[Opendnssec-develop] Re: hsmbully considered harmful?
jakob at kirei.se
Tue Aug 18 08:31:06 UTC 2009
On 18 aug 2009, at 10.14, Rick van Rein wrote:
> That's as good as saying "don't use this tool". If there is any
> we should specify in detail what it is, rather than use subjective
> Has the speedtester been designed as an exhaustive PKCS #11 test?
no, it has been designed to test the parts of PKCS#11 that OpenDNSSEC
> If so, we have duplicate code and one can go. If not, then there
> is an added value for hsmbully.
there is definately value for hsmbully. however, if a HSM doesn't work
with hsmbully doesn't mean it doesn't work with OpenDNSSEC. for
OpenDNSSEC, the hsmutil code might be better.
> If an HSM cracks on any PKCS #11 call, it's a bad implementation,
> it's as simple as that. I know it's human nature, and often correct,
> to blame the new code, but really, this sounds to me like a broken
the sca6000 is broken as you should never be able to crash a machine
from userland. still, it is a very widespread and well known HSM.
> I make no bypass calls to anything that is not PKCS #11, after all.
> People should be warned about those instead of about a tool testing
We've all weard the joke; Hey Doc, it hurts when I do this. and the
doctor says; Then don't do that!
having said that, we should of course report this bug to Sun so it can
> These are calls inside the PKCS #11 implementation, right? You --
> cut-- so
> I cannot be sure, but these labels are not mine.
> The Initiation Test surely is a devious one, trying to bypass loging
> and such. I am getting the impression that we bypassed a thing that
> is not
> welcomed by this PKCS #11 implementation.
> This is not new to me, by the way (except for the boldness of actually
> crashing). PKCS #11 implementations rarely live up to spec. I'd
> that HSM's (from Sun) would be better.
> Could I have access to this machine, and try myself?
the problem is that when it crashes it reboots, so I'd rather not
continue testing on this machine - it is the main development machine
for the project. I think we should let Sun debug this for us.
More information about the Opendnssec-develop