- Type: Support
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: OpenDNSSEC 2.0
- Fix Version/s: None
- Component/s: Enforcer, Enforcer NG
- Labels: None
- Environment:
  linux64
  ods 2.0.4
  softhsm2 2.3.0rc1

Switching from ods branch 'develop' to '2.0/master', I've built/installed

    cd .../opendnssec
    git log | head
    commit a9df1eebb27ef13638bdbfcbea2b70730b2aebbc
    Merge: f8ab096 11a1a85
    Author: Yuri Schaeffer <yuri@nlnetlabs.nl>
    Date: Fri Jan 13 11:15:38 2017 +0100

    Merge remote-tracking branch 'upstream/2.0/develop' into ods204_merge

    commit 11a1a8589b74c44e3462ff70e0eae7064f5fa38b
    Merge: 74bc25b 0fc2f1f

    ods-signerd -V
    opendnssec version 2.0.4

    cd .../softhsm
    git log | head
    commit 7fd1d77e75edfeb79add6a1a867cfbaf14516839
    Merge: 04ee3d4 ace1b99
    Author: Rickard Bellgrim <rickard@opendnssec.org>
    Date: Mon Dec 5 23:17:37 2016 +0100

    Merge pull request #261 from matthauck/support-libeaycompat

    Add support for libeaycompat lib for FIPS on windows

    commit 04ee3d4c99514ba3aec10f2454ff9bde798e3781

    softhsm2-util --version
    2.3.0rc1

SoftHSM's ecdsa support is on

    ods-hsmutil test SoftHSM -v
    Testing repository: SoftHSM
    ...
    Generating ECDSA Curve P-256 key... OK
    Extracting key identifier... OK, 6b1...
    Signing (ECDSA/SHA256) with key... OK
    Deleting key... OK
    Generating ECDSA Curve P-384 key... OK
    Extracting key identifier... OK, ad5...
    Signing (ECDSA/SHA384) with key... OK
    Deleting key... OK
    ...

My ODS2 'lab' policy includes

    <?xml version="1.0" encoding="UTF-8"?>
    <KASP>
      <Policy name="lab">
        ...
        <Keys>
          <TTL>PT300S</TTL>
          <RetireSafety>PT360S</RetireSafety>
          <PublishSafety>PT360S</PublishSafety>
          <ShareKeys/>
          <Purge>PT6H</Purge>
          <KSK>
            <Algorithm>14</Algorithm>
            <Lifetime>PT3H</Lifetime>
            <Repository>SoftHSM</Repository>
          </KSK>
          <ZSK>
            <Algorithm>14</Algorithm>
            <Lifetime>PT2H</Lifetime>
            <Repository>SoftHSM</Repository>
          </ZSK>
        </Keys>
        ...

policy imports ok

    ods-enforcer policy import
    Created policy lab successfully

starting with a clean db

    rm -rf /var/opendnssec/kasp.db
    ods-enforcer-db-setup -f
    Database setup successfully.

daemons start

    systemctl start ods-signerd
    systemctl start ods-enforcerd
    ps aux | grep ods
    opendns+ 1932 0.0 0.4 286160 11312 ? Sl 08:52 0:00 /usr/local/opendnssec/sbin/ods-signerd -d
    opendns+ 1975 6.1 0.4 361536 12084 ? Sl 08:52 0:02 /usr/local/opendnssec/sbin/ods-enforcerd -d

when I add a zone

    ods-enforcer zone add \
      --zone example.com \
      --xml \
      --policy lab \
      --input /usr/local/etc/opendnssec/addns.xml \
      --output /usr/local/etc/opendnssec/addns.xml \
      --in-type DNS \
      --out-type DNS

it reports complete

    input is set to /usr/local/etc/opendnssec/addns.xml.
    output is set to /usr/local/etc/opendnssec/addns.xml.
    Zone example.com added successfully
    Zonelist /usr/local/etc/opendnssec/zonelist.xml updated successfully
    zone add completed in 0 seconds.

but logs show a FAIL

    Jan 13 08:55:37 test ods-enforcerd: [zone_add_cmd] zone example.com added [policy: lab]
    Jan 13 08:55:37 test ods-enforcerd: INFO: The XML in /usr/local/etc/opendnssec/zonelist.xml.update is valid
    Jan 13 08:55:37 test ods-enforcerd: [zone_add_cmd] zonelist /usr/local/etc/opendnssec/zonelist.xml updated successfully
    Jan 13 08:55:37 test ods-enforcerd: INFO: The XML in /var/opendnssec/enforcer/zones.xml is valid
    Jan 13 08:55:37 test ods-enforcerd: INFO: The XML in /var/opendnssec/enforcer/zones.xml.update is valid
    Jan 13 08:55:37 test ods-enforcerd: [zone_add_cmd] internal zonelist updated successfully
    Jan 13 08:55:37 test ods-enforcerd: 1 zone(s) found on policy "lab"
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 8 keys needed for 1 zones covering 86400 seconds, generating 8 keys for policy lab
    Jan 13 08:55:37 test ods-enforcerd: 8 new KSK(s) (0 bits) need to be created.
    Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
    Jan 13 08:55:37 test ods-enforcerd: 1 zone(s) found on policy "lab"
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 12 keys needed for 1 zones covering 86400 seconds, generating 12 keys for policy lab
    Jan 13 08:55:37 test ods-enforcerd: 12 new ZSK(s) (0 bits) need to be created.
    Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] update zone: example.com
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_get_key] no keys available
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy lab, retry in 60 seconds
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_get_key] no keys available
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy lab, retry in 60 seconds
    Jan 13 08:55:37 test ods-enforcerd: 1 zone(s) found on policy "lab"
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 8 keys needed for 1 zones covering 86400 seconds, generating 8 keys for policy lab
    Jan 13 08:55:37 test ods-enforcerd: 8 new KSK(s) (0 bits) need to be created.
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updateZone: no keylist
    Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
    Jan 13 08:55:37 test ods-enforcerd: [enforce_task] No changes to any signconf file required
    Jan 13 08:55:37 test ods-enforcerd: 1 zone(s) found on policy "lab"
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 12 keys needed for 1 zones covering 86400 seconds, generating 12 keys for policy lab
    Jan 13 08:55:37 test ods-enforcerd: 12 new ZSK(s) (0 bits) need to be created.
    Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] update zone: example.com
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_get_key] no keys available
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy lab, retry in 60 seconds
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_get_key] no keys available
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy lab, retry in 60 seconds
    Jan 13 08:55:37 test ods-enforcerd: 1 zone(s) found on policy "lab"
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 12 keys needed for 1 zones covering 86400 seconds, generating 12 keys for policy lab
    Jan 13 08:55:37 test ods-enforcerd: 12 new ZSK(s) (0 bits) need to be created.
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updateZone: no keylist
    Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
    Jan 13 08:55:37 test ods-enforcerd: [enforce_task] No changes to any signconf file required
    Jan 13 08:55:37 test ods-enforcerd: 1 zone(s) found on policy "lab"
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 8 keys needed for 1 zones covering 86400 seconds, generating 8 keys for policy lab
    Jan 13 08:55:37 test ods-enforcerd: 8 new KSK(s) (0 bits) need to be created.
    Jan 13 08:55:37 test ods-enforcerd: [enforce_task] No changes to any signconf file required
    Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] update zone: example.com
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_get_key] no keys available
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy lab, retry in 60 seconds
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_get_key] no keys available
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy lab, retry in 60 seconds
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updateZone: no keylist
    Jan 13 08:55:37 test ods-enforcerd: 1 zone(s) found on policy "lab"
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 8 keys needed for 1 zones covering 86400 seconds, generating 8 keys for policy lab
    Jan 13 08:55:37 test ods-enforcerd: 8 new KSK(s) (0 bits) need to be created.
    Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
    Jan 13 08:55:37 test ods-enforcerd: [enforce_task] No changes to any signconf file required
    Jan 13 08:55:37 test ods-enforcerd: 1 zone(s) found on policy "lab"
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 12 keys needed for 1 zones covering 86400 seconds, generating 12 keys for policy lab
    Jan 13 08:55:37 test ods-enforcerd: 12 new ZSK(s) (0 bits) need to be created.
    Jan 13 08:55:37 test ods-enforcerd: [enforce_task] No changes to any signconf file required
    Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] update zone: example.com
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_get_key] no keys available
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy lab, retry in 60 seconds
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_get_key] no keys available
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy lab, retry in 60 seconds
    Jan 13 08:55:37 test ods-enforcerd: 1 zone(s) found on policy "lab"
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 8 keys needed for 1 zones covering 86400 seconds, generating 8 keys for policy lab
    Jan 13 08:55:37 test ods-enforcerd: 8 new KSK(s) (0 bits) need to be created.
    Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updateZone: no keylist
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
    Jan 13 08:55:37 test ods-enforcerd: [enforce_task] No changes to any signconf file required
    Jan 13 08:55:37 test ods-enforcerd: 1 zone(s) found on policy "lab"
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 12 keys needed for 1 zones covering 86400 seconds, generating 12 keys for policy lab
    Jan 13 08:55:37 test ods-enforcerd: 12 new ZSK(s) (0 bits) need to be created.
    Jan 13 08:55:37 test ods-enforcerd: [enforce_task] No changes to any signconf file required
    Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] update zone: example.com
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_get_key] no keys available
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy lab, retry in 60 seconds
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_get_key] no keys available
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy lab, retry in 60 seconds
    Jan 13 08:55:37 test ods-enforcerd: 1 zone(s) found on policy "lab"
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 8 keys needed for 1 zones covering 86400 seconds, generating 8 keys for policy lab
    Jan 13 08:55:37 test ods-enforcerd: 8 new KSK(s) (0 bits) need to be created.
    Jan 13 08:55:37 test ods-enforcerd: [enforcer] updateZone: no keylist
    Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
    Jan 13 08:55:37 test ods-enforcerd: 1 zone(s) found on policy "lab"
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 12 keys needed for 1 zones covering 86400 seconds, generating 12 keys for policy lab
    Jan 13 08:55:37 test ods-enforcerd: 12 new ZSK(s) (0 bits) need to be created.
    Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
    Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
    Jan 13 08:55:37 test ods-enforcerd: [enforce_task] No changes to any signconf file required
    Jan 13 08:55:37 test ods-enforcerd: [enforce_task] No changes to any signconf file required

and no keys are added

    ods-hsmutil list
    Listing keys in all repositories.
    0 keys found.

    Repository ID Type
    ---------- -- ----
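
A log triage check for the symptom in this report, where `zone add` reports success while every key generation attempt fails in the HSM. This is an added example, not part of the original report or of OpenDNSSEC; the sample lines are copied from the log above, and the function names and the rule that attributes a failure line to the most recent "generating ... for policy" line are assumptions.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the enforcer log in the report (trimmed to one cycle).
SAMPLE_LOG = """\
Jan 13 08:55:37 test ods-enforcerd: [zone_add_cmd] zone example.com added [policy: lab]
Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 8 keys needed for 1 zones covering 86400 seconds, generating 8 keys for policy lab
Jan 13 08:55:37 test ods-enforcerd: 8 new KSK(s) (0 bits) need to be created.
Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] 12 keys needed for 1 zones covering 86400 seconds, generating 12 keys for policy lab
Jan 13 08:55:37 test ods-enforcerd: 12 new ZSK(s) (0 bits) need to be created.
Jan 13 08:55:37 test ods-enforcerd: SoftHSM.cpp(7085): Missing CKA_MODULUS_BITS in pPublicKeyTemplate
Jan 13 08:55:37 test ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: CKR_TEMPLATE_INCOMPLETE
Jan 13 08:55:37 test ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy lab, retry in 60 seconds
"""

ZONE = re.compile(r"\[zone_add_cmd\] zone (\S+) added \[policy: ([^\]]+)\]")
GEN = re.compile(r"\[hsm_key_factory_generate\] \d+ keys needed .* for policy (\S+)")
NEW = re.compile(r"(\d+) new (KSK|ZSK)\(s\) \((\d+) bits\) need to be created")
FAIL = re.compile(r"key generation failed, HSM error: .*\b(CKR_\w+)")
STARVED = re.compile(r"No keys available in HSM for policy (\S+),")

def triage(log_text):
    """Group key-generation outcomes per policy from ods-enforcerd syslog lines."""
    policies = defaultdict(lambda: {"zones": set(), "attempts": [], "errors": set(), "starved": False})
    current = pending = None
    for line in log_text.splitlines():
        if "ods-enforcerd:" not in line:
            continue
        if z := ZONE.search(line):
            policies[z.group(2)]["zones"].add(z.group(1))
        elif g := GEN.search(line):
            current, pending = g.group(1), None  # assumption: later lines belong to this policy
        elif (n := NEW.search(line)) and current:
            pending = {"role": n.group(2), "count": int(n.group(1)), "bits": int(n.group(3)), "failed": False}
            policies[current]["attempts"].append(pending)
        elif (f := FAIL.search(line)) and current:
            if pending:
                pending["failed"] = True
            policies[current]["errors"].add(f.group(1))
        elif s := STARVED.search(line):
            policies[s.group(1)]["starved"] = True
    return policies

def unsigned_zones(policies):
    """Zones accepted by 'zone add' whose policy logged HSM errors and has no keys."""
    return sorted(z for p in policies.values() if p["errors"] and p["starved"] for z in p["zones"])
```

`CKA_MODULUS_BITS` is the PKCS#11 attribute for an RSA modulus length, so the `bits` value of 0 recorded per attempt next to `CKR_TEMPLATE_INCOMPLETE` is the detail to surface when a policy is set to algorithm 14.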