[Opendnssec-user] OpenDNSSEC 2.0.0 and ECDSA p-256
Dane Foster
2016-07-20 00:06:59 UTC
Hey all,

Trying out 2.0.0 on a Raspberry Pi with both SoftHSM 2 and a NitroKey HSM and getting some odd behaviour. Trying to create an Algo 13 KSK + ZSK:

***@nitropi:~# ods-enforcer-db-setup
*WARNING* This will erase all data in the database; are you sure? [y/N] y
Database setup successfully.
***@nitropi:~# ods-control start
Starting enforcer...
OpenDNSSEC key and signing policy enforcer version 2.0.0
Engine running.
ctrl completed in 0 seconds.
Starting signer engine...
OpenDNSSEC signer engine version 2.0.0
Engine running.
***@nitropi:~# ods-enforcer policy import
Created policy default successfully
Created policy lab successfully
Created policy ecdsa successfully
policy import completed in 1 seconds.
***@nitropi:~# ods-enforcer zone add -z commo.nz -p ecdsa
input is set to /var/opendnssec/unsigned/commo.nz.
output is set to /var/opendnssec/signed/commo.nz.
Zone commo.nz added successfully
zone add completed in 0 seconds.


Jul 20 11:56:29 nitropi ods-enforcerd: [zone_add_cmd] internal zonelist updated successfully
Jul 20 11:56:29 nitropi ods-enforcerd: 1 zone(s) found on policy "ecdsa"
Jul 20 11:56:29 nitropi ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 1 zones covering 31536000 seconds, generating 1 keys for policy ecdsa
Jul 20 11:56:29 nitropi ods-enforcerd: 1 new KSK(s) (256 bits) need to be created.
Jul 20 11:56:29 nitropi ods-enforcerd: ObjectFile.cpp(282): Object /var/lib/softhsm/tokens//d704a944-0930-6f77-8499-1aa37fb107df/token.object has changed
Jul 20 11:56:29 nitropi ods-enforcerd: OSSLRSA.cpp(1161): This RSA key size (256) is not supported
Jul 20 11:56:29 nitropi ods-enforcerd: SoftHSM.cpp(7044): Could not generate key pair
Jul 20 11:56:29 nitropi ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_GENERAL_ERROR

and no signconf for the zone is generated


The relevant KASP bit:

<Keys>
<!-- Parameters for both KSK and ZSK -->
<TTL>PT3600S</TTL>
<RetireSafety>PT3600S</RetireSafety>
<PublishSafety>PT3600S</PublishSafety>
<!-- <ShareKeys/> -->
<Purge>P14D</Purge>

<!-- Parameters for KSK only -->
<KSK>
<Algorithm length="256">13</Algorithm>
<Lifetime>P1Y</Lifetime>
<Repository>soft</Repository>
</KSK>

<!-- Parameters for ZSK only -->
<ZSK>
<Algorithm length="256">13</Algorithm>
<Lifetime>P90D</Lifetime>
<Repository>soft</Repository>
<!-- <ManualRollover/> -->
</ZSK>
</Keys>

The rest of the policy is copied exactly from the default policy.


and ods-kaspcheck yields:

***@nitropi:/etc/opendnssec# ods-kaspcheck
INFO: The XML in /etc/opendnssec/conf.xml is valid
INFO: The XML in /etc/opendnssec/kasp.xml is valid
WARNING: In policy default, Y used in duration field for Keys/KSK Lifetime (P1Y) in /etc/opendnssec/kasp.xml - this will be interpreted as 365 days
WARNING: In policy lab, Y used in duration field for Keys/KSK Lifetime (P1Y) in /etc/opendnssec/kasp.xml - this will be interpreted as 365 days
WARNING: In policy ecdsa, Y used in duration field for Keys/KSK Lifetime (P1Y) in /etc/opendnssec/kasp.xml - this will be interpreted as 365 days
INFO: The XML in /etc/opendnssec/zonelist.xml is valid

ods-hsmutil test confirms both repositories support ECDSA p-256.

Seems odd it's trying to create a 256-bit RSA key? The behaviour seems consistent with both SoftHSM2 and the NitroKey HSM.
Yuri Schaeffer
2016-07-21 07:04:26 UTC
Hi Dane,
Post by Dane Foster
ods-hsmutil test confirms both repositories support ECDSA p-256.
Seems odd it's trying to create a 256-bit RSA key? The behaviour seems consistent with both SoftHSM2 and the NitroKey HSM.
As far as I know OpenDNSSEC can only handle RSA keys. It is on our
wishlist but no work has gone into it yet.

Regards,
Yuri
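
The failure in the thread (the enforcer turning `<Algorithm length="256">13</Algorithm>` into a 256-bit RSA request that SoftHSM rejects) can be caught before `ods-enforcer policy import` with a policy lint. The following is an added example, not code from the thread or from OpenDNSSEC: a small Python checker for the `<Keys>` block of a `kasp.xml` policy. It verifies that the `<Algorithm>` number and its `length` attribute agree (ECDSA P-256 and P-384 keys have a fixed size; small RSA sizes are rejected or flagged), and, when told that the enforcer can only generate RSA keys (which is what Yuri's reply says about 2.0.0), it reports algorithm 13/14 policies up front. The `ALGORITHMS` table is the IANA DNSSEC algorithm registry; the RSA thresholds (`RSA_MIN_BITS`, `RSA_WARN_BITS`), the `rsa_only` flag, the function name `check_keys` and both sample policies are my own assumptions, the samples being constructed and modelled on the fragment posted above.

```python
"""Lint the <Keys> section of an OpenDNSSEC kasp.xml policy for
algorithm/length combinations that the enforcer or HSM will reject.
Added example; not part of OpenDNSSEC or of the mailing-list thread."""
import xml.etree.ElementTree as ET

# DNSSEC algorithm numbers (IANA DNSSEC Algorithm Numbers registry)
# that this linter understands: (mnemonic, key family).
ALGORITHMS = {
    5: ("RSASHA1", "RSA"),
    7: ("RSASHA1-NSEC3-SHA1", "RSA"),
    8: ("RSASHA256", "RSA"),
    10: ("RSASHA512", "RSA"),
    13: ("ECDSAP256SHA256", "ECDSA"),
    14: ("ECDSAP384SHA384", "ECDSA"),
}
# Curve-bound key sizes: the only valid length="" for these algorithms.
FIXED_LENGTH = {13: 256, 14: 384}
# Thresholds chosen for this linter (assumption, not an OpenDNSSEC rule):
# below RSA_MIN_BITS the HSM refuses generation (SoftHSM rejected a
# 256-bit RSA request in the thread); below RSA_WARN_BITS is weak.
RSA_MIN_BITS = 1024
RSA_WARN_BITS = 2048


def check_keys(policy_xml, rsa_only=True):
    """Return a list of (level, key, message) findings for one policy.

    rsa_only=True models an enforcer that generates RSA keys only and
    therefore passes length="256" to the HSM as an RSA modulus size,
    which is the behaviour the thread shows for OpenDNSSEC 2.0.0.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    keys = root if root.tag == "Keys" else root.find(".//Keys")
    if keys is None:
        return [("error", "-", "no <Keys> element in policy")]
    for key in ("KSK", "ZSK"):
        node = keys.find(f"{key}/Algorithm")
        if node is None:
            findings.append(("error", key, "missing <Algorithm>"))
            continue
        try:
            algo = int((node.text or "").strip())
            length = int(node.get("length", "0"))
        except ValueError:
            findings.append(("error", key, "non-numeric algorithm or length"))
            continue
        if algo not in ALGORITHMS:
            findings.append(("error", key, f"unknown algorithm {algo}"))
            continue
        name, family = ALGORITHMS[algo]
        if family == "ECDSA":
            if rsa_only:
                findings.append(("error", key,
                    f"{name} requested but enforcer generates RSA keys only; "
                    f"the HSM would be asked for a {length}-bit RSA key"))
            if length != FIXED_LENGTH[algo]:
                findings.append(("error", key,
                    f"{name} requires length={FIXED_LENGTH[algo]}, got {length}"))
        else:  # RSA family
            if length < RSA_MIN_BITS:
                findings.append(("error", key,
                    f"{name} length {length} is below HSM minimum {RSA_MIN_BITS}"))
            elif length < RSA_WARN_BITS:
                findings.append(("warning", key,
                    f"{name} length {length} is below recommended {RSA_WARN_BITS}"))
    return findings


# Constructed sample, modelled on the "ecdsa" policy fragment in the thread.
ECDSA_POLICY = """<Policy name="ecdsa">
  <Keys>
    <TTL>PT3600S</TTL>
    <KSK><Algorithm length="256">13</Algorithm><Lifetime>P1Y</Lifetime><Repository>soft</Repository></KSK>
    <ZSK><Algorithm length="256">13</Algorithm><Lifetime>P90D</Lifetime><Repository>soft</Repository></ZSK>
  </Keys>
</Policy>"""

# Constructed RSA sample with a weak ZSK, to exercise the RSA branch.
RSA_POLICY = """<Policy name="rsa">
  <Keys>
    <KSK><Algorithm length="2048">8</Algorithm><Repository>soft</Repository></KSK>
    <ZSK><Algorithm length="1024">8</Algorithm><Repository>soft</Repository></ZSK>
  </Keys>
</Policy>"""

if __name__ == "__main__":
    for pname, pol in (("ecdsa", ECDSA_POLICY), ("rsa", RSA_POLICY)):
        for level, key, msg in check_keys(pol):
            print(f"{level.upper()}: policy {pname}, {key}: {msg}")
```

Run it against each `<Policy>` in `kasp.xml` before importing; with `rsa_only=True` the ecdsa policy above produces one error per key, and with `rsa_only=False` (an enforcer that does support ECDSA) it passes cleanly, while the RSA sample only warns about the 1024-bit ZSK.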
