Hi Christian,
I have verified that it is indeed necessary for Knot to use full length
key IDs with PKCS #11, so make sure you do that. Other than that, I am
quite puzzled by the "*Failed to initialize KASP (not implemented)*"
error that you are getting and so far I have been unable to reproduce
it. I will spend some more time on it. Which version of CentOS are you
using? Meanwhile, see if both setting correct policy configuration and
using full length key IDs will help you.
Best regards,
Mark
On 26. 11. 18 12:31, Christian Petrasch wrote:
Hi Mark,
thanks a lot for your help.
I added the keystore to my config, but I'm getting another error now:
# See knot.conf(5) manual page for documentation.
server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:
    # KSK
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"
    # ZSK
  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

policy:
  - id: manual
    manual: on
    keystore: a1b1
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
    zonefile-load: difference
    file: example.com.zone
    storage: /etc/knot/

log:
  - target: syslog
    any: debug
###
[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1b1 \
    algorithm=RSASHA256 size=2048 ksk=no created=20181126090000 publish=20181126090000 \
    retire=+10mo remove=+1y
*Failed to initialize KASP (not implemented)*
I tried with the -d parameter as well, but I got:
keymgr -d /var/lib/knot/keys/ example.com. import-pkcs11 a1b1 \
    algorithm=RSASHA256 size=2048 ksk=no created=20181126090000 publish=20181126090000 \
    retire=+10mo remove=+1y
*Error (not exists)*
I read about the "keymgr init" command from former Knot versions, but it is not implemented anymore.
Do you have another idea what's going wrong?
Thanks a lot for your great help :)
Best regards
--
Christian Petrasch
Product Owner
Zone Creation & Signing
IT-Services
DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY
E-Mail: petrasch(a)denic.de
http://www.denic.de
PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49 DE61 870E 8841 549B E0AE
Information pursuant to § 25a (1) GenG: DENIC eG (registered office: Frankfurt am Main)
Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Frankfurt am Main Local Court
From: "Mark Karpilovskij" <mark.karpilovskij(a)nic.cz>
To: "Christian Petrasch" <petrasch(a)denic.de>
Cc: knot-dns-users(a)lists.nic.cz
Date: 26.11.2018 11:56
Subject: Re: [knot-dns-users] Problem to import key material of softhsm into knot
------------------------------------------------------------------------
Hi Christian,
I have checked out your Knot configuration, and I suspect that the
issue might be a missing keystore option in the policy section of your
configuration. Try specifying the ID of the PKCS11 keystore in the
policy section as follows:
keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"
  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

policy:
  - id: manual
    manual: on
    keystore: a1a1    # <-- add this
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8
Let us know if this helps.
Best regards,
Mark
On 26. 11. 18 9:49, Christian Petrasch wrote:
Hi all,
we are testing with SoftHSM 2.5 and KNOT 2.7.4.
I am trying to import the keys inside SoftHSM into keymgr, to sign an example zone with them.
The key material is shown via pkcs11-tool:
[root@centos-test2 ~]# pkcs11-tool --login --list-objects --module /usr/local/lib/softhsm/libsofthsm2.so
Using slot 0 with a present token (0x285d1c08)
Logging in to "testKSK_1".
Please enter User PIN:
Private Key Object; RSA
  label:      testKSK_1
  ID:         a1a1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      testZSK_1
  ID:         a1b1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
  Usage:      encrypt, verify, wrap
######
The KNOT config is:
[root@centos-test2 ~]# cat /etc/knot/knot.conf
# See knot.conf(5) manual page for documentation.
server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"
  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

policy:
  - id: manual
    manual: on
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
    zonefile-load: difference
    file: example.com.zone
    storage: /etc/knot/

log:
  - target: syslog
    any: debug
###################
And to import the key into keymgr I run the command:
[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1a1 \
    algorithm=RSASHA256 size=2048 ksk=yes created=20181126090000 publish=20181126090000 \
    retire=+10mo remove=+1y
Error (not exists)
###
I don't know how I can fix this; maybe anybody can help me? The documentation of KNOT is very good, but at this point it is a little bit insufficient. Does anybody have examples for this?
Thanks a lot in advance for the help.
Best regards
--
Christian Petrasch
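The thread ends before a working import is shown. The script below is an added example, not code from the thread or from the Knot project: it runs the procedure end to end in the order a practitioner would on the test host, initialising a SoftHSM token with the label and PIN from the thread, generating the KSK and ZSK with pkcs11-tool so that each object's CKA_ID is a full-length Knot key ID, listing the token to cross-check the IDs, and then registering both keys with keymgr import-pkcs11 in the syntax Christian used. Assumptions: a Knot KASP key ID is 40 lowercase hexadecimal characters (20 bytes), which is what "full length key IDs" refers to, so a two-byte CKA_ID such as a1a1 is refused before any tool is called; the SO PIN 1234, the environment-variable names and the function names are invented for the example; the keystore ids a1a1 and a1b1 in knot.conf are config names that are independent of the CKA_ID, so knot.conf needs no change for this. Both keys are generated at 2048 bits and imported with a matching size= (in the thread the token holds a 1024-bit ZSK while the import command passes size=2048, and RSA-1024 is below current recommendations anyway). Nothing touches the HSM or the KASP database unless KNOT_HSM_DEMO=run is set.

```shell
#!/bin/sh
# Added example (not from the thread or the Knot project): import SoftHSM keys
# into Knot 2.7 with full-length (40 hex character) key IDs.
# Assumptions: SoftHSM 2.x, OpenSC pkcs11-tool and Knot 2.7 are installed; the
# module path, token label and user PIN are the ones from the thread; the SO PIN
# and the variable names are invented; knot.conf already carries the keystore,
# policy (with keystore:) and zone sections shown in the thread.
set -eu

MODULE="${MODULE:-/usr/local/lib/softhsm/libsofthsm2.so}"
TOKEN="${TOKEN:-testKSK_1}"
PIN="${PIN:-5678}"
SO_PIN="${SO_PIN:-1234}"          # assumed value, not in the thread
CONF="${CONF:-/etc/knot/knot.conf}"
ZONE="${ZONE:-example.com.}"

# Knot KASP key IDs are 40 lowercase hex characters (20 bytes).  A short
# CKA_ID such as "a1a1" is not a valid Knot key ID; that is the "full length
# key IDs" point from the thread.
knot_keyid_ok() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Generate a fresh 20-byte ID as 40 lowercase hex characters.
new_keyid() {
    od -A n -t x1 -N 20 /dev/urandom | tr -d ' \n'
}

# Create one RSA key pair in the token whose CKA_ID is the given Knot key ID.
hsm_gen_key() {   # hsm_gen_key <keyid> <label> <bits>
    knot_keyid_ok "$1" || { echo "refusing short key ID: $1" >&2; return 1; }
    pkcs11-tool --module "$MODULE" --token-label "$TOKEN" --login --pin "$PIN" \
        --keypairgen --key-type "rsa:$3" --id "$1" --label "$2"
}

# Register an HSM-resident key with Knot's KASP database for the zone.
knot_import() {   # knot_import <keyid> <ksk:yes|no> <bits>
    knot_keyid_ok "$1" || { echo "refusing short key ID: $1" >&2; return 1; }
    keymgr -c "$CONF" "$ZONE" import-pkcs11 "$1" \
        algorithm=RSASHA256 size="$3" ksk="$2"
}

main() {
    # Fresh token with the label and user PIN used in the thread.
    softhsm2-util --init-token --free --label "$TOKEN" --so-pin "$SO_PIN" --pin "$PIN"

    ksk_id=$(new_keyid)
    zsk_id=$(new_keyid)
    hsm_gen_key "$ksk_id" testKSK_1 2048
    hsm_gen_key "$zsk_id" testZSK_1 2048

    # Cross-check: the IDs listed by the token must be the ones we import.
    pkcs11-tool --module "$MODULE" --token-label "$TOKEN" --login --pin "$PIN" --list-objects

    knot_import "$ksk_id" yes 2048
    knot_import "$zsk_id" no  2048
    keymgr -c "$CONF" "$ZONE" list
}

# Only touch the HSM and the KASP database when explicitly asked to.
if [ "${KNOT_HSM_DEMO:-}" = "run" ]; then
    main
fi
```

Run it as `KNOT_HSM_DEMO=run sh knot-hsm-import.sh` on the test host; once `keymgr ... list` shows both keys, `knotc reload` lets the server pick up the policy and start signing with the HSM keys. The check in knot_keyid_ok is deliberately strict (lowercase only) so that the ID you pass to pkcs11-tool --id and to keymgr import-pkcs11 is byte-for-byte the same string.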