[Opendnssec-develop] SoftHSM with BIND dnssec-key* utilities

Greg.Rabil at ins.com
Wed Jul 15 22:20:28 UTC 2009


Hello again DNSSEC wizards,
First, I would again like to thank those who helped me get the latest SoftHSM installed on my test box.  FWIW, I believe it is acceptable that folks building from the SVN trunk must have the autoconf/automake/libtools installed.  Of course, since the RC2 release has been made available, these tools are not necessary to configure/make/install, since they are included in the tar bundle.

I'm now hoping to test the storage of actual DNSSEC keys in the SoftHSM, and of course, use those keys to sign zones.

I am not a security engineer, and unfortunately, I don't have access to much in the way of expertise in the security (specifically OpenSSL) area.  I'm honestly still struggling with the difference between a PKCS11 *engine* and a PKCS11 *module* and where OpenCryptoki fits into the mix (if at all).  I would gladly welcome any links, references, etc that I should read to help me understand this space better.

My test box is RHEL5, and I've now installed the following software on this box:


-          Botan 1.6.2

-          SQLite 3.6.16

-          SoftHSM 1.0.0-RC2

-          Libp11 (from OpenSC)

-          Engine_pkcs11 (from OpenSC)

-          OpenCryptoki 2.2.7

-          BIND 9.6.1 (./configure --with-openssl=/usr/local/ssl --with-pkcs11)

The contents of my /usr/local/etc/softhsm.conf file look as follows:

# softHSM configuration file
#
0:/var/softhsm/slot0.db

I've initialized a token in slot0 with the following command:
softhsm --init-token --slot 0 --label "Test token 1"  (with SO and user password 'foobar')


I've added the following to the end of my openssl.cnf file:

openssl_conf            = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
#dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
SO_PATH = /usr/local/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/local/lib/libsofthsm.so
PIN = foobar
init = 0

This is where I get lost.  I'm really not sure if the MODULE_PATH should point to the libsofthsm shared library?  If not, what should this be?

I'm further confused by the README.pkcs11 file that accompanies BIND 9.6.1, which states the following:

OpenSSL Engines

With PKCS#11 support the PKCS#11 engine is statically loaded but at its
initialization it dynamically loads the PKCS#11 objects.
Even the pre commands are therefore unused they are defined with:
 SO_PATH:
   define: PKCS11_SO_PATH
   default: /usr/local/lib/engines/engine_pkcs11.so
 MODULE_PATH:
   define: PKCS11_MODULE_PATH
   default: /usr/lib/libpkcs11.so
Without PKCS#11 support, a specific OpenSSL engine can be still used
by defining ENGINE_ID at compile time.

I read this several times, and I'm still not sure if I understand it.  However, I *think* that this means that the values in my openssl.cnf file don't apply to BIND and the associated BIND tools, because the PKCS#11 engine is statically linked?  In any case, only the SO_PATH is consistently set to the 'engine_pkcs11.so' library, where all of the examples I've seen have different values for the MODULE_PATH, which I thought should be the libsofthsm.so?

Also, the 'contrib/pkcs11' folder of the BIND distribution includes "a set of utilities that when used together create rsa keys in a PKCS11 keystore".  Do I need to use these tools to store keys in the SoftHSM?  If not, how do I actually generate keys and put them into the SoftHSM?  I see here http://trac.opendnssec.org/wiki/SoftHSM/Install how to *import* keys from a .pem file format, but shouldn't I be able to just generate keys and store them directly?

Finally, whenever I try to run the BIND tools dnssec-keyfromlabel or dnssec-keygen, I get the following error:

./dnssec-keyfromlabel -a RSASHA1 -l foobar joe
dst_api.c:209: fatal error: RUNTIME_CHECK(dst_initialized == isc_boolean_true) failed
Aborted

I don't know what the source of this problem is.  Perhaps it is just that my binaries are not correct, but I suspect that I don't have something configured/aligned correctly, and that is what generates the error.

I guess I'm hoping that the folks on this mailing list have pieced all these things together somewhere along the way, and actually signed zones using keys in the SoftHSM.  I'd like to get to the same point, and I would greatly appreciate any pointers that you can provide.  I'm perfectly okay with a response like "go read these pages/books/links and then come back with any questions".

Clearly, I am a newbie at all of this, so please be gentle ;-)

Best regards,
Greg Rabil

A. Gregory Rabil | Lead Software Architect | BT Diamond IP |
Tel: +1 (610) 423-4770 | Fax: +1 (610) 423-4774 | Greg.Rabil at bt.com |  http://bt.diamondip.com
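A check that bears on the MODULE_PATH question in the message above, added here as an illustration and not part of the original post or of SoftHSM, BIND or OpenSC: a PKCS#11 (Cryptoki) module is a shared object that exports C_GetFunctionList, whereas an OpenSSL engine .so such as engine_pkcs11.so does not, so loading the configured path and asking for its function list tells the two roles apart and, for a real module, reports how many slots hold a token. The path /usr/local/lib/libsofthsm.so is the one from the message; the struct layout assumes natural alignment as used by Cryptoki on Linux.

```python
import ctypes
import ctypes.util
CKR_OK = 0  # Cryptoki return code for success

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_FUNCTION_LIST_HEAD(ctypes.Structure):
    # Leading part of CK_FUNCTION_LIST (natural alignment, as on Linux); the real
    # struct continues with many more function pointers that are never touched here.
    _fields_ = [("version", CK_VERSION),
                ("C_Initialize", ctypes.c_void_p), ("C_Finalize", ctypes.c_void_p),
                ("C_GetInfo", ctypes.c_void_p), ("C_GetFunctionList", ctypes.c_void_p),
                ("C_GetSlotList", ctypes.c_void_p)]

CK_ULONG_P = ctypes.POINTER(ctypes.c_ulong)
INIT_T = ctypes.CFUNCTYPE(ctypes.c_ulong, ctypes.c_void_p)  # C_Initialize / C_Finalize
SLOTS_T = ctypes.CFUNCTYPE(ctypes.c_ulong, ctypes.c_ubyte, CK_ULONG_P, CK_ULONG_P)

def probe_pkcs11_module(path):
    """Classify a shared object as 'missing', 'not-pkcs11', 'error' or 'pkcs11'.
    An OpenSSL engine .so has no C_GetFunctionList export and reports 'not-pkcs11';
    a Cryptoki module reports 'pkcs11' with its version and token-present slot count."""
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:
        return ("missing", str(exc))
    if not hasattr(lib, "C_GetFunctionList"):
        return ("not-pkcs11", "no C_GetFunctionList export")
    get_list = lib.C_GetFunctionList
    get_list.restype = ctypes.c_ulong
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST_HEAD))]
    fl = ctypes.POINTER(CK_FUNCTION_LIST_HEAD)()
    rv = get_list(ctypes.byref(fl))
    if rv != CKR_OK:
        return ("error", "C_GetFunctionList returned 0x%x" % rv)
    funcs = fl.contents
    rv = INIT_T(funcs.C_Initialize)(None)  # no threading args, no reserved pointer
    if rv != CKR_OK:
        return ("error", "C_Initialize returned 0x%x" % rv)
    count = ctypes.c_ulong(0)
    rv = SLOTS_T(funcs.C_GetSlotList)(1, None, ctypes.byref(count))  # tokenPresent=TRUE
    INIT_T(funcs.C_Finalize)(None)
    if rv != CKR_OK:
        return ("error", "C_GetSlotList returned 0x%x" % rv)
    return ("pkcs11", "Cryptoki %d.%d, %d slot(s) with a token present"
            % (funcs.version.major, funcs.version.minor, count.value))

def non_pkcs11_library():
    # libc: a shared object that certainly is not a Cryptoki module, for comparison
    return ctypes.util.find_library("c")
```

Running probe_pkcs11_module("/usr/local/lib/libsofthsm.so") on the test box would confirm whether the value given for MODULE_PATH is a Cryptoki module, and the same call on the engine_pkcs11.so path shows why that file belongs in SO_PATH instead.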

