[Opendnssec-develop] Re: hsmbully considered harmful?

Jakob Schlyter jakob at kirei.se
Tue Aug 18 08:31:06 UTC 2009

On 18 aug 2009, at 10.14, Rick van Rein wrote:

> That's as good as saying "don't use this tool".  If there is any  
> problem
> we should specify in detail what it is, rather than use subjective  
> scary
> terms.

of course.

> Has the speedtester been designed as an exhaustive PKCS #11 test?

no, it has been designed to test the parts of PKCS#11 that OpenDNSSEC  
use currently.

> If so, we have duplicate code and one can go.  If not, then there
> is an added value for hsmbully.

there is definately value for hsmbully. however, if a HSM doesn't work  
with hsmbully doesn't mean it doesn't work with OpenDNSSEC. for  
OpenDNSSEC, the hsmutil code might be better.

> If an HSM cracks on any PKCS #11 call, it's a bad implementation,
> it's as simple as that.  I know it's human nature, and often correct,
> to blame the new code, but really, this sounds to me like a broken  
> HSM.

the sca6000 is broken as you should never be able to crash a machine  
from userland. still, it is a very widespread and well known HSM.

> I make no bypass calls to anything that is not PKCS #11, after all.
> People should be warned about those instead of about a tool testing  
> it?

We've all weard the joke; Hey Doc, it hurts when I do this. and the  
doctor says; Then don't do that!

having said that, we should of course report this bug to Sun so it can  
be fixed.

> These are calls inside the PKCS #11 implementation, right?  You -- 
> cut-- so
> I cannot be sure, but these labels are not mine.


> The Initiation Test surely is a devious one, trying to bypass loging  
> in
> and such.  I am getting the impression that we bypassed a thing that  
> is not
> welcomed by this PKCS #11 implementation.


> This is not new to me, by the way (except for the boldness of actually
> crashing).  PKCS #11 implementations rarely live up to spec.  I'd  
> hoped
> that HSM's (from Sun) would be better.
> Could I have access to this machine, and try myself?

the problem is that when it crashes it reboots, so I'd rather not  
continue testing on this machine - it is the main development machine  
for the project. I think we should let Sun debug this for us.


More information about the Opendnssec-develop mailing list