[Opendnssec-user] Signer cannot find key

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Nov 30 14:38:12 UTC 2010


On 30 nov 2010, at 11.22, Gilles Massen wrote:

> As a follow-up to this issue:
> 
>> ods-signerd: could not find key fc477155ce7eeff5eeb9e67fb47a9492
> 
> The problem seems to be related to the working of the PKCS11 provider.
> What happens is that "ods-ksmutil key generate" starts a process to have
> the HSM create keys (via PKCS#11). This works, but the process
> ods-signer (which has been started before the key generation) is not
> seeing the newly generated keys (C_FindObjects gets no result). As the
> signer is remaining within its PKCS11 session I don't know if that's
> expected or not.
> 
> Stopping/starting the signer fixes this.
> 
> It is unclear to me if OpenDNSSEC could or should address this, or if
> it's rather a PKCS11 provider implementation fault. Comments would be
> most welcome...

Yes, they are doing it wrong. Two applications should be able to access token objects created by the other application (if they have the correct credentials) without having the need to re-initialize the library.

See "6.7.7 Example of use of sessions" in: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf

// Rickard
