Hi Mark,

thanks a lot for your help..

I added the keystore to my config.. but I'm getting another error now..

# See knot.conf(5) manual page for documentation.

server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:

# KSK
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

# ZSK
  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"


policy:
  - id: manual
    manual: on
    keystore: a1b1
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
    zonefile-load: difference
    file: example.com.zone
    storage: /etc/knot/

log:
  - target: syslog
    any: debug


###

[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1b1 algorithm=RSASHA256 size=2048 ksk=no created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Failed to initialize KASP (not implemented)

I tried with the -d parameter as well.. but I got:

keymgr -d /var/lib/knot/keys/ example.com. import-pkcs11 a1b1 algorithm=RSASHA256 size=2048 ksk=no created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y

Error (not exists)

I read from former knot versions about the "keymgr init" command, but it is not implemented anymore..

Do you have another idea what's going wrong..?

Thanks a lot for your great help :)

best regards

--
Christian Petrasch
Product Owner
Zone Creation & Signing
IT-Services

DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY

E-Mail: petrasch@denic.de
http://www.denic.de

PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49  DE61 870E 8841 549B E0AE

Information pursuant to § 25a paragraph 1 GenG: DENIC eG (registered office: Frankfurt am Main)
Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Local Court of Frankfurt am Main

From:        "Mark Karpilovskij" <mark.karpilovskij@nic.cz>
To:        "Christian Petrasch" <petrasch@denic.de>
Cc:        knot-dns-users@lists.nic.cz
Date:        26.11.2018 11:56
Subject:        Re: [knot-dns-users] Problem to import key material of softhsm into knot

Hi Christian,

I have checked out your Knot configuration, and I suspect that the issue might be a missing keystore option in the policy section of your configuration. Try specifying the ID of the PKCS11 keystore in the policy section as follows:

keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"


policy:
  - id: manual
    manual: on
    keystore: a1a1
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8

Let us know if this helps.

Best regards,

Mark

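The mismatch Mark points at (a policy naming a keystore id that is not defined) is the kind of thing a small lint can catch before Knot is even started. The following is an added example, not Knot's own tooling and not from either poster: it parses only the flat YAML subset that knot.conf uses and checks that every policy's keystore and every zone's dnssec-policy refer to a defined id. It also flags a pkcs11 keystore whose config string carries pin-value, since that puts the token PIN in plaintext in knot.conf and the file then needs to be protected like a secret. The sample configuration inside the block is constructed for the demonstration; names such as parse_knot_conf and lint are this example's own.

```python
"""Lint a knot.conf for dangling DNSSEC cross-references.

Added example, not Knot's own tooling. It parses only the flat YAML
subset that knot.conf uses (a top-level section holding either plain
key/value pairs or a list of item mappings) and then checks that every
policy's `keystore` and every zone's `dnssec-policy` refers to an id
that is actually defined.
"""

# Constructed sample: one keystore (a1a1) is defined, but the policy
# refers to a1b1, which is not.
SAMPLE_CONF = """\
# See knot.conf(5) manual page for documentation.
server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

policy:
  - id: manual
    manual: on
    keystore: a1b1

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
"""


def parse_knot_conf(text):
    """Return {section: [item, ...]} where each item is a dict of scalars.

    A section whose body is plain key/value pairs (like `server`) yields a
    single item. Comments (`#` to end of line) and blank lines are ignored;
    values are unquoted. Deliberately minimal: no nested mappings and no
    `#` inside quoted strings.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]          # new top-level section
            sections[current] = []
            continue
        if current is None:
            continue                     # key/value before any section: ignore
        stripped = line.strip()
        if stripped.startswith("- "):
            sections[current].append({})  # start a new list item
            stripped = stripped[2:]
        elif not sections[current]:
            sections[current].append({})  # plain key/value section
        key, _, value = stripped.partition(":")
        sections[current][-1][key.strip()] = value.strip().strip('"')
    return sections


def split_pkcs11_config(config):
    """Split a pkcs11 keystore `config` value into (PKCS#11 URI, module path)."""
    uri, _, module = config.partition(" ")
    return uri, module.strip()


def lint(conf):
    """Return a list of problems; an empty list means the references are consistent."""
    problems = []
    keystores = {k["id"] for k in conf.get("keystore", []) if "id" in k}
    policies = {p["id"] for p in conf.get("policy", []) if "id" in p}

    for ks in conf.get("keystore", []):
        if ks.get("backend") != "pkcs11":
            continue
        uri, module = split_pkcs11_config(ks.get("config", ""))
        if not uri.startswith("pkcs11:") or not module:
            problems.append(f"keystore {ks.get('id')!r}: config must be '<pkcs11 URI> <module path>'")
        if "pin-value=" in uri:
            # The token PIN sits in plaintext in knot.conf: treat the file as a secret.
            problems.append(f"keystore {ks.get('id')!r}: PKCS#11 PIN is stored in plaintext in knot.conf; restrict its permissions")

    for pol in conf.get("policy", []):
        ks = pol.get("keystore")
        if ks is not None and ks not in keystores:
            problems.append(f"policy {pol.get('id')!r}: keystore {ks!r} is not defined")

    for zone in conf.get("zone", []):
        pol = zone.get("dnssec-policy")
        if pol is not None and pol not in policies:
            problems.append(f"zone {zone.get('domain')!r}: dnssec-policy {pol!r} is not defined")
    return problems


if __name__ == "__main__":
    for problem in lint(parse_knot_conf(SAMPLE_CONF)):
        print(problem)
```

Run against the constructed sample it reports the dangling keystore reference and the plaintext PIN; point parse_knot_conf at the real /etc/knot/knot.conf to check a live configuration.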
On 26. 11. 18 9:49, Christian Petrasch wrote:
Hi @ all,

we are testing with softhsm 2.5 and KNOT 2.7.4...

I try to import the keys inside softhsm into keymgr to sign an example zone with them.

The key material is shown via pkcs11-tool:

[root@centos-test2 ~]# pkcs11-tool --login --list-objects --module /usr/local/lib/softhsm/libsofthsm2.so

Using slot 0 with a present token (0x285d1c08)
Logging in to "testKSK_1".
Please enter User PIN:
Private Key Object; RSA
  label:      testKSK_1
  ID:         a1a1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      testZSK_1
  ID:         a1b1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
  Usage:      encrypt, verify, wrap

######

The KNOT config is :

[root@centos-test2 ~]# cat /etc/knot/knot.conf
# See knot.conf(5) manual page for documentation.

server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"


policy:
  - id: manual
    manual: on
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
    zonefile-load: difference
    file: example.com.zone
    storage: /etc/knot/

log:
  - target: syslog
    any: debug

###################

And if I try to import the key into keymgr I run the command:

[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1a1 algorithm=RSASHA256 size=2048 ksk=yes created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Error (not exists)

###

I don't know how I can fix this.. maybe anybody can help me? The documentation of KNOT is very good.. but at this point it is a little bit insufficient. Does anybody have examples for this?

Thanks a lot in advance for the help..

best regards

--
Christian Petrasch
Product Owner
Zone Creation & Signing
IT-Services

DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY

E-Mail: petrasch@denic.de
http://www.denic.de

PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49  DE61 870E 8841 549B E0AE

Information pursuant to § 25a paragraph 1 GenG: DENIC eG (registered office: Frankfurt am Main)
Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Local Court of Frankfurt am Main
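
The pkcs11-tool listing in the original post and the keymgr import line declare different things about the same keys: the token reports the a1b1 (ZSK) public key as RSA 1024 bits, while the later import-pkcs11 command for a1b1 passes size=2048. The following added example, which is not part of pkcs11-tool, Knot or either poster's material, parses the text that pkcs11-tool --login --list-objects prints and checks each key id you plan to import for a signing-capable private key and a public key whose type and size match the algorithm= and size= you are about to declare. The listing inside the block is constructed after the one in the thread, and the EC handling is an assumption: pkcs11-tool prints EC keys in a different layout, so only RSA algorithms are type-checked here.

```python
"""Cross-check keys on a PKCS#11 token against a planned keymgr import.

Added example, not part of pkcs11-tool or Knot. It parses the text that
`pkcs11-tool --login --list-objects` prints and checks, for each key id
you intend to hand to `keymgr ... import-pkcs11`, that the token holds a
signing-capable private key and a public key whose type and size match
the algorithm= and size= you are about to declare.
"""
import re

# Constructed sample listing, modelled on the output shown in the thread.
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x285d1c08)
Logging in to "testKSK_1".
Please enter User PIN:
Private Key Object; RSA
  label:      testKSK_1
  ID:         a1a1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      testZSK_1
  ID:         a1b1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
  Usage:      encrypt, verify, wrap
"""

# What the keymgr import-pkcs11 command lines in the thread declare per key id.
PLANNED_IMPORTS = {
    "a1a1": {"algorithm": "RSASHA256", "size": 2048},
    "a1b1": {"algorithm": "RSASHA256", "size": 2048},
}

# DNSSEC algorithms that require an RSA key. EC keys are printed in a
# different layout by pkcs11-tool and are left unchecked here (assumption).
RSA_ALGORITHMS = {"RSASHA1", "RSASHA1-NSEC3-SHA1", "RSASHA256", "RSASHA512"}

OBJECT_RE = re.compile(r"^(Private|Public) Key Object; (\w+)(?: (\d+) bits)?$")


def parse_listing(text):
    """Return {key_id: {"private": obj, "public": obj}} from pkcs11-tool output."""
    objects = []
    current = None
    for line in text.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = {"kind": m.group(1).lower(), "type": m.group(2),
                       "bits": int(m.group(3)) if m.group(3) else None, "usage": set()}
            objects.append(current)
        elif current is not None and line.startswith("  "):
            # Indented attribute lines belong to the most recent object.
            key, _, value = line.strip().partition(":")
            value = value.strip()
            if key == "Usage":
                current["usage"] = {u.strip() for u in value.split(",")}
            else:
                current[key.lower()] = value
    by_id = {}
    for obj in objects:
        if "id" in obj:
            by_id.setdefault(obj["id"], {})[obj["kind"]] = obj
    return by_id


def check_imports(by_id, planned):
    """Return problems found; an empty list means every planned import matches the token."""
    problems = []
    for key_id, want in planned.items():
        objs = by_id.get(key_id)
        if not objs:
            problems.append(f"{key_id}: no object with this ID on the token")
            continue
        priv, pub = objs.get("private"), objs.get("public")
        if priv is None or "sign" not in priv["usage"]:
            problems.append(f"{key_id}: no signing-capable private key")
        if pub is None:
            problems.append(f"{key_id}: no public key object")
            continue
        if want["algorithm"] in RSA_ALGORITHMS and pub["type"] != "RSA":
            problems.append(f"{key_id}: algorithm {want['algorithm']} needs an RSA key, token has {pub['type']}")
        if pub["bits"] is not None and pub["bits"] != want["size"]:
            problems.append(f"{key_id}: token holds a {pub['bits']}-bit key but size={want['size']} was requested")
    return problems


if __name__ == "__main__":
    for problem in check_imports(parse_listing(SAMPLE_LISTING), PLANNED_IMPORTS):
        print(problem)
```

On the constructed listing the check passes a1a1 and reports the 1024-bit versus size=2048 discrepancy for a1b1; feed it the real pkcs11-tool output (captured to a file) and the parameters you intend to pass to keymgr to do the same check against a live token.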