Using a HSM card to sign zone

Sergio Ramirez sramirez at seciu.edu.uy
Mon Feb 17 18:16:39 UTC 2014



pc1#> /usr/local/ssl/bin/openssl engine
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(LunaCA3) Luna CA3 engine support     
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(padlock) VIA PadLock (no-RNG, no-ACE)
(gost) Reference implementation of GOST engine
pc1#
pc1#/usr/local/ssl/bin/openssl engine LunaCA3 -t
(LunaCA3) Luna CA3 engine support
     [ available ]
pc1# 

In the openssl.cnf we have:
---
[ Openssl_init ]
# Extra OBJECT IDENTIFIER info:
oid_section             = new_oids
engines                 = engine_section

[ engine_section ]
LunaCA3 = luna_section

[ luna_section ]
dynamic_path = /usr/lunapci/lib/libCryptoki2.so
---

Is it required that there is a section labeled 'pkcs11' in order to
use it from bind or the dnssec-* commands?


--
Sergio R.
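As an added example (not from the thread or from BIND/OpenSSL), a small checker that walks the engine wiring in an openssl.cnf the way OpenSSL's ENGINE config module resolves it: the default-section `openssl_conf` key, then the init section's `engines` key, then the engine id inside that section, then the engine's own command section. It assumes an `openssl_conf = Openssl_init` line in the default section, which the snippet above does not show, and runs against a constructed config modelled on that snippet.

```python
import re

# Constructed openssl.cnf modelled on the snippet in the post. The
# "openssl_conf = ..." line is an assumption: it is not in the post, but
# OpenSSL reads it from the default section to find the init section.
SAMPLE_CNF = """\
openssl_conf = Openssl_init

[ Openssl_init ]
engines                 = engine_section

[ engine_section ]
LunaCA3 = luna_section
[ luna_section ]
dynamic_path = /usr/lunapci/lib/libCryptoki2.so
"""

def parse_cnf(text):
    """Minimal openssl.cnf reader: {section: {key: value}}. Keys before the
    first [section] go to "default", as in OpenSSL. No $var or .include."""
    sections = {"default": {}}
    current = sections["default"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"\[\s*(\S+)\s*\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections

def resolve_engine_section(text, engine_id):
    """Follow default.openssl_conf -> <init>.engines -> <engines>.<engine_id>
    -> that engine's command section. Returns (section name, commands) or
    raises ValueError naming the first broken link in the chain."""
    cfg = parse_cnf(text)
    init = cfg["default"].get("openssl_conf")
    if init not in cfg:
        raise ValueError("default section has no usable 'openssl_conf = <section>'")
    eng = cfg[init].get("engines")
    if eng not in cfg:
        raise ValueError("[%s] has no usable 'engines = <section>'" % init)
    sec = cfg[eng].get(engine_id)
    if sec not in cfg:
        raise ValueError("engine id '%s' is not listed in [%s]" % (engine_id, eng))
    # Without dynamic_path here, OpenSSL falls back to ENGINE_by_id() on a
    # built-in engine instead of loading a shared object.
    return sec, cfg[sec]
```

Looking up an id that is not wired (for example 'pkcs11' against this config) raises with the section that lacks it, which is the quickest way to see which name the `-E` option must match.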


----- Original message -----
From: "Alan Clegg" <alan at clegg.com>
To: bind-users at lists.isc.org
Sent: Sunday, 16 February 2014 9:33:21
Subject: Re: Using a HSM card to sign zone

On 2/14/14, 10:43 PM, Sergio Ramirez wrote:
> Hi, 
> 
> We want to sign zones with bind using an HSM Luna PCI Safenet card.
>  
> The command 'dnssec-keyfromlabel' fails:
> 
> # /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l KSK1-testdnssec -f KSK testdnssec.
> dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
> dnssec-keyfromlabel: info: error:2609707D:engine routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
> dnssec-keyfromlabel: info: error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
> dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found
> 
> It was installed on Debian 4 Linux 2.6.18-6-686 server with:
>   - openssl-1.0.0e
>   - patch provided by vendor of the HSM (openssl-lunaca3-patch-1.0.0e.tar.gz)
>   - bind 9.9.2-P1
> 
> ** The commands pkcs11-keygen, pkcs11-list and other pkcs11-* distributed
> with bind, are working OK. ** 
> 
> The key 'KSK1-testdnssec' was generated with pkcs11-keygen command.
> 
> We would like to know if anyone is using this HSM or similar.
> 
> Furthermore we would like to get some guidance to solve this problem.

I'm not familiar with that HSM, but have used both Thales and AEP with
no problem.

Does "openssl engine" show pkcs11?
If so, does "openssl engine pkcs11 -t" show that the engine is available?

Having played with OpenSSL patches over the last few days, I can tell
you that when it works, it works well, but when it fails, you are pretty
much out-of-luck as far as error messages go.  8-\

AlanC

