- sudo /sbin/ip addr add 10.0.3.0/24 dev lo
- sudo rm /etc/apt/sources.list.d/travis_ci_zeromq3-source.list
- sudo apt-get update
- - sudo apt-get install --no-install-recommends libboost-all-dev libtolua-dev bc libcdb-dev libnet-dns-perl unbound-host ldnsutils dnsutils bind9utils libtool libcdb-dev xmlto links asciidoc ruby-json ruby-sqlite3 rubygems libcurl4-openssl-dev ruby1.9.1 socat time libzmq1 libzmq-dev pkg-config daemontools authbind liblua5.1-posix1 libopendbx1-dev libopendbx1-sqlite3 python-virtualenv libldap2-dev
+ - sudo apt-get install --no-install-recommends libboost-all-dev libtolua-dev bc libcdb-dev libnet-dns-perl unbound-host ldnsutils dnsutils bind9utils libtool libcdb-dev xmlto links asciidoc ruby-json ruby-sqlite3 rubygems libcurl4-openssl-dev ruby1.9.1 socat time libzmq1 libzmq-dev pkg-config daemontools authbind liblua5.1-posix1 libopendbx1-dev libopendbx1-sqlite3 python-virtualenv libldap2-dev softhsm libp11-kit-dev p11-kit
- sudo sh -c 'sed s/precise/trusty/g /etc/apt/sources.list > /etc/apt/sources.list.d/trusty.list'
- sudo apt-get update
- sudo apt-get install liblmdb0 liblmdb-dev lmdb-utils
- cd modules/remotebackend
- travis_retry ruby -S bundle install
- cd ../..
+ - sudo mkdir -p /etc/pkcs11/modules/
+ - sudo cp -f regression-tests/softhsm.mod /etc/pkcs11/modules/softhsm
+ - sudo cp -f regression-tests/softhsm.conf /etc/softhsm/softhsm.conf
+ - sudo chmod 0755 /etc/softhsm/
+ - sudo chmod 0644 /etc/softhsm/softhsm.conf
+ - sudo chmod 0777 /var/lib/softhsm
+ - p11-kit -l # ensure it's ok
script:
- ./bootstrap
- - ./configure --with-modules='bind gmysql gpgsql gsqlite3 mydns tinydns remote random opendbx ldap lmdb' --enable-unit-tests --enable-remotebackend-http --enable-tools --enable-remotebackend-zeromq
+ - ./configure --with-modules='bind gmysql gpgsql gsqlite3 mydns tinydns remote random opendbx ldap lmdb' --enable-unit-tests --enable-remotebackend-http --enable-tools --enable-remotebackend-zeromq --enable-experimental-pkcs11
- make dist
- make -j 4
- travis_retry make -j 4 check # Workaround for remotebackend failures on travis-ci
- touch tests/verify-dnssec-zone/skip.optout
- ./start-test-stop 5300 bind-both
- ./start-test-stop 5300 bind-dnssec-both
+ - ./start-test-stop 5300 bind-dnssec-pkcs11
- ./start-test-stop 5300 bind-dnssec-nsec3-both
- ./start-test-stop 5300 bind-dnssec-nsec3-optout-both
- ./start-test-stop 5300 bind-dnssec-nsec3-narrow
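Review bot: `sudo chmod 0777 /var/lib/softhsm` at L17 makes the SoftHSM token-database directory world-writable so that the unprivileged build user can create the slot DBs listed in the new softhsm.conf; giving the directory to that user is narrower and works the same, e.g. `sudo chown -R "$(id -u)" /var/lib/softhsm`. The `p11-kit -l # ensure it's ok` step only lists modules and does not fail when softhsm is missing from the list, so if it is meant as an assertion, `p11-kit -l | grep -q softhsm` would make it one. The configure flag added on L22, `--enable-experimental-pkcs11`, also does not match the `--experimental-pkcs11-support` that the new docbook section of this commit tells users to pass, so one of the two spellings is wrong. The install-step list starts before this excerpt.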
saxfr_SOURCES=saxfr.cc sstuff.hh dnsparser.cc dnsparser.hh dnsrecords.cc dnswriter.cc dnslabeltext.cc dnswriter.hh \
misc.cc misc.hh rcpgenerator.cc rcpgenerator.hh base64.cc base64.hh unix_utility.cc \
- logger.cc statbag.cc qtype.cc sillyrecords.cc nsecrecords.cc base32.cc dnssecinfra.cc
+ logger.cc statbag.cc qtype.cc sillyrecords.cc nsecrecords.cc base32.cc dnssecinfra.cc
saxfr_LDADD= $(POLARSSL_LIBS)
+if PKCS11
+saxfr_SOURCES += pkcs11signers.cc pkcs11signers.hh
+saxfr_LDADD += $(P11KIT1_LIBS)
+endif
dnstcpbench_SOURCES=dnstcpbench.cc sstuff.hh dnsparser.cc dnsparser.hh dnsrecords.cc dnswriter.cc dnslabeltext.cc dnswriter.hh \
misc.cc misc.hh rcpgenerator.cc rcpgenerator.hh base64.cc base64.hh unix_utility.cc \
logger.cc statbag.cc qtype.cc sillyrecords.cc nsecrecords.cc base32.cc
nsec3dig_LDADD= $(POLARSSL_LIBS)
+if PKCS11
+nsec3dig_SOURCES += pkcs11signers.cc pkcs11signers.hh
+nsec3dig_LDADD += $(P11KIT1_LIBS)
+endif
toysdig_SOURCES=toysdig.cc sstuff.hh dnsparser.cc dnsparser.hh dnsrecords.cc dnswriter.cc dnslabeltext.cc dnswriter.hh \
misc.cc misc.hh rcpgenerator.cc rcpgenerator.hh base64.cc base64.hh unix_utility.cc \
tsig_tests_LDADD= $(POLARSSL_LIBS)
+if PKCS11
+tsig_tests_SOURCES += pkcs11signers.cc pkcs11signers.hh
+tsig_tests_LDADD += $(P11KIT1_LIBS)
+endif
+
speedtest_SOURCES=speedtest.cc dnsparser.cc dnsparser.hh dnsrecords.cc dnswriter.cc dnslabeltext.cc dnswriter.hh \
misc.cc misc.hh rcpgenerator.cc rcpgenerator.hh base64.cc base64.hh unix_utility.cc \
qtype.cc sillyrecords.cc logger.cc statbag.cc nsecrecords.cc base32.cc
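Review bot: The `if PKCS11` block is pasted three times, at L38-41, L46-49 and L53-56, each adding the same two sources and the same `$(P11KIT1_LIBS)`; a single conditional that defines `pkcs11_sources`/`pkcs11_libs` (empty in the `else` branch, so automake sees a definition under every condition) and three `+=` references would keep the list in one place for the next tool that needs signing support. The C++ side tests `#ifdef HAVE_P11KIT1` (L61) while this file tests the `PKCS11` automake conditional; neither definition is on this page, so confirm both come from the same configure check, otherwise a tree can link pkcs11signers.cc into saxfr while dnssecinfra.cc still takes the `#else` branch. The toysdig_SOURCES and tsig_tests definitions continue outside the hunk.
```make
if PKCS11
pkcs11_sources = pkcs11signers.cc pkcs11signers.hh
pkcs11_libs = $(P11KIT1_LIBS)
else
pkcs11_sources =
pkcs11_libs =
endif

saxfr_LDADD= $(POLARSSL_LIBS)
saxfr_SOURCES += $(pkcs11_sources)
saxfr_LDADD += $(pkcs11_libs)
# … unchanged: dnstcpbench_SOURCES …
nsec3dig_LDADD= $(POLARSSL_LIBS)
nsec3dig_SOURCES += $(pkcs11_sources)
nsec3dig_LDADD += $(pkcs11_libs)
# … unchanged: toysdig_SOURCES …
tsig_tests_LDADD= $(POLARSSL_LIBS)
tsig_tests_SOURCES += $(pkcs11_sources)
tsig_tests_LDADD += $(pkcs11_libs)
```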
#ifdef HAVE_P11KIT1
dpk = PKCS11DNSCryptoKeyEngine::maker(algorithm);
#else
- throw new PDNSException("Cannot load PKCS#11 key without support for it");
+ throw PDNSException("Cannot load PKCS#11 key without support for it");
#endif
} else {
dpk=make(algorithm);
</para>
</section>
</section>
+ <section id="dnssec-pkcs11"><title>PKCS#11 support</title>
+ <para>
+ NB! This feature is experimental, and not ready for production. Use at your own risk!
+ </para>
+ <para>
+ To enable it, compile PowerDNS Authoritative Server using --experimental-pkcs11-support flag. This requires you to have p11-kit libraries and headers.
+ </para>
+ <para>
+ Instructions on how to setup SoftHSM to work with the feature after compilation on ubuntu/debian.
+ <itemizedlist>
+ <listitem><para>apt-get install softhsm p11-kit</para></listitem>
+ <listitem><para>create directory /etc/pkcs11/modules</para></listitem>
+ <listitem><para>Add file called 'softhsm' there with (on some versions, use softhsm.module)
+<programlisting>
+module: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so
+managed: yes
+</programlisting>
+</para></listitem>
+ <listitem><para>Run p11-kit -l to verify it worked (you should see softhsm there)</para></listitem>
+ <listitem><para>Create at least two tokens (ksk and zsk) with (slot-number starts from 0)
+<programlisting>
+softhsm --init-token --slot slot-number --label zone-ksk|zone-zsk --pin some-pin --so-pin another-pin
+</programlisting>
+</para></listitem>
+ <listitem><para>Run p11-kit -l to verify it worked (you should see softhsm there and tokens)</para></listitem>
+ <listitem><para>Assign the keys using
+<programlisting>
+pdnssec hsm assign zone rsasha256 ksk|zsk softhsm slot-id pin zone-ksk|zsk
+</programlisting>
+</para></listitem>
+ <listitem><para>Take note of the generated key id, if it always shows up 1, run pdnssec show-zone zone to retrieve them</para></listitem>
+ <listitem><para>Generate the keys using
+<programlisting>
+pdnssec hsm create-key zone key-id
+</programlisting>
+</para></listitem>
+ <listitem><para>Verify that everything worked with pdnssec show-zone zone, you should see valid data there</para></listitem>
+ <listitem><para>Enjoy using PKCS#11!</para></listitem>
+ </itemizedlist>
+ </para>
+ </section>
<section id="dnssec-transfers"><title>Secure transfers</title>
<para>
From 3.3.1 and up, PowerDNS support secure DNSSEC transfers as described in <ulink
cerr<<"get-meta ZONE [kind kind ..] Get zone metadata. If no KIND given, lists all known"<<endl;
cerr<<"hash-zone-record ZONE RNAME Calculate the NSEC3 hash for RNAME in ZONE"<<endl;
cerr<<"hsm assign zone module slot pin Assign a hardware signing module to a ZONE"<<endl;
- cerr<<"hsm create-key zone Create a key using hardware signing module for ZONE (assign first)"<<endl;
+ cerr<<"hsm create-key zone [bits] Create a key using hardware signing module for ZONE (use assign first)"<<endl;
+ cerr<<" bits defaults to 2048"<<endl;
cerr<<"increase-serial ZONE Increases the SOA-serial by 1. Uses SOA-EDIT"<<endl;
cerr<<"import-tsig-key NAME ALGORITHM KEY Import TSIG key"<<endl;
cerr<<"import-zone-key ZONE FILE Import from a file a private key, ZSK or KSK"<<endl;
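Review bot: The rewritten help line at L120, `hsm create-key zone [bits]`, omits the key id, while the usage message the command itself prints (`Usage: pdnssec hsm create-key zone key-id [bits]`) and its `cmds.size() < 4` check both require it; the help text should read `cerr<<"hsm create-key zone key-id [bits]  Create a key using hardware signing module for ZONE (use assign first)"<<endl;`. The unchanged assign line above it (L118) lists `zone module slot pin`, whereas the docbook section and the regression script in this same commit invoke `hsm assign` with zone, algorithm, ksk/zsk, module, slot, pin and label, so that line is worth aligning in the same pass. The help function begins and ends outside the hunk.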
cerr << "Module " << module << " slot " << slot << " assigned to " << zone << " with key id " << id << endl;
return 0;
} else if (cmds[1] == "create-key") {
+
+ if (cmds.size() < 4) {
+ cerr << "Usage: pdnssec hsm create-key zone key-id [bits]" << endl;
+ return 1;
+ }
DomainInfo di;
string zone = cmds[2];
unsigned int id;
-
+ int bits = 2048;
// verify zone
if (!B.getDomainInfo(zone, di)) {
cerr << "Unable to create key for unknown zone '" << zone << "'" << std::endl;
cerr << "Could not find key with ID " << id << endl;
return 1;
}
+ if (cmds.size() > 4) {
+ bits = boost::lexical_cast<int>(cmds[4]);
+ }
+ if (bits < 1) {
+ cerr << "Invalid bit size " << bits << "given, must be positive integer";
+ return 1;
+ }
try {
- dke->create(2048);
- } catch (PDNSException& e1) {
- cerr << e1.reason << endl;
- return 1;
- } catch (PDNSException* e2) {
- cerr << e2->reason << endl;
+ dke->create(bits);
+ } catch (PDNSException& e) {
+ cerr << e.reason << endl;
return 1;
}
- cerr << "Created key i think" << std::endl;
+ cerr << "Key of size " << bits << " created" << std::endl;
return 0;
}
} else {
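Review bot: `boost::lexical_cast<int>(cmds[4])` at L145 throws `boost::bad_lexical_cast` on non-numeric input, and nothing in the hunk catches it, so `pdnssec hsm create-key zone 1 abc` dies with an uncaught exception instead of the usage error the `bits < 1` check was meant to give; wrap the conversion in a try/catch that names the bad argument and returns 1. The message on L148 is also missing a space and a newline (`"Invalid bit size " << bits << "given..."` prints `1024given` with no line end), and a lower bound of 1 accepts key sizes far below anything a module should sign with — consider a sane floor; the 2048-bit default the code already uses is the obvious candidate, assuming the algorithm is RSA as the `rsasha256` used elsewhere in this commit suggests. The enclosing `hsm` command handler starts and ends outside the hunk.
```cpp
  if (cmds.size() > 4) {
    try {
      bits = boost::lexical_cast<int>(cmds[4]);
    } catch (const boost::bad_lexical_cast&) {
      cerr << "Invalid bit size '" << cmds[4] << "', must be a positive integer" << endl;
      return 1;
    }
  }
  if (bits < 1) {
    cerr << "Invalid bit size " << bits << " given, must be positive integer" << endl;
    return 1;
  }
  // … unchanged: dke->create(bits) and its error reporting …
```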
#include "dnssecinfra.hh"
#include "pkcs11signers.hh"
#include "pdnsexception.hh"
+#include "logger.hh"
/* TODO
P11KitSlot::~P11KitSlot()
{
- if (this->d_module)
- this->d_module->functions->C_CloseAllSessions(this->d_slot);
+ if (this->d_module && this->d_session)
+ this->d_module->functions->C_CloseSession(this->d_session);
}
// DO NOT CALL THIS ON YOUR OWN
return false;
};
rv = slot.Login(pin, CKU_USER);
-// if (rv) {
-// std::cerr << "Login gave " << rv << std::endl;
-// };
+ if (rv) {
+ L<<Logger::Error<<"Login failed for " << engine << " slot " << slotId << ": " << rv <<std::endl;
+ };
return rv == 0;
}
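Review bot: The `};` on L189 leaves a stray null statement after the `if` block; it compiles, but it reads as a leftover from the commented-out version being replaced, so `}` alone is cleaner. The return code `rv` in the new log line is printed in decimal, whereas PKCS#11 `CKR_*` values are documented in hex, so a reader cannot look the value up directly; if the project's Logger accepts stream manipulators, `<< std::hex << rv` (or formatting it into a string first) would make the message actionable. Login's signature and the `engine`/`slotId` declarations are outside the hunk.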
if ((rv = d_slot.GenerateKeyPair(&mech, pubAttr, privAttr, &pubKey, &privKey))) {
std::ostringstream error;
error << "Keypair generation failed with " << rv;
- throw new PDNSException(error.str());
+ throw PDNSException(error.str());
}
};
--- /dev/null
+# SoftHSM configuration file
+#
+# Format:
+# <Slot ID>:<Path to the token database>
+#
+# The given paths are just an indication to SoftHSM on where it should
+# store the information for each token.
+
+0:/var/lib/softhsm/slot0.db
+1:/var/lib/softhsm/slot1.db
+2:/var/lib/softhsm/slot2.db
+3:/var/lib/softhsm/slot3.db
+4:/var/lib/softhsm/slot4.db
+5:/var/lib/softhsm/slot5.db
+6:/var/lib/softhsm/slot6.db
+7:/var/lib/softhsm/slot7.db
+8:/var/lib/softhsm/slot8.db
+9:/var/lib/softhsm/slot9.db
+10:/var/lib/softhsm/slot10.db
+11:/var/lib/softhsm/slot11.db
+12:/var/lib/softhsm/slot12.db
+13:/var/lib/softhsm/slot13.db
+14:/var/lib/softhsm/slot14.db
+15:/var/lib/softhsm/slot15.db
+16:/var/lib/softhsm/slot16.db
+17:/var/lib/softhsm/slot17.db
+18:/var/lib/softhsm/slot18.db
+19:/var/lib/softhsm/slot19.db
+20:/var/lib/softhsm/slot20.db
+21:/var/lib/softhsm/slot21.db
+22:/var/lib/softhsm/slot22.db
+23:/var/lib/softhsm/slot23.db
+24:/var/lib/softhsm/slot24.db
+25:/var/lib/softhsm/slot25.db
--- /dev/null
+module: /usr/lib/libsofthsm.so
+managed: yes
{
local zone=$1
local configname=$2
+
if [ -n "$configname" ]
then
configname="--config-name=$configname"
../pdns/pdnssec --config-dir=. $configname activate-zone-key $zone $keyid 2>&1
../pdns/pdnssec --config-dir=. $configname rectify-zone $zone 2>&1
else
- ../pdns/pdnssec --config-dir=. $configname secure-zone $zone 2>&1
+ # check if PKCS#11 should be used
+ if [ $pcks11 -eq 1 ]; then
+ if [ "$slot" == "" ]; then
+ slot=0
+ else
+ slot=$((slot+1))
+ fi
+ sudo softhsm --init-token --slot $slot --label label$slot --pin 123$slot --so-pin 123$slot
+ kid=`../pdns/pdnssec --config-dir=. $configname hsm assign $zone rsasha256 ksk softhsm $slot 123$slot label$slot 2>&1 | grep softhsm | awk '{ print $NF }'`
+# keep this until #1413 is merged
+ kid=`../pdns/pdnssec --config-dir=. $configname show-zone $zone | grep 'ID =.*KSK' | awk '{ print $3 }'`
+ ../pdns/pdnssec --config-dir=. $configname hsm create-key $zone $kid
+ slot=$((slot+1))
+ sudo softhsm --init-token --slot $slot --label label$slot --pin 123$slot --so-pin 123$slot
+ kid=`../pdns/pdnssec --config-dir=. $configname hsm assign $zone rsasha256 zsk softhsm $slot 123$slot label$slot 2>&1 | grep softhsm | awk '{ print $NF }'`
+ kid=`../pdns/pdnssec --config-dir=. $configname show-zone $zone | grep 'ID =.*ZSK' | awk '{ print $3 }'`
+ ../pdns/pdnssec --config-dir=. $configname hsm create-key $zone $kid
+ else
+ ../pdns/pdnssec --config-dir=. $configname secure-zone $zone 2>&1
+ fi
fi
}
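Review bot: The flag tested on L249 is spelled `$pcks11`, but the variable the driver initialises on L272 is `pkcs11=0`, and the assignment on L279 spells it `pcks11=1` again; for any non-pkcs11 context the test becomes `[ -eq 1 ]`, which bash rejects with "unary operator expected" and only by luck falls through to the `secure-zone` branch. Pick one spelling and quote the expansion, e.g. `if [ "$pkcs11" -eq 1 ]; then` here and `pkcs11=1` on L279. The `kid=` captured from `hsm assign` on L256 and L262 is immediately discarded by the `show-zone` lookup that follows, which the `#1413` comment explains only for the first of the two. The function's name line is outside the hunk.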
fi
optout=0
+pkcs11=0
if [ "${context: -13}" = "-nsec3-optout" ]
then
optout=1
fi
+if [ "${context: -7}" = "-pkcs11" ]
+then
+ pcks11=1
+ context=${context:0:-7}
+fi
+
# check for lua
if grep -q "^#define HAVE_LUA 1" ../config.h
then