PKCS#11 stuff: "sign-only" vs "crypto-accelerator"
Johan Ihren
johani at johani.org
Wed Feb 10 12:03:41 UTC 2010
I'm playing with this (9.7.0rc2) and have a few questions.
1. If I build openssl in "sign-only" mode things seem to work (pkcs11-keygen creates keys in the HSM, dnssec-keyfromlabel extracts keys into K-files, dnssec-signzone signs the zone, etc).
But if I build openssl in "crypto-accelerator" mode I stumble on dnssec-keyfromlabel:
mango:/tmp#pkcs11-list
Enter Pin:
mango:/tmp#pkcs11-keygen -b 2048 -l johani.se-ksk
Enter Pin:
mango:/tmp#pkcs11-keygen -b 1024 -l johani.se-zsk
Enter Pin:
mango:/tmp#pkcs11-list
Enter Pin:
object[0]: handle 4 class 2 label[13] 'johani.se-zsk' id[0]
object[1]: handle 3 class 3 label[13] 'johani.se-zsk' id[0]
object[2]: handle 2 class 2 label[13] 'johani.se-ksk' id[0]
object[3]: handle 1 class 3 label[13] 'johani.se-ksk' id[0]
mango:/tmp#dnssec-keyfromlabel -l johani.se-ksk -f KSK johani.se
dnssec-keyfromlabel: fatal: failed to get key johani.se/RSASHA1: not found
What am I doing wrong?
2. In "sign-only" mode the contents of the K*.key and K*.private are different. Now I don't understand the format of the .private file, but I am curious as to what data is in there, as it surely cannot be the private key and it doesn't seem to be the public key. Is it the public key in another format?
3. In the description of the differences between "sign only" and "crypto accelerator" it says:
- Use 'crypto-accelerator' with HSMs that have hardware cryptographic
acceleration features, such as the SCA 6000 board. This causes OpenSSL
to run all supported cryptographic operations in the HSM.
- Use 'sign-only' with HSMs that are designed to function primarily as
secure key storage devices, but lack hardware acceleration. These
devices are highly secure, but are not necessarily any faster at
cryptography than the system CPU--often, they are slower. It is
therefore most efficient to use them only for those cryptographic
functions that require access to the secured private key, such as
zone signing, and to use the system CPU for all other computationally-
intensive operations.
I understand the first paragraph. I think I understand the second paragraph. What I don't understand is what OTHER operations there are in a DNSSEC zone generation context than "key generation" and "zone signing". I.e. more precisely, what is the difference between the two modes?
4. Now I destroy the ZSK in the HSM and then try to extract the KSK again (this was actually by mistake). Bad things seem to happen:
mango:/tmp#pkcs11-destroy -l johani.se-zsk
label johani.se-zsk
Enter Pin:
object[0]: class 2 label 'johani.se-zsk' id[0]
object[1]: class 3 label 'johani.se-zsk' id[0]
sleeping 5 seconds...
mango:/tmp#/usr/local/sbin/dnssec-keyfromlabel -l johani.se-ksk johani.se
Enter PIN:
dnssec-keyfromlabel: warning: dns_dnssec_findmatchingkeys: error reading key file Kjohani.se.+005+21432.private: not found
Kjohani.se.+005+28461
mem.c:1093: INSIST(ctx->stats[i].gets == 0U) failed, back trace
#0 0x81291c8 in ??
#1 0x8129304 in ??
#2 0x8135b29 in ??
#3 0x8135d8a in ??
#4 0x804ca82 in ??
#5 0x804b874 in ??
#6 0x804b7d7 in ??
Abort trap (core dumped)
mango:/tmp#/usr/local/sbin/dnssec-keyfromlabel -l johani.se-ksk -f KSK johani.se
Enter PIN:
dnssec-keyfromlabel: warning: dns_dnssec_findmatchingkeys: error reading key file Kjohani.se.+005+21432.private: not found
dnssec-keyfromlabel: warning: dns_dnssec_findmatchingkeys: error reading key file Kjohani.se.+005+28461.private: not found
Kjohani.se.+005+28462
mem.c:1093: INSIST(ctx->stats[i].gets == 0U) failed, back trace
#0 0x81291c8 in ??
#1 0x8129304 in ??
#2 0x8135b29 in ??
#3 0x8135d8a in ??
#4 0x804ca82 in ??
#5 0x804b874 in ??
#6 0x804b7d7 in ??
Abort trap (core dumped)
Something is broken in there...
Regards,
Johan
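Editor's added example (not part of Johan's post and not BIND's own code): items 3 and 4 above both touch on computations that need only the public half of a DNSSEC key. The key tag in a K-file name is a 16-bit checksum over the DNSKEY RDATA (RFC 4034 Appendix B), so setting the KSK bit changes the flags word from 256 to 257 and the tag by exactly one, which is consistent with the 28461/28462 pair seen in item 4. Key tags and DS digests (RFC 4034 section 5.1.4) are examples of work that involves no private key and therefore stays on the system CPU in "sign-only" mode. The RSA public key bytes below are constructed sample data; the zone name and algorithm number 5 (RSASHA1) are taken from the post.

```python
"""DNSSEC computations that use only public data: key tag, K-file name, DS digest.

Added illustration code, not part of the bind-workers post and not BIND's
implementation. Follows RFC 4034 (DNSKEY RDATA, key tag in Appendix B,
DS digest in section 5.1.4). SAMPLE_PUBKEY is constructed, not a real key.
"""
import hashlib
import struct


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm 1 excluded).

    Sums the RDATA as big-endian 16-bit words (an odd trailing byte acts as the
    high byte of a final word), folds the carry once, and keeps the low 16 bits.
    """
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSAMD5) uses a different key tag rule")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def kfile_name(zone: str, algorithm: int, tag: int) -> str:
    """BIND-style key file base name, e.g. Kjohani.se.+005+28461."""
    if not zone.endswith("."):
        zone += "."
    return f"K{zone}+{algorithm:03d}+{tag:05d}"


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format, lower-cased as the DS digest requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner wire name || DNSKEY RDATA; no private key needed."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


# Constructed sample "RSA public key": exponent length byte 3, exponent 65537,
# then a 16-byte dummy modulus. Real keys are far larger; this is illustration only.
SAMPLE_PUBKEY = b"\x03\x01\x00\x01" + bytes(range(1, 17))
RSASHA1 = 5  # algorithm number 5, the RSASHA1 named in the post's error message


def zsk_and_ksk_tags(public_key: bytes = SAMPLE_PUBKEY, algorithm: int = RSASHA1):
    """Key tags for one public key with ZSK flags (256) and KSK flags (257); they differ by 1."""
    zsk = key_tag(dnskey_rdata(256, algorithm, public_key))
    ksk = key_tag(dnskey_rdata(257, algorithm, public_key))
    return zsk, ksk


if __name__ == "__main__":
    zsk, ksk = zsk_and_ksk_tags()
    print(kfile_name("johani.se", RSASHA1, zsk), kfile_name("johani.se", RSASHA1, ksk))
    print("DS:", ds_digest("johani.se", dnskey_rdata(257, RSASHA1, SAMPLE_PUBKEY)))
```

Running the block prints two K-file names whose tags differ by one, mirroring the 28461/28462 behaviour in item 4, and a DS digest computed purely from public data. Signing the zone's RRsets is the step that does need the private key, which is why "sign-only" leaves everything else to the CPU.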