dnssec-keyfromlabel not working with Debian 12 (bookworm)

Gérard Parat isc.bind at lunique.fr
Mon Dec 4 13:45:39 UTC 2023 

Hi,

I'll follow your advice ans postpone the use of SoftHSM2 for the time being.

Anyway, thanks for your help!

Gérard

Le 04/12/2023 à 14:31, Ondřej Surý a écrit :
> Hi,
>
> the guide was written for OpenSSL 1.1.x and tested with that version
> and the engines support in OpenSSL 3.x is deprecated, so most probably
> something got broken along the way.
>
> Everything works properly with OpenSSL 1.1.x (for example on Ubuntu focal).
>
> There's a new provider for OpenSSL 3.x here:
> https://github.com/latchset/pkcs11-provider
>
> The catch is that OpenSSL Provider can't really be used with SoftHSM 2,
> because that SoftHSM2 is itself broken when used with providers:
> https://github.com/latchset/pkcs11-provider/discussions/68#discussioncomment-3860124
>
> You can try using /usr/lib/x86_64-linux-gnu/libsoftokn3.so <http://libsoftokn3.so/> from libnss3 as PKCS#11 library
> instead of SoftHSM2, but unless you have a specific reason to use PKCS#11 I would
> suggest to simply avoid it until the dust settles.
>
> Adding SoftHSM2 on top of BIND 9 doesn't really increase security as the user under named
> runs has to have access to the private key data anyway.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
>> On 4. 12. 2023, at 0:43, Gérard Parat via bind-users <bind-users at lists.isc.org> wrote:
>>
>> Hi,
>>
>> Weird behavior with /opt/bind9/etc/openssl.cnf.
>>
>> The only difference with /etc/ssl/openssl.cnf is the pkcs11 engine:
>>
>> [openssl_init]
>>
>> engines=engine_section
>>
>> [engine_section]
>>
>> pkcs11 = pkcs11_section
>>
>> [pkcs11_section]
>>
>> engine_id = pkcs11
>>
>> dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>>
>> MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
>>
>> init = 0
>>
>> For example, dig is not working with environment variable OPENSSL_CONF:
>>
>> $ dig www.internet.nl +short
>> 04-Dec-2023 00:39:24.280 EVP_PKEY_fromdata_init failed (crypto failure)
>> 04-Dec-2023 00:39:24.280 error:03000096:digital envelope routines::operation not supported for this keytype:../crypto/evp/pmeth_gn.c:354:
>> dig: dst_lib_init: crypto failure
>>
>> It works if OPENSSL_CONF is undefined:
>>
>> $ OPENSSL_CONF= dig www.internet.nl +short
>> proloprod.internet.nl.
>> 62.204.66.10
>>
>> Issue seems wider than only relative to dnssec-keyfromlabel.
>>
>> Gérard
>>
>> Le 03/12/2023 à 18:40, Gérard Parat via bind-users a écrit :
>>> Hi,
>>>
>>> I used this tutorial as reference to setup DNSSEC with SoftHSM2:
>>> https://kb.isc.org/docs/bind-9-pkcs11
>>>
>>> I installed the Debian package instead of building libp11:
>>> libengine-pkcs11-openssl:amd64        0.4.12-0.1
>>>
>>> It works until reaching this command:
>>> $ dnssec-keyfromlabel \
>>> -E pkcs11 \
>>> -a RSASHA256 \
>>> -l "token=bind9object=example.net-ksk" \
>>> -f KSK example.net
>>> dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure
>>>
>>> Trying directly from OpenSSL works:
>>> $ openssl pkey \
>>> -in "pkcs11:token=bind9;object=example.net-ksk" \
>>> -inform ENGINE \
>>> -engine pkcs11 \
>>> -text \
>>> -pubin
>>> Engine "pkcs11" set.
>>> -----BEGIN PUBLIC KEY-----
>>> MIG/MA0GCSqGSIb3DQEBAQUAA4GtADCBqQKBoQCmhO41MX09L/BiJiU7ygXt6D7J
>>> ujmZFMBB7tb/LJBazNp+Xd5TLHZvp1MxFBBW39swTU6oynLnp8IOIuWQNap6kyQ5
>>> hkGusvZ/JsrwHLZ1phPBKsdEd2ClB9EfF+ReabhXRVbqrw9yz22mLdlajmkLTx2d
>>> V6EsjJue+aSX1nxFmna6qNrZBA5ifClpKH7R/0ztQb1RlYA11RG1RGrsRSJnAgMB
>>> AAE=
>>> -----END PUBLIC KEY-----
>>> RSA Public-Key: (1280 bit)
>>> Modulus:
>>>      00:a6:84:ee:35:31:7d:3d:2f:f0:62:26:25:3b:ca:
>>>      05:ed:e8:3e:c9:ba:39:99:14:c0:41:ee:d6:ff:2c:
>>>      90:5a:cc:da:7e:5d:de:53:2c:76:6f:a7:53:31:14:
>>>      10:56:df:db:30:4d:4e:a8:ca:72:e7:a7:c2:0e:22:
>>>      e5:90:35:aa:7a:93:24:39:86:41:ae:b2:f6:7f:26:
>>>      ca:f0:1c:b6:75:a6:13:c1:2a:c7:44:77:60:a5:07:
>>>      d1:1f:17:e4:5e:69:b8:57:45:56:ea:af:0f:72:cf:
>>>      6d:a6:2d:d9:5a:8e:69:0b:4f:1d:9d:57:a1:2c:8c:
>>>      9b:9e:f9:a4:97:d6:7c:45:9a:76:ba:a8:da:d9:04:
>>>      0e:62:7c:29:69:28:7e:d1:ff:4c:ed:41:bd:51:95:
>>>      80:35:d5:11:b5:44:6a:ec:45:22:67
>>> Exponent: 65537 (0x10001)
>>>
>>> Debian 12 (bookworm) use OpenSSL version 3:
>>> libssl3:amd64                         3.0.11-1~deb12u2
>>> openssl                               3.0.11-1~deb12u2
>>>
>>> Installed BIND9 packages:
>>> bind9                                 1:9.18.19-1~deb12u1
>>> bind9-utils                           1:9.18.19-1~deb12u1
>>> bind9-dnsutils                        1:9.18.19-1~deb12u1
>>> bind9-doc                             1:9.18.19-1~deb12u1
>>> bind9-libs:amd64                      1:9.18.19-1~deb12u1
>>> bind9-host                            1:9.18.19-1~deb12u1
>>>
>>> $ dnssec-keyfromlabel -V
>>> dnssec-keyfromlabel 9.18.19-1~deb12u1-Debian
>>>
>>> [pkcs11_section]
>>> engine_id = pkcs11
>>> dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>>> MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
>>> init = 0
>>>
>>> strace file:
>>> https://pasteb.in/?bd9a4ecaca6ece23#E2emtt8zi9t5UsnFJ2QWKVD6ALTkZmKG9656
>>> fuZR3ArX
>>>
>>> It seems to be an API problem or maybe I missed something ?
>>>
>>> Gérard
>> -- 
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list