@jpmens

jpmens/log.md

Created September 27, 2022 11:12

SoftHSMv2, SQLite3 backed, with 1000 keys in it.

softhsm 2.6.1 (commit ac70dc398b236e4522101930e790008936489e2d) with sqlite backend

% ./configure --with-objectstore-backend-db --prefix=/usr/local/softhsmv2

uname -m = x86_64
uname -r = 4.18.0-277.el8.x86_64
uname -s = Linux
uname -v = #1 SMP Wed Feb 3 20:35:19 UTC 2021
% cat $OPENSSL_CONF
openssl.cnf
openssl_conf = openssl_init

# JPM

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so
MODULE_PATH = /usr/local/softhsmv2/lib/softhsm/libsofthsm2.so
init = 0
PIN = 1234

% cat $SOFTHSM_CONF
directories.tokendir = /usr/local/softhsmv2/var/lib/softhsm/tokens/
objectstore.backend = db
objectstore.umask = 0077

# ERROR, WARNING, INFO, DEBUG
log.level = ERROR

# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false

# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = ALL

# If the library should reset the state on fork
library.reset_on_fork = false
% /usr/local/softhsmv2/bin/softhsm2-util --init-token --slot 0 --label jptest
=== SO PIN (4-255 characters) ===
Please enter SO PIN: ****
Please reenter SO PIN: ****
=== User PIN (4-255 characters) ===
Please enter user PIN: ****
Please reenter user PIN: ****
The token has been initialized and is reassigned to slot 229861393

% l /usr/local/softhsmv2/var/lib/softhsm/tokens/8fbb4ca5-06a7-2790-81c6-83840db36811/
total 40
-rw-------. 1 root root 40960 Sep 27 10:14 sqlite3.db

% pkcs11-tool --module /usr/local/softhsmv2/lib/softhsm/libsofthsm2.so -l -k --key-type EC:prime256v1 --label jp01.de-ksk --id 10001 --pin 1234
Using slot 0 with a present token (0xdb36811)
Key pair generated:
Private Key Object; EC
  label:      jp01.de-ksk
  ID:         010001
  Usage:      decrypt, sign, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104ab06f428af26b2855f8f3cf44d24660b5f603bba9cc20fc0e84df9db5571aeb54811299ed4013063f0ea8d6d2cf80e3ec9765d6b16c6b822f0179838f4e480a3
  EC_PARAMS:  06082a8648ce3d030107
  label:      jp01.de-ksk
  ID:         010001
  Usage:      encrypt, verify, wrap, derive
  Access:     local
  
% time dnssec-keyfromlabel -E pkcs11 -a 13 -l "token=jptest;object=jp01.de-ksk" -f KSK jp01.de
Kjp01.de.+013+42450

real    0m0.078s
user    0m0.031s
sys     0m0.017s

% dnssec-signzone -E pkcs11 -t -z -S -o jp01.de jp01.de
Fetching jp01.de/ECDSAP256SHA256/42450 (KSK) from key repository.
Verifying the zone using the following algorithms:
- ECDSAP256SHA256
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 0 active, 0 stand-by, 0 revoked
jp01.de.signed
Signatures generated:                        4
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.012
Signatures per second:                 333.333
Runtime in seconds:                      0.066

create lots of keys

% for n in $(seq 1 1000); do time pkcs11-tool --module /usr/local/softhsmv2/lib/softhsm/libsofthsm2.so -l -k --key-type EC:prime256v1 --label jp01.de-$n-ksk --id 200$n --pin 1234; done

Using slot 0 with a present token (0xdb36811)
Key pair generated:
Private Key Object; EC
  label:      jp01.de-1-ksk
  ID:         2001
  Usage:      decrypt, sign, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   0441043c3e436cea00d7074d37540dcd57218bde835189e9760f96339cac09039a9918$63b0e6ea496bda0f1f0870abe95c041c2149dc2f0d974f15c231c1c19e865b3
  EC_PARAMS:  06082a8648ce3d030107
  label:      jp01.de-1-ksk
  ID:         2001
  Usage:      encrypt, verify, wrap, derive
  Access:     local

real    0m0.358s
user    0m0.037s
sys     0m0.035s

...

Using slot 0 with a present token (0xdb36811)
Key pair generated:
Private Key Object; EC
  label:      jp01.de-554-ksk
  ID:         200554
  Usage:      decrypt, sign, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   04410424545c078f6d75c46243d284a8b9e8d930aac2cd4146b7f9bf3c083208ab1496eb05c35480940321dd3909762d4ca40371711d43764b70c91dd452b8db65bda8
  EC_PARAMS:  06082a8648ce3d030107
  label:      jp01.de-554-ksk
  ID:         200554
  Usage:      encrypt, verify, wrap, derive
  Access:     local

real    0m1.092s
user    0m0.766s
sys     0m0.056s

...

Using slot 0 with a present token (0xdb36811)
Key pair generated:
Private Key Object; EC
  label:      jp01.de-1000-ksk
  ID:         02001000
  Usage:      decrypt, sign, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104f5aca558cc8d18f433aa0ccd1812d8257f5c4444486a30a5617f56ad1fb6f5dfaa44244f3168d43a71bfcd7e11c58eb8466b8382abbb17bf1e3d8bac73bdc4cd
  EC_PARAMS:  06082a8648ce3d030107
  label:      jp01.de-1000-ksk
  ID:         02001000
  Usage:      encrypt, verify, wrap, derive
  Access:     local

real    0m1.455s
user    0m1.094s
sys     0m0.059s


% l /usr/local/softhsmv2/var/lib/softhsm/tokens/8fbb4ca5-06a7-2790-81c6-83840db36811/
total 1096
-rw-------. 1 root root 1122304 Sep 27 10:34 sqlite3.db

% mv Kjp01.de.+013+42450.* old/

% time dnssec-keyfromlabel -E pkcs11 -a 13 -l "token=jptest;object=jp01.de-ksk" -f KSK jp01.de
Kjp01.de.+013+42450

real    3m36.381s
user    3m8.400s
sys     0m6.344s

% dnssec-signzone -E pkcs11 -t -z -S -o jp01.de jp01.de
Fetching jp01.de/ECDSAP256SHA256/42450 (KSK) from key repository.
Verifying the zone using the following algorithms:
- ECDSAP256SHA256
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 0 active, 0 stand-by, 0 revoked
jp01.de.signed
Signatures generated:                        4
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.013
Signatures per second:                 307.692
Runtime in seconds:                    228.086

% strace -o str.keyfromlabel dnssec-keyfromlabel -E pkcs11 -a 13 -l "token=jptest;object=jp01.de-ksk" -f KSK jp01.de
Kjp01.de.+013+42450

% wc -l str.keyfromlabel
1876123 str.keyfromlabel

% grep -c ENOENT str.keyfromlabel
428717

% grep  ENOENT str.keyfromlabel  | tail -6
stat("/usr/local/softhsmv2/var/lib/softhsm/tokens//8fbb4ca5-06a7-2790-81c6-83840db36811/sqlite3.db-wal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)
stat("/usr/local/softhsmv2/var/lib/softhsm/tokens//8fbb4ca5-06a7-2790-81c6-83840db36811/sqlite3.db-journal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)
stat("/usr/local/softhsmv2/var/lib/softhsm/tokens//8fbb4ca5-06a7-2790-81c6-83840db36811/sqlite3.db-wal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)
stat("/usr/local/softhsmv2/var/lib/softhsm/tokens//8fbb4ca5-06a7-2790-81c6-83840db36811/sqlite3.db-journal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)
stat("/usr/local/softhsmv2/var/lib/softhsm/tokens//8fbb4ca5-06a7-2790-81c6-83840db36811/sqlite3.db-wal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)


% grep -c stat str.keyfromlabel
655138

% strace -o str.signzone dnssec-signzone -E pkcs11 -t -z -S -o jp01.de jp01.de
Fetching jp01.de/ECDSAP256SHA256/42450 (KSK) from key repository.
Verifying the zone using the following algorithms:
- ECDSAP256SHA256
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 0 active, 0 stand-by, 0 revoked
jp01.de.signed
Signatures generated:                        4
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.017
Signatures per second:                 235.294
Runtime in seconds:                    299.037

% wc -l str.signzone
1876286 str.signzone

% grep -c ENOENT str.signzone
428726
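The `grep -c` tallies above count matching lines, and `grep -c stat` also matches fstat(), lstat(), newfstatat() and any path that happens to contain "stat". The script below is an added example (not part of the gist) that parses an `strace -o` log line by line, reports the exact stat() count next to the whole stat family, attributes every ENOENT to the file name that was probed (sqlite3.db-wal, sqlite3.db-journal, ...), and divides the totals by an object count you pass in so the cost per object on the token becomes visible. The embedded SAMPLE lines are constructed in strace's output format rather than copied from str.keyfromlabel; the token directory is the one that appears in the gist.

```python
"""Summarise an `strace -o` log such as str.keyfromlabel or str.signzone.

Added example, not part of the original gist. Reports per-syscall counts,
per-errno counts and which file names the ENOENT failures probe, and
separates an exact stat() count from what `grep -c stat` reports (that
grep also matches fstat, lstat, newfstatat and any path containing "stat").
"""
import os
import re
import sys
from collections import Counter

# One strace line: optional pid, syscall name, args, " = " return value,
# optional "ERRNO (message)". Thread-split lines ("<unfinished ...>",
# "<... resumed>") and "+++ exited" markers deliberately do not match.
LINE_RE = re.compile(
    r'^(?:\d+\s+)?(?P<name>[a-z0-9_]+)\((?P<args>.*)\)\s+=\s+'
    r'(?P<ret>-?\d+|0x[0-9a-f]+|\?)'
    r'(?:\s+(?P<errno>E[A-Z0-9]+)\s+\(.*\))?\s*$'
)
FIRST_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
STAT_FAMILY = {"stat", "stat64", "lstat", "lstat64", "fstat", "fstat64",
               "newfstatat", "fstatat64", "statx"}

# Token directory as it appears in the strace output of the gist (the doubled
# slash comes from the trailing "/" in directories.tokendir).
TOKEN = "/usr/local/softhsmv2/var/lib/softhsm/tokens//8fbb4ca5-06a7-2790-81c6-83840db36811"

# Constructed sample in strace's output format; not captured from the run above.
SAMPLE = [
    f'openat(AT_FDCWD, "{TOKEN}/sqlite3.db", O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC, 0644) = 3',
    'fstat(3, {st_mode=S_IFREG|0600, st_size=1122304, ...}) = 0',
    f'stat("{TOKEN}/sqlite3.db-wal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)',
    f'stat("{TOKEN}/sqlite3.db-journal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)',
    'fcntl(3, F_SETLK, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=1073741826, l_len=510}) = 0',
    'pread64(3, "SQLite format 3\\0\\20\\0\\1\\1\\0@  "..., 100, 0) = 100',
    f'stat("{TOKEN}/sqlite3.db-wal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)',
    f'stat("{TOKEN}/sqlite3.db-journal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)',
    f'access("{TOKEN}/sqlite3.db-journal", F_OK) = -1 ENOENT (No such file or directory)',
    'openat(AT_FDCWD, "/usr/lib64/engines-1.1/tls/libpkcs11.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)',
]


def parse_line(line):
    """Return {name, ret, errno, path} for one strace line, or None if it is not a call."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    s = FIRST_STRING_RE.search(m.group("args"))  # first quoted arg: the path for stat/open/access
    return {"name": m.group("name"), "ret": m.group("ret"),
            "errno": m.group("errno"), "path": s.group(1) if s else None}


def summarize(lines, objects=None):
    """Aggregate strace lines; `objects` is the PKCS#11 object count to divide by, if known."""
    calls, errnos, enoent_files = Counter(), Counter(), Counter()
    grep_stat_lines = parsed = 0
    for line in lines:
        if "stat" in line:                 # exactly what `grep -c stat` counts
            grep_stat_lines += 1
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        calls[rec["name"]] += 1
        if rec["errno"]:
            errnos[rec["errno"]] += 1
            if rec["errno"] == "ENOENT" and rec["path"]:
                enoent_files[os.path.basename(rec["path"])] += 1
    out = {"parsed": parsed, "calls": calls, "errnos": errnos, "enoent_files": enoent_files,
           "stat_exact": calls["stat"], "stat_family": sum(calls[n] for n in STAT_FAMILY),
           "grep_stat_lines": grep_stat_lines}
    if objects:
        out["syscalls_per_object"] = parsed / objects
        out["enoent_per_object"] = errnos["ENOENT"] / objects
    return out


def report(s):
    """Render a summary as a few text lines."""
    rows = [f"syscalls parsed: {s['parsed']}",
            "top syscalls: " + ", ".join(f"{n}={c}" for n, c in s["calls"].most_common(5)),
            "errnos: " + ", ".join(f"{e}={c}" for e, c in s["errnos"].most_common()),
            "ENOENT by file: " + ", ".join(f"{f}={c}" for f, c in s["enoent_files"].most_common()),
            f"stat() exact={s['stat_exact']} stat-family={s['stat_family']} "
            f"lines matching 'stat'={s['grep_stat_lines']}"]
    if "syscalls_per_object" in s:
        rows.append(f"per object: {s['syscalls_per_object']:.1f} syscalls, "
                    f"{s['enoent_per_object']:.1f} ENOENT")
    return "\n".join(rows)


def main(argv):
    # usage: strace_summary.py [strace-log] [object-count]; no log given -> built-in SAMPLE
    objects = int(argv[2]) if len(argv) > 2 else None
    if len(argv) > 1:
        with open(argv[1], errors="replace") as fh:
            summary = summarize(fh, objects)
    else:
        summary = summarize(SAMPLE, objects)
    print(report(summary))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 strace_summary.py str.keyfromlabel 2002` to get the per-object figures for the run above: the token then holds 1001 key pairs, and each pair is a private and a public key object, so 2002 objects. Only the first quoted argument is taken as a path, which is right for stat(), access() and openat() but not for read-style calls, so the ENOENT-by-file table is trustworthy while the path of a successful pread64() would not be.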