Hi Christian,
I have verified that it is indeed necessary for Knot to use full length key IDs with PKCS #11, so make sure you do that. Other than that, I am quite puzzled by the "Failed to initialize KASP (not implemented)" error that you are getting and so far I have been unable to reproduce it. I will spend some more time on it. Which version of CentOS are you using? Meanwhile, see if both setting correct policy configuration and using full length key IDs will help you.
Best regards,
Mark
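The two checks raised in this thread, that every key referenced from Knot is a public/private pair with the same CKA_ID and that the ID is a full-length one, can be run against the `pkcs11-tool --list-objects` output before calling keymgr. The script below is an added example, not code from the thread, Knot or SoftHSM: it parses that listing (the constructed sample embedded in it is the listing posted further down), pairs the objects by ID, flags short IDs, and compares the bit size the token reports with the `size=` value one intends to pass to keymgr (the listing below shows the a1b1 public key as 1024 bits while the import command passes size=2048). The expected ID length of 40 hex digits (a 20-byte CKA_ID) is an assumption about what "full length" means here; set it to what your Knot version documents.

```python
"""Check PKCS #11 key objects before referencing them from Knot (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumption: a "full length" CKA_ID is 20 bytes, i.e. 40 hex digits.
EXPECTED_ID_HEX_LEN = 40

# Constructed sample input: the pkcs11-tool listing posted in this thread.
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x285d1c08)
Logging in to "testKSK_1".
Please enter User PIN:
Private Key Object; RSA
  label:      testKSK_1
  ID:         a1a1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      testZSK_1
  ID:         a1b1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
  Usage:      encrypt, verify, wrap
"""

# "Private Key Object; RSA" or "Public Key Object; RSA 2048 bits"
OBJECT_HEADER = re.compile(r"^(Private|Public) Key Object; (\S+)(?: (\d+) bits)?$")


def parse_objects(listing: str) -> List[dict]:
    """Turn the text listing into one dict per key object."""
    objects: List[dict] = []
    current: Optional[dict] = None
    for raw in listing.splitlines():
        line = raw.strip()
        header = OBJECT_HEADER.match(line)
        if header:
            current = {
                "kind": header.group(1).lower(),  # "private" or "public"
                "type": header.group(2),          # e.g. "RSA"
                "bits": int(header.group(3)) if header.group(3) else None,
                "label": None,
                "id": None,
                "usage": (),
            }
            objects.append(current)
            continue
        if current is None or ":" not in line:
            continue  # slot / login chatter before the first object
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "label":
            current["label"] = value
        elif key == "id":
            current["id"] = value.lower()
        elif key == "usage":
            current["usage"] = tuple(part.strip() for part in value.split(","))
    return objects


def pair_by_id(objects: List[dict]) -> Dict[str, Dict[str, dict]]:
    """Group objects by CKA_ID: {id: {"private": obj, "public": obj}}."""
    pairs: Dict[str, Dict[str, dict]] = defaultdict(dict)
    for obj in objects:
        if obj["id"] is not None:
            pairs[obj["id"]][obj["kind"]] = obj
    return dict(pairs)


def check_ids(objects: List[dict], expected_hex_len: int = EXPECTED_ID_HEX_LEN) -> List[Tuple[str, str]]:
    """Return (id, problem) findings: unpaired objects, non-hex or short IDs, label mismatch."""
    findings: List[Tuple[str, str]] = []
    for key_id, parts in sorted(pair_by_id(objects).items()):
        missing = {"private", "public"} - set(parts)
        for kind in sorted(missing):
            findings.append((key_id, f"no {kind} key object with this CKA_ID"))
        if not re.fullmatch(r"[0-9a-f]+", key_id):
            findings.append((key_id, "CKA_ID is not hexadecimal"))
        elif len(key_id) != expected_hex_len:
            findings.append((key_id, f"CKA_ID is {len(key_id)} hex digits, expected {expected_hex_len}"))
        if not missing and parts["private"]["label"] != parts["public"]["label"]:
            findings.append((key_id, "public and private objects carry different labels"))
    return findings


def check_size(objects: List[dict], key_id: str, requested_bits: int) -> Optional[Tuple[Optional[int], int]]:
    """Compare the public key size the token reports with the size= meant for keymgr.
    Returns None when they agree, otherwise (reported_bits, requested_bits)."""
    public = pair_by_id(objects).get(key_id.lower(), {}).get("public")
    reported = public["bits"] if public else None
    return None if reported == requested_bits else (reported, requested_bits)


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_LISTING)
    for key_id, problem in check_ids(objs):
        print(f"{key_id}: {problem}")
    print("a1b1 size check:", check_size(objs, "a1b1", 2048))
```

To use it on a live token, feed the script `pkcs11-tool --login --list-objects --module <path>` output instead of the constructed sample; the PIN prompt line is skipped by the parser.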
Hi Mark,
Thanks a lot for your help.
I added the keystore to my config, but I'm getting another error now:
# See knot.conf(5) manual page for documentation.
server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:
  # KSK
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"
  # ZSK
  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

policy:
  - id: manual
    manual: on
    keystore: a1b1
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
    zonefile-load: difference
    file: example.com.zone
    storage: /etc/knot/

log:
  - target: syslog
    any: debug
###
[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1b1 algorithm=RSASHA256 size=2048 ksk=no created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Failed to initialize KASP (not implemented)
I tried with the -d parameter as well, but I got:
keymgr -d /var/lib/knot/keys/ example.com. import-pkcs11 a1b1 algorithm=RSASHA256 size=2048 ksk=no created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Error (not exists)
I read about the "keymgr init" command from former Knot versions, but it is not implemented anymore.
Do you have another idea what's going wrong?
Thanks a lot for your great help :)
Best regards,
--
Christian Petrasch
Product Owner
Zone Creation & Signing
IT-Services
DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY
E-Mail: petrasch@denic.de
http://www.denic.de
PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49 DE61 870E 8841 549B E0AE
Information pursuant to § 25a paragraph 1 GenG: DENIC eG (registered office: Frankfurt am Main)
Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Frankfurt am Main Local Court
From: "Mark Karpilovskij" <mark.karpilovskij@nic.cz>
To: "Christian Petrasch" <petrasch@denic.de>
Cc: knot-dns-users@lists.nic.cz
Date: 26.11.2018 11:56
Subject: Re: [knot-dns-users] Problem to import key material of softhsm into knot
Hi Christian,
I have checked out your Knot configuration, and I suspect that the issue might be a missing keystore option in the policy section of your configuration. Try specifying the ID of the PKCS11 keystore in the policy section as follows:
keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"
  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

policy:
  - id: manual
    manual: on
    keystore: a1a1
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8
Let us know if this helps.
Best regards,
Mark
On 26. 11. 18 9:49, Christian Petrasch wrote:
Hi all,
we are testing with SoftHSM 2.5 and Knot 2.7.4.
I am trying to import the keys inside SoftHSM into keymgr to sign an example zone with them.
The key material is shown via pkcs11-tool:
[root@centos-test2 ~]# pkcs11-tool --login --list-objects --module /usr/local/lib/softhsm/libsofthsm2.so
Using slot 0 with a present token (0x285d1c08)
Logging in to "testKSK_1".
Please enter User PIN:
Private Key Object; RSA
  label:      testKSK_1
  ID:         a1a1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      testZSK_1
  ID:         a1b1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
  Usage:      encrypt, verify, wrap
######
The Knot config is:
[root@centos-test2 ~]# cat /etc/knot/knot.conf
# See knot.conf(5) manual page for documentation.
server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:
  - id: a1a1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"
  - id: a1b1
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"

policy:
  - id: manual
    manual: on
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
    zonefile-load: difference
    file: example.com.zone
    storage: /etc/knot/

log:
  - target: syslog
    any: debug
###################
And when I try to import the key into keymgr, I run the command:
[root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1a1 algorithm=RSASHA256 size=2048 ksk=yes created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Error (not exists)
###
I don't know how I can fix this; maybe somebody can help me? The documentation of Knot is very good, but at this point it is a little bit insufficient. Does anybody have examples for this?
Thanks a lot in advance for the help.
Best regards,