Hi Christian,

I have verified that it is indeed necessary for Knot to use full length key IDs with PKCS #11, so make sure you do that. Other than that, I am quite puzzled by the "Failed to initialize KASP (not implemented)" error that you are getting and so far I have been unable to reproduce it. I will spend some more time on it. Which version of CentOS are you using? Meanwhile, see if both setting correct policy configuration and using full length key IDs will help you.

Best regards,

Mark

On 26. 11. 18 12:31, Christian Petrasch wrote:
Hi Mark,

thanks a lot for your help.

I added the keystore to my config, but I'm getting another error now.

# See knot.conf(5) manual page for documentation.

server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:

# KSK
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

# ZSK
  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"


policy:
  - id: manual
    manual: on
    keystore: a1b1
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
    zonefile-load: difference
    file: example.com.zone
    storage: /etc/knot/

log:
  - target: syslog
    any: debug


###

[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1b1 algorithm=RSASHA256 size=2048 ksk=no created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Failed to initialize KASP (not implemented)

I tried with the -d parameter as well, but I got:

keymgr -d /var/lib/knot/keys/ example.com. import-pkcs11 a1b1 algorithm=RSASHA256 size=2048 ksk=no created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y

Error (not exists)

I read about the "keymgr init" command from former Knot versions, but it is not implemented anymore.

Do you have another idea what's going wrong?

Thanks a lot for your great help :)

best regards

--
Christian Petrasch
Product Owner
Zone Creation & Signing
IT-Services

DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY

E-Mail: petrasch@denic.de
http://www.denic.de

PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49  DE61 870E 8841 549B E0AE    

Information pursuant to § 25a paragraph 1 GenG: DENIC eG (registered office: Frankfurt am Main)
Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Cooperative Register, Amtsgericht Frankfurt am Main

From: "Mark Karpilovskij" <mark.karpilovskij@nic.cz>
To: "Christian Petrasch" <petrasch@denic.de>
Cc: knot-dns-users@lists.nic.cz
Date: 26.11.2018 11:56
Subject: Re: [knot-dns-users] Problem to import key material of softhsm into knot

Hi Christian,

I have checked out your Knot configuration, and I suspect that the issue might be a missing keystore option in the policy section of your configuration. Try specifying the ID of the PKCS11 keystore in the policy section as follows:

keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"


policy:
  - id: manual
    manual: on
    keystore: a1a1
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8

Let us know if this helps.

Best regards,

Mark

On 26. 11. 18 9:49, Christian Petrasch wrote:
Hi all,

we are testing with softhsm 2.5 and KNOT 2.7.4...

I try to import the keys inside softhsm into keymgr to sign an example zone with them.

The key material is shown via pkcs11-tool:

[root@centos-test2 ~]# pkcs11-tool --login --list-objects --module /usr/local/lib/softhsm/libsofthsm2.so

Using slot 0 with a present token (0x285d1c08)
Logging in to "testKSK_1".
Please enter User PIN:
Private Key Object; RSA
  label:      testKSK_1
  ID:         a1a1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      testZSK_1
  ID:         a1b1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
  Usage:      encrypt, verify, wrap

######

The KNOT config is:

[root@centos-test2 ~]# cat /etc/knot/knot.conf
# See knot.conf(5) manual page for documentation.

server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"


policy:
  - id: manual
    manual: on
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
    zonefile-load: difference
    file: example.com.zone
    storage: /etc/knot/

log:
  - target: syslog
    any: debug

###################

And to import the key into keymgr, I run the command:

[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1a1 algorithm=RSASHA256 size=2048 ksk=yes created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Error (not exists)

###

I don't know how I can fix this; maybe somebody can help me? The documentation of KNOT is very good, but at this point it is a little bit insufficient. Does anybody have examples for this?

Thanks a lot in advance for the help.

best regards

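As an added example that is not part of the thread (and not Knot's or OpenSC's own code), the shell functions below pair the public and private objects from a pkcs11-tool --list-objects listing by CKA_ID, print one summary line per key (label, modulus size, ID length in bytes, whether both halves are present), and build the keymgr import-pkcs11 command line used in the thread from that summary. The listing is a constructed copy of the one quoted above; deriving ksk=yes from a label containing KSK is an assumption about this test token's naming, not a Knot rule.

```shell
# Added example (not from the thread, Knot or OpenSC). The listing is constructed
# to mirror the pkcs11-tool --list-objects output quoted in the thread.
SAMPLE_LISTING='Private Key Object; RSA
  label:      testKSK_1
  ID:         a1a1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      testZSK_1
  ID:         a1b1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
  Usage:      encrypt, verify, wrap'

# summarize_objects: listing on stdin -> one sorted line per CKA_ID:
#   "<id> <label> <bits> <id-bytes> <private:yes|no> <public:yes|no>"
summarize_objects() {
    awk '
      /^(Private|Public) Key Object/ {
          kind = $1; bits = "?"
          if (match($0, /[0-9]+ bits/)) bits = substr($0, RSTART, RLENGTH - 5)
      }
      /^ *label:/ { label = $2 }
      /^ *ID:/ {
          id = $2; seen[id] = 1; lbl[id] = label
          if (kind == "Private") priv[id] = "yes"
          if (kind == "Public")  { pub[id] = "yes"; size[id] = bits }
      }
      END {
          for (id in seen)
              printf "%s %s %s %d %s %s\n", id, lbl[id], ((id in size) ? size[id] : "?"),
                     length(id) / 2, ((id in priv) ? "yes" : "no"), ((id in pub) ? "yes" : "no")
      }' | sort
}

# import_command: build the keymgr call from the thread for one summary line,
# using only the flags seen there. ksk=yes for labels containing "KSK" is an
# assumption about this test token's naming.
import_command() {  # $1 knot.conf  $2 zone  $3 summary line
    set -- "$1" "$2" $3
    case "$4" in *KSK*) ksk=yes ;; *) ksk=no ;; esac
    echo "keymgr -c $1 $2 import-pkcs11 $3 algorithm=RSASHA256 size=$5 ksk=$ksk"
}

printf '%s\n' "$SAMPLE_LISTING" | summarize_objects
```

The ID column is what import-pkcs11 takes, and the id-bytes column shows how long each CKA_ID on the token actually is before it is compared with what keymgr expects.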