[Opendnssec-user] Signer stuck after migration from 32-bit to 64-bit

Rickard Bellgrim rickard at opendnssec.org
Tue Jan 24 12:58:25 UTC 2012


>> The database for SoftHSM is storing the PKCS#11 attributes as a binary
>> string. The PKCS#11 CK_ULONG is different on 32-bit and 64-bit. Thus a
>> problem to move the database between the two architectures.
>
> Would it be possible to make this more portable? Like picking the same length
> for all architectures, or at least storing the length in the database and preparing
> a convert tool.

The PKCS#11 API is not portable. The problem is that the information
is saved in PKCS#11 format and not in an intermediate format. Also,
the code for fetching the information has no knowledge about the
various attributes; it only matches the incoming request with what is in
the database. The user sends in an empty template which SoftHSM fills
in. Something to think about in SoftHSM v2.

>> I would suggest to migrate the keys using the key export/import
>> functionality in the softhsm tool.
>
> I tried, but the import is crying about a missing label and I was clueless
> how to export the labels (or even print them) using the softhsm (or ods-hsmutil)
> tool.

OpenDNSSEC sets the label to the text version of the CKA_ID, but it is
not used. So you can set it to whatever you want when importing it. The
important information is the CKA_ID.

Export the key you have in the signconf:
sudo softhsm --slot 0 --pin 1234 --export key.pem --id 1e71b7ccea75aca4ca7106fb94e4c275

Import the key:
sudo softhsm --slot 0 --pin 1234 --import key.pem --label "Any label" --id 1e71b7ccea75aca4ca7106fb94e4c275

// Rickard
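The thread above describes why a SoftHSM v1 database written on a 32-bit host cannot simply be read on a 64-bit host: CK_ULONG attribute values are stored as raw native bytes, and the reader has no per-attribute knowledge of their width. The following Python script is an added illustration written for this page, not SoftHSM's code or its real database layout. It models "one raw blob per attribute", shows the width mismatch, and sketches the kind of width-aware convert tool the quoted suggestion asks for. The attribute and object constants are genuine PKCS#11 values; the row layout, the `ULONG_ATTRS` set and the sample CKA_ID template are constructed for the example.

```python
import struct

# Genuine PKCS#11 constants (CKA_* attribute types, CKO_/CKK_ object and key types).
CKA_CLASS = 0x0000
CKA_KEY_TYPE = 0x0100
CKA_ID = 0x0102
CKO_PRIVATE_KEY = 0x0003
CKK_RSA = 0x0000

# Constructed for this example: which attribute types carry a CK_ULONG value.
# A width-aware converter needs exactly this knowledge; the thread notes that
# the SoftHSM v1 fetch path only copies blobs back into the caller's template.
ULONG_ATTRS = {CKA_CLASS, CKA_KEY_TYPE}


def encode_ulong(value, word_size):
    """Serialize a CK_ULONG as a native little-endian process would: 4 or 8 bytes."""
    fmt = "<I" if word_size == 4 else "<Q"
    return struct.pack(fmt, value)


def decode_ulong(blob, word_size):
    """Read a CK_ULONG back; refuse blobs of the wrong width instead of misreading them."""
    fmt = "<I" if word_size == 4 else "<Q"
    if len(blob) != word_size:
        raise ValueError(f"attribute blob is {len(blob)} bytes, expected {word_size}")
    return struct.unpack(fmt, blob)[0]


def store_template(template, word_size):
    """Model one database row per attribute: (attribute type, raw bytes).
    CK_ULONG attributes are written at the native width of the storing process."""
    rows = []
    for attr_type, value in template:
        if attr_type in ULONG_ATTRS:
            rows.append((attr_type, encode_ulong(value, word_size)))
        else:
            rows.append((attr_type, bytes(value)))
    return rows


def load_template(rows, word_size):
    """Read rows back on a process whose CK_ULONG is word_size bytes wide."""
    out = []
    for attr_type, blob in rows:
        if attr_type in ULONG_ATTRS:
            out.append((attr_type, decode_ulong(blob, word_size)))
        else:
            out.append((attr_type, blob))
    return out


def convert_rows(rows, from_word, to_word):
    """Hypothetical convert tool: re-encode CK_ULONG attributes from one width to another.
    Byte-string attributes such as CKA_ID are architecture-independent and pass through."""
    converted = []
    for attr_type, blob in rows:
        if attr_type in ULONG_ATTRS:
            converted.append((attr_type, encode_ulong(decode_ulong(blob, from_word), to_word)))
        else:
            converted.append((attr_type, blob))
    return converted


if __name__ == "__main__":
    # Constructed sample: an RSA private key whose CKA_ID is the one quoted in the thread.
    template = [
        (CKA_CLASS, CKO_PRIVATE_KEY),
        (CKA_KEY_TYPE, CKK_RSA),
        (CKA_ID, bytes.fromhex("1e71b7ccea75aca4ca7106fb94e4c275")),
    ]
    rows_32 = store_template(template, 4)        # written on a 32-bit host
    try:
        load_template(rows_32, 8)                # read on a 64-bit host
    except ValueError as err:
        print("direct 64-bit read fails:", err)
    rows_64 = convert_rows(rows_32, 4, 8)        # width-aware migration
    print("after conversion:", load_template(rows_64, 8) == template)
```

The key/import route recommended in the reply sidesteps this entirely: PEM carries the key material and the CKA_ID is supplied on the command line, so no native-width attribute blob ever crosses the architecture boundary.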


