From: Aki Tuomi Date: Thu, 15 May 2014 13:17:15 +0000 (+0300) Subject: Support for PKCS#11 signing X-Git-Tag: rec-3.6.0-rc1~9^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=70f0f8c4dce651b749c9deb185c6da67b292eec8;p=thirdparty%2Fpdns.git Support for PKCS#11 signing --- diff --git a/.travis.yml b/.travis.yml index 6c1926a9f3..250c0f0557 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,7 +7,7 @@ before_script: - sudo /sbin/ip addr add 10.0.3.0/24 dev lo - sudo rm /etc/apt/sources.list.d/travis_ci_zeromq3-source.list - sudo apt-get update - - sudo apt-get install --no-install-recommends libboost-all-dev libtolua-dev bc libcdb-dev libnet-dns-perl unbound-host ldnsutils dnsutils bind9utils libtool libcdb-dev xmlto links asciidoc ruby-json ruby-sqlite3 rubygems libcurl4-openssl-dev ruby1.9.1 socat time libzmq1 libzmq-dev pkg-config daemontools authbind liblua5.1-posix1 libopendbx1-dev libopendbx1-sqlite3 python-virtualenv libldap2-dev + - sudo apt-get install --no-install-recommends libboost-all-dev libtolua-dev bc libcdb-dev libnet-dns-perl unbound-host ldnsutils dnsutils bind9utils libtool libcdb-dev xmlto links asciidoc ruby-json ruby-sqlite3 rubygems libcurl4-openssl-dev ruby1.9.1 socat time libzmq1 libzmq-dev pkg-config daemontools authbind liblua5.1-posix1 libopendbx1-dev libopendbx1-sqlite3 python-virtualenv libldap2-dev softhsm libp11-kit-dev p11-kit - sudo sh -c 'sed s/precise/trusty/g /etc/apt/sources.list > /etc/apt/sources.list.d/trusty.list' - sudo apt-get update - sudo apt-get install liblmdb0 liblmdb-dev lmdb-utils 
@@ -22,9 +22,16 @@ before_script: - cd modules/remotebackend - travis_retry ruby -S bundle install - cd ../.. + - sudo mkdir -p /etc/pkcs11/modules/ + - sudo cp -f regression-tests/softhsm.mod /etc/pkcs11/modules/softhsm + - sudo cp -f regression-tests/softhsm.conf /etc/softhsm/softhsm.conf + - sudo chmod 0755 /etc/softhsm/ + - sudo chmod 0644 /etc/softhsm/softhsm.conf + - sudo chmod 0777 /var/lib/softhsm + - p11-kit -l # ensure it's ok script: - ./bootstrap - - ./configure --with-modules='bind gmysql gpgsql gsqlite3 mydns tinydns remote random opendbx ldap lmdb' --enable-unit-tests --enable-remotebackend-http --enable-tools --enable-remotebackend-zeromq + - ./configure --with-modules='bind gmysql gpgsql gsqlite3 mydns tinydns remote random opendbx ldap lmdb' --enable-unit-tests --enable-remotebackend-http --enable-tools --enable-remotebackend-zeromq --enable-experimental-pkcs11 - make dist - make -j 4 - travis_retry make -j 4 check # Workaround for remotebackend failures on travis-ci @@ -53,6 +60,7 @@ script: - touch tests/verify-dnssec-zone/skip.optout - ./start-test-stop 5300 bind-both - ./start-test-stop 5300 bind-dnssec-both + - ./start-test-stop 5300 bind-dnssec-pkcs11 - ./start-test-stop 5300 bind-dnssec-nsec3-both - ./start-test-stop 5300 bind-dnssec-nsec3-optout-both - ./start-test-stop 5300 bind-dnssec-nsec3-narrow diff --git a/pdns/Makefile.am b/pdns/Makefile.am index 9c5ac51f48..785f8e653d 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am 
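Review bot: `sudo chmod 0777 /var/lib/softhsm` makes the SoftHSM token database directory world-writable on the CI host; the apparent goal is to let the unprivileged test user reach the tokens that the `sudo softhsm --init-token` calls in start-test-stop create, which `sudo chown "$USER" /var/lib/softhsm` (or a 0770 group grant) achieves without opening the store to every account on the machine. The `configure` line in the same hunk enables the feature with `--enable-experimental-pkcs11`, while the pdns.xml section added by this commit tells users to pass `--experimental-pkcs11-support`; one of the two names needs to be corrected. The `p11-kit -l # ensure it's ok` step only prints the module list, so as far as this hunk shows a missing softhsm module would not fail the job; `p11-kit -l | grep -q softhsm` would turn it into an actual check.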
@@ -179,9 +179,13 @@ sdig_SOURCES=sdig.cc sstuff.hh dnsparser.cc dnsparser.hh dnsrecords.cc dnswriter saxfr_SOURCES=saxfr.cc sstuff.hh dnsparser.cc dnsparser.hh dnsrecords.cc dnswriter.cc dnslabeltext.cc dnswriter.hh \ misc.cc misc.hh rcpgenerator.cc rcpgenerator.hh base64.cc base64.hh unix_utility.cc \ - logger.cc statbag.cc qtype.cc sillyrecords.cc nsecrecords.cc base32.cc dnssecinfra.cc + logger.cc statbag.cc qtype.cc sillyrecords.cc nsecrecords.cc base32.cc dnssecinfra.cc saxfr_LDADD= $(POLARSSL_LIBS) +if PKCS11 +saxfr_SOURCES += pkcs11signers.cc pkcs11signers.hh +saxfr_LDADD += $(P11KIT1_LIBS) +endif dnstcpbench_SOURCES=dnstcpbench.cc sstuff.hh dnsparser.cc dnsparser.hh dnsrecords.cc dnswriter.cc dnslabeltext.cc dnswriter.hh \ misc.cc misc.hh rcpgenerator.cc rcpgenerator.hh base64.cc base64.hh unix_utility.cc \ @@ -203,6 +207,10 @@ nsec3dig_SOURCES=nsec3dig.cc sstuff.hh dnsparser.cc dnsparser.hh dnsrecords.cc d logger.cc statbag.cc qtype.cc sillyrecords.cc nsecrecords.cc base32.cc nsec3dig_LDADD= $(POLARSSL_LIBS) +if PKCS11 +nsec3dig_SOURCES += pkcs11signers.cc pkcs11signers.hh +nsec3dig_LDADD += $(P11KIT1_LIBS) +endif toysdig_SOURCES=toysdig.cc sstuff.hh dnsparser.cc dnsparser.hh dnsrecords.cc dnswriter.cc dnslabeltext.cc dnswriter.hh \ misc.cc misc.hh rcpgenerator.cc rcpgenerator.hh base64.cc base64.hh unix_utility.cc \ @@ -219,6 +227,11 @@ tsig_tests_SOURCES=tsig-tests.cc sstuff.hh dnsparser.cc dnsparser.hh dnsrecords. tsig_tests_LDADD= $(POLARSSL_LIBS) +if PKCS11 +tsig_tests_SOURCES += pkcs11signers.cc pkcs11signers.hh +tsig_tests_LDADD += $(P11KIT1_LIBS) +endif + speedtest_SOURCES=speedtest.cc dnsparser.cc dnsparser.hh dnsrecords.cc dnswriter.cc dnslabeltext.cc dnswriter.hh \ misc.cc misc.hh rcpgenerator.cc rcpgenerator.hh base64.cc base64.hh unix_utility.cc \ qtype.cc sillyrecords.cc logger.cc statbag.cc nsecrecords.cc base32.cc diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc index 94d98a0fed..6da34f8514 100644 --- a/pdns/dnssecinfra.cc 
+++ b/pdns/dnssecinfra.cc @@ -79,7 +79,7 @@ DNSCryptoKeyEngine* DNSCryptoKeyEngine::makeFromISCString(DNSKEYRecordContent& d #ifdef HAVE_P11KIT1 dpk = PKCS11DNSCryptoKeyEngine::maker(algorithm); #else - throw new PDNSException("Cannot load PKCS#11 key without support for it"); + throw PDNSException("Cannot load PKCS#11 key without support for it"); #endif } else { dpk=make(algorithm); diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml index 1a570a392e..5423a1d064 100644 --- a/pdns/docs/pdns.xml +++ b/pdns/docs/pdns.xml @@ -13449,6 +13449,47 @@ $ pdnssec rectify-zone powerdnssec.org +
PKCS#11 support + + NB! This feature is experimental, and not ready for production. Use at your own risk! + + + To enable it, compile PowerDNS Authoritative Server using --experimental-pkcs11-support flag. This requires you to have p11-kit libraries and headers. + + + Instructions on how to setup SoftHSM to work with the feature after compilation on ubuntu/debian. + + apt-get install softhsm p11-kit + create directory /etc/pkcs11/modules + Add file called 'softhsm' there with (on some versions, use softhsm.module) + +module: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so +managed: yes + + + Run p11-kit -l to verify it worked (you should see softhsm there) + Create at least two tokens (ksk and zsk) with (slot-number starts from 0) + +softhsm --init-token --slot slot-number --label zone-ksk|zone-zsk --pin some-pin --so-pin another-pin + + + Run p11-kit -l to verify it worked (you should see softhsm there and tokens) + Assign the keys using + +pdnssec hsm assign zone rsasha256 ksk|zsk softhsm slot-id pin zone-ksk|zsk + + + Take note of the generated key id, if it always shows up 1, run pdnssec show-zone zone to retrieve them + Generate the keys using + +pdnssec hsm create-key zone key-id + + + Verify that everything worked with pdnssec show-zone zone, you should see valid data there + Enjoy using PKCS#11! + + +
Secure transfers From 3.3.1 and up, PowerDNS support secure DNSSEC transfers as described in 4) { + bits = boost::lexical_cast(cmds[4]); + } + if (bits < 1) { + cerr << "Invalid bit size " << bits << "given, must be positive integer"; + return 1; + } try { - dke->create(2048); - } catch (PDNSException& e1) { - cerr << e1.reason << endl; - return 1; - } catch (PDNSException* e2) { - cerr << e2->reason << endl; + dke->create(bits); + } catch (PDNSException& e) { + cerr << e.reason << endl; return 1; } - cerr << "Created key i think" << std::endl; + cerr << "Key of size " << bits << " created" << std::endl; return 0; } } else { diff --git a/pdns/pkcs11signers.cc b/pdns/pkcs11signers.cc index 32e82acef4..d5c36ded06 100644 --- a/pdns/pkcs11signers.cc +++ b/pdns/pkcs11signers.cc @@ -11,6 +11,7 @@ #include "dnssecinfra.hh" #include "pkcs11signers.hh" #include "pdnsexception.hh" +#include "logger.hh" /* TODO @@ -297,8 +298,8 @@ P11KitSlot::P11KitSlot(const P11KitSlot &rhs) P11KitSlot::~P11KitSlot() { - if (this->d_module) - this->d_module->functions->C_CloseAllSessions(this->d_slot); + if (this->d_module && this->d_session) + this->d_module->functions->C_CloseSession(this->d_session); } // DO NOT CALL THIS ON YOUR OWN 
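Review bot: `boost::lexical_cast<int>(cmds[4])` throws `boost::bad_lexical_cast` on a non-numeric argument, and the call sits before the `try` block, so a mistyped size (constructed example: `pdnssec hsm create-key zone id 2o48`) escapes as an uncaught exception instead of reaching the new "Invalid bit size" path; wrap the conversion, e.g. `try { bits = boost::lexical_cast<int>(cmds[4]); } catch (boost::bad_lexical_cast&) { bits = 0; }`, so the existing `bits < 1` check reports it. The message itself lacks a space and a line break: `cerr << "Invalid bit size " << bits << " given, must be positive integer" << endl;`. A lower bound of 1 also accepts sizes the token will almost certainly reject; the code this replaces hard-coded 2048, so a floor in that range would be a more useful guard. The declaration and default value of `bits` are not visible in the hunk, and the enclosing command handler begins before it.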
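Review bot: The destructor now releases a per-object session via `C_CloseSession(this->d_session)`, but the copy constructor `P11KitSlot::P11KitSlot(const P11KitSlot &rhs)` declared just above the hunk means two objects can hold the same handle; if it copies `d_session`, both destructors close the same session, and since PKCS#11 modules may reuse handles after a close the second call can hit a session that belongs to someone else rather than merely returning CKR_SESSION_HANDLE_INVALID. The copy constructor's body is outside the hunk, so please confirm it resets `d_session` in the copy or that copies never outlive the original. The return value of `C_CloseSession` is also discarded; capturing it as `CK_RV rv` and logging a non-CKR_OK result at debug level (logger.hh is now included by this commit) would make leaked sessions visible without changing behaviour.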
@@ -594,9 +595,9 @@ static bool pkcs11_GetSlot(const std::string& engine, CK_SLOT_ID slotId, const s return false; }; rv = slot.Login(pin, CKU_USER); -// if (rv) { -// std::cerr << "Login gave " << rv << std::endl; -// }; + if (rv) { + L<: +# +# The given paths are just an indication to SoftHSM on where it should +# store the information for each token. + +0:/var/lib/softhsm/slot0.db +1:/var/lib/softhsm/slot1.db +2:/var/lib/softhsm/slot2.db +3:/var/lib/softhsm/slot3.db +4:/var/lib/softhsm/slot4.db +5:/var/lib/softhsm/slot5.db +6:/var/lib/softhsm/slot6.db +7:/var/lib/softhsm/slot7.db +8:/var/lib/softhsm/slot8.db +9:/var/lib/softhsm/slot9.db +10:/var/lib/softhsm/slot10.db +11:/var/lib/softhsm/slot11.db +12:/var/lib/softhsm/slot12.db +13:/var/lib/softhsm/slot13.db +14:/var/lib/softhsm/slot14.db +15:/var/lib/softhsm/slot15.db +16:/var/lib/softhsm/slot16.db +17:/var/lib/softhsm/slot17.db +18:/var/lib/softhsm/slot18.db +19:/var/lib/softhsm/slot19.db +20:/var/lib/softhsm/slot20.db +21:/var/lib/softhsm/slot21.db +22:/var/lib/softhsm/slot22.db +23:/var/lib/softhsm/slot23.db +24:/var/lib/softhsm/slot24.db +25:/var/lib/softhsm/slot25.db diff --git a/regression-tests/softhsm.mod b/regression-tests/softhsm.mod new file mode 100644 index 0000000000..1f1ff19393 --- /dev/null +++ b/regression-tests/softhsm.mod @@ -0,0 +1,2 @@ +module: /usr/lib/libsofthsm.so +managed: yes diff --git a/regression-tests/start-test-stop b/regression-tests/start-test-stop index 96977dc627..74882df638 100755 --- a/regression-tests/start-test-stop +++ b/regression-tests/start-test-stop @@ -54,6 +54,7 @@ securezone () { local zone=$1 local configname=$2 + if [ -n "$configname" ] then configname="--config-name=$configname" 
@@ -66,7 +67,26 @@ securezone () ../pdns/pdnssec --config-dir=. $configname activate-zone-key $zone $keyid 2>&1 ../pdns/pdnssec --config-dir=. $configname rectify-zone $zone 2>&1 else - ../pdns/pdnssec --config-dir=. $configname secure-zone $zone 2>&1 + # check if PKCS#11 should be used + if [ $pcks11 -eq 1 ]; then + if [ "$slot" == "" ]; then + slot=0 + else + slot=$((slot+1)) + fi + sudo softhsm --init-token --slot $slot --label label$slot --pin 123$slot --so-pin 123$slot + kid=`../pdns/pdnssec --config-dir=. $configname hsm assign $zone rsasha256 ksk softhsm $slot 123$slot label$slot 2>&1 | grep softhsm | awk '{ print $NF }'` +# keep this until #1413 is merged + kid=`../pdns/pdnssec --config-dir=. $configname show-zone $zone | grep 'ID =.*KSK' | awk '{ print $3 }'` + ../pdns/pdnssec --config-dir=. $configname hsm create-key $zone $kid + slot=$((slot+1)) + sudo softhsm --init-token --slot $slot --label label$slot --pin 123$slot --so-pin 123$slot + kid=`../pdns/pdnssec --config-dir=. $configname hsm assign $zone rsasha256 zsk softhsm $slot 123$slot label$slot 2>&1 | grep softhsm | awk '{ print $NF }'` + kid=`../pdns/pdnssec --config-dir=. $configname show-zone $zone | grep 'ID =.*ZSK' | awk '{ print $3 }'` + ../pdns/pdnssec --config-dir=. $configname hsm create-key $zone $kid + else + ../pdns/pdnssec --config-dir=. $configname secure-zone $zone 2>&1 + fi fi } @@ -227,12 +247,19 @@ then fi optout=0 +pkcs11=0 if [ "${context: -13}" = "-nsec3-optout" ] then optout=1 fi +if [ "${context: -7}" = "-pkcs11" ] +then + pcks11=1 + context=${context:0:-7} +fi + # check for lua if grep -q "^#define HAVE_LUA 1" ../config.h then
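Review bot: The new branch tests `if [ $pcks11 -eq 1 ]`, but the flag is initialised as `pkcs11=0` in the `@@ -227,12 +247,19 @@` hunk of the same file and then set as `pcks11=1`; in every non-PKCS#11 run `$pcks11` is unset, `[ -eq 1 ]` prints a "unary operator expected" error before falling through to the plain secure-zone path, and the `pkcs11=0` default is never read. Pick one spelling and quote the expansion: `if [ "$pkcs11" -eq 1 ]; then` here and `pkcs11=1` in the later hunk. The first `kid=` assignment in each key block is overwritten immediately by the show-zone lookup (the `#1413` comment explains why), so the `2>&1 | grep softhsm | awk` pipeline currently only masks the assign command's exit status; appending `|| exit 1` to the two `hsm create-key` lines would at least stop the run when the HSM step itself fails. `${context:0:-7}` relies on bash's negative substring length, which needs bash 4.2 or later; `${context%-pkcs11}` expresses the same intent portably.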