fix ods-ksmutil for 2.0.x #920

Closed
wants to merge 1 commit into from

Conversation

@tduehr commented Jul 14, 2017

It became ods-enforcer and its behavior changed.

@MartinBasti (Contributor)

Thank you for the patch! LGTM. I put the missing pieces in the description to keep track of them.

However, the upstream CI and gating rely heavily on Fedora; we cannot merge this patch without having the latest opendnssec package in Fedora.

Postponing this until opendnssec is available in Fedora or we have a promising answer from the Fedora opendnssec maintainer.

@tduehr (Author) commented Jul 17, 2017

It's no longer supported in 2.0.x. I'm not sure the exact effect of that.

@MartinBasti (Contributor)

Could you please try to install 2 FreeIPA servers with DNSSEC, with a DNSSEC-signed zone (ipa dnszone-add example.test. --dnssec=true), and test whether both servers provide DNSSEC-signed answers (dig +dnssec @server_ip example.test. SOA)?

@tduehr (Author) commented Jul 19, 2017

I'm not getting dnssec responses from either of my hosts. They're upgrades from previous versions so I don't know how/if that changes anything either.

Looks like I may have another, possibly related, bug to deal with.

@tduehr (Author) commented Jul 19, 2017

It seems that for some reason I needed to run ods-enforcer policy import to get the zones added, but I'm still not seeing signatures in DNS replies.

I see errors in the journal for ods-exporter:

ipapython.p11helper.Error: Error at key wrapping: get buffer length: 0x70

@tduehr (Author) commented Jul 20, 2017

There are some errors in ipa-ods-exporter related to the schema change.

@MartinBasti (Contributor)

I see errors in the journal for ods-exporter: ipapython.p11helper.Error: Error at key wrapping: get buffer length: 0x70

That's exactly what I was afraid of.

#define CKR_MECHANISM_INVALID  0x00000070

CKR_MECHANISM_INVALID: An invalid mechanism was specified to the
cryptographic operation. This error code is an appropriate return value if an unknown
mechanism was specified or if the mechanism specified cannot be used in the selected token
with the selected function.

Because the key is probably not marked as extractable, SoftHSM doesn't allow wrapping that key and sending it encrypted to other replicas.

Source: https://www.cryptsoft.com/pkcs11doc/STANDARD/pkcs-11v2-11r1.pdf

Could you please run the following commands on a DNSSEC master server and provide the output: https://www.freeipa.org/page/Troubleshooting#DNS_keys_are_stored_in_local_HSM_on_key_master_replica

@tduehr (Author) commented Jul 21, 2017

I didn't think about that being the reason somehow. That'll give me enough to work on to figure that out.

@tduehr (Author) commented Jul 21, 2017

root@sfldap:~# sudo -u opendnssec -s /bin/bash
bash: /root/.bashrc: Permission denied
opendnssec@sfldap:~$ python2 /usr/lib/python2.7/dist-packages/ipapython/dnssec/localhsm.py
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ipapython/dnssec/localhsm.py", line 194, in <module>
    open(paths.DNSSEC_SOFTHSM_PIN).read())
  File "/usr/lib/python2.7/dist-packages/ipapython/dnssec/localhsm.py", line 96, in __init__
    self.p11 = _ipap11helper.P11_Helper(label, pin, library)
  File "/usr/lib/python2.7/dist-packages/ipapython/p11helper.py", line 873, in __init__
    raise Error("No slot for label {} found".format(self.token_label))
ipapython.p11helper.Error: No slot for label 0 found
Exception AttributeError: "'LocalHSM' object has no attribute 'p11'" in <bound method LocalHSM.__del__ of <__main__.LocalHSM object at 0x7f61365ed810>> ignored
opendnssec@sfldap:~$ softhsm2-util --show-slots
ERROR: Could not initialize the library.
root@sfldap:~# softhsm-util --show-slots
No command 'softhsm-util' found, did you mean:
 Command 'softhsm2-util' from package 'softhsm2' (universe)
softhsm-util: command not found
root@sfldap:~# softhsm2-util --show-slots
Available slots:
Slot 1674633294
    Slot info:
        Description:      SoftHSM slot ID 0x63d0e04e                                      
        Manufacturer ID:  SoftHSM project                 
        Hardware version: 2.2
        Firmware version: 2.2
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project                 
        Model:            SoftHSM v2      
        Hardware version: 2.2
        Firmware version: 2.2
        Serial number:    d46a06e863d0e04e
        Initialized:      yes
        User PIN init.:   yes
        Label:            ipaDNSSEC                       
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1                                             
        Manufacturer ID:  SoftHSM project                 
        Hardware version: 2.2
        Firmware version: 2.2
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project                 
        Model:            SoftHSM v2      
        Hardware version: 2.2
        Firmware version: 2.2
        Serial number:                    
        Initialized:      no
        User PIN init.:   no
        Label:                                            

@tduehr (Author) commented Jul 23, 2017

Is this what we're looking for?

root@sfldap:~# ods-enforcer key export --zone example.test.
example.test.	3600	IN	DNSKEY	257 3 8 ... ;{id = 39454 (ksk), size = 3072b}
key export completed in 0 seconds.

@MartinBasti (Contributor)

Sorry, it looks like the troubleshooting guide is missing a few steps (those are in the previous section).

It should be:

sudo -u ods -s /bin/bash
source /etc/sysconfig/ods
export SOFTHSM2_CONF
python2 /usr/lib/python2.7/dist-packages/ipapython/dnssec/localhsm.py

or you can just run:
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf python2 /usr/lib/python2.7/dist-packages/ipapython/dnssec/localhsm.py

FreeIPA is using a custom SoftHSM storage, so the env variable SOFTHSM2_CONF must be set to FreeIPA's config.

@tduehr (Author) commented Jul 23, 2017

root@sfldap:~# sudo -u opendnssec -s /bin/bash
bash: /root/.bashrc: Permission denied
opendnssec@sfldap:~$ source /etc/sys
sysctl.conf  sysctl.d/    systemd/     
opendnssec@sfldap:~$ source /etc/de
debconf.conf    default/        depmod.d/       
debian_version  deluser.conf    
opendnssec@sfldap:~$ source /etc/default/open
opendnssec  open-iscsi  
opendnssec@sfldap:~$ source /etc/default/opendnssec 
opendnssec@sfldap:~$ export SOFTHSM2_CONF
opendnssec@sfldap:~$ less /etc/default/opendnssec 
opendnssec@sfldap:~$ echo $SOFTHSM2_CONF
/etc/ipa/dnssec/softhsm2.conf
opendnssec@sfldap:~$ python2 /usr/lib/python2.7/dist-packages/ipapython/dnssec/localhsm.py
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ipapython/dnssec/localhsm.py", line 194, in <module>
    open(paths.DNSSEC_SOFTHSM_PIN).read())
  File "/usr/lib/python2.7/dist-packages/ipapython/dnssec/localhsm.py", line 96, in __init__
    self.p11 = _ipap11helper.P11_Helper(label, pin, library)
  File "/usr/lib/python2.7/dist-packages/ipapython/p11helper.py", line 873, in __init__
    raise Error("No slot for label {} found".format(self.token_label))
ipapython.p11helper.Error: No slot for label 0 found
Exception AttributeError: "'LocalHSM' object has no attribute 'p11'" in <bound method LocalHSM.__del__ of <__main__.LocalHSM object at 0x7fa1449e4810>> ignored

@MartinBasti (Contributor)

Sorry, it is a regression caused by the latest fix :-(

Fix below:

if __name__ == '__main__':
    if 'SOFTHSM2_CONF' not in os.environ:
        os.environ['SOFTHSM2_CONF'] = paths.DNSSEC_SOFTHSM2_CONF
-    localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+    localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, ipalib.constants.SOFTHSM_DNSSEC_TOKEN_LABEL,
            open(paths.DNSSEC_SOFTHSM_PIN).read())
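Review bot: the `+` line references `ipalib.constants.SOFTHSM_DNSSEC_TOKEN_LABEL`, but nothing in the shown block imports `ipalib.constants`, so the script would fail with a NameError before it reaches the `LocalHSM(...)` call; the fix needs the matching import added next to the module's other imports. The `-` line passed the literal `0` as the token label, which is exactly what produced "No slot for label 0 found" in the traceback above, so replacing the literal with the shared constant (rather than hard-coding the label string) is the right direction.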

@tduehr (Author) commented Jul 24, 2017

HA! It works! I added an import and rebased to master, thinking that was already there.

Now on to that SQL error...

root@sfldap:~# sudo -u opendnssec -s /bin/bash
bash: /root/.bashrc: Permission denied
opendnssec@sfldap:~$ source /etc/default/opendnssec
opendnssec@sfldap:~$ export SOFTHSM2_CONF
opendnssec@sfldap:~$ echo $SOFTHSM2_CONF
/etc/ipa/dnssec/softhsm2.conf
opendnssec@sfldap:~$ python2 /usr/lib/python2.7/dist-packages/ipapython/dnssec/localhsm.py
replica public keys: CKA_WRAP = TRUE
====================================
8d377a1db4c7282166e6017b43570103
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:ldap.example.com.', 'ipk11modifiable': True, 'ipk11local': False, 'ipk11id': '\x8d7z\x1d\xb4\xc7(!f\xe6\x01{CW\x01\x03', 'ipk11keytype': 'rsa', 'ipk11wrap': True, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': True}
a21ce9a47709bf2996a4315f057e3c84
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:sfldap.example.com.', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\xa2\x1c\xe9\xa4w\t\xbf)\x96\xa41_\x05~<\x84', 'ipk11keytype': 'rsa', 'ipk11wrap': True, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': False}

replica public keys: all
========================
ef44a4fd5a03b0d610f463accda57628
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:ldap.example.com.', 'ipk11modifiable': True, 'ipk11local': False, 'ipk11id': '\xefD\xa4\xfdZ\x03\xb0\xd6\x10\xf4c\xac\xcd\xa5v(', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': True}
8d377a1db4c7282166e6017b43570103
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:ldap.example.com.', 'ipk11modifiable': True, 'ipk11local': False, 'ipk11id': '\x8d7z\x1d\xb4\xc7(!f\xe6\x01{CW\x01\x03', 'ipk11keytype': 'rsa', 'ipk11wrap': True, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': True}
a58836b3bdb1204f75b01316a0aa9655
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:sfldap.example.com.', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\xa5\x886\xb3\xbd\xb1 Ou\xb0\x13\x16\xa0\xaa\x96U', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': False}
563edddadab87fcf42bf374c84c20570
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:sfldap.example.com.', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': 'V>\xdd\xda\xda\xb8\x7f\xcfB\xbf7L\x84\xc2\x05p', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': False}
949c0acdebe8f831116c6b3de27d5753
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:sfldap.example.com.', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\x94\x9c\n\xcd\xeb\xe8\xf81\x11lk=\xe2}WS', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': False}
8e29ccbe7815f24ba19749472ad0d26c
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:sfldap.example.com.', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\x8e)\xcc\xbex\x15\xf2K\xa1\x97IG*\xd0\xd2l', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': False}
1c119a928b25c957b50d7e8c699129aa
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:sfldap.example.com.', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\x1c\x11\x9a\x92\x8b%\xc9W\xb5\r~\x8ci\x91)\xaa', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': False}
a21ce9a47709bf2996a4315f057e3c84
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:sfldap.example.com.', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\xa2\x1c\xe9\xa4w\t\xbf)\x96\xa41_\x05~<\x84', 'ipk11keytype': 'rsa', 'ipk11wrap': True, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': False}
e17c562fdca29a74596e1a33091eb666
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:sfldap.example.com.', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\xe1|V/\xdc\xa2\x9atYn\x1a3\t\x1e\xb6f', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': False}
eed789bb5f8cdceac0473a243d60a3d5
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:ldap.example.com.', 'ipk11modifiable': True, 'ipk11local': False, 'ipk11id': '\xee\xd7\x89\xbb_\x8c\xdc\xea\xc0G:$=`\xa3\xd5', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': True}
deb0cad588aefe3e4f6a2a61f29001a0
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:sfldap.example.com.', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\xde\xb0\xca\xd5\x88\xae\xfe>Oj*a\xf2\x90\x01\xa0', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': False}

master keys
===========
dc3fc8b6ca356409cfab6320d6b05737
{'ipk11encrypt': False, 'ipk11alwayssensitive': True, 'ipk11trusted': False, 'ipk11decrypt': False, 'ipk11label': u'dnssec-master', 'ipk11modifiable': True, 'ipk11unwrap': True, 'ipk11local': True, 'ipk11neverextractable': False, 'ipk11id': '\xdc?\xc8\xb6\xca5d\t\xcf\xabc \xd6\xb0W7', 'ipk11keytype': 'aes', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11extractable': True, 'ipk11sensitive': True, 'ipk11sign': False, 'ipk11wrapwithtrusted': False}
3d0247733122ff30713b8f928e2cc29a
{'ipk11encrypt': False, 'ipk11alwayssensitive': True, 'ipk11trusted': False, 'ipk11decrypt': False, 'ipk11label': u'dnssec-master', 'ipk11modifiable': True, 'ipk11unwrap': True, 'ipk11local': True, 'ipk11neverextractable': False, 'ipk11id': '=\x02Gs1"\xff0q;\x8f\x92\x8e,\xc2\x9a', 'ipk11keytype': 'aes', 'ipk11wrap': True, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11extractable': True, 'ipk11sensitive': True, 'ipk11sign': False, 'ipk11wrapwithtrusted': False}
1d13b13c60e556d8a5616bb092c96a16
{'ipk11encrypt': False, 'ipk11alwayssensitive': True, 'ipk11trusted': False, 'ipk11decrypt': False, 'ipk11label': u'dnssec-master', 'ipk11modifiable': True, 'ipk11unwrap': True, 'ipk11local': True, 'ipk11neverextractable': False, 'ipk11id': '\x1d\x13\xb1<`\xe5V\xd8\xa5ak\xb0\x92\xc9j\x16', 'ipk11keytype': 'aes', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11extractable': True, 'ipk11sensitive': True, 'ipk11sign': False, 'ipk11wrapwithtrusted': False}
3d6ce3bc4fdc4c83e535660f468c30d7
{'ipk11encrypt': False, 'ipk11alwayssensitive': True, 'ipk11trusted': False, 'ipk11decrypt': False, 'ipk11label': u'dnssec-master', 'ipk11modifiable': True, 'ipk11unwrap': True, 'ipk11local': True, 'ipk11neverextractable': False, 'ipk11id': '=l\xe3\xbcO\xdcL\x83\xe55f\x0fF\x8c0\xd7', 'ipk11keytype': 'aes', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11extractable': True, 'ipk11sensitive': True, 'ipk11sign': False, 'ipk11wrapwithtrusted': False}

zone public keys
================
896d6a09b345d4f0a410d71edc4da15c
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'896d6a09b345d4f0a410d71edc4da15c', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\x89mj\t\xb3E\xd4\xf0\xa4\x10\xd7\x1e\xdcM\xa1\\', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': True, 'ipk11private': False, 'ipk11derive': False, 'ipk11verifyrecover': True}
27997d1c5871e58a828cd99711c5124f
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'27997d1c5871e58a828cd99711c5124f', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': "'\x99}\x1cXq\xe5\x8a\x82\x8c\xd9\x97\x11\xc5\x12O", 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': True, 'ipk11private': False, 'ipk11derive': False, 'ipk11verifyrecover': True}
0448fedd120e65426268d192d580516d
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'0448fedd120e65426268d192d580516d', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\x04H\xfe\xdd\x12\x0eeBbh\xd1\x92\xd5\x80Qm', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': True, 'ipk11private': False, 'ipk11derive': False, 'ipk11verifyrecover': True}
acc08a94c6a04fbc6581209b03bf248b
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'acc08a94c6a04fbc6581209b03bf248b', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\xac\xc0\x8a\x94\xc6\xa0O\xbce\x81 \x9b\x03\xbf$\x8b', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': True, 'ipk11private': False, 'ipk11derive': False, 'ipk11verifyrecover': True}
e72f60a2f0c27a3026e342eb35008ab8
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'e72f60a2f0c27a3026e342eb35008ab8', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\xe7/`\xa2\xf0\xc2z0&\xe3B\xeb5\x00\x8a\xb8', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': True, 'ipk11private': False, 'ipk11derive': False, 'ipk11verifyrecover': True}
80089f7fe488a2d2d600724180052ee2
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'80089f7fe488a2d2d600724180052ee2', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\x80\x08\x9f\x7f\xe4\x88\xa2\xd2\xd6\x00rA\x80\x05.\xe2', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': True, 'ipk11private': False, 'ipk11derive': False, 'ipk11verifyrecover': True}
e8d58beb62ad167f927dfe3e38f86033
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'e8d58beb62ad167f927dfe3e38f86033', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\xe8\xd5\x8b\xebb\xad\x16\x7f\x92}\xfe>8\xf8`3', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': True, 'ipk11private': False, 'ipk11derive': False, 'ipk11verifyrecover': True}
ffceedd428136507d0b8bd7848ee1c31
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'ffceedd428136507d0b8bd7848ee1c31', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\xff\xce\xed\xd4(\x13e\x07\xd0\xb8\xbdxH\xee\x1c1', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': True, 'ipk11private': False, 'ipk11derive': False, 'ipk11verifyrecover': True}

zone private keys
=================
896d6a09b345d4f0a410d71edc4da15c
{'ipk11private': True, 'ipk11alwayssensitive': True, 'ipk11decrypt': False, 'ipk11label': u'896d6a09b345d4f0a410d71edc4da15c', 'ipk11modifiable': True, 'ipk11unwrap': False, 'ipk11local': True, 'ipk11id': '\x89mj\t\xb3E\xd4\xf0\xa4\x10\xd7\x1e\xdcM\xa1\\', 'ipk11keytype': 'rsa', 'ipk11alwaysauthenticate': False, 'ipk11neverextractable': True, 'ipk11signrecover': True, 'ipk11derive': False, 'ipk11extractable': False, 'ipk11sensitive': True, 'ipk11sign': True, 'ipk11wrapwithtrusted': False}
27997d1c5871e58a828cd99711c5124f
{'ipk11private': True, 'ipk11alwayssensitive': True, 'ipk11decrypt': False, 'ipk11label': u'27997d1c5871e58a828cd99711c5124f', 'ipk11modifiable': True, 'ipk11unwrap': False, 'ipk11local': True, 'ipk11id': "'\x99}\x1cXq\xe5\x8a\x82\x8c\xd9\x97\x11\xc5\x12O", 'ipk11keytype': 'rsa', 'ipk11alwaysauthenticate': False, 'ipk11neverextractable': True, 'ipk11signrecover': True, 'ipk11derive': False, 'ipk11extractable': False, 'ipk11sensitive': True, 'ipk11sign': True, 'ipk11wrapwithtrusted': False}
0448fedd120e65426268d192d580516d
{'ipk11private': True, 'ipk11alwayssensitive': True, 'ipk11decrypt': False, 'ipk11label': u'0448fedd120e65426268d192d580516d', 'ipk11modifiable': True, 'ipk11unwrap': False, 'ipk11local': True, 'ipk11id': '\x04H\xfe\xdd\x12\x0eeBbh\xd1\x92\xd5\x80Qm', 'ipk11keytype': 'rsa', 'ipk11alwaysauthenticate': False, 'ipk11neverextractable': True, 'ipk11signrecover': True, 'ipk11derive': False, 'ipk11extractable': False, 'ipk11sensitive': True, 'ipk11sign': True, 'ipk11wrapwithtrusted': False}
acc08a94c6a04fbc6581209b03bf248b
{'ipk11private': True, 'ipk11alwayssensitive': True, 'ipk11decrypt': False, 'ipk11label': u'acc08a94c6a04fbc6581209b03bf248b', 'ipk11modifiable': True, 'ipk11unwrap': False, 'ipk11local': True, 'ipk11id': '\xac\xc0\x8a\x94\xc6\xa0O\xbce\x81 \x9b\x03\xbf$\x8b', 'ipk11keytype': 'rsa', 'ipk11alwaysauthenticate': False, 'ipk11neverextractable': True, 'ipk11signrecover': True, 'ipk11derive': False, 'ipk11extractable': False, 'ipk11sensitive': True, 'ipk11sign': True, 'ipk11wrapwithtrusted': False}
e72f60a2f0c27a3026e342eb35008ab8
{'ipk11private': True, 'ipk11alwayssensitive': True, 'ipk11decrypt': False, 'ipk11label': u'e72f60a2f0c27a3026e342eb35008ab8', 'ipk11modifiable': True, 'ipk11unwrap': False, 'ipk11local': True, 'ipk11id': '\xe7/`\xa2\xf0\xc2z0&\xe3B\xeb5\x00\x8a\xb8', 'ipk11keytype': 'rsa', 'ipk11alwaysauthenticate': False, 'ipk11neverextractable': True, 'ipk11signrecover': True, 'ipk11derive': False, 'ipk11extractable': False, 'ipk11sensitive': True, 'ipk11sign': True, 'ipk11wrapwithtrusted': False}
80089f7fe488a2d2d600724180052ee2
{'ipk11private': True, 'ipk11alwayssensitive': True, 'ipk11decrypt': False, 'ipk11label': u'80089f7fe488a2d2d600724180052ee2', 'ipk11modifiable': True, 'ipk11unwrap': False, 'ipk11local': True, 'ipk11id': '\x80\x08\x9f\x7f\xe4\x88\xa2\xd2\xd6\x00rA\x80\x05.\xe2', 'ipk11keytype': 'rsa', 'ipk11alwaysauthenticate': False, 'ipk11neverextractable': True, 'ipk11signrecover': True, 'ipk11derive': False, 'ipk11extractable': False, 'ipk11sensitive': True, 'ipk11sign': True, 'ipk11wrapwithtrusted': False}
e8d58beb62ad167f927dfe3e38f86033
{'ipk11private': True, 'ipk11alwayssensitive': True, 'ipk11decrypt': False, 'ipk11label': u'e8d58beb62ad167f927dfe3e38f86033', 'ipk11modifiable': True, 'ipk11unwrap': False, 'ipk11local': True, 'ipk11id': '\xe8\xd5\x8b\xebb\xad\x16\x7f\x92}\xfe>8\xf8`3', 'ipk11keytype': 'rsa', 'ipk11alwaysauthenticate': False, 'ipk11neverextractable': True, 'ipk11signrecover': True, 'ipk11derive': False, 'ipk11extractable': False, 'ipk11sensitive': True, 'ipk11sign': True, 'ipk11wrapwithtrusted': False}
ffceedd428136507d0b8bd7848ee1c31
{'ipk11private': True, 'ipk11alwayssensitive': True, 'ipk11decrypt': False, 'ipk11label': u'ffceedd428136507d0b8bd7848ee1c31', 'ipk11modifiable': True, 'ipk11unwrap': False, 'ipk11local': True, 'ipk11id': '\xff\xce\xed\xd4(\x13e\x07\xd0\xb8\xbdxH\xee\x1c1', 'ipk11keytype': 'rsa', 'ipk11alwaysauthenticate': False, 'ipk11neverextractable': True, 'ipk11signrecover': True, 'ipk11derive': False, 'ipk11extractable': False, 'ipk11sensitive': True, 'ipk11sign': True, 'ipk11wrapwithtrusted': False}

@tduehr (Author) commented Jul 24, 2017

huh... It seems they no longer support the rsa key wrap mechanisms: https://wiki.opendnssec.org/display/SoftHSM/v2+Mechanisms

@MartinBasti (Contributor) commented Jul 24, 2017

Oh, why... I will check some things on Wednesday, and it looks like I must file regression bugs against opendnssec and softhsm.

@tduehr (Author) commented Jul 24, 2017

It's entirely possible their documentation is not up to date. There are more in the headers. I haven't gone through the code yet, but I suspect there are new ones there.

@tduehr (Author) commented Jul 24, 2017

Another clue: https://stackoverflow.com/questions/12246498/what-does-cka-sensitive-attribute-in-pkcs-11-means#12314810

Unfortunately, I have to redo the DNSSEC entirely to test it. I have a staging env but it's a long test cycle for tweaks.

@tduehr (Author) commented Jul 25, 2017

Still getting the same 0x70 error but that's most likely because I'm having problems clearing out the softhsm config between trials.

@MartinBasti (Contributor)

I checked the keys in SoftHSM and currently we have the keys extractable.

zone private keys
=================
8e29b227302b1e1b3b2a646301cf7bc3
{'ipk11private': True, 'ipk11alwayssensitive': True, 'ipk11decrypt': False, 'ipk11label': u'8e29b227302b1e1b3b2a646301cf7bc3', 'ipk11modifiable': True, 'ipk11unwrap': False, 'ipk11local': True, 'ipk11id': "\x8e)\xb2'0+\x1e\x1b;*dc\x01\xcf{\xc3", 'ipk11keytype': 'rsa', 'ipk11alwaysauthenticate': False, 'ipk11neverextractable': False, 'ipk11signrecover': True, 'ipk11derive': False, 'ipk11extractable': True, 'ipk11sensitive': True, 'ipk11sign': True, 'ipk11wrapwithtrusted': False}
c565d2fb0a911102d903c42e6b2c52e7
{'ipk11private': True, 'ipk11alwayssensitive': True, 'ipk11decrypt': False, 'ipk11label': u'c565d2fb0a911102d903c42e6b2c52e7', 'ipk11modifiable': True, 'ipk11unwrap': False, 'ipk11local': True, 'ipk11id': '\xc5e\xd2\xfb\n\x91\x11\x02\xd9\x03\xc4.k,R\xe7', 'ipk11keytype': 'rsa', 'ipk11alwaysauthenticate': False, 'ipk11neverextractable': False, 'ipk11signrecover': True, 'ipk11derive': False, 'ipk11extractable': True, 'ipk11sensitive': True, 'ipk11sign': True, 'ipk11wrapwithtrusted': False}

Compare 'ipk11extractable': True and 'ipk11neverextractable': False with your output. Without extractable keys we cannot distribute key material to other replicas. So we have to ask for <AllowExtraction/> to be added back to the config.
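As an added diagnostic example (not code from FreeIPA, SoftHSM or this PR), the script below does two things the thread otherwise leaves to eyeballing: it decodes the hex return code at the end of a p11helper message such as "Error at key wrapping: get buffer length: 0x70" into its PKCS#11 CKR_* name, and it parses the localhsm.py dump layout shown above (section title underlined with '=', then alternating 32-hex-digit key ids and attribute dicts) to flag the conditions described in this thread: zone private keys with CKA_EXTRACTABLE false or CKA_NEVER_EXTRACTABLE true, a non-extractable master key, and no replica public key carrying CKA_WRAP. The CKR_* table is a subset of the standard's return values; the sample dump, its key ids and labels are constructed, and the function names are my own.

```python
import ast
import re

# Subset of the PKCS#11 v2.x return values (CKR_*), taken from the standard;
# 0x70 is the code at the end of the "get buffer length: 0x70" message.
CKR_NAMES = {
    0x00: "CKR_OK",
    0x60: "CKR_KEY_HANDLE_INVALID",
    0x62: "CKR_KEY_SIZE_RANGE",
    0x63: "CKR_KEY_TYPE_INCONSISTENT",
    0x68: "CKR_KEY_FUNCTION_NOT_PERMITTED",
    0x69: "CKR_KEY_NOT_WRAPPABLE",
    0x6A: "CKR_KEY_UNEXTRACTABLE",
    0x70: "CKR_MECHANISM_INVALID",
    0x71: "CKR_MECHANISM_PARAM_INVALID",
    0xA0: "CKR_PIN_INCORRECT",
}


def decode_p11_error(message):
    """Map a p11helper message that ends in a hex code to (code, CKR_* name)."""
    m = re.search(r"0x([0-9A-Fa-f]+)\s*$", message)
    if not m:
        return None
    code = int(m.group(1), 16)
    return code, CKR_NAMES.get(code, "unknown CKR_* code")


HEX_ID = re.compile(r"^[0-9a-f]{32}$")


def parse_localhsm_dump(text):
    """Parse localhsm.py output into {section title: [(key id, attribute dict)]}."""
    lines = text.splitlines()
    sections, current, pending_id = {}, None, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        stripped = line.strip()
        if nxt and set(nxt) == {"="}:            # a title: the next line is its underline
            current = stripped
            sections[current] = []
        elif stripped and set(stripped) == {"="}:
            continue                              # the underline itself
        elif HEX_ID.match(stripped):
            pending_id = stripped                 # key id; its dict follows on the next line
        elif stripped.startswith("{") and current is not None and pending_id:
            # literal_eval accepts the Python 2 u'...' and '\x..' reprs in the dump
            sections[current].append((pending_id, ast.literal_eval(stripped)))
            pending_id = None
    return sections


def diagnose(sections):
    """Explain, from the attribute flags alone, why wrapping keys for export fails."""
    findings = []
    for key_id, attrs in sections.get("zone private keys", []):
        if not attrs.get("ipk11extractable") or attrs.get("ipk11neverextractable"):
            findings.append(
                "zone private key %s is not extractable (CKA_EXTRACTABLE=%s, "
                "CKA_NEVER_EXTRACTABLE=%s); SoftHSM refuses to wrap it for export"
                % (key_id, attrs.get("ipk11extractable"),
                   attrs.get("ipk11neverextractable")))
    for key_id, attrs in sections.get("master keys", []):
        if not attrs.get("ipk11extractable"):
            findings.append("master key %s is not extractable" % key_id)
    if not any(a.get("ipk11wrap")
               for _, a in sections.get("replica public keys: all", [])):
        findings.append("no replica public key has CKA_WRAP=TRUE, so the master "
                        "key cannot be wrapped for distribution to replicas")
    return findings


# Constructed sample in the localhsm.py layout (ids and labels are made up).
SAMPLE_DUMP = """\
replica public keys: CKA_WRAP = TRUE
====================================

replica public keys: all
========================
00000000000000000000000000000001
{'ipk11label': u'dnssec-replica:replica1.example.test.', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11local': True}

master keys
===========
00000000000000000000000000000002
{'ipk11label': u'dnssec-master', 'ipk11keytype': 'aes', 'ipk11wrap': True, 'ipk11extractable': True, 'ipk11neverextractable': False}

zone private keys
=================
00000000000000000000000000000003
{'ipk11label': u'00000000000000000000000000000003', 'ipk11keytype': 'rsa', 'ipk11extractable': False, 'ipk11neverextractable': True, 'ipk11sign': True}
00000000000000000000000000000004
{'ipk11label': u'00000000000000000000000000000004', 'ipk11keytype': 'rsa', 'ipk11extractable': True, 'ipk11neverextractable': False, 'ipk11sign': True}
"""

if __name__ == "__main__":
    print(decode_p11_error("Error at key wrapping: get buffer length: 0x70"))
    for finding in diagnose(parse_localhsm_dump(SAMPLE_DUMP)):
        print("-", finding)
```

To use it against a real server, save the output of the localhsm.py invocation from the troubleshooting steps above to a file and pass its contents to parse_localhsm_dump; a zone private key reported as not extractable is the symptom MartinBasti describes, and it has to be fixed in the OpenDNSSEC/SoftHSM configuration (the <AllowExtraction/> option), not by changing the wrapping mechanism on the FreeIPA side.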

@@ -51,7 +51,8 @@ KEYTAB_FB = paths.IPA_ODS_EXPORTER_KEYTAB
ODS_SE_MAXLINE = 1024 # from ODS common/config.h
ODS_DB_LOCK_PATH = "%s%s" % (paths.OPENDNSSEC_KASP_DB, '.our_lock')

SECRETKEY_WRAPPING_MECH = 'rsaPkcsOaep'
# SECRETKEY_WRAPPING_MECH = 'rsaPkcsOaep'
SECRETKEY_WRAPPING_MECH = 'aesKeyWrapPad'
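Review bot: the replaced line changes SECRETKEY_WRAPPING_MECH from 'rsaPkcsOaep' to 'aesKeyWrapPad', which changes the mechanism used to wrap the secret key for replicas, not just a lookup name; per the review comment on this hunk, that step wraps with each replica's RSA public key, and an AES key-wrap mechanism cannot be driven by an RSA wrapping key, so the line should be reverted. If the change was an experiment against the 0x70 error, keep it out of the PR, and drop the commented-out `# SECRETKEY_WRAPPING_MECH = 'rsaPkcsOaep'` line rather than leaving the old value as dead code.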
Contributor:

We cannot just change this; we are using RSA keys (public keys) to securely distribute the secret key to all replicas.

Author:

My bad. I thought I'd reverted that part. Might be part of why I'm still getting 0x70.

@tduehr tduehr closed this Jul 26, 2017
@tduehr tduehr reopened this Jul 26, 2017
@tduehr (Author) commented Jul 26, 2017

I'll redo it and get a new dump. Apart from purging the package, how do I get rid of the keys (not just the tokens) from SoftHSM?

@MartinBasti (Contributor)

I'm investigating; so far I found that the patch responsible for <AllowExtraction/> was merged only into the 1.4 version, not into the master branch. IMO that's why this functionality just disappeared.

opendnssec/opendnssec@672d2c7

git branch --contains 672d2c75ccd3cd5f2317bb76af4c9cc4e5aa4a37
  1.4/master

@MartinBasti (Contributor)

I'll redo it and get a new dump. Apart from purging the package, how do I get rid of the keys (not just the tokens) from SoftHSM?

Run ipa-dns-install again. It should drop all older tokens from the HSM.

@MartinBasti (Contributor)

huh... It seems they no longer support the rsa key wrap mechanisms: https://wiki.opendnssec.org/display/SoftHSM/v2+Mechanisms

I still see CKM_RSA_PKCS_OAEP implemented in the sources:
https://github.com/opendnssec/SoftHSMv2/blob/develop/src/lib/SoftHSM.cpp#L2817

It is probably just a doc issue.

@MartinBasti (Contributor) commented Jul 26, 2017

@tduehr we (@tomaskrizek) asked on OpenDNSSEC mailing list for assistance https://lists.opendnssec.org/pipermail/opendnssec-user/2017-July/004086.html

@tduehr (Author) commented Jul 26, 2017

I found an old msg on that subject but it seems a bit off.

http://opendnssec-user.opendnssec.narkive.com/RVxfYrbG/softhsmv2-key-extraction

We'll also need some help porting the SQL used in IPA from 1.x to 2.x

@tduehr (Author) commented Jul 27, 2017

We're getting closer. I'm not getting export errors any more. Now I just have to fix the replicant and we'll have a full test...

root@sfldap:~# sudo -u opendnssec -s /bin/bash
bash: /root/.bashrc: Permission denied
opendnssec@sfldap:~$ source /etc/default/opendnssec
opendnssec@sfldap:~$ export SOFTHSM2_CONF
opendnssec@sfldap:~$ echo $SOFTHSM2_CONF
/etc/ipa/dnssec/softhsm2.conf
opendnssec@sfldap:~$ python2 /usr/lib/python2.7/dist-packages/ipapython/dnssec/localhsm.py
replica public keys: CKA_WRAP = TRUE
====================================

replica public keys: all
========================
c0dc81ddd993d4bcca75abe780d278eb
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:sfldap.example.com.', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\xc0\xdc\x81\xdd\xd9\x93\xd4\xbc\xcau\xab\xe7\x80\xd2x\xeb', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': False}
8d377a1db4c7282166e6017b43570103
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:ldap.example.com.', 'ipk11modifiable': True, 'ipk11local': False, 'ipk11id': '\x8d7z\x1d\xb4\xc7(!f\xe6\x01{CW\x01\x03', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': True}
fe0cba3fca614352c25328e94bb97718
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:sfldap.example.com.', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\xfe\x0c\xba?\xcaaCR\xc2S(\xe9K\xb9w\x18', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': False}
9f0a6398f1b8e177d4ef819f7150d482
{'ipk11encrypt': False, 'ipk11trusted': False, 'ipk11label': u'dnssec-replica:sfldap.example.com.', 'ipk11modifiable': True, 'ipk11local': True, 'ipk11id': '\x9f\nc\x98\xf1\xb8\xe1w\xd4\xef\x81\x9fqP\xd4\x82', 'ipk11keytype': 'rsa', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11verifyrecover': False}

master keys
===========
aacee77637ace22caf985e2dbb4d8f93
{'ipk11encrypt': False, 'ipk11alwayssensitive': False, 'ipk11trusted': False, 'ipk11decrypt': False, 'ipk11label': u'dnssec-master', 'ipk11modifiable': True, 'ipk11unwrap': True, 'ipk11local': True, 'ipk11neverextractable': False, 'ipk11id': '\xaa\xce\xe7v7\xac\xe2,\xaf\x98^-\xbbM\x8f\x93', 'ipk11keytype': 'aes', 'ipk11wrap': False, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11extractable': True, 'ipk11sensitive': False, 'ipk11sign': False, 'ipk11wrapwithtrusted': False}
9022b8ed75b33e69bdea8eafc1eedfb4
{'ipk11encrypt': False, 'ipk11alwayssensitive': False, 'ipk11trusted': False, 'ipk11decrypt': False, 'ipk11label': u'dnssec-master', 'ipk11modifiable': True, 'ipk11unwrap': True, 'ipk11local': True, 'ipk11neverextractable': False, 'ipk11id': '\x90"\xb8\xedu\xb3>i\xbd\xea\x8e\xaf\xc1\xee\xdf\xb4', 'ipk11keytype': 'aes', 'ipk11wrap': True, 'ipk11verify': False, 'ipk11private': True, 'ipk11derive': False, 'ipk11extractable': True, 'ipk11sensitive': False, 'ipk11sign': False, 'ipk11wrapwithtrusted': False}

zone public keys
================

zone private keys
=================
opendnssec@sfldap:~$ 

@MartinBasti (Contributor)

@tduehr Thank you.

Also I have good news: the AllowExtraction option that is missing in 2.x will be added back upstream: https://lists.opendnssec.org/pipermail/opendnssec-user/2017-July/004088.html

Until this fix is released, this should be patched downstream in Ubuntu, Fedora, etc.

@tduehr (Author) commented Jul 27, 2017

It may not be necessary, let me get the fixes over to my replication host and see how they've worked so far. Though, I'm still not getting signatures from the primary.

I also have the call to ods-enforcer policy import in the wrong spot. It needs to be called after ods-enforcerd is started.

@tduehr
Author

tduehr commented Jul 27, 2017

... And there's 0x70 ...

@tiran
Member

tiran commented Dec 11, 2017

Is this patch still relevant? If yes, please rebase to latest master and address failing CI.

@nicki-krizek
Contributor

@tiran It is relevant to have working DNSSEC with opendnssec 2.0+, which is already in Debian. To avoid working with 2 different versions in upstream, we filed a BZ for opendnssec rebase to 2.0+ in Fedora. There has been no activity in the BZ and this PR is thus blocked.

@tiran
Member

tiran commented Dec 12, 2017

Thanks @tomaskrizek . I have left a comment on https://bugzilla.redhat.com/show_bug.cgi?id=1470604

@tiran tiran removed the postponed label Dec 14, 2017
@tiran
Member

tiran commented Dec 14, 2017

Paul is working on OpenDNSSEC 2.1. He started by upgrading the packages to latest 1.4. https://bugzilla.redhat.com/show_bug.cgi?id=1332354

@tduehr
Author

tduehr commented Apr 5, 2018

Working on this again in ubuntu... rebased against master and now ods-enforcer is running.

Just need to get ipa-ods-exporter fixed:

ipa-ods-exporter[15759]: Traceback (most recent call last):
ipa-ods-exporter[15759]:   File "/usr/lib/ipa/ipa-ods-exporter", line 674, in <module>
ipa-ods-exporter[15759]:     master2ldap_zone_keys_sync(ldapkeydb, localhsm)
ipa-ods-exporter[15759]:   File "/usr/lib/ipa/ipa-ods-exporter", line 414, in master2ldap_zone_keys_sync
ipa-ods-exporter[15759]:     wrapping_mech=wrappingmech_name2id[PRIVKEY_WRAPPING_MECH])
ipa-ods-exporter[15759]:   File "/usr/lib/python2.7/dist-packages/ipaserver/p11helper.py", line 1509, in export_wrapped_key
ipa-ods-exporter[15759]:     check_return_value(rv, "key wrapping: get buffer length")
ipa-ods-exporter[15759]:   File "/usr/lib/python2.7/dist-packages/ipaserver/p11helper.py", line 615, in check_return_value
ipa-ods-exporter[15759]:     raise Error(errmsg)
ipa-ods-exporter[15759]: ipaserver.p11helper.Error: Error at key wrapping: get buffer length: 0x6a

@rcritten
Contributor

Closing due to inactivity.

@rcritten rcritten closed this May 15, 2018
@MartinBasti
Contributor

@tduehr CKR_KEY_UNEXTRACTABLE 0x0000006A means that probably <AllowExtraction/> doesn't work as expected. What is your version of OpenDNSSEC?
According to https://issues.opendnssec.org/browse/OPENDNSSEC-906 this issue should be fixed in version 2.1.2+

Probably check flags mentioned in comment #920 (comment) again

@rcritten I don't think that this PR should be closed due to inactivity. I see a comment from a community member but no reply from developers. Also the inactivity is in the opened DNSSEC BZ, because OpenDNSSEC introduced incompatible changes; you need a newer OpenDNSSEC to have this code tested.

Or does this mean that semi-broken DNS in ubuntu will never be fixed and newer opendnssec unsupported forever?

Maybe dropping DNSSEC from FreeIPA might be a good solution too.
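The 0x6a in the ipa-ods-exporter traceback above and the CKR_KEY_UNEXTRACTABLE reading of it can be checked mechanically against the key attributes ipa-dnskeysyncd mirrors into LDAP. The following is an added example for this thread, not FreeIPA or OpenDNSSEC code. It assumes that the ipk11* attributes in the key listing posted earlier correspond to the PKCS#11 attributes of the same name (ipk11extractable to CKA_EXTRACTABLE, ipk11wrap to CKA_WRAP), uses the PKCS#11 v2.x CKR_* numbering, and constructs its sample keys from that listing plus one hypothetical zone private key, since the listing shows none.

```python
"""Pre-flight check for the PKCS#11 wrapping step that ipa-ods-exporter runs
when it copies zone private keys from the local HSM into LDAP.

Added example for this thread, not FreeIPA or OpenDNSSEC code.  Assumptions:
the ipk11* attributes shown in the key listing above mirror the PKCS#11
CKA_* attributes of the same name (ipk11extractable -> CKA_EXTRACTABLE,
ipk11wrap -> CKA_WRAP), and the CKR_* mapping below is the PKCS#11 v2.x one.
"""
import re

# PKCS#11 v2.x return values that C_WrapKey can produce (subset).
CKR_NAMES = {
    0x00: "CKR_OK",
    0x60: "CKR_KEY_HANDLE_INVALID",
    0x68: "CKR_KEY_FUNCTION_NOT_PERMITTED",
    0x69: "CKR_KEY_NOT_WRAPPABLE",
    0x6A: "CKR_KEY_UNEXTRACTABLE",
    0x70: "CKR_MECHANISM_INVALID",
    0x71: "CKR_MECHANISM_PARAM_INVALID",
    0x113: "CKR_WRAPPING_KEY_HANDLE_INVALID",
}

# Matches the tail of the p11helper error lines quoted in this thread.
_ERROR_RE = re.compile(r"Error at (?P<stage>.+?): (?P<rv>0x[0-9A-Fa-f]+)\s*$")


def ckr_name(rv):
    """Symbolic name for a CKR_* return value; unknown codes keep their hex."""
    return CKR_NAMES.get(rv, "CKR_UNKNOWN_0x%02X" % rv)


def parse_p11_error(line):
    """Return (stage, rv, name) for a p11helper error line, or None."""
    m = _ERROR_RE.search(line)
    if not m:
        return None
    rv = int(m.group("rv"), 16)
    return m.group("stage"), rv, ckr_name(rv)


def wrap_precheck(target, wrapping_key):
    """List the attribute problems that make C_WrapKey(wrapping_key, target) fail.

    An empty list means the attributes permit wrapping; the token can still
    refuse for other reasons (mechanism, key size), so this is a precheck only.
    """
    problems = []
    # A token must refuse to wrap a key whose CKA_EXTRACTABLE is false.
    if not target.get("ipk11extractable", False):
        problems.append("target %s: CKA_EXTRACTABLE is false -> %s"
                        % (target.get("ipk11label"), ckr_name(0x6A)))
    # The wrapping key must carry CKA_WRAP, or the function is not permitted.
    if not wrapping_key.get("ipk11wrap", False):
        problems.append("wrapping key %s: CKA_WRAP is false -> %s"
                        % (wrapping_key.get("ipk11label"), ckr_name(0x68)))
    return problems


# Constructed sample data, trimmed from the master-key listing posted above:
# the first dnssec-master key has ipk11wrap False, the second has it True.
MASTER_KEYS = [
    {"ipk11label": "dnssec-master", "ipk11keytype": "aes",
     "ipk11wrap": False, "ipk11unwrap": True, "ipk11extractable": True},
    {"ipk11label": "dnssec-master", "ipk11keytype": "aes",
     "ipk11wrap": True, "ipk11unwrap": True, "ipk11extractable": True},
]

# Hypothetical zone private key as a 2.x enforcer creates it without
# <AllowExtraction/>: the listing above shows none, so this is constructed.
ZONE_PRIVKEY_LOCKED = {"ipk11label": "example.test. ZSK (hypothetical)",
                       "ipk11keytype": "rsa", "ipk11extractable": False}
ZONE_PRIVKEY_OPEN = dict(ZONE_PRIVKEY_LOCKED, ipk11extractable=True)


def usable_wrapping_key(master_keys):
    """First master key whose attributes allow it to wrap, or None."""
    for key in master_keys:
        if key.get("ipk11wrap", False):
            return key
    return None


if __name__ == "__main__":
    log = ("ipa-ods-exporter[15759]: ipaserver.p11helper.Error: "
           "Error at key wrapping: get buffer length: 0x6a")
    print(parse_p11_error(log))
    wk = usable_wrapping_key(MASTER_KEYS)
    for zk in (ZONE_PRIVKEY_LOCKED, ZONE_PRIVKEY_OPEN):
        print(zk["ipk11label"], wrap_precheck(zk, wk) or "ok")
```

Run against the locked sample key it reports the same CKR_KEY_UNEXTRACTABLE that the traceback shows, and against the first dnssec-master key it also flags the missing CKA_WRAP, which is why a precheck like this belongs before the export rather than in the error handler afterwards.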

@rcritten
Contributor

@MartinBasti it can be re-opened if there is someone interested in pursuing it.

I closed several due to inactivity (more than a month since last update) to clean up the PR backlog.

@tduehr
Author

tduehr commented May 16, 2018

@MartinBasti There seem to be two parts of this.

  1. getting ODS 2.x running and working for a fresh install. I believe that may be completed but haven't had much time to test it out due to other projects.
  2. The code currently sets flags that don't allow the keys to be extracted when they are properly enforced. As they're properly enforced in ODS 2, there will need to be some upgrade scripts created so users don't lose data when upgrading.
