Hi Daniel,

thanks a lot for the answer and your help. Maybe this could also help.

I had the same problem with a long key ID:

pkcs11-tool --login --list-objects --module /usr/local/lib/softhsm/libsofthsm2.so

Using slot 0 with a present token (0x3886239b)
Logging in to "token-one".
Please enter User PIN:
Public Key Object; RSA 3072 bits
  label:      dnssec-zsk-rsa
  ID:         26a76a1665d562de731680a53aec586ff253d55e
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      dnssec-zsk-rsa
  ID:         26a76a1665d562de731680a53aec586ff253d55e
  Usage:      decrypt, sign, unwrap


keymgr example.com import-pkcs11 26a76a1665d562de731680a53aec586ff253d55e algorithm=RSASHA256 size=3072 ksk=no created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
Error (not exists)

# See knot.conf(5) manual page for documentation.

server:
    listen: [ 127.0.0.1@53, ::1@53 ]

keystore:
  - id: 26a76a1665d562de731680a53aec586ff253d55e
    backend: pkcs11
    config: "pkcs11:token=testKSK_1;pin-value=KUQFkRsxm4LmrdryKT5C /usr/local/lib/softhsm/libsofthsm2.so"

policy:
  - id: manual
    manual: on
    nsec3: on
    nsec3-iterations: 16
    nsec3-opt-out: on
    nsec3-salt-length: 8

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: manual
    zonefile-load: difference
    file: example.com.zone
    storage: /etc/knot/

log:
  - target: syslog
    any: debug


best regards

--
Christian Petrasch
Product Owner
Zone Creation & Signing
IT-Services

DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY

E-Mail: petrasch@denic.de

http://www.denic.de

PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49  DE61 870E 8841 549B E0AE

Information pursuant to § 25a (1) GenG: DENIC eG (registered office: Frankfurt am Main)
Executive board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger
Chairman of the supervisory board: Thomas Keller
Registered under no. 770 in the cooperative register, Amtsgericht Frankfurt am Main

From:        daniel.salzman@nic.cz
To:        "Christian Petrasch" <petrasch@denic.de>
Cc:        knot-dns-users@lists.nic.cz
Date:        26.11.2018 10:55
Subject:        Re: [knot-dns-users] Problem to import key material of softhsm into knot

Hi Christian,

I suspect there is a problem with the key ID, which is short. Please
give us some time to investigate it.

Best,
Daniel

On 2018-11-26 09:49, Christian Petrasch wrote:
> Hi @ all,
>
> we are testing with softhsm 2.5 and KNOT 2.7.4...
>
> I try to import the keys inside softhsm into keymgr to sign an
> example zone with them.
>
> The key material is shown via pkcs11-tool:
>
> [root@centos-test2 ~]# pkcs11-tool --login --list-objects --module /usr/local/lib/softhsm/libsofthsm2.so
>
> Using slot 0 with a present token (0x285d1c08)
> Logging in to "testKSK_1".
> Please enter User PIN:
> Private Key Object; RSA
>   label:      testKSK_1
>   ID:         a1a1
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 1024 bits
>   label:      testZSK_1
>   ID:         a1b1
>   Usage:      encrypt, verify, wrap
> Private Key Object; RSA
>   label:      testZSK_1
>   ID:         a1b1
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:      testKSK_1
>   ID:         a1a1
>   Usage:      encrypt, verify, wrap
>
> ######
>
> The KNOT config is :
>
> [root@centos-test2 ~]# cat /etc/knot/knot.conf
> # See knot.conf(5) manual page for documentation.
>
> server:
>     listen: [ 127.0.0.1@53, ::1@53 ]
>
> keystore:
>   - id: a1a1
>     backend: pkcs11
>     config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"
>
>   - id: a1b1
>     backend: pkcs11
>     config: "pkcs11:token=testKSK_1;pin-value=5678 /usr/local/lib/softhsm/libsofthsm2.so"
>
> policy:
>   - id: manual
>     manual: on
>     nsec3: on
>     nsec3-iterations: 16
>     nsec3-opt-out: on
>     nsec3-salt-length: 8
>
> zone:
>   - domain: example.com
>     dnssec-signing: on
>     dnssec-policy: manual
>     zonefile-load: difference
>     file: example.com.zone
>     storage: /etc/knot/
>
> log:
>   - target: syslog
>     any: debug
>
> ###################
>
> And if I try to import the key into keymgr, I run the command:
>
> [root@centos-test2 ~]# keymgr -c /etc/knot/knot.conf example.com. import-pkcs11 a1a1 algorithm=RSASHA256 size=2048 ksk=yes created=20181126090000 publish=20181126090000 retire=+10mo remove=+1y
> Error (not exists)
>
> ###
>
> I don't know how I can fix this. Maybe anybody can help me? The
> documentation of KNOT is very good, but at this point it is a little
> bit insufficient. Does anybody have examples for this?
>
> Thanks a lot in advance for the help..
>
> best regards
>
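As an added example that is not part of this thread and not code from Knot DNS or SoftHSM, the Python below parses a `pkcs11-tool --login --list-objects` listing (the one posted in the original message, embedded here as sample input), pairs the public and private objects by their PKCS#11 ID, checks that the ID is something `keymgr ... import-pkcs11` can take (the hex string exactly as pkcs11-tool prints it, whole bytes, so an even number of hex digits) and that the private object is usable for signing, and then builds the import command from what the token actually reports rather than from values typed by hand. The key size is taken from the public object, the only one pkcs11-tool reports it for. The RSA-to-RSASHA256 mapping (the algorithm used in the thread), the default config path and the error messages are this example's own assumptions.

```python
"""Pair PKCS#11 key objects from `pkcs11-tool --list-objects` output and
build the matching `keymgr ... import-pkcs11` command line.
Added example; not code from Knot DNS, SoftHSM or the thread's author."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the listing posted in the thread (SoftHSM 2.5), copied verbatim.
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x285d1c08)
Logging in to "testKSK_1".
Please enter User PIN:
Private Key Object; RSA
  label:      testKSK_1
  ID:         a1a1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      testZSK_1
  ID:         a1b1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      testZSK_1
  ID:         a1b1
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      testKSK_1
  ID:         a1a1
  Usage:      encrypt, verify, wrap
"""

# "Public Key Object; RSA 2048 bits" / "Private Key Object; RSA"
HEADER_RE = re.compile(r"^(Public|Private) Key Object; (\w+)(?: (\d+) bits)?$")
# Indented "name:   value" attribute lines that follow an object header.
ATTR_RE = re.compile(r"^\s+(\w+):\s+(.*)$")

# Assumption: RSA objects are imported as RSASHA256, as done in the thread.
DNSSEC_ALG_FOR = {"RSA": "RSASHA256"}


@dataclass
class KeyPair:
    key_id: str                      # hex ID as printed by pkcs11-tool
    label: str = ""
    key_type: str = ""
    bits: Optional[int] = None       # only the public object reports the size
    has_public: bool = False
    has_private: bool = False
    usage: set = field(default_factory=set)


def parse_objects(text: str) -> list[dict]:
    """Turn the listing into one dict per object; non-object lines are ignored."""
    objects, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "type": m.group(2),
                   "bits": int(m.group(3)) if m.group(3) else None}
            objects.append(cur)
            continue
        m = ATTR_RE.match(line)
        if m and cur is not None:
            cur[m.group(1).lower()] = m.group(2).strip()
    return objects


def pair_keys(objects: list[dict]) -> dict[str, KeyPair]:
    """Group public and private objects that share the same PKCS#11 ID."""
    pairs: dict[str, KeyPair] = {}
    for obj in objects:
        key_id = obj.get("id")
        if key_id is None:
            continue
        pair = pairs.setdefault(key_id, KeyPair(key_id=key_id))
        pair.label = obj.get("label", pair.label)
        pair.key_type = obj["type"]
        if obj["kind"] == "Public":
            pair.has_public, pair.bits = True, obj["bits"]
        else:
            pair.has_private = True
        pair.usage.update(u.strip() for u in obj.get("usage", "").split(",") if u.strip())
    return pairs


def check_key_id(key_id: str) -> str:
    """keymgr takes the ID as hex; reject anything that is not whole bytes."""
    if not re.fullmatch(r"[0-9a-fA-F]+", key_id) or len(key_id) % 2:
        raise ValueError(f"key ID {key_id!r} is not an even-length hex string")
    return key_id.lower()


def import_command(zone: str, pair: KeyPair, ksk: bool,
                   config: str = "/etc/knot/knot.conf") -> str:
    """Build the keymgr import line only if the token holds a usable key pair."""
    if not (pair.has_public and pair.has_private):
        raise ValueError(f"{pair.key_id}: need both a public and a private object")
    if "sign" not in pair.usage:
        raise ValueError(f"{pair.key_id}: private object is not marked for signing")
    if pair.key_type not in DNSSEC_ALG_FOR or pair.bits is None:
        raise ValueError(f"{pair.key_id}: unsupported type {pair.key_type!r} or unknown size")
    return (f"keymgr -c {config} {zone} import-pkcs11 {check_key_id(pair.key_id)} "
            f"algorithm={DNSSEC_ALG_FOR[pair.key_type]} size={pair.bits} "
            f"ksk={'yes' if ksk else 'no'}")


if __name__ == "__main__":
    for kid, pair in pair_keys(parse_objects(SAMPLE_LISTING)).items():
        print(import_command("example.com.", pair, ksk=pair.label.startswith("testKSK")))
```

Two things in the posted knot.conf are worth checking alongside the key ID, independently of what turns out to cause the error above: in Knot DNS the keystore `id` is only a name that a policy refers to through its own `keystore:` item, and a policy that names no keystore uses the default PEM-file keystore, so the PKCS#11 object ID does not need to appear in the keystore section at all. And `pin-value=` writes the token PIN in clear text into knot.conf, so that file needs the same access restrictions as the private key material the PIN unlocks.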