<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
span.code-keyword
{mso-style-name:code-keyword;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:712924344;
mso-list-type:hybrid;
mso-list-template-ids:-2006708726 184193882 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:2;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Hello again DNSSEC wizards,<o:p></o:p></p>
<p class=MsoNormal>First, I would again like to thank those who helped me get
the latest SoftHSM installed on my test box. FWIW, I believe it is
acceptable that folks building from the SVN trunk must have the autoconf/automake/libtools
installed. Of course, since the RC2 release has been made available,
these tools are not necessary to configure/make/install, since they are
included in the tar bundle.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I’m now hoping to test the storage of actual DNSSEC
keys in the SoftHSM, and of course, use those keys to sign zones.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I am not a security engineer, and unfortunately, I don’t
have access to much in the way of expertise in the security (specifically
OpenSSL) area. I’m honestly still struggling with the difference between
a PKCS11 *<b>engine</b>* and a PKCS11 *<b>module</b>* and where OpenCryptoki
fits into the mix (if at all). I would gladly welcome any links,
references, etc that I should read to help me understand this space better.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>My test box is RHEL5, and I’ve now installed the
following software on this box:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>Botan 1.6.2<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>SQLite 3.6.16<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>SoftHSM 1.0.0-RC2<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>Libp11 (from OpenSC)<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>Engine_pkcs11 (from OpenSC)<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>OpenCryptoki 2.2.7<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>BIND 9.6.1 (./configure --with-openssl=/usr/local/ssl <b>--with-pkcs11</b>)<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The contents of my /usr/local/etc/softhsm.conf file looks as
follows:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>#
softHSM configuration file<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>0:/var/softhsm/slot0.db<o:p></o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I’ve initialized a token in slot0 with the following
command:<o:p></o:p></p>
<p class=MsoNormal>softhsm --init-token --slot 0 --label "Test token
1" (with SO and user password ‘foobar’)<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I’ve added the following to the end of my openssl.cnf
file:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>openssl_conf
= openssl_def<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>[openssl_def]<o:p></o:p></p>
<p class=MsoNormal>engines = engine_section<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>[engine_section]<o:p></o:p></p>
<p class=MsoNormal>pkcs11 = pkcs11_section<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>[pkcs11_section]<o:p></o:p></p>
<p class=MsoNormal>engine_id = pkcs11<o:p></o:p></p>
<p class=MsoNormal>#dynamic_path = /usr/local/lib/engines/engine_pkcs11.so<o:p></o:p></p>
<p class=MsoNormal>SO_PATH = /usr/local/lib/engines/engine_pkcs11.so<o:p></o:p></p>
<p class=MsoNormal>MODULE_PATH = /usr/local/lib/libsofthsm.so<o:p></o:p></p>
<p class=MsoNormal>PIN = foobar<o:p></o:p></p>
<p class=MsoNormal>init = 0<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>This is where I get lost. I’m really not sure if
the MODULE_PATH should point to the libsofthsm shared library? If not,
what should this be?<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I’m further confused by the README.pkcs11 file that
accompanies BIND 9.6.1, which states the following:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-left:.5in'>OpenSSL Engines<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoNormal style='margin-left:.5in'>With PKCS#11 support the PKCS#11
engine is statically loaded but at its<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'>initialization it dynamically loads
the PKCS#11 objects.<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'>Even the pre commands are therefore
unused they are defined with:<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'> SO_PATH:<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'> define: PKCS11_SO_PATH<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'> default:
/usr/local/lib/engines/engine_pkcs11.so<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'> MODULE_PATH:<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'> define:
PKCS11_MODULE_PATH<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'> default:
/usr/lib/libpkcs11.so<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'>Without PKCS#11 support, a specific
OpenSSL engine can be still used<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'>by defining ENGINE_ID at compile
time.<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoNormal>I read this several times, and I’m still not sure if I
understand it. However, I *<b>think</b>* that this means that the values
in my openssl.cnf file don’t apply to BIND and the associated BIND tools,
because the PKCS#11 engine is statically linked? In any case, only the
SO_PATH is consistently set to the ‘engine_pkcs11.so’ library,
where all of the examples I’ve seen have different values for the
MODULE_PATH, which I thought should be the libsofthsm.so?<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Also, the ‘contrib/pkcs11’ folder of the BIND distribution
includes “a set of utilities that when used together create rsa keys in a
PKCS11 keystore”. Do I need to use these tools to store keys in the
SoftHSM? If not how do I actually generate keys and put them into the
SoftHSM? I see here <a
href="http://trac.opendnssec.org/wiki/SoftHSM/Install">http://trac.opendnssec.org/wiki/SoftHSM/Install</a>
how to *<b>import</b>* keys from a .pem file format, but shouldn’t I be
able to just generate keys and store them directly?<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Finally, whenever I try to run the BIND tools dnssec-keyfromlabel
or dnssec-keygen, I get the following error:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>./dnssec-keyfromlabel -a RSASHA1 -l foobar joe<o:p></o:p></p>
<p class=MsoNormal>dst_api.c:209: fatal error: RUNTIME_CHECK(dst_initialized ==
isc_boolean_true) failed<o:p></o:p></p>
<p class=MsoNormal>Aborted<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I don’t know what the source of this problem is.
Perhaps it is just that my binaries are not correct, but I suspect that I don’t
have something configured/aligned correctly, and that is what generates the
error.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I guess I’m hoping that the folks on this mailing list
have pieced all these things together somewhere along the way, and actually
signed zones using keys in the SoftHSM. I’d like to get to the same
point, and I would greatly appreciate any pointers that you can provide. I’m
perfectly okay with a response like “go read these pages/books/links and
then come back with any questions”.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Clearly, I am a newbie at all of this, so please be gentle
;-)<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Best regards,<o:p></o:p></p>
<p class=MsoNormal>Greg Rabil<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:navy;layout-grid-mode:line'>A. Gregory Rabil | Lead Software Architect |
BT Diamond IP | <o:p></o:p></span></p>
<p class=MsoNormal><span lang=PT-BR style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:navy;layout-grid-mode:line'>Tel: +1 (610) 423-4770 | Fax: +1 (610)
423-4774 | <a href="mailto:Greg.Rabil@bt.com"><span style='color:blue'>Greg.Rabil@bt.com</span></a>
| <u><a href="http://bt.diamondip.com"><span style='font-size:11.0pt;
color:blue'>http://bt.diamondip.com</span></a> </u> <o:p></o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";
layout-grid-mode:line'>This electronic message contains information from BT
INS, Inc, which may be privileged <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";
layout-grid-mode:line'>or confidential. The information is intended for
use only by the individual(s) or entity named above. If you <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";
layout-grid-mode:line'>are not the intended recipient, be aware that any
disclosure, copying, distribution or use of the contents of <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";
layout-grid-mode:line'>this information is strictly prohibited. If you
have received this electronic message in error, please notify<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";
layout-grid-mode:line'>me by telephone or email (to the number or email address
above) immediately.<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:1.5in'><span style='font-size:8.0pt;
font-family:"Verdana","sans-serif";layout-grid-mode:line'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";
layout-grid-mode:line'>Activity and use of the BT INS, Inc e-mail system
is monitored to secure its effective <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";
layout-grid-mode:line'>operation and for other lawful business purposes.
Communications using this system will also be monitored<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";
layout-grid-mode:line'>and may be recorded to secure effective operation and
for other lawful business purposes.<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:1.5in'><span style='font-size:4.0pt;
font-family:"Verdana","sans-serif";color:blue;layout-grid-mode:line'><o:p> </o:p></span></p>
<p class=MsoNormal style='mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:
5.0pt;margin-left:0in;text-autospace:none'><span style='font-size:8.0pt;
font-family:"Verdana","sans-serif";color:gray;layout-grid-mode:line'>BT INS
Inc, </span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";
color:gray'>1600 Memorex Drive, Suite 200, Santa Clara California 95050-2842
,United States<o:p></o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>