[Opendnssec-user] Key not found
David Peall
david at dnservices.co.za
Thu Jun 12 08:10:35 UTC 2014
Hi
Advice from the HSM provider was to add the following option which disables the cache for C_FIND_OBJECTS:
CKNFAST_ASSUME_SINGLE_PROCESS=0
I no longer get the "key not found" error, but I did get this:
kernel: [ 204.880613] ods-signerd[1364]: segfault at 7f6a00000020 ip 000000000042cb25 sp 00007f6acc628c40 error 4 in ods-signerd[400000+5c000]
Running it in debug now, trying to get you more information, but otherwise it appears to be finding the keys.
Regards
—
David Peall
On 11 Jun 2014, at 2:13 PM, David Peall <david at dnservices.co.za> wrote:
> Hi Rickard
>
> I appreciate the help.
>
> It's not timing, as the key can be pulled before; it seems that the request for the CKO_PRIVATE_KEY is failing.
>
> 2014-06-11 13:59:41 [4212] t002747eb417f0000: pkcs11: 000008DA > CKA_CLASS: CKO_PRIVATE_KEY
> vs
> 2014-06-11 13:57:01 [4252] t40978d224f7f0000: pkcs11: 000008CB > CKA_CLASS: CKO_PUBLIC_KEY
>
> Seems to be the issue?
>
> Regards
> —
> David Peall
>
> On 11 Jun 2014, at 12:57 PM, Rickard Bellgrim <rickard at opendnssec.org> wrote:
>
>> On Wed, Jun 11, 2014 at 12:15 PM, David Peall <david at dnservices.co.za> wrote:
>> Here is the log line:
>> Jun 11 12:03:41 ods-signerd: [hsm] unable to get key: key 5a4cf5871ef16a77118283e8666f486b not found
>>
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsInit
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession 0x000008DB
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > CKA_CLASS: CKO_PRIVATE_KEY
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > CKA_ID
>> pAtt->pValue= 16 bytes
>> 5a4cf587 1ef16a77 118283e8 666f486b
>>
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv 0x00000000 (CKR_OK)
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjects
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession 0x000008DB
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > phObject 0x7ffff3ac5cd8
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > ulMaxObjectCount 1
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < *pulObjectCount 0
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv 0x00000000 (CKR_OK)
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsFinal
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession 0x000008DB
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv 0x00000000 (CKR_OK)
>>
>> OpenDNSSEC (ods-signerd) is acting correctly because the HSM says that there is no key which matches the search criteria. See the pulObjectCount returned from the HSM above.
>>
>> The issue is probably some synchronization problem with the HSM. E.g. object information not propagating fast enough between the two loaded instances of the PKCS#11 library, or you are operating an HA cluster and the object has not been synchronized to the second cluster member. The PKCS#11 library should not return from the key generation function until this has been done.
>>
>> // Rickard
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
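The diagnosis above rests on reading a C_FindObjectsInit / C_FindObjects / C_FindObjectsFinal sequence in the PKCS#11 trace and noticing that the HSM answered CKR_OK with *pulObjectCount 0 for the private key whose CKA_ID matches the id in the ods-signerd "key ... not found" line. The script below does that correlation mechanically over a trace. It is an added example for this thread, not OpenDNSSEC or HSM-vendor code; the line layout (timestamp, [pid], thread id, "pkcs11:", session handle, direction marker, payload) and the CKA_ID hex-dump continuation lines are assumed from the trace quoted in the thread, and the sample trace is constructed (the private-key search is the quoted one; the public-key search on session 000008CB that finds one object is made up to show the contrast David describes).

```python
"""Correlate a PKCS#11 trace with an ods-signerd "key <id> not found" line.

Added example, not OpenDNSSEC or vendor code. The trace line layout and the
CKA_ID dump format are assumed from the lines quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the quoted private-key search (session 000008DB, zero
# objects) plus a made-up public-key search for the same CKA_ID that succeeds.
SAMPLE_TRACE = """\
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsInit
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession 0x000008DB
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > CKA_CLASS: CKO_PRIVATE_KEY
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > CKA_ID
pAtt->pValue= 16 bytes
5a4cf587 1ef16a77 118283e8 666f486b

2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv 0x00000000 (CKR_OK)
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjects
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > ulMaxObjectCount 1
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < *pulObjectCount 0
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv 0x00000000 (CKR_OK)
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsFinal
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv 0x00000000 (CKR_OK)
2014-06-11 13:57:01 [4252] t40978d224f7f0000: pkcs11: 000008CB >> C_FindObjectsInit
2014-06-11 13:57:01 [4252] t40978d224f7f0000: pkcs11: 000008CB > CKA_CLASS: CKO_PUBLIC_KEY
2014-06-11 13:57:01 [4252] t40978d224f7f0000: pkcs11: 000008CB > CKA_ID
pAtt->pValue= 16 bytes
5a4cf587 1ef16a77 118283e8 666f486b
2014-06-11 13:57:01 [4252] t40978d224f7f0000: pkcs11: 000008CB < rv 0x00000000 (CKR_OK)
2014-06-11 13:57:01 [4252] t40978d224f7f0000: pkcs11: 000008CB >> C_FindObjects
2014-06-11 13:57:01 [4252] t40978d224f7f0000: pkcs11: 000008CB < *pulObjectCount 1
2014-06-11 13:57:01 [4252] t40978d224f7f0000: pkcs11: 000008CB < rv 0x00000000 (CKR_OK)
2014-06-11 13:57:01 [4252] t40978d224f7f0000: pkcs11: 000008CB >> C_FindObjectsFinal
"""
SIGNER_LINE = ("Jun 11 12:03:41 ods-signerd: [hsm] unable to get key: "
               "key 5a4cf5871ef16a77118283e8666f486b not found")

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<pid>\d+)\] (?P<thread>\S+): pkcs11: "
                     r"(?P<session>[0-9A-Fa-f]+) (?P<dir>>>|>|<) (?P<payload>.*)$")
HEX_WORDS_RE = re.compile(r"^(?:[0-9a-fA-F]{8}\s*)+$")


@dataclass
class Search:
    """One C_FindObjectsInit ... C_FindObjectsFinal sequence on a session."""
    ts: str
    session: str
    attrs: Dict[str, str] = field(default_factory=dict)
    cka_id: str = ""             # hex accumulated from the CKA_ID dump lines
    count: Optional[int] = None  # *pulObjectCount reported by C_FindObjects
    rv: str = ""                 # rv of the C_FindObjects call


def parse_searches(trace: str) -> List[Search]:
    """Return one Search per completed find sequence, tracked per session."""
    open_searches: Dict[str, Search] = {}
    done: List[Search] = []
    collecting_id: Optional[Search] = None  # search whose CKA_ID dump follows
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            # Dump continuation lines ("pAtt->pValue= ..." and hex words) carry
            # no prefix; only the hex words belong to the pending CKA_ID.
            if collecting_id is not None and HEX_WORDS_RE.match(line):
                collecting_id.cka_id += line.replace(" ", "").lower()
            continue
        collecting_id = None
        session, direction, payload = m["session"], m["dir"], m["payload"]
        if direction == ">>":
            if payload == "C_FindObjectsInit":
                open_searches[session] = Search(ts=m["ts"], session=session)
            elif payload == "C_FindObjectsFinal" and session in open_searches:
                done.append(open_searches.pop(session))
            continue
        search = open_searches.get(session)
        if search is None:
            continue
        if direction == ">" and payload.startswith("CKA_CLASS: "):
            search.attrs["CKA_CLASS"] = payload.split(": ", 1)[1]
        elif direction == ">" and payload == "CKA_ID":
            collecting_id = search
        elif direction == "<" and payload.startswith("*pulObjectCount "):
            search.count = int(payload.split()[1])
        elif direction == "<" and payload.startswith("rv "):
            search.rv = payload


    return done


def find_misses(trace: str) -> List[Search]:
    """Searches the HSM completed with CKR_OK but that matched zero objects."""
    return [s for s in parse_searches(trace) if s.count == 0 and "CKR_OK" in s.rv]


def diagnose(trace: str, signer_line: str) -> dict:
    """Tie the key id in an ods-signerd error line to a zero-result search."""
    m = re.search(r"key ([0-9a-fA-F]+) not found", signer_line)
    if not m:
        return {"matched": False, "reason": "no key id in signer line"}
    for s in find_misses(trace):
        if s.cka_id == m[1].lower():
            return {"matched": True, "session": s.session, "objects": s.count,
                    "cka_class": s.attrs.get("CKA_CLASS"), "hsm_rv": s.rv}
    return {"matched": False, "reason": "no zero-result search for that id"}


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE, SIGNER_LINE))
```

A match with `objects: 0` and `hsm_rv` of CKR_OK is the signature Rickard points at: the library did not fail, the token simply had no object with that CKA_CLASS and CKA_ID at that moment, which is what you would expect from a propagation or cluster-synchronization lag rather than from a signer bug. Run it over the full trace rather than an excerpt so that a later search for the same id that does return an object shows up alongside the miss.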