object but reads it from the object store (in memory) for each operation (encrypt/decrypt). We made some changes on how the library detect changes to the object store on disc in version 2.4. It might be, in your case, that SoftHSM also loads the object from

Re: [Opendnssec-user] Is it possible to change the SO PIN of SoftHSM2?

No, it is not implemented in softhsm2-util. But you can use C_SetPin() via PKCS#11. On Mon, May 7, 2018 at 12:03 PM, Spadoni Marco < marco.spad...@italiaonline.it> wrote: > I am running version 2.1.0 of SoftHSM on CentOS7. > > I was not able (both via softhsm2-util and pkcs11-tool as well) to fin

Re: [Opendnssec-user] Migrating from SoftHSM 1 to 2: "ERROR: Could not get the class of object 1. Continuing."

It is probably something wrong in the code that reads the object class from the SoftHSM database: https://github.com/opendnssec/SoftHSMv2/blob/e014b86c1f3dab6f57e066171637e120de924f78/src/bin/migrate/softhsm2-migrate.cpp#L518 That SQLITE_ROW is not returned or that pValue is null / does not match

Re: [Opendnssec-user] Question about P11Attributes checks

these `ck` checks are enforced though. For example, who enforces > `ck7` on a P11ECPrivateKeyObj, so that a sensitive key cannot be revealed? > > Thank you, > -Dave > > On Thu, Oct 12, 2017 at 11:09 AM Rickard Bellgrim > wrote: > >> Hi Dave >> >> The che

Re: [Opendnssec-user] Question about P11Attributes checks

Hi Dave The checks comes from PKCS#11 [1] and is enforced according to it. You can cross-reference all the attributes with PKCS#11. ck1 is set for CKA_CLASS [2], but CKA_TOKEN is an optional attribute that will default to CK_FALSE and is not required when creating an object. CKA_CERTIFICATE_TYPE

Re: [Opendnssec-user] SoftHSM userpin

Not currently, because the SO can only handle public objects. When to SO logs in, the session enters R/W SO Functions. R/W SO Functions: The Security Officer has been authenticated to the token. The application has read/write access only to public objects on the token, not to private objects. The

Re: [Opendnssec-user] Change SoftHSM user pin

If you do not have the old pins, then you will loose the encryption key used for encrypting the private objects. (You can replace the pins by manually editing the token object and replacing the salted and hashed pin. Check the source code for the correct format and functions.) // Rickard On Sun,

Re: [Opendnssec-user] Evaluation of SoftHSM

SoftHSMv2 is currently at version 2.1.0 and is considered a stable release. I have now updated that wiki page. If you do not have any external requirements, then yes, it is up to you define how you should handle the keys for your zones. The security level of SoftHSM is not comparable to real HSM:

Re: [Opendnssec-user] OpenDNSSEC with SafeNet Luna HSM

On Thu, May 12, 2016 at 7:54 PM, Roman Serbski wrote: > Do I need to follow 'softhsm --init-token ...' procedure (I noticed > that there is --module directive)? Or OpenDNSSEC has to be > recompiled with libCryptoki2_64.so support? > No, everything should work out of the box with OpenDNSSEC. Yo

Re: [Opendnssec-user] openhsm problem

On Fri, Apr 15, 2016 at 8:31 AM, surya prakash wrote: > I am using open hsm to generate public and private key pair. After > generating it private key will be stored in token and public key has to be > given to others. Now my problem is how to export public key into a file to > give it to others

Re: [Opendnssec-user] openhsm problem

On Wed, Apr 13, 2016 at 8:29 AM, surya prakash wrote: > openhsm2 does not allow exporting of keys then how public key can be > written > > into a file for others to use it > You should be able to extract the public key information from SoftHSMv2. Could you describe how you are trying to extract

Re: [Opendnssec-user] Plans for ECDSA support in softhsm(2)

On Sun, Mar 6, 2016 at 9:50 PM, Tom Hendrikx wrote: > Are there any plans for ECDSA support? I didn't find any github tickets > either mentioning this... > SoftHSMv2 is supporting this. This is also true for libhsm. Do not know the state of the signer and the enforcer. // Rickard _

Re: [Opendnssec-user] plans for softhsm-2 release?

On Wed, Feb 24, 2016 at 7:57 PM, Paul Wouters wrote: > > Hi, > > I need to pull in some post 2.0.0 fixes. I notice there are about 20 > commits since the release. It would safe me a lot of work if there was > a 2.0.1 (candidate or final) release I could use instead :) > > What is the schedule for

Re: [Opendnssec-user] Migrating to SoftHSM2

On Mon, Jan 11, 2016 at 10:41 AM, Fred.Zwarts wrote: > Thanks for your response. So, I was at the right track, but the version of > SoftHSM2 that is currently released, does not yoet support a migration from > SoftHSM v1. I will wait for a new release of SoftHSM that will support the > migration.

Re: [Opendnssec-user] Migrating to SoftHSM2

> 2015-12-23T09:27:09.152565+01:00 kvivs20 ods-signerd: [hsm] sign init: > CKR_GENERAL_ERROR > 2015-12-23T09:27:09.152600+01:00 kvivs20 ods-signerd: [hsm] error signing > rrset with libhsm > 2015-12-23T09:27:09.152635+01:00 kvivs20 ods-signerd: [rrset] unable to > sign RRset[99]: lhsm_sign() failed

Re: [Opendnssec-user] Migrating to SoftHSM2

Hi Fred I see that this did not override the SoftHSM 1.3.7 installation, but it > installs some new utilities. > You can have both SoftHSMv1 and SoftHSMv2 installed on the same system. The library, configuration file, and binaries all have new names. The next step is to migrate our SoftHSM 1.3.7

Re: [Opendnssec-user] Questions about SoftHSM and 'ods-ksmutil backup'

On Thu, Sep 24, 2015 at 4:55 PM, Rick van Rein wrote: > > The SQLite backups are made at the database level, and that is the level > at which you should look for tooling support for import / recover the > backup. The default procedure in lieu of any would be to stop KASP, > replace the database

Re: [Opendnssec-user] SoftHSM2 binaries for Windows

Hi Jaroslav On Fri, Jul 31, 2015 at 3:28 PM, Jaroslav Imrich wrote: > > I've noticed that SoftHSM2 has been released [0]. Are there any plans to > provide official binaries for Windows platforms or can I take over this > task and release them the same way as I did for SoftHSM1 [1]? > > [0] https:

Re: [Opendnssec-user] Import existing keys

On Fri, May 8, 2015 at 6:13 PM, Juan Orti Alcaine wrote: > I'm trying to import my current keys into SoftHSM with something like: > softhsm2-util --import ksk.pem --slot 0 --label KSK --id > > But I don't know how to obtain the ID. I've search all around the web > unsuccessfully. > --label and

Re: [Opendnssec-user] PKCS11 Specification version

On Thu, May 7, 2015 at 9:59 AM, Elizabeta wrote: > I have a small question about PKCS#11 specification and SoftHSM v2. > Is SoftHSM v2 under the v2.20 or v2.30 PKCS#11 specification ? > SoftHSMv2 is under PKCS#11 v2.20, but have some algorithms added from v2.30 and v2.40. v2.30 was never finali

Re: [Opendnssec-user] Information about SoftHSM v2 - signing operation

On Wed, Apr 15, 2015 at 11:09 AM, Elizabeta wrote: > In addition, concerning the key generation are there any advises when to > use the function C_CreateObject instead of C_GenerateKey ? I'm rising this > question since, as given in the specification, we can use both of them for > key generation.

Re: [Opendnssec-user] Information about SoftHSM v2 - signing operation

Hi Elizabeta C_Login() will log in the user on the token, thus changing the login state for all sessions on that token. The test script will login using hSessionRO, but hSessionRW will also move from the public state to the user state. If you add C_Logout(hSessionRO) after the key generation and

Re: [Opendnssec-user] Compiling SoftHSM 2.0.0b2 for Windows

On Mon, Mar 16, 2015 at 9:42 AM, Kil Tuy wrote: > Hi, > I am trying to compile SoftHSM 2.0.0b2 > for Windows. I > managed to get it work but I had an issue. BotanAES.cpp file contains a > call to functions Botan::rfc5649_keywrap and Botan:

Re: [Opendnssec-user] Differences between SoftHSMv1 and SoftHSMv2?

On Wed, Mar 11, 2015 at 8:01 PM, Dave Fine wrote: > What are the primary differences between version 1 and version 2 of > SoftHSM? It seems that version 1 is still being maintained as version 2 > continues its development. Does version 2 offer new functionality that > version 1 does not offer? Ad

Re: [Opendnssec-user] PKCS11Exception: CKR_DATA_LEN_RANGE using softhsm2

On Mon, Dec 8, 2014 at 7:54 PM, Rickard Bellgrim wrote: > We can rewrite the code to calculate the exact number of bytes need when > calling C_EncryptUpdate. > Does it work better after the latest commit? // Rickard ___ Opendnssec-user mai

Re: [Opendnssec-user] PKCS11Exception: CKR_DATA_LEN_RANGE using softhsm2

On Mon, Dec 8, 2014 at 6:01 PM, roko wrote: > So, I think padding is now supported, but in my application now I have > this exception: > > Caused by: javax.crypto.ShortBufferException > at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:561) > at sun.security.pkcs11.P11Cip

Re: [Opendnssec-user] PKCS11Exception: CKR_DATA_LEN_RANGE using softhsm2

On Fri, Dec 5, 2014 at 8:09 AM, Roland van Rijswijk - Deij < roland.vanrijsw...@surfnet.nl> wrote: > Hi Roko, > > roko wrote: > > I'm getting this error: > > Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: > CKR_DATA_LEN_RANGE > > > > Is this maybe a known limitation for softhsm2 ? there i

Re: [Opendnssec-user] softhsm: Create a token without a PIN?

On Fri, Nov 7, 2014 at 12:23 AM, Mike Gerow wrote: > Is it possible to create a softhsm token without a PIN (and with the > flags for the CK_TOKEN_INFO not having CKF_LOGIN_REQUIRED set)? > You could manually call C_InitToken() and ignore calling C_InitPIN(). This would only give you access to t

Re: [Opendnssec-user] v1.4.6 static analysis results & discovered bugs

On Tue, Sep 30, 2014 at 10:06 PM, Paul Wouters wrote: > On Tue, 30 Sep 2014, Petr Spacek wrote: > > Subject: [Opendnssec-user] v1.4.6 static analysis results & discovered >> bugs >> > > And here is the one for softhsm2: > > http://people.redhat.com/pwouters/softhsm-2.0.0b1-2.el7.html > > The str

Re: [Opendnssec-user] Migrating signed zones from MS DNS 2008 to OpenDNSSEC

> > Has anybody done this before and willing to share some tips/hints > especially with regards to reusing the keys? If I'm not wrong, they > are in PFX file format. I found > https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC but > it explains how to convert BIND files. > If you wan

Re: [Opendnssec-user] v1.4.6 static analysis results & discovered bugs

On Tue, Sep 30, 2014 at 10:06 PM, Paul Wouters wrote: > On Tue, 30 Sep 2014, Petr Spacek wrote: > > Subject: [Opendnssec-user] v1.4.6 static analysis results & discovered >> bugs >> > > And here is the one for softhsm2: > > http://people.redhat.com/pwouters/softhsm-2.0.0b1-2.el7.html > > The str

Re: [Opendnssec-user] ods-signerd crashes - prob partially my fault

On Mon, Sep 29, 2014 at 5:23 PM, Paul Wouters wrote: > I would consider these all to be bugs. softhsm should handle the import > properly, especially file permissions. It should possibly warn if the > file is owned/grouped by root, or better if not owned/grouped by > whomever owns the /var/sofths

Re: [Opendnssec-user] ods-signerd crashes - prob partially my fault

On Wed, Sep 24, 2014 at 11:36 PM, Paul Wouters wrote: > On Tue, 23 Sep 2014, Rickard Bellgrim wrote: > > On Fri, Sep 19, 2014 at 9:49 PM, Paul Wouters wrote: >> [root@ns0 log]# ls -l /var/softhsm/slot0.db >> -rw-rw-r--. 1 root nsd 329728 Sep 14 10:09

Re: [Opendnssec-user] ods-signerd crashes - prob partially my fault

On Fri, Sep 19, 2014 at 9:49 PM, Paul Wouters wrote: > [root@ns0 log]# ls -l /var/softhsm/slot0.db > -rw-rw-r--. 1 root nsd 329728 Sep 14 10:09 /var/softhsm/slot0.db > What user and group is ods-signer dropping to according to conf.xml? // Rickard ___

Re: [Opendnssec-user] ods-enforcerd in error loop required manual ods-ksmutil hacking to get unstuck :(

On Mon, Sep 22, 2014 at 4:44 PM, Paul Wouters wrote: > > It is possible that testing with softhsm-2 and then reverting to > softhsm-1 caused these to happen, if these keys were generated during > the 2 days of running softhsm-v2. > It could be that the keys were generated during that time. Do yo

Re: [Opendnssec-user] softhsmv2 bugs

On Tue, Aug 5, 2014 at 9:59 PM, Paul Wouters wrote: > > I did a softhsm v1 to v2 migration for opendnssec, which seemed to have > worked: > > softhsm2-util --init-token --slot 0 --label "OpenDNSSEC" --pin 1234 > --so-pin 1234 > softhsm2-migrate --db /var/softhsm/slot0.db --pin 1234 --slot 0 > > t

Re: [Opendnssec-user] Re: exporting key from openhsm sqllite, no mysql

On Mon, Aug 4, 2014 at 8:01 AM, Jarno Huuskonen wrote: > > # softhsm --export my.zone.zsk.pem --slot 0 --pin haha42 --id deadbeef > > Error: Could not find the private key with ID = deadbeef > > Have you tried with: ods-ksmutil key list -v --zone your.zone > > An alternative is to use: $ sudo pk

Re: [Opendnssec-user] disk flower from ods-ksmutil list

On Mon, Jul 28, 2014 at 3:49 PM, Randy Bush wrote: > #0 0x0008019283bb in EVP_PKEY_CTX_free (ctx=0xd) at pmeth_lib.c:369 > #1 0x000801917435 in EVP_MD_CTX_cleanup (ctx=0x80288c0a0) at > digest.c:394 > #2 0x000802f71ae9 in Botan::(anonymous > namespace)::EVP_HashFunction::~EVP_HashF

Re: [Opendnssec-user] SoftHSM devel list?

On Wed, Jun 25, 2014 at 2:09 PM, Andreas Schwier < andreas.schw...@cardcontact.de> wrote: > That is correct. You also need the functionality to import the public > key of the recipient using C_CreateObject. Don't know if SoftHSM already > supports that. > It is supported in C_CreateObject: https:

Re: [Opendnssec-user] SoftHSM devel list?

On Wed, Jun 25, 2014 at 1:54 PM, Petr Spacek wrote: > My understanding is that for step 2 I need something like > CKM_RSA_PKCS_OAEP, right? > > The problem is that C_WrapKey in SoftHSM v2 doesn't support any asymmetric > algorithm for key wrapping. That is the reason why I asked for guidance > wh

Re: [Opendnssec-user] SoftHSMv2: key extraction

On Fri, Jun 20, 2014 at 6:20 PM, Petr Spacek wrote: > Unfortunately, it is absolutely crucial feature and we can't migrate to v2 > until we find a way how to do key exports. > > I understand that it is not desirable to enable this by default, it is > perfectly fine to provide key export in separa

Re: [Opendnssec-user] SoftHSM v2 status?

On Thu, Jun 19, 2014 at 5:28 AM, Paul Wouters wrote: > - Does softhsm2 change the API/ABI ? > The library is using the same version of PKCS#11, but have implemented more functions. The support tools have been changed, e.g. softhsm -> softhsm2-util New configuration file: softhsm2.conf > - Is

Re: [Opendnssec-user] SoftHSM v2 status?

On Wed, Jun 18, 2014 at 10:44 AM, Petr Spacek wrote: > If I say that performance is not very interesting for me, how reliable is > it? When it crashes, how likely is database corruption? (I don't expect > exact number, just general feels - it don't happen or it destroys data > daily.) > The only

Re: [Opendnssec-user] Key not found

On Wed, Jun 11, 2014 at 12:15 PM, David Peall wrote: > Here is the log line: > Jun 11 12:03:41 ods-signerd: [hsm] unable to get key: key > 5a4cf5871ef16a77118283e8666f486b not found > > 2014-06-11 12:03:41 [6670] t0067acf3ff7f: pkcs11: 08DB >> > C_FindObjectsInit > 2014-06-11 12:03:41 [66

Re: [Opendnssec-user] no softhsm whining

On Mon, Jun 9, 2014 at 7:27 PM, Randy Bush wrote: > > all ds are seen. repository is flagged. i am still not asked to back > keys up. > > > > /usr/local/lib/softhsm/libsofthsm.so > opendnssec > VibogNond1 >

Re: [Opendnssec-user] Signature failed to cryptographically verify

On Mon, Jun 2, 2014 at 11:56 AM, Gilles Massen wrote: > > > Have you tried validating the zone with validns? Does it give an > > error also? > > Yes, it does. The error was "wrong padding" or "wrong pad length" I think. > > Could it be that libhsm is not padding the data (signature or public key)

Re: [Opendnssec-user] entropy source for SoftHSM

On Wed, May 14, 2014 at 2:05 PM, Alex Omgovitskij wrote: > > Thus SoftHSM or SoftHSM + TRNG is a good choice for now, we can add TRNG > later or even add HSM later if required. > So the question still actual (to foresee future changes in hardware): is > it possible to use SoftHSM + TRNG? > That w

Re: [Opendnssec-user] no softhsm whining

On Wed, May 14, 2014 at 11:38 AM, Randy Bush wrote: > i realized that i have not seen softhsm telling me i need to > > sqlite3 /usr/local/var/softhsm/slot0.db ".backup `date > '+%y%m%d'`.softhsm-copy.db" > ods-ksmutil backup prepare > ods-ksmutil backup commit > > for a month or two.

Re: [Opendnssec-user] Generating public/private key

On Tue, Apr 15, 2014 at 7:11 PM, Aki Tuomi wrote: > Also. I tested that the database ends up in VERY different state when one > performs > > --export > --init-token > --import > > than it does with C_GenerateKeyPair() > > Is there something else one needs to do after C_GenerateKeyPair that I am >

Re: [Opendnssec-user] Generating public/private key

On Sat, Apr 12, 2014 at 1:08 PM, Aki Tuomi wrote: > > I hope someone can tell me what I am doing wrong? > > The issue is not CKA_SIGN, the issue is that you are generating a key with label "test4" but you are searching for an object with the label "test". // Rickard _

Re: [Opendnssec-user] ods-signerd changing file mode of signed zones

On Fri, Mar 28, 2014 at 2:00 PM, Mathieu Arnold wrote: > | (It still is an issue that the main application (ods-signer) gets > | affected.) > > That it is :-) Have created the following tickets: https://issues.opendnssec.org/browse/SOFTHSM-94 https://issues.opendnssec.org/browse/SOFTHSM-95 //

Re: [Opendnssec-user] ods-signerd changing file mode of signed zones

On Fri, Mar 28, 2014 at 11:01 AM, Mathieu Arnold wrote: > > > +--On 28 mars 2014 07:42:18 +0100 Rickard Bellgrim > > wrote: > | On Thu, Mar 27, 2014 at 5:45 PM, Mathieu Arnold wrote: > | > |> I've browsed ODS's sources, and can't really figure out why

Re: [Opendnssec-user] ods-signerd changing file mode of signed zones

On Thu, Mar 27, 2014 at 5:45 PM, Mathieu Arnold wrote: > I've browsed ODS's sources, and can't really figure out why it would > happen, I can't see anywhere where umask is changed, or even where file > modes are used to write to files... > Are you running SoftHSM 1.3.6? It uses umask when openi

Re: [Opendnssec-user] Key Wrapping with SUNPKCS11 and SoftHSM

> > I get an error statingjava.security.InvalidKeyException: No installed > provider supports this key: sun.security.pkcs11.P11Key$P11RSAPublicKey at > javax.crypto.Cipher.chooseProvider(Cipher.java:878) at > javax.crypto.Cipher.init(Cipher.java:1213) at > javax.crypto.Cipher.init(Cipher.java:1153)

Re: [Opendnssec-user] proper C_FindObjectsInit

> {CKA_LABEL, (void *)"card_data", sizeof("card_data" -1) }, > Maybe just a typo in the email, but the -1 should be outside the parentheses. > i compute 6 elements total, But then in the C_FindObjectsInit, i pass > ulCount - 1 > and i get no matches. > > should i be doing > > * rv = C_F

Re: [Opendnssec-user] Why C_Initialize calling differences?

Hi Jack > While i see the processing associated with pInitArgs, i wanted to ask what > use case the app programmer would want to call C_Initialise(pInitArgs) vs > C_Initialize(NULL_PTR) ?? > The documentation for PKCS#11 can be found here: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11

Re: [Opendnssec-user] would some kind soul share a clue?

> > suggestions? TIA, jackc... > It is hard to tell if the error is in XmlSecTool or SoftHSMv2. Could you check if there is any message in syslog or try to add PKCS#11 Spy in between them so that I can see the transactions? Please remove any sensitive information from the log file produced by PKCS

Re: [Opendnssec-user] softhsm 3.5 make check assertion failure on ppc64

Hi Paul On Sun, Nov 3, 2013 at 7:48 PM, Paul Wouters wrote: > > It seems running "make check" on ppc64 shows a failure: > > make[2]: Entering directory `/builddir/build/BUILD/softhsm-1.3.5/checks' > ./checks -z > checks: checks.c:545: runUserCheck: Assertion `rv == (0xa0)' failed. > Checking C_I

Re: [Opendnssec-user] DNSKEY keytag calculation differencens between ods-hsmutil and ods-ksmutil

On Thu, Nov 14, 2013 at 9:51 AM, Matthijs Mekking wrote: > Hi Klaus, > > On 11/14/2013 08:25 AM, Klaus Darilion wrote: > > Hi! Using ODS 1.3.15 and nCipher HSMs: > > > > The key itself is identical, but the calculated tag differs when > > calculated by ods-hsmutil: KSKs have an offset of 4 (and re

Re: [Opendnssec-user] ods-signerd calling vmstat?!?

On Wed, Sep 4, 2013 at 11:25 PM, Rickard Bellgrim wrote: > I might see an issue in the Botan code. I will verify this with Jack, but > the issue might be that it breaks out from the for-loop in the > Device_EntropySource, even if the polling goal is not fulfilled. When > reading from

Re: [Opendnssec-user] Enabling GOST algorithm

You can have a look on the SoftHSMv2 code: https://github.com/opendnssec/SoftHSMv2/blob/master/src/lib/crypto/OSSLCryptoFactory.cpp#L77 SoftHSMv2 have support for GOST in both the Botan and the OpenSSL code. OpenDNSSEC have support for GOST in libhsm, but not yet in the Enforcer. // Rickard On T

Re: [Opendnssec-user] Bad signerd crash.

> And with the number of zones I have, ZSK rollovers do happen more than once > a day, and the signer signs something every 30 seconds or so on average. > So, I get this : It sounds like r7307 of SoftHSM might fix this. // Rickard ___ Opendnssec-user m

Re: [Opendnssec-user] Bad signerd crash.

> Looking at the code (shared/hsm.c), it looks like hsm_find_key_by_id() > returns NULL, but libhsm does not provide an error. After a couple of > tries, the signer reports "key not found". > Could it be related to: https://issues.opendnssec.org/browse/SOFTHSM-45 Most of the code in SoftHSM had p

Re: [Opendnssec-user] ods-signerd calling vmstat?!?

> > Also, if earlier polls (eg /dev/random or EGD) succeed, then we > > will never query these sources at all, as spawning off all > > these processes is quite slow, so we avoid it except in cases > > where it is necessary due to lack of other options. > > Ref. above, I'm still seeing these message

Re: [Opendnssec-user] ods-signerd calling vmstat?!?

> > What I can do is to forward your concerns to the Botan mailing list. To > discuss the usage of "ls -alni /tmp" as one of the low priority sources. > Here is the response from Jack Lloyd: Well, there are two issues potentially involved - that a local attacker can manipulate the input, and that

Re: [Opendnssec-user] ods-signerd calling vmstat?!?

> Does priority mean it won't get used in normal situations? > > What happens when the system is temporarilly low on entropy? Any chance > it can get used then? > > What happens when I create thousands of filenames containing many "A"'s? > > I'm still not convinced these are harmless. But I guess I

Re: [Opendnssec-user] ods-signerd calling vmstat?!?

> I didn't find build instructions to say "use local entropy devices/daemons > whenever available" let alone "require their service at startup". What a > pitty -- it sounds like they leave it to SoftHSM to do this work, even if > the OS has proper sources of entropy. > Botan do try to use e.g. /d

Re: [Opendnssec-user] ods-signerd calling vmstat?!?

> > When polling for entropy, the PRNG will start with the first entropy > source added and then go through the list. The last entropy source, > Unix_EntropySource, will include the list of commands as mentioned earlier > in this email thread. The “ls -alni /tmp” has priority 4 out of 5. This > mak

Re: [Opendnssec-user] ods-signerd calling vmstat?!?

> Wow, that is pretty epic - in a bad way.. Am I really trusting > opendnssec > to generate RSA keys with the below code for entropy? filenames in /tmp? > CONCLUSION: The file names in the tmp directory will only be used as one of the last resorts if not enough entropy has been gathered from t

Re: [Opendnssec-user] ods-signerd calling vmstat?!?

> What worries me is, as a user of OpenDNSSEC, is that it is not > transparent which entropy source is used. There might be an compile-time > or run-time option to Botan to influence or force the selection, but I'm > not an expert in Botan. > OpenDNSSEC just uses an HSM. It has no knowledge of the

Re: [Opendnssec-user] ods-signerd calling vmstat?!?

On Mon, Sep 2, 2013 at 9:47 AM, Jakob Schlyter wrote: > On 30 aug 2013, at 17:44, Paul Wouters wrote: > > > Wow, that is pretty epic - in a bad way.. Am I really trusting > opendnssec > > to generate RSA keys with the below code for entropy? filenames in /tmp? > > Although I agree this is ba

Re: [Opendnssec-user] Looking for a "cheap" HSM

> > IIUC, user talks to web, web talks to WService, WService talks with token. > Doesnt that break the rule of the "user being the only one having the > PIN/access to key" > How the PIN is transferred over multiple systems to the HSM/token is out of scope. You have to build/use a system which make

Re: [Opendnssec-user] Looking for a "cheap" HSM

Your application will load a vendor specific PKCS#11 library. This library will expose the PKCS#11 function calls to your application. The communication to the HSM is handled internally by the library. Objects (such as private keys) are stored in a so called token. Anyone with credentials to the t

Re: [Opendnssec-user] softHSM

> Is there an automatic way of backing up the keys to the backup softHSM > server? Writing a script / cron job which copies the token database over to the second server. // Rickard ___ Opendnssec-user mailing list Opendnssec-user@lists.opendnssec.org ht

Re: [Opendnssec-user] ods-hsmutil

On Fri, Jul 13, 2012 at 5:57 PM, elsif wrote: > So, this same Keyper HSM with 36 (or more) keys on it... > > I run an "inittoken" now. > > "ods-hsmutil list" shows me no keys. I haven't nuked the APP keys via the > HSM console, though. They're still there but hsmutil doesn't show them. > Why? I

Re: [Opendnssec-user] ods-hsmutil

> Clearly there's a bad assumption on my part somewhere in here. Yes, if you create keys manually then you have to add them manually to OpenDNSSEC before you start OpenDNSSEC. If you have not added them to the Enforcer, then it will create keys by itself. My recommendation is to not generate keys

Re: [Opendnssec-user] Some questions from a new ods user

> You can have different SO and User PINs. > You should specify the User PIN in conf.xml > AFAIK the SO-pin isn't actively used by SoftHSM anyways. All the operations in OpenDNSSEC are done by using the regular user in PKCS#11. SoftHSM only need the Security Officer if you want to re-initialize t

Re: Re: [Opendnssec-user]Problem with ods-signerd and softhsm slot error

> 0:/var/opendnssec/kasp.db > 1:/var/opendnssec/slot1.db > or > 0:/home/test/slot0 > 1:/var/opendnssec/slot1.db > I confused which is the right one, maybe the problem is that I fetched the > data in a wrong .db file . You can use whatever you want. As long as SoftHSM has R/W privilege on that path

Re: [Opendnssec-user] Increasing signtime until reboot/restart

> For some reason the signing duration keeps increasing and then drops sharply. > We can explain the drops, it is when we restart ods (due to upgrades or > whatever). But why does it increase? (This plot is even before the DNSSEC > domain > explosion in NL, so it does not increase because of an in

Re: [Opendnssec-user]Problem with ods-signerd and softhsm slot error

> That really puzzled me why there was a sudden error with softhsm. > $ softhsm --show-slot > Available slots: > Slot 0 >Token present: yes >Token initialized: no >User PIN initialized: no > initialized:no? I'm sure I use this slot to create keys before this disa

Re: [Opendnssec-user] log whine i do not understand

> color me confused Have you done the second part of the log message? "and use ods-ksmutil key ds-seen when the DS appears in the DNS" The enforcer will not actively query the parent and look for any changes, it is up to the user. // Rickard ___ Opend

[Opendnssec-user] New project manager

Dear OpenDNSSEC users Since 2008, starting with my Master's Thesis on DNSSEC and DKIM, I have been working for .SE. After the thesis I started to develop SoftHSM and in January 2009 I became the project manager of OpenDNSSEC. Then in May 2011 I switched job to Certezza and became an IT Security Co

Re: [Opendnssec-user] 1.4.0a2 crasher

On Wed, May 30, 2012 at 6:21 AM, Paul Wouters wrote: > > I saw another ods-signerd crash. Unfortunately, core dumps did not make > it to disk, due to the OS settings. This has been fixed and hopefully I > can get a full trace when it happens again. So the only limited > information I have is below

Re: [Opendnssec-user] Re: softHSM : export/import or backup/restore question

>> So, what is the best solution to move an existing token (database) to a new > system? > > Hello > > I have the same problem. > > have you resolve it now ? You can find it in the documentation or in the readme: https://wiki.opendnssec.org/display/SoftHSMDOCS/SoftHSM+Documentation+Home#SoftHSMDo

Re: [Opendnssec-user] DelegationSignerSubmitCommand key identification

> It should be fairly rare to have a tag conflict for two keys on *one* zone, > no ? 1 / 65536 // Rickard ___ Opendnssec-user mailing list Opendnssec-user@lists.opendnssec.org https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Re: [Opendnssec-user] DelegationSignerSubmitCommand key identification

> I am trying to set up automatic KSK rollover with OpenDNSSEC. If I use > DelegationSignerSubmitCommand option > for starting my external program, I am missing any information about key > identifier relating to DNSKEY record, > that should be subsequently used for key ds-seen. Although there is >

Re: [Opendnssec-user] OpenDNSSEC with AEP Keyper

> 2) ods-ksmutil key generate --policy=lab --interval P30D Just a comment: You do not need to generate the keys manually, OpenDNSSEC will do that for you (on the fly). But perhaps you do want to pre-generate keys, then this is the correct thing to do. // Rickard __

Re: [Opendnssec-user] More segfaults in ods-ksmutil!

> This bug (or at least one that looks very much like it) has been fixed > in version 1.3.8 . The release of this version is imminent, so hopefully > you will have a fix very soon. Sander: Was it fixed? // Rickard ___ Opendnssec-user mailing list Opendn

Re: [Opendnssec-user] SSL error "error is (1:113)" for enforcerd and signerd

> I have the following questions: > - - With respect to the signing proces: is this a harmless error? > - - Is this error related to the recent upgrade of openssl? OpenDNSSEC 1.3 does not rely on OpenSSL. Could this be log messages from the HSM-library? A loaded library will log using the same sy

Re: [Opendnssec-user] Segfaults in ods-ksmutil, part 2

> This trace looks exactly like the one i had back in february. > Please advise if more information is needed. What version of SoftHSM are you running? SoftHSM 1.3.2 contains: * Fix the destruction order of the Singleton objects // Rickard ___ Opendnss

Re: [Opendnssec-user] Different Default signature validity versus Denial signature validity

> Reading RFC 4641bis version 11, section 4.4.2.3 mentions why it's a good > idea to have different lifetimes, but it's not very strong about it. Is > still a good idea to have a different policy? I understand that policy > decisions are local and different lifetimes can be avoided by using the > s

Re: [Opendnssec-user] ods-signer broken for reverse classless delegations :)

> The issue here is that the zone name is used as an unique internal > identifier. Created a feature request for this, OPENDNSSEC-232. The Signer Engine has been fixed in r6244 for 1.3 branch and trunk. (The Auditor still have this error) // Rickard ___

Re: [Opendnssec-user] Solved: checking for Botan >= v1.8.0 ... no

> I just ran into this again and did some diving. Turns out it's a little > obscure error that configure didn't catch before this. > > It looks like the configure check for g++ is broken, and it mistakenly > thinks you have it installed. Then when it uses that in the botan check, > things break and

Re: [Opendnssec-user] Just getting started - configure softhsm

> Just getting started. I'm installing softhsm right now and when I typed > ./configure I got this > > checking for Botan >= v1.8.0 ... no If Botan is e.g. located here /my/path/lib/libbotan... Try ./configure --with-botan=/my/path/ // Rickard ___ Ope

Re: [Opendnssec-user] SmartCard-HSM as key store for DNSSEC

> We've designed a secure key store called SmartCard-HSM that implements > secure generation, storage and use of asymmetric keys in a CC evaluated > smart card (see flyer at [1]). What CC Protection Profile have you evaluated against? Is there any plan to also be FIPS 140-2 certified? Many custome

Re: [Opendnssec-user] `*** glibc detected *** /usr/sbin/ods-signerd: munmap_chunk(): invalid pointer: 0x0000000001100fe0 ***

2012/3/25 Bas van den Dikkenberg : > I cant start sigener i get this messages: Please file a bug report here: http://bugs.opendnssec.org/ Also include information like which version of OpenDNSSEC and OS you are running. // Rickard ___ Opendnssec-user m

Re: [Opendnssec-user] Problem with ods-signer - 1.3.6

On Wed, Mar 14, 2012 at 8:23 AM, denethorr wrote: >>In my experience this usually indicates that the >>ods-enforcerd process is not running. Can you confirm if this is the >>case here? (This has nothing to do with the signer though.) > > ods-signerd is running. Jan, Sion asked about the ods-enfor

Re: [Opendnssec-user] ods-signer broken for reverse classless delegations :)

> This same issue got in my way when I tried to set up split-horizon DNS. > In a split-horizon situation one would want to maintain two seperate > zone-files that share a name. The issue here is that the zone name is used as an unique internal identifier. Created a feature request for this, OPENDN

Re: [Opendnssec-user] ods-signer broken for reverse classless delegations :)

>>> Mar 14 16:31:22 nohats ods-signerd: [tools] unable to copy zone input file >>> 64/25.157.10.76.in-addr.arpa: Unable to open file >> >> The problem is that the forward slash is not allowed in a file name. > > And the Signer Engine uses the zone name directly. I have created OPENDNSSEC-231 in th

  1   2   3   4   >