[Opendnssec-user] Key not found

David Peall david at dnservices.co.za
Wed Jun 11 12:13:19 UTC 2014


Hi Rickard

I appreciate the help.

It's not timing, as the key can be pulled before; it seems that the request for the CKO_PRIVATE_KEY is failing.

2014-06-11 13:59:41 [4212] t002747eb417f0000: pkcs11: 000008DA >    CKA_CLASS:  CKO_PRIVATE_KEY
vs
2014-06-11 13:57:01 [4252] t40978d224f7f0000: pkcs11: 000008CB >    CKA_CLASS:  CKO_PUBLIC_KEY

Seems to be the issue?

Regards
—
David Peall

On 11 Jun 2014, at 12:57 PM, Rickard Bellgrim <rickard at opendnssec.org> wrote:

> On Wed, Jun 11, 2014 at 12:15 PM, David Peall <david at dnservices.co.za> wrote:
> Here is the log line:
> Jun 11 12:03:41 ods-signerd: [hsm] unable to get key: key 5a4cf5871ef16a77118283e8666f486b not found
> 
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >>   C_FindObjectsInit
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >    hSession 0x000008DB
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >    CKA_CLASS:  CKO_PRIVATE_KEY
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >    CKA_ID
>   pAtt->pValue= 16 bytes
>                                         5a4cf587 1ef16a77 118283e8 666f486b
> 
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    rv 0x00000000 (CKR_OK)
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >>   C_FindObjects
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >    hSession 0x000008DB
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >    phObject 0x7ffff3ac5cd8
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >    ulMaxObjectCount 1
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    *pulObjectCount 0
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    rv 0x00000000 (CKR_OK)
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >>   C_FindObjectsFinal
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >    hSession 0x000008DB
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    rv 0x00000000 (CKR_OK)
> 
> OpenDNSSEC (ods-signerd) is acting correctly because the HSM says that there is no key which matches the search criteria. See the pulObjectCount returned from the HSM above.
> 
> The issue is probably some synchronization problem with the HSM. E.g. object information not propagating fast enough between the two loaded instances of the PKCS#11 library or you are operating an HA-cluster and the object has not been synchronized to the second cluster member. The PKCS#11 library should not return from the key generation function until this has been done.
> 
> // Rickard
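
The trace quoted in this message can be checked mechanically. The following is an added example, not part of the thread or of OpenDNSSEC: it pairs each `C_FindObjectsInit` template in a log of this format with the `*pulObjectCount` the token returned and lists the searches that found nothing. The sample log is constructed, and treating the column after `pkcs11:` as the session key is an assumption.

```python
import re

SAMPLE_LOG = """\
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >>   C_FindObjectsInit
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >    CKA_CLASS:  CKO_PRIVATE_KEY
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >    CKA_ID
  pAtt->pValue= 16 bytes
                                        5a4cf587 1ef16a77 118283e8 666f486b
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >>   C_FindObjects
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    *pulObjectCount 0
2014-06-11 12:03:42 [6670] t0067acf3ff7f0000: pkcs11: 000008DC >>   C_FindObjectsInit
2014-06-11 12:03:42 [6670] t0067acf3ff7f0000: pkcs11: 000008DC >    CKA_CLASS:  CKO_PUBLIC_KEY
2014-06-11 12:03:42 [6670] t0067acf3ff7f0000: pkcs11: 000008DC >    CKA_ID
  pAtt->pValue= 16 bytes
                                        5a4cf587 1ef16a77 118283e8 666f486b
2014-06-11 12:03:42 [6670] t0067acf3ff7f0000: pkcs11: 000008DC >>   C_FindObjects
2014-06-11 12:03:42 [6670] t0067acf3ff7f0000: pkcs11: 000008DC <    *pulObjectCount 1
"""  # constructed sample in the quoted trace format; the CKO_PUBLIC_KEY search is invented

LINE = re.compile(r"^(\S+ \S+) \[\d+\] \S+ pkcs11: (\w+) [<>]+\s+(.*)$")
HEX = re.compile(r"^\s+((?:[0-9a-fA-F]{2,8}\s*)+)$")  # CKA_ID bytes on continuation lines

def find_searches(log):
    """Pair each C_FindObjectsInit template with the count C_FindObjects returned."""
    open_search, done, want_id = {}, [], None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            h = HEX.match(raw)
            if h and want_id in open_search:
                open_search[want_id]["id"] += "".join(h.group(1).split()).lower()
            continue
        ts, sess, body = m.groups()
        want_id = None  # a new log record ends any hex dump in progress
        if body == "C_FindObjectsInit":
            open_search[sess] = {"time": ts, "class": None, "id": "", "count": None}
        elif sess in open_search:
            if body.startswith("CKA_CLASS:"):
                open_search[sess]["class"] = body.split(":", 1)[1].strip()
            elif body == "CKA_ID":
                want_id = sess
            elif body.startswith("*pulObjectCount"):
                done.append({**open_search.pop(sess), "count": int(body.split()[1])})
    return done

def misses(log):
    """Searches the token answered with zero objects, as (class, CKA_ID) pairs."""
    return [(s["class"], s["id"]) for s in find_searches(log) if s["count"] == 0]
```

A key ID that appears in `misses()` for one object class but is found under the other separates a missing or unsynchronized private object from a key that is absent altogether.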
