PKCS#11 support
===============

.. note::
  This feature is experimental, use at your own risk!

.. deprecated:: 4.0.0
  Slot IDs are deprecated, and you are expected to use the slot label instead.

To enable it, compile the PowerDNS Authoritative Server with the
``--enable-experimental-pkcs11`` flag on configure. This requires the
p11-kit libraries and headers to be installed.

You can also log on to the tokens after starting the server; in this case
you need to edit your PKCS#11 cryptokey record and remove the PIN or set it
empty. A PIN is required for assigning keys to a zone.

Using with SoftHSM
------------------

.. warning::
  Due to an interaction between `SoftHSM and Botan <https://github.com/PowerDNS/pdns/issues/2496>`__,
  the PowerDNS Authoritative Server **will most likely** crash on exit when built with ``--enable-botan1.10 --enable-experimental-pkcs11``.
  This is the case with the packages provided from the PowerDNS repositories.

To test this feature, a software HSM can be used. It is **not
recommended** to use this in production.

Instructions on how to set up SoftHSM to work with the feature after
compilation on Ubuntu/Debian (tested with Ubuntu 12 and 14):

- ``apt-get install softhsm p11-kit opensc``
- Create the directory ``/etc/pkcs11/modules``
- Add a file called ``softhsm`` there (on newer versions, use
  ``softhsm.module``) with the content

  ::

      module: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so
      managed: yes

- Verify it works: ``p11-kit -l``
- Create at least two tokens (ksk and zsk) with the following command
  (slot-number starts from 0):

  ::

      sudo softhsm --init-token --slot slot-number --label zone-ksk|zone-zsk --pin some-pin --so-pin another-pin

- Using pkcs11-tool, initialize your new keys:

  ::

      sudo pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk|zone-zsk --slot-index slot-number

- Assign the keys using the command below (note that the token label is not
  necessarily the same as the object label, see ``p11-kit -l``):

  ::

      pdnsutil hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk

- Verify that everything worked; you should see valid data there:

  ::

      pdnsutil show-zone zone

- SoftHSM signatures are fast enough to be used in a live environment.

Using CryptAS
-------------

Instructions on how to use the CryptAS
`Athena IDProtect Key USB Token V2J <http://www.cryptoshop.com/products/smartcards/idprotect-key-j-laser.html>`__
Smart Card token on Ubuntu 14:

- Install the manufacturer's support software on your system and initialize
  the Smart Card token as per its instructions (do not use PIV).
- ``apt-get install p11-kit opensc``
- Create the directory ``/etc/pkcs11/modules``
- Add a file called ``athena.module`` there with the content

  ::

      module: /lib64/libASEP11.so
      managed: yes

- Verify it worked; the output should resemble the one below. Do not continue
  if this does not show up.

  ::

      $ p11-kit -l
      athena: /lib64/libASEP11.so
          library-description: ASE Cryptoki
          library-manufacturer: Athena Smartcard Solutions
          library-version: 3.1
          token: IDProtect#0A50123456789
              manufacturer: Athena Smartcard Solutions
              model: IDProtect
              serial-number: 0A50123456789
              hardware-version: 1.0
              firmware-version: 1.0
              flags:
                  rng
                  login-required
                  user-pin-initialized
                  token-initialized

- Using pkcs11-tool, initialize your new keys. After this, IDProtect
  Manager can no longer show your token certificates and keys, at least
  on version v6.23.04.

  ::

      pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk
      pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -k --key-type RSA:2048 -a zone-zsk

- Verify that the keys are there:

  ::

      $ pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -O
      Using slot 0 with a present token (0x0)
      Public Key Object; RSA 2048 bits
        label:      zone-ksk
        Usage:      encrypt, verify, wrap
      Public Key Object; RSA 2048 bits
        label:      zone-zsk
        Usage:      encrypt, verify, wrap
      Private Key Object; RSA
        label:      zone-ksk
        Usage:      decrypt, sign, unwrap
      Private Key Object; RSA
        label:      zone-zsk
        Usage:      decrypt, sign, unwrap

- Assign the keys using

  ::

      pdnsutil hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk

- Verify that everything worked; you should see valid data there:

  ::

      pdnsutil show-zone zone

- Note that the physical token is pretty slow, so you have to use it as a
  hidden master. It has been observed to produce about
  1.5 signatures/second.
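Both the SoftHSM and the CryptAS procedures above hinge on two details that are easy to get wrong: the ``module:`` path in the ``/etc/pkcs11/modules`` file (a bad path is why ``p11-kit -l`` shows nothing), and the fact that ``pdnsutil hsm assign`` takes the *token* label from ``p11-kit -l``, not the object label passed to ``pkcs11-tool -a``. The helpers below are an added example, not code from the PowerDNS project; the ``p11-kit -l`` text they parse is a constructed sample in the layout shown above, and ``example.com`` is a placeholder zone.

```shell
#!/bin/sh
# Added example, not part of the PowerDNS documentation or pdnsutil.
#  - module_path_ok: sanity-check a /etc/pkcs11/modules/*.module file
#    before trusting "p11-kit -l".
#  - token_labels: pull the token label(s) for one module out of
#    "p11-kit -l" output, which is what "pdnsutil hsm assign" expects.

# Constructed sample in the layout of "p11-kit -l" output (not real output);
# in real use run:  p11-kit -l | token_labels athena
SAMPLE_P11KIT_OUTPUT='athena: /lib64/libASEP11.so
    library-description: ASE Cryptoki
    library-version: 3.1
    token: IDProtect#0A50123456789
        manufacturer: Athena Smartcard Solutions
        serial-number: 0A50123456789
        flags:
            login-required
            token-initialized
softhsm: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so
    token: zone-ksk
        flags:
            login-required
    token: zone-zsk
        flags:
            login-required'

# module_path_ok FILE: succeed only if the "module:" line of FILE names a
# library that exists and is readable.
module_path_ok() {
    lib=$(sed -n 's/^module:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$lib" ] && [ -r "$lib" ]
}

# token_labels MODULE: read p11-kit -l text on stdin and print one token
# label per line from the section headed "MODULE: <library path>".
# Unindented lines start a new module section; indented "token:" lines
# inside the wanted section carry the label.
token_labels() {
    awk -v mod="$1:" '
        /^[^[:space:]]/ { inmod = ($1 == mod); next }
        inmod && $1 == "token:" { sub(/^[[:space:]]*token:[[:space:]]*/, ""); print }
    '
}

# Example run: build the two "hsm assign" commands for the Athena token,
# where both key objects live on the single token (zone is a placeholder).
zone=example.com
for tok in $(printf '%s\n' "$SAMPLE_P11KIT_OUTPUT" | token_labels athena); do
    for kt in ksk zsk; do
        echo "pdnsutil hsm assign $zone rsasha256 $kt athena $tok pin zone-$kt"
    done
done
```

For the SoftHSM setup each key sits on its own token, so ``token_labels softhsm`` returns ``zone-ksk`` and ``zone-zsk``, which are then used one per key type.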