SUPPORT-289

Cannot import keys created outside HSM: ods-enforcer key import broken


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: OpenDNSSEC 2.0.0a3, OpenDNSSEC 2.0, OpenDNSSEC 2.1, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.9, 2.1.8, 2.1.10
    • Fix Version/s: None
    • Component/s: Enforcer
    • Labels: None
    • Environment: Any

Description

Hello,

Any attempt to 'ods-enforcer key import' hardcodes the key in question to state HSM_KEY_STATE_PRIVATE and also runs perform_keydata_import and perform_keystate_import. The tool does not provide the functionality present in 1.4.

Importing keys in state 'GENERATE' (that is, HSM_KEY_STATE_UNUSED) or keys that should be HSM_KEY_STATE_SHARED is not possible. Also, the code always runs perform_keydata_import and perform_keystate_import, which creates very odd problems: 'sudo -u ods ods-enforcer key list -d' will show several different states for one CKA_ID key, and so on.

Our use case is as follows:
1) create key material somewhere
2) import the key material into the HSM with a preset/known CKA_ID for the key(s)
3) 'sudo -u ods ods-enforcer key import --algorithm .. --bits .. --repository .. --zone .. --keytype .. --cka_id .. --inception_time .. --keystate GENERATE'

This results in a bogus state for keys that only exist in the HSM for ods to pick up when needed.

I also believe that trying to import shared keys (i.e. kasp.xml <Policy name="..."> has <ShareKeys/>) will fail; https://lists.opendnssec.org/pipermail/opendnssec-user/2022-January/004701.html may be related.

Our use case only covers '--keystate GENERATE' and I attach a patch for this. Other --keystate imports work just like now and should be addressed separately. I also ask somebody to delete/close SUPPORT-285; this 'key import' was the issue all along, and I failed the logic as I didn't understand what the key state really means, so SUPPORT-285 is a NOTABUG report. My apologies for that.

Best regards,

Mikko Rantanen
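As an added check (not part of this issue or of the OpenDNSSEC code base), the following Python script illustrates how an operator could spot the symptom described in the report, a single CKA_ID listed under several key states, by parsing the output of 'ods-enforcer key list -d'. The sample output embedded below is constructed, and its column layout (zone, keytype, state first, CKA_ID as the long hex token) is an assumption; adjust the parser to the real enforcer output before relying on it.

```python
import re
from collections import defaultdict

# CONSTRUCTED sample in an ASSUMED 'ods-enforcer key list -d' layout.
# The first CKA_ID below appears twice with different states, which is
# the inconsistency the bug report describes.
SAMPLE_KEY_LIST = """\
Zone:        Keytype:  State:     Date of next transition:  Size:  Algorithm:  CKA_ID:                           Repository:  KeyTag:
example.com  KSK       generate   2022-03-01 00:00:00       2048   8           0a1b2c3d4e5f60718293a4b5c6d7e8f9  SoftHSM      12345
example.com  KSK       publish    2022-03-01 00:00:00       2048   8           0a1b2c3d4e5f60718293a4b5c6d7e8f9  SoftHSM      12345
example.com  ZSK       active     2022-04-01 00:00:00       1024   8           ffeeddccbbaa99887766554433221100  SoftHSM      23456
example.org  ZSK       generate   2022-04-01 00:00:00       1024   8           00112233445566778899aabbccddeeff  SoftHSM      34567
"""

# A CKA_ID is recognised heuristically as a long run of hex digits; the
# date/time and numeric columns never match this pattern.
HEX_ID = re.compile(r"^[0-9a-fA-F]{16,}$")


def parse_key_list(text):
    """Return a list of (zone, keytype, state, cka_id) tuples, one per data row.

    The header line (starting with 'Zone:') and blank lines are skipped.
    Rows without a recognisable CKA_ID are ignored rather than guessed at.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Zone:"):
            continue
        tokens = line.split()
        if len(tokens) < 4:
            continue
        zone, keytype, state = tokens[0], tokens[1], tokens[2].lower()
        cka_id = next((t.lower() for t in tokens[3:] if HEX_ID.match(t)), None)
        if cka_id is None:
            continue
        rows.append((zone, keytype, state, cka_id))
    return rows


def states_by_cka_id(rows):
    """Group the set of states seen for each CKA_ID."""
    acc = defaultdict(set)
    for _zone, _keytype, state, cka_id in rows:
        acc[cka_id].add(state)
    return acc


def find_conflicting_ids(text):
    """Return {cka_id: sorted list of states} for every CKA_ID shown in more than one state."""
    grouped = states_by_cka_id(parse_key_list(text))
    return {cka_id: sorted(states) for cka_id, states in grouped.items() if len(states) > 1}


if __name__ == "__main__":
    # In practice feed it the real output, e.g.:
    #   sudo -u ods ods-enforcer key list -d | python3 this_script.py
    conflicts = find_conflicting_ids(SAMPLE_KEY_LIST)
    for cka_id, states in conflicts.items():
        print(f"CKA_ID {cka_id} is listed in states: {', '.join(states)}")
    if not conflicts:
        print("no CKA_ID appears in more than one state")
```

Run against real output, a non-empty result is the signal to stop and inspect the enforcer database before the key rolls further; a key that the enforcer believes is both generated and published cannot be reasoned about by the KASP state machine.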

People

Assignee: Unassigned
Reporter: dogo (Mikko Rantanen)