Hi Daniel,
thanks a lot for the answer.. and your help. Maybe this could also help..
I had the same problems with a long key id:
pkcs11-tool --login --list-objects --module
/usr/local/lib/softhsm/libsofthsm2.so
Using slot 0 with a present token (0x3886239b)
Logging in to "token-one".
Please enter User PIN:
Public Key Object; RSA 3072 bits
label: dnssec-zsk-rsa
ID: 26a76a1665d562de731680a53aec586ff253d55e
Usage: encrypt, verify, wrap
Private Key Object; RSA
label: dnssec-zsk-rsa
ID: 26a76a1665d562de731680a53aec586ff253d55e
Usage: decrypt, sign, unwrap
keymgr
example.com import-pkcs11 26a76a1665d562de731680a53aec586ff253d55e
algorithm=RSASHA256 size=3072 ksk=no created=20181126090000
publish=20181126090000 retire=+10mo remove=+1y
Error (not exists)
# See knot.conf(5) manual page for documentation.
server:
listen: [ 127.0.0.1@53, ::1@53 ]
keystore:
- id: 26a76a1665d562de731680a53aec586ff253d55e
backend: pkcs11
config: "pkcs11:token=testKSK_1;pin-value=KUQFkRsxm4LmrdryKT5C
/usr/local/lib/softhsm/libsofthsm2.so"
policy:
- id: manual
manual: on
nsec3: on
nsec3-iterations: 16
nsec3-opt-out: on
nsec3-salt-length: 8
zone:
- domain:
example.com
dnssec-signing: on
dnssec-policy: manual
zonefile-load: difference
file: example.com.zone
storage: /etc/knot/
log:
- target: syslog
any: debug
best regards
--
Christian Petrasch
Product Owner
Zone Creation & Signing
IT-Services
DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY
E-Mail: petrasch(a)denic.de
http://www.denic.de
PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49 DE61 870E 8841
549B E0AE
Angaben nach § 25a Absatz 1 GenG: DENIC eG (Sitz: Frankfurt am Main)
Vorstand: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
Schweiger
Vorsitzender des Aufsichtsrats: Thomas Keller
Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht
Frankfurt am Main
Von: daniel.salzman(a)nic.cz
An: "Christian Petrasch" <petrasch(a)denic.de>
Kopie: knot-dns-users(a)lists.nic.cz
Datum: 26.11.2018 10:55
Betreff: Re: [knot-dns-users] Problem to import key material of
softhsm into knot
Hi Christian,
I suspect there is a problem with the key ID, which is short. Please
give us some time to investigate it.
Best,
Daniel
On 2018-11-26 09:49, Christian Petrasch wrote:
Hi @ all,
we are testing with softhsm 2.5 and KNOT 2.7.4...
I try to import the keys inside softhsm into keymgr to sign with this
a example zone.
The keymaterial is shown via pkcs11-tool:
[root@centos-test2 ~]# pkcs11-tool --login --list-objects --module
/usr/local/lib/softhsm/libsofthsm2.so
Using slot 0 with a present token (0x285d1c08)
Logging in to "testKSK_1".
Please enter User PIN:
Private Key Object; RSA
label: testKSK_1
ID: a1a1
Usage: decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
label: testZSK_1
ID: a1b1
Usage: encrypt, verify, wrap
Private Key Object; RSA
label: testZSK_1
ID: a1b1
Usage: decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
label: testKSK_1
ID: a1a1
Usage: encrypt, verify, wrap
######
The KNOT config is :
[root@centos-test2 ~]# cat /etc/knot/knot.conf
# See knot.conf(5) manual page for documentation.
server:
listen: [ 127.0.0.1@53, ::1@53 ]
keystore:
- id: a1a1
backend: pkcs11
config: "pkcs11:token=testKSK_1;pin-value=5678
/usr/local/lib/softhsm/libsofthsm2.so"
- id: a1b1
backend: pkcs11
config: "pkcs11:token=testKSK_1;pin-value=5678
/usr/local/lib/softhsm/libsofthsm2.so"
policy:
- id: manual
manual: on
nsec3: on
nsec3-iterations: 16
nsec3-opt-out: on
nsec3-salt-length: 8
zone:
- domain:
example.com
dnssec-signing: on
dnssec-policy: manual
zonefile-load: difference
file: example.com.zone
storage: /etc/knot/
log:
- target: syslog
any: debug
###################
And if I try to import the key into keymgr i run the command:
[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf
example.com.
import-pkcs11 a1a1 algorithm=RSASHA256 size=2048 ksk=yes
created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Error (not exists)
###
I don't know how I can fix this.. maybe anybody can help me ? The
documentation of KNOT is very good.. but at this point it is a little
bit insufficient. Does anybody has examples for this ?
Thanks a lot in advance for the help..
best regards
--
Christian Petrasch
Product Owner
Zone Creation & Signing
IT-Services
DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY
E-Mail: petrasch(a)denic.de
http://www.denic.de
PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49 DE61 870E
8841 549B E0AE
Angaben nach § 25a Absatz 1 GenG: DENIC eG (Sitz: Frankfurt am Main)
Vorstand: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr.
Jörg Schweiger
Vorsitzender des Aufsichtsrats: Thomas Keller
Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht
Frankfurt am Main