native-pkcs11 and smartcard-hsm

FUSTE Emmanuel emmanuel.fuste at thalesgroup.com
Mon May 23 14:40:17 UTC 2016


Hello,

I'm trying to use a smartcard-hsm usb stick (v1.2) with BIND 9.10.3-P4.
This stick is working with powerdns and supports all crypto operations 
required for basic DNSSEC support.

But I get this warning/error:
"PKCS#11 provider has no digest service".
"This HSM will not work with BIND 9 using native PKCS#11."

Bind version:
BIND 9.10.3-P4-Debian <id:ebd72b3>
built by make with '--prefix=/usr' '--mandir=/usr/share/man' 
'--libdir=/usr/lib/i386-linux-gnu' '--infodir=/usr/share/info' 
'--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' 
'--enable-threads' '--enable-largefile' '--with-libtool' 
'--enable-shared' '--enable-static' '--with-openssl=/usr' 
'--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' 
'--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 
'--enable-native-pkcs11' 
'--with-pkcs11=/usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so' 
'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat 
-Werror=format-security -fno-strict-aliasing 
-fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE -pie 
-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 
-DDIG_SIGCHASE'
compiled by GCC 5.3.1 20160429
compiled with OpenSSL version: OpenSSL 1.0.2h  3 May 2016
linked to OpenSSL version: OpenSSL 1.0.2h  3 May 2016
compiled with libxml2 version: 2.9.3
linked to libxml2 version: 20903

pkcs11-tokens information:
pkcs11-tokens -m /usr/lib/i386-linux-gnu/opensc-pkcs11.so
Warning: PKCS#11 provider has no digest service
This HSM will not work with BIND 9 using native PKCS#11.

DEFAULTS
         rand_token=0x80300368
         best_rsa_token=0x80300368
         best_dsa_token=(nil)
         best_dh_token=(nil)
         digest_token=(nil)
         best_ec_token=(nil)
         best_gost_token=(nil)
         aes_token=(nil)

TOKEN
         address=0x80300368
         slotID=0
         label=SmartCard-HSM (UserPIN)
         manufacturerID=www.CardContact.de
         model=PKCS#15 emulated
         serialNumber=DECC0100872
         supported operations=0x6 (RAND,RSA)

PKCS#11 mechanisms returned by pkcs11-tool:
pkcs11-tool -M
Using slot 0 with a present token (0x0)
Supported mechanisms:
   SHA-1, digest
   SHA256, digest
   SHA384, digest
   SHA512, digest
   MD5, digest
   RIPEMD160, digest
   GOSTR3411, digest
   ECDSA, keySize={192,320}, hw, sign, other flags=0x1d00000
   ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d00000
   ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other 
flags=0x1d00000
   ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d00000
   ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, other 
flags=0x1d00000
   RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
   RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
   SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
   SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
   SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
   SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
   MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
   RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
   RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair

Perhaps BIND requires more, but all needed digest services are here.
Is this something that will be fixed? How could I help to get it fixed?
Does anyone have any insights or suggestions?

Thanks,

Emmanuel.
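Added example, not part of the post above and not BIND's or OpenSC's code: a ctypes-only probe that asks a PKCS#11 module, through C_GetMechanismInfo on each present slot, for the flags of every mechanism BIND's native PKCS#11 scan wants before it will claim a digest service. pkcs11-tool -M only prints what the module chooses to list; BIND checks a fixed set. The REQUIRED_MECHS table is my reconstruction (an assumption, check scan_slots() in lib/isc/pk11.c of your BIND version) and includes SHA-224 and the HMAC variants BIND uses for TSIG, none of which appear in the pkcs11-tool listing above. The CK_FUNCTION_LIST prefix assumes the standard unpacked Unix Cryptoki layout, and OPENSC_LIKE_FLAGS is a constructed table mirroring the post's pkcs11-tool output so the check can be exercised offline.

```python
#!/usr/bin/env python3
"""Check a PKCS#11 module for the digest/HMAC mechanisms BIND's native
PKCS#11 mode looks for.  ctypes only: no PyKCS11 or python-pkcs11 needed."""
import sys
from ctypes import (CDLL, CFUNCTYPE, POINTER, Structure, byref,
                    c_ubyte, c_ulong, c_void_p)

CK_ULONG = c_ulong
CK_RV = c_ulong
CKR_OK = 0
CKF_DIGEST = 0x0400   # mechanism usable with C_DigestInit
CKF_SIGN = 0x0800     # mechanism usable with C_SignInit (HMACs)

# ASSUMPTION: reconstructed from memory of scan_slots() in lib/isc/pk11.c
# (BIND 9.10/9.11); verify against your BIND source.  Digests must carry
# CKF_DIGEST, HMAC mechanisms must carry CKF_SIGN.
REQUIRED_MECHS = {
    "CKM_MD5": (0x0210, CKF_DIGEST),    "CKM_MD5_HMAC": (0x0211, CKF_SIGN),
    "CKM_SHA_1": (0x0220, CKF_DIGEST),  "CKM_SHA_1_HMAC": (0x0221, CKF_SIGN),
    "CKM_SHA224": (0x0255, CKF_DIGEST), "CKM_SHA224_HMAC": (0x0256, CKF_SIGN),
    "CKM_SHA256": (0x0250, CKF_DIGEST), "CKM_SHA256_HMAC": (0x0251, CKF_SIGN),
    "CKM_SHA384": (0x0260, CKF_DIGEST), "CKM_SHA384_HMAC": (0x0261, CKF_SIGN),
    "CKM_SHA512": (0x0270, CKF_DIGEST), "CKM_SHA512_HMAC": (0x0271, CKF_SIGN),
}


class CK_MECHANISM_INFO(Structure):
    _fields_ = [("ulMinKeySize", CK_ULONG), ("ulMaxKeySize", CK_ULONG),
                ("flags", CK_ULONG)]


class CK_FUNCTION_LIST(Structure):
    # Only the leading members of the Cryptoki function list; the real struct
    # is longer, but a prefix layout is enough to reach C_GetMechanismInfo.
    _fields_ = [
        ("major", c_ubyte), ("minor", c_ubyte),
        ("C_Initialize", CFUNCTYPE(CK_RV, c_void_p)),
        ("C_Finalize", CFUNCTYPE(CK_RV, c_void_p)),
        ("C_GetInfo", c_void_p),
        ("C_GetFunctionList", c_void_p),
        ("C_GetSlotList", CFUNCTYPE(CK_RV, c_ubyte, POINTER(CK_ULONG),
                                    POINTER(CK_ULONG))),
        ("C_GetSlotInfo", c_void_p),
        ("C_GetTokenInfo", c_void_p),
        ("C_GetMechanismList", c_void_p),
        ("C_GetMechanismInfo", CFUNCTYPE(CK_RV, CK_ULONG, CK_ULONG,
                                         POINTER(CK_MECHANISM_INFO))),
    ]


def missing_mechanisms(get_flags, required=REQUIRED_MECHS):
    """get_flags(mech) -> CK_MECHANISM_INFO.flags, or None if the token
    rejects the mechanism.  Returns the sorted names of required mechanisms
    that are absent or lack the needed flag; an empty list means BIND-ready."""
    missing = [name for name, (mech, needed) in required.items()
               if get_flags(mech) is None or (get_flags(mech) & needed) == 0]
    return sorted(missing)


def probe_module(path):
    """Load a real module; return {slot_id: [missing mechanism names]}."""
    lib = CDLL(path)
    lib.C_GetFunctionList.argtypes = [POINTER(POINTER(CK_FUNCTION_LIST))]
    lib.C_GetFunctionList.restype = CK_RV
    pfl = POINTER(CK_FUNCTION_LIST)()
    if lib.C_GetFunctionList(byref(pfl)) != CKR_OK:
        raise RuntimeError("C_GetFunctionList failed")
    fl = pfl.contents
    if fl.C_Initialize(None) != CKR_OK:
        raise RuntimeError("C_Initialize failed")
    try:
        count = CK_ULONG(0)
        fl.C_GetSlotList(1, None, byref(count))          # tokenPresent = TRUE
        slots = (CK_ULONG * max(count.value, 1))()
        fl.C_GetSlotList(1, slots, byref(count))
        report = {}
        for slot in list(slots)[:count.value]:
            def get_flags(mech, slot=slot):
                info = CK_MECHANISM_INFO()
                rv = fl.C_GetMechanismInfo(slot, mech, byref(info))
                return info.flags if rv == CKR_OK else None
            report[int(slot)] = missing_mechanisms(get_flags)
        return report
    finally:
        fl.C_Finalize(None)


# Constructed stand-in mirroring the pkcs11-tool -M listing in the post:
# five digests advertised, no SHA-224 and no HMAC mechanisms at all.
OPENSC_LIKE_FLAGS = {0x0210: CKF_DIGEST, 0x0220: CKF_DIGEST, 0x0250: CKF_DIGEST,
                     0x0260: CKF_DIGEST, 0x0270: CKF_DIGEST}


def example_check():
    """What the check says about a token shaped like the one in the post."""
    return missing_mechanisms(OPENSC_LIKE_FLAGS.get)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        for slot, missing in probe_module(sys.argv[1]).items():
            print("slot %d: %s" % (slot, "BIND-ready" if not missing
                                   else "missing " + ", ".join(missing)))
    else:
        print("offline example, missing:", ", ".join(example_check()))
```

Run it with the same module path that pkcs11-tokens -m was given (the opensc-pkcs11.so, not the softhsm path compiled into BIND), e.g. `python3 probe.py /usr/lib/i386-linux-gnu/opensc-pkcs11.so`. Anything it lists as missing is a mechanism the module does not advertise with the flag BIND's scan checks, which is the difference between "pkcs11-tool shows digests" and "BIND says there is no digest service"; whether the cure is a module-side software fallback or a different provider is a question for the thread, not something the probe decides.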


More information about the bind-users mailing list