- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: OpenDNSSEC 2.1
- Fix Version/s: None
- Component/s: Enforcer
- Labels: None
- Environment: RHEL9, Alma9 tested, VMs on Intel and Apple M1 hardware.

Hello,
there's a logic error in hsm_key_factory.c preventing key rollover from working.
The function takes argument "hsm_key_state_t hsm_key_state" and checks that it is either of type HSM_KEY_STATE_PRIVATE or HSM_KEY_STATE_SHARED. If not, the function returns NULL.
When looking for a matching key from the db, the code (perhaps copy-pasted from somewhere) uses "hsm_key_state_clause(clause_list, HSM_KEY_STATE_UNUSED)" which can't ever be true (previous return NULL if so).
The result is that upon key rollover, there's a debug message "[hsm_key_factory_get_key] no keys available" and the code never finds a suitable key, so no key rollovers.
I attach a patch.
Best regards,
–
Mikko Rantanen