native-pkcs11 and smartcard-hsm

FUSTE Emmanuel emmanuel.fuste at thalesgroup.com
Wed May 25 12:29:06 UTC 2016 

Le 24/05/2016 16:36, FUSTE Emmanuel a écrit :
> Le 23/05/2016 16:40, FUSTE Emmanuel a écrit :
>> Hello,
>>
>> I'm trying to use a smartcard-hsm usb stick (v1.2) with BIND 9.10.3-P4.
>> This stick is working with powerdns and support all crypto operations
>> required for basic DNSSEC support.
>>
>> But I get this warning/error:
>> "PKCS#11 provider has no digest service".
>> "This HSM will not work with BIND 9 using native PKCS#11."
>>
>> Bind version:
>> BIND 9.10.3-P4-Debian <id:ebd72b3>
>> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
>> '--libdir=/usr/lib/i386-linux-gnu' '--infodir=/usr/share/info'
>> '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
>> '--enable-threads' '--enable-largefile' '--with-libtool'
>> '--enable-shared' '--enable-static' '--with-openssl=/usr'
>> '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no'
>> '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa'
>> '--enable-native-pkcs11'
>> '--with-pkcs11=/usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so'
>> 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>> -Werror=format-security -fno-strict-aliasing
>> -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE -pie
>> -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
>> -DDIG_SIGCHASE'
>> compiled by GCC 5.3.1 20160429
>> compiled with OpenSSL version: OpenSSL 1.0.2h  3 May 2016
>> linked to OpenSSL version: OpenSSL 1.0.2h  3 May 2016
>> compiled with libxml2 version: 2.9.3
>> linked to libxml2 version: 20903
>>
>> pkcs11-torens informations:
>> pkcs11-tokens -m /usr/lib/i386-linux-gnu/opensc-pkcs11.so
>> Warning: PKCS#11 provider has no digest service
>> This HSM will not work with BIND 9 using native PKCS#11.
>>
>> DEFAULTS
>>            rand_token=0x80300368
>>            best_rsa_token=0x80300368
>>            best_dsa_token=(nil)
>>            best_dh_token=(nil)
>>            digest_token=(nil)
>>            best_ec_token=(nil)
>>            best_gost_token=(nil)
>>            aes_token=(nil)
>>
>> TOKEN
>>            address=0x80300368
>>            slotID=0
>>            label=SmartCard-HSM (UserPIN)
>>            manufacturerID=www.CardContact.de
>>            model=PKCS#15 emulated
>>            serialNumber=DECC0100872
>>            supported operations=0x6 (RAND,RSA)
>>
>> PKCS11 mechanism returned by pkcs11-tool:
>> pkcs11-tool -M
>> Using slot 0 with a present token (0x0)
>> Supported mechanisms:
>>      SHA-1, digest
>>      SHA256, digest
>>      SHA384, digest
>>      SHA512, digest
>>      MD5, digest
>>      RIPEMD160, digest
>>      GOSTR3411, digest
>>      ECDSA, keySize={192,320}, hw, sign, other flags=0x1d00000
>>      ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d00000
>>      ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other
>> flags=0x1d00000
>>      ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d00000
>>      ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, other
>> flags=0x1d00000
>>      RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
>>      RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
>>      SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
>>      SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
>>      SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
>>      SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
>>      MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
>>      RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
>>      RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
>>
>> Perhaps Bind require more, but all needed digest services are here.
>> Is something that will be fixed ? How could I help to get it fixed ?
>> Does anyone have any insights or suggestions?
>>
>> Thanks,
>>
>> Emmanuel.
>
> Ok, digging into docs and code give me some answers:
>
> In native PKCS11 mode, all crypto operations are offhanded to the HSM.
> This is totally crazy nowadays. HSM are HSM not PKCS11 crypto
> accelerators, a concept from the past on actual hardware for 99.99% of
> real use.
> If something like "sign-only" and "crypto-accelerator" OpenSSL-based
> PKCS#11 is not implemented too in the future, native-pkcs11 is a dead
> end. Option that should be select-able at runtime and which eventually
> permit to chose what to offload to the device in the crypto-accelerator
> mode (and perhaps on different devices etc ...).
>
> Will try to compile a modified openssl in sign-only mode for my token.
> I already successfully created keys with the pkcs11-keygen command and
> the used debian/ubuntu package already include native pkcs11 and openssl
> versions of named and dnssec tools (-pkcs11 variants).
> I was misguided by the "named -V" command which return the
> --enable-native-pkcs11 flag on the two binary but they are linked with
> different
> libisc libraries (cosmetic packaging problem).
>
> Will report results.
>
> Emmanuel.
>

Latest progress:

OpenSSL PKCS#11 patch does not permit to build a shared version of the 
"pkcs11" engine.
Will try now do do that manually.

In the mean time, I try to use native mode with p11-kit.
The idea was to use softhsm2 pkcs11 lib as the main provider and my 
token via opensc-pkcs11 for the sign operations.
Bind would use openssl for all it crypto operations via softhsm and 
pkcs11 uri would transparently point to my token via opensc-pkcs11 for 
sign operations.
But neither pkcs11 commands or dnssec- command work with 
p11-kit-proxy.so : "fatal: could not initialize dst: PKCS#11 
initialization failed" or "Unrecoverable error initializing PKCS#11: 
PKCS#11 initialization failed"

As a last resort, if the dynamic engine is a dead end, I will try to 
build rebuild bind with a static version of openssl before giving up. 
Not an appealing thing from a maintenance point of view, but it will 
permit to validate if bind could work NOW one way or another in 
auto-dnssec maintain mode with a smartcard-hsm.

Emmanuel.

More information about the bind-users mailing list