[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
dnssec-signzone/keygen /w seamless pkcs11 support - Part II
- To: namedroppers@ops.ietf.org
- Subject: dnssec-signzone/keygen /w seamless pkcs11 support - Part II
- From: "Richard Lamb" <slamb@xtcn.com>
- Date: Mon, 3 Dec 2007 16:32:56 -0800
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=received:message-id:date:from:sender:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition:x-google-sender-auth; b=yDMwnJw67EG0bc9IjVG+4NVZ3e6aDO4AMqZ+emgukvjVg6XZ1IysehI9xIG7iNgjPtAmhljd1Rhx+U/Jv5v/4JBYweIvV9Z8PaAAl+RjN2BAnuREHv0QJ0Cu4kCK9cKEzygGPTQlLyBayVsF8d5NiknYT6BWJzHBpF4PEAwD3UI=
December 3, 2007
DNSSEC Enthusiasts-
Here is my second version of modifications to BIND for native PKCS11
HSM support (first released June 14 2007 on
dnssec-deployment@shinkuro.com). The vast majority of
changes to BIND are restricted to one file
(lib/dns/opensslrsa_link.c). Included are a number of HSM
utilities that should also work with any HSM with PKCS11
support such as private key backup using C_Wrap/C_Unwrap.
The archive is in fact a snapshot of what IANA is using in its demo
DNSSEC system. As there appears to be very little sample pkcs11 code
on the net, I hope it is in some way helpful to those of you
struggling with this. Feel free to use it or pieces of the code as you
please. Contact me if you have any questions and I will try to help.
I. How to build and test PKCS11 HSM tools:
1. If you have not done so already, install and configure the PKCS11
library for your HSM.
If first time using this HSM this typically includes:
a. copying the pkcs11 library into a directory
b. enable the HSM
c. initialize the HSM
Otherwise:
a. just enable the HSM
2. Set environment variables:
Edit "hsmconfig" to set PKCS11_LIBRARY_PATH to where you put the HSM
pkcs11 shared library and edit any other variables needed by your
particular HSM. Then run: ". hsmconfig" to set the environment
variables. My HSM tools and BIND mods will use PKCS11_LIBRARY_PATH to
determine what library to load.
3. Compile the tools:
$ wget http://www.xtcn.com/~lamb/pkcs11HSMtools.tar.gz
$ tar zxf pkcs11HSMtools.tar.gz
$ ./keygenbuild
4. Test
$ ./pkcs11-backup -l
(after asking for the HSM PIN, this should list the keys in the HSM)
or
$ ./pkcs11-random 10 randombytes
(to use the HSM to put 10 random bytes into a file called "randombytes")
II. To build pkcs11 modified BIND:
1. Build
$ wget http://ftp.isc.org/isc/bind9/9.4.1-P1/bind-9.4.1-P1.tar.gz
$ tar zxf bind-9.4.1-P1.tar.gz
$ mv bind-9.4.1-P1 bind-9.4.1-P1.pkcs11
$ wget http://www.xtcn.com/~lamb/bind-9.4.1-P1.pkcs11.diff
$ patch -p0 < bind-9.4.1-P1.pkcs11.diff
$ cd bind-9.4.1-P1.pkcs11
$ ./configure
$ make
2. To test:
$ bin/dnssec/dnssec-keygen -P 123456 -a RSASHA1 -b 1024 -n ZONE ip6.arpa
Kip6.arpa.+005+24727
this will generate two (2) files:
Kip6.arpa.+005+24727.key Kip6.arpa.+005+24727.private
(of course the tag id, 24727, will be different for each new key
generation)
the contents of Kip6.arpa.+005+24727.key : (the usual dnssec-keygen output)
ip6.arpa. IN DNSKEY 256 3 5
AwEAAeUUHWIG+nkRRKH6mXtrtll7CgIkqDrKCs8WN9By2OZMH5h6J3jn
Q8PEKPhkb8TZOi6z2jYMNzXckzEzKPBFYytg03lBRvW1AmzmkZf3nas8
xpUU7cB1hv4xi5Ry9rnV7PZwpPtmujToOCHb3hUhXmby4DQx77byRHVV V9O/stRL
and the contents of Kip6.arpa.+005+24727.private:
Private-key-format: xxx
slot:0
pin:
id:46
label:K24727
this is different from the normal BIND behaviour and contains only the
key label within the HSM and other location information. This
information will be used by dnssec-signzone to instruct the HSM to sign
records while ensuring the private key is never available in unencrypted
form.
To continue with testing dnssec-signzone:
$ cp ip6.arpa.zone zonefile
$ cat Kip6.arpa.+005+24727.key >> zonefile
$ bin/dnssec/dnssec-signzone -P 123456 -o ip6.arpa zonefile Kip6.arpa.+005+24727
dnssec-signzone: warning: zonefile:435: using RFC1035 TTL semantics
zonefile.signed
"zonefile.signed" is the ZSK signed zonefile.
Thats it.
III. dnssec-keygen and dnssec-signzone behaviour modifications:
1. Addition of "-P PIN" for unattended key generation and signing
operation using an HSM. Without it, the programs will ask for a PIN.
Small mod to bin/dnssec/dnssec-keygen.c and
bin/dnssec/dnssec-signzone.c to accomodate -P option.
2. The PKCS11 HSM will only be used if the environment variable
PKCS11_LIBRARY_PATH is defined as it is in "hsmconfig". Otherwise,
dnssec-keygen and dnssec-signzone should behave normally.
Sorry about the line breaks. Ill pdf it if there is interest.
Have fun,
Rick
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>