[Opendnssec-develop] SoftHSM with BIND dnssec-key* utilities
Rickard Bondesson
rickard.bondesson at iis.se
Thu Jul 16 07:51:46 UTC 2009
> Hello again DNSSEC wizards,
Hi Greg
> I am not a security engineer, and unfortunately, I don’t have
> access to much in the way of expertise in the security
> (specifically OpenSSL) area. I’m honestly still struggling
> with the difference between a PKCS11 *engine* and a PKCS11
> *module* and where OpenCryptoki fits into the mix (if at
> all). I would gladly welcome any links, references, etc that
> I should read to help me understand this space better.
An engine can provide OpenSSL with cryptographic functionality. So that you can switch the engine in "your car" for a faster one. A PKCS#11 engine then provides OpenSSL the cryptographic operations via an HSM. A PKCS#11 module is the library that your application links against, so you can talk to the HSM. OpenSSL -> Engine -> Module -> HSM
OpenCryptoki should not be confused with Cryptoki, which is the name of the PKCS#11 API.
OpenCryptoki is open source software, a PKCS#11 module, that can provide a PKCS#11 interface for different HSMs (not all of them have their own complete PKCS#11 module), e.g. IBM cryptographic hardware, Sun SCA600, and a soft token for testing.
Info from OpenDNSSEC
http://trac.opendnssec.org/wiki/HSM
http://trac.opendnssec.org/wiki/PKCS11
Wikipedia summary
http://en.wikipedia.org/wiki/PKCS11
PKCS#11 Documentation
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20a3.pdf
Engine PKCS#11
http://www.opensc-project.org/engine_pkcs11/
> # softHSM configuration file
> #
> 0:/var/softhsm/slot0.db
>
> I’ve initialized a token in slot0 with the following command:
>
> softhsm --init-token --slot 0 --label "Test token 1" (with
> SO and user password ‘foobar’)
Looks ok.
> I’ve added the following to the end of my openssl.cnf file:
>
> openssl_conf = openssl_def
>
> [openssl_def]
> engines = engine_section
>
> [engine_section]
> pkcs11 = pkcs11_section
>
> [pkcs11_section]
> engine_id = pkcs11
> #dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
> SO_PATH = /usr/local/lib/engines/engine_pkcs11.so
> MODULE_PATH = /usr/local/lib/libsofthsm.so
> PIN = foobar
> init = 0
>
> This is where I get lost. I’m really not sure if the
> MODULE_PATH should point to the libsofthsm shared library?
> If not, what should this be?
I have tried with:
dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
And not the SO_PATH, but got it working with OpenSSL.
Yeah, MODULE_PATH should point to libsofthsm.so
You can read more on:
http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart
> I’m further confused by the README.pkcs11 file that
> accompanies BIND 9.6.1, which states the following:
>
> OpenSSL Engines
>
> With PKCS#11 support the PKCS#11 engine is statically loaded
> but at its initialization it dynamically loads the PKCS#11 objects.
> Even the pre commands are therefore unused they are defined with:
>   SO_PATH:
>     define: PKCS11_SO_PATH
>     default: /usr/local/lib/engines/engine_pkcs11.so
>   MODULE_PATH:
>     define: PKCS11_MODULE_PATH
>     default: /usr/lib/libpkcs11.so
> Without PKCS#11 support, a specific OpenSSL engine can be still used
> by defining ENGINE_ID at compile time.
>
> I read this several times, and I’m still not sure if I
> understand it. However, I *think* that this means that the
> values in my openssl.cnf file don’t apply to BIND and the
> associated BIND tools, because the PKCS#11 engine is
> statically linked? In any case, only the SO_PATH is
> consistently set to the ‘engine_pkcs11.so’ library, where all
> of the examples I’ve seen have different values for the
> MODULE_PATH, which I thought should be the libsofthsm.so?
I think they mean that the engine is statically loaded (because they are using SO_PATH), but the module is dynamically loaded on the fly. Yeah, module path is the location of the PKCS#11 module you want to use.
> Also, the ‘contrib/pkcs11’ folder of the BIND distribution
> includes “a set of utilities that when used together create
> rsa keys in a PKCS11 keystore”. Do I need to use these tools
> to store keys in the SoftHSM? If not how do I actually
> generate keys and put them into the SoftHSM? I see here
> http://trac.opendnssec.org/wiki/SoftHSM/Install how to
> *import* keys from a .pem file format, but shouldn’t I be
> able to just generate keys and store them directly?
I do not actually know how Bind creates its keys, but it could be the case that you must use their tools. Their tools then call the PKCS#11 functions and create a key that way.
From my point of view you only need to call the PKCS#11 functions in the libsofthsm, the tools are just there to give you a quick command line utility. You can always use the C_CreateObject function to create an object in SoftHSM (if you are writing your own software). But you need the softhsm tool, if you want to extract the keys. Because I take them directly from the database, thus bypassing any PKCS#11 extraction rules (you can specify that a key should not be extractable via the PKCS#11 interface).
You can always play around with "pkcs11-tool" that comes with OpenSC that you have installed.
> Finally, whenever I try to run the BIND tools
> dnssec-keyfromlabel or dnssec-keygen, I get the following error:
>
> ./dnssec-keyfromlabel -a RSASHA1 -l foobar joe
> dst_api.c:209: fatal error: RUNTIME_CHECK(dst_initialized ==
> isc_boolean_true) failed
> Aborted
>
> I don’t know what the source of this problem is. Perhaps it
> is just that my binaries are not correct, but I suspect that
> I don’t have something configured/aligned correctly, and that
> is what generates the error.
Sorry, I haven't tried to run Bind with Engine PKCS#11.
> I guess I’m hoping that the folks on this mailing list have
> pieced all these things together somewhere along the way, and
> actually signed zones using keys in the SoftHSM. I’d like to
> get to the same point, and I would greatly appreciate any
> pointers that you can provide. I’m perfectly okay with a
> response like “go read these pages/books/links and then come
> back with any questions”.
I tried the Engine PKCS#11 some months ago, but it had some bugs in it. Perhaps they are fixed by now. Hopefully everything will go well for you.
// Rickard
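An added example, not code from this thread nor from OpenSSL, OpenSC or SoftHSM: a POSIX shell script that wires up the chain described above (OpenSSL -> engine_pkcs11 -> libsofthsm -> token) with the paths and PIN quoted in the thread, generates the key pair inside the token instead of importing a PEM, and checks that OpenSSL can sign and verify through the engine. It assumes the SoftHSM v1 `softhsm` CLI with `--so-pin`/`--pin`, OpenSC's `pkcs11-tool`, the engine section with `dynamic_path` (which is what was reported to work), and engine_pkcs11's legacy `slot_0-id_01` key reference; all paths are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenSSL, OpenSC or SoftHSM.
# Exercises OpenSSL -> engine_pkcs11 -> libsofthsm -> token with the paths
# and PIN quoted in the thread. All paths are assumptions: adjust them.
ENGINE_SO=${ENGINE_SO:-/usr/local/lib/engines/engine_pkcs11.so}
MODULE_SO=${MODULE_SO:-/usr/local/lib/libsofthsm.so}
PIN=${PIN:-foobar}

# Engine section as it was reported to work: dynamic_path rather than SO_PATH.
write_openssl_cnf() {
  cat > "$1" <<EOF
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE_SO
PIN = $PIN
init = 0
EOF
}

# Returns 2 if tools/libraries are missing, 1 on failure, 0 if sign + verify succeed.
softhsm_sign_roundtrip() {
  for t in softhsm pkcs11-tool openssl; do
    command -v "$t" >/dev/null 2>&1 || return 2
  done
  [ -r "$ENGINE_SO" ] && [ -r "$MODULE_SO" ] || return 2
  work=$(mktemp -d) || return 1
  write_openssl_cnf "$work/openssl.cnf"
  # Same init as in the thread (SoftHSM v1 CLI, SO and user PIN both 'foobar');
  # slot 0 must be listed in softhsm.conf.
  softhsm --init-token --slot 0 --label "Test token 1" --so-pin "$PIN" --pin "$PIN" || return 1
  # The key pair is generated inside the token by the module; nothing is imported from PEM.
  pkcs11-tool --module "$MODULE_SO" --login --pin "$PIN" --keypairgen \
    --key-type rsa:2048 --id 01 --label zsk || return 1
  echo "example zone data" > "$work/msg"
  # slot_0-id_01 is engine_pkcs11's legacy key reference: slot index 0, CKA_ID 0x01.
  OPENSSL_CONF="$work/openssl.cnf" openssl dgst -sha256 -engine pkcs11 -keyform engine \
    -sign slot_0-id_01 -out "$work/sig" "$work/msg" || return 1
  OPENSSL_CONF="$work/openssl.cnf" openssl dgst -sha256 -engine pkcs11 -keyform engine \
    -verify slot_0-id_01 -signature "$work/sig" "$work/msg"
}

# Run the round trip only when invoked with --run; exit status 2 means "tools not found".
if [ "${1:-}" = "--run" ]; then softhsm_sign_roundtrip; exit $?; fi
```

Run it as `sh softhsm-roundtrip.sh --run`; an exit status of 2 means the tools or libraries were not found at the assumed paths, so nothing was touched.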