[Opendnssec-user] softhsm unable to get key

Berry van Halderen berry at nlnetlabs.nl
Fri May 7 00:22:00 UTC 2021


On 2021-05-07 01:53, Randy Bush via Opendnssec-user wrote:
> # uname -a
> FreeBSD rip.psg.com 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 GENERIC  
> amd64
> # pkg info opendnssec2 | head -1
> opendnssec2-2.1.8
> # pkg info softhsm | head -1
> softhsm-1.3.8

Dear Randy,

OpenDNSSEC 2.1.9 is out, which solves this issue I think.

The problem is that certain HSMs (amongst which SoftHSM in database
backend mode) have a funny behaviour.

\Berry


> all worked until a reboot this morning
> 
> none recently changed
> # ls -l `which ods-signerd`
> -rwxr-xr-x  1 root  wheel  385632 Mar 13 19:56 
> /usr/local/sbin/ods-signerd*
> # ls -l `which ods-enforcerd`
> -rwxr-xr-x  1 root  wheel  482984 Mar 13 19:56 
> /usr/local/sbin/ods-enforcerd*
> # ls -l `which softhsm`
> -rwxr-xr-x  1 root  wheel  57200 Jul  7  2019 /usr/local/bin/softhsm*
> 
> May  6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: key
> c659db9ce13d7f18518cd1bbe0a2f0d8 not found
> May  6 23:08:15 rip ods-signerd[705]: [hsm] hsm_get_dnskey(): Got NULL 
> key
> May  6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: hsm
> failed to create dnskey
> May  6 23:08:15 rip ods-signerd[705]: [zone] unable to prepare signing
> keys for zone sol.int: error getting dnskey
> May  6 23:08:15 rip ods-signerd[705]: [worker[1]] CRITICAL: failed to
> sign zone sol.int: General error
> 
> and same for all signed zones
> 
> but
> 
>     # sqlite3 /usr/local/var/softhsm/slot0.db ".backup foo"
>     # ls -l foo
>     -rw-r--r--  1 root  wheel  316416 May  6 23:29 foo
> 
> still duckduckgoing for how to see if sqlite3 has that key,
> c659db9ce13d7f18518cd1bbe0a2f0d8
> 
> but
> 
>     # softhsm --show-slot
>     Available slots:
>     Slot 0
> 	       Token present: yes
> 	       Token initialized: yes
> 	       User PIN initialized: yes
> 	       Token label: opendnssec
> 
> and
> 
>     # softhsm --export test --slot 0 --pin no-way --id
> c659db9ce13d7f18518cd1bbe0a2f0d8
>     Error: Could not find the private key with ID =
> c659db9ce13d7f18518cd1bbe0a2f0d8
> 
> but
> 
>     # ods-enforcer key list -v -z ymbk.com
>     Keys:
>     Zone:                           Keytype: State:    Date of next
> transition: Size: Algorithm: CKA_ID:
> Repository: KeyTag:
>     ymbk.com                        KSK      active    2021-06-28
> 21:37:27      2048  8          52d55ded0e4a06b444774b9daf9ad050
> SoftHSM     53482
>     ymbk.com                        ZSK      active    2021-06-28
> 21:37:27      2048  8          a7f2aa72ecb73b40970abe2b4ffc353e
> SoftHSM     52456
> 
> though i am not sure enforcer is calling softhsm or just looking in its
> back pocket
> 
> so i
> 
> restarted opendnssec
> played my backup script
>     ods-enforcer backup prepare
>     sqlite3 /usr/local/var/softhsm/slot0.db ".backup `date
> '+%y%m%d'`.softhsm-copy.db"
>     ods-enforcer backup commit
> tried a reboot
> 
> an hour searching the net of a million lies was no help.  similar
> problems with much older versions.
> 
> i once tried to upgrade to softhsm2 and had to back off after major
> mess.  willing to try again if i can find a recipe.
> 
> the only possible hint is from a couple of days back, port upgrade of
> sqlite3
> 
>     bind-tools-9.16.13                 <   needs updating (remote has 
> 9.16.15)
>     bind916-9.16.13                    <   needs updating (remote has 
> 9.16.15)
>     sqlite3-3.34.1_1,1                 <   needs updating (remote has 
> 3.35.5,1)
> 
> clues very much appreciated
> 
> randy
> 
> ---
> randy at psg.com
> `gpg --locate-external-keys --auto-key-locate wkd randy at psg.com`
> signatures are back, thanks to dmarc header butchery
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
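Randy's open question above is how to tell, directly from the sqlite file, whether SoftHSM still holds an object with the CKA_ID the signer is asking for. The script below is an added example written for this thread; it is not from Berry, Randy or the SoftHSM project. It assumes the SoftHSM 1.x database layout (an `Objects` table keyed by `objectID` and an `Attributes` table holding `objectID`, `type`, `value BLOB` rows) and the standard PKCS#11 attribute numbers (CKA_CLASS 0x000, CKA_LABEL 0x003, CKA_ID 0x102, CKO_PUBLIC_KEY 2, CKO_PRIVATE_KEY 3). The sample database it builds in memory is constructed for the demonstration, seeded with the CKA_IDs visible in the `ods-enforcer key list` output; it opens a real `slot0.db` read-only so the check cannot disturb a live token.

```python
"""Look up PKCS#11 objects by CKA_ID in a SoftHSM 1.x sqlite slot database.

Added example for the thread; not SoftHSM's or OpenDNSSEC's own code.
Assumption: SoftHSM 1.x schema (Objects/Attributes tables, see build_sample_db).
"""
import sqlite3
import sys
from typing import Dict, List

# Standard PKCS#11 attribute types and object classes (not page-specific).
CKA_CLASS = 0x000
CKA_LABEL = 0x003
CKA_ID = 0x102
CKO_PUBLIC_KEY = 2
CKO_PRIVATE_KEY = 3
CLASS_NAMES = {CKO_PUBLIC_KEY: "public", CKO_PRIVATE_KEY: "private"}


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for slot0.db using the assumed 1.x schema.

    Holds the KSK and ZSK pairs listed by ods-enforcer in the thread, but NOT
    the id the signer complained about, so the lookup below reproduces the
    'not found' situation without touching a real token.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Objects (objectID INTEGER PRIMARY KEY);"
        "CREATE TABLE Attributes (attributeID INTEGER PRIMARY KEY,"
        " objectID INTEGER, type INTEGER, value BLOB, length INTEGER);"
    )
    sample = [  # (CKA_ID hex, label) taken from the enforcer output in the thread
        ("52d55ded0e4a06b444774b9daf9ad050", "ksk-ymbk.com"),
        ("a7f2aa72ecb73b40970abe2b4ffc353e", "zsk-ymbk.com"),
    ]
    for cka_id_hex, label in sample:
        for cls in (CKO_PUBLIC_KEY, CKO_PRIVATE_KEY):
            cur = conn.execute("INSERT INTO Objects DEFAULT VALUES")
            oid = cur.lastrowid
            # CK_ULONG is stored as a native-endian machine word (8 bytes on amd64).
            rows = [
                (oid, CKA_CLASS, cls.to_bytes(8, sys.byteorder), 8),
                (oid, CKA_LABEL, label.encode(), len(label)),
                (oid, CKA_ID, bytes.fromhex(cka_id_hex), 16),
            ]
            conn.executemany(
                "INSERT INTO Attributes (objectID, type, value, length)"
                " VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def find_objects_by_cka_id(conn: sqlite3.Connection, cka_id_hex: str) -> List[Dict]:
    """Return every object whose CKA_ID attribute equals the given hex string.

    Each result carries objectID, decoded CKA_CLASS name and CKA_LABEL, so an
    operator can see whether only the public half survived, for instance.
    """
    wanted = bytes.fromhex(cka_id_hex)
    found = []
    for (oid,) in conn.execute(
            "SELECT objectID FROM Attributes WHERE type = ? AND value = ?",
            (CKA_ID, wanted)):
        attrs = dict(conn.execute(
            "SELECT type, value FROM Attributes WHERE objectID = ?", (oid,)))
        cls_raw = attrs.get(CKA_CLASS) or b""
        cls = int.from_bytes(cls_raw, sys.byteorder) if cls_raw else -1
        label_raw = attrs.get(CKA_LABEL) or b""
        found.append({
            "objectID": oid,
            "class": CLASS_NAMES.get(cls, "other(%d)" % cls),
            "label": bytes(label_raw).decode("utf-8", "replace"),
        })
    return found


def missing_ids(conn: sqlite3.Connection, cka_ids: List[str]) -> List[str]:
    """Given the CKA_IDs the enforcer believes exist, list those the HSM db lacks.

    A non-empty result means enforcer state and token contents have diverged,
    which is the condition behind the 'unable to get key' log lines.
    """
    return [i for i in cka_ids if not find_objects_by_cka_id(conn, i)]


if __name__ == "__main__":
    # Usage: python3 check_cka_id.py /usr/local/var/softhsm/slot0.db <hex-id>...
    path, ids = sys.argv[1], sys.argv[2:]
    # mode=ro: never write to a live token database.
    db = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
    for i in ids:
        hits = find_objects_by_cka_id(db, i)
        print(i, "->", hits if hits else "NOT FOUND")
```

Run it against a copy (the `.backup` file from the thread works) or the live database; an id that returns only a `public` entry, or nothing at all, is the case worth reconciling against `ods-enforcer key list -v` before any resigning is attempted.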


More information about the Opendnssec-user mailing list