Commit 6a90baa0 authored by Evan Hunt

2711. [port] win32: Add the bin/pkcs11 tools into the full
build. [RT #20372]
parent 30bb4870
2711. [port] win32: Add the bin/pkcs11 tools into the full
build. [RT #20372]
2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
zone option cause a zone to be signed with only KSKs
signing the DNSKEY RRset, not ZSKs. This reduces
......
......@@ -41,16 +41,16 @@ choice depends on the HSM hardware:
secure key storage devices, but lack hardware acceleration. These
devices are highly secure, but are not necessarily any faster at
cryptography than the system CPU--often, they are slower. It is
therefore most efficient to use them only for those operation
therefore most efficient to use them only for those cryptographic
functions that require access to the secured private key, such as
zone signing, and to use the system CPU for all other computationally-
intensive operations. The AEP Keyper is an example of such a device.
The modified OpenSSL code is included in BIND 9.7.0b1 release in the form
of a context diff against OpenSSL 0.9.8k. Before building BIND 9 with
PKCS #11 support, it will be necessary to build OpenSSL with this patch
in place and inform it of the path to the HSM-specific PKCS #11 provider
library.
The modified OpenSSL code is included in the BIND 9.7.0b1 release, in the
form of a context diff against OpenSSL 0.9.8k. Before building BIND 9
with PKCS #11 support, it will be necessary to build OpenSSL with this
patch in place and inform it of the path to the HSM-specific PKCS #11
provider library.
Obtain OpenSSL 0.9.8k:
......@@ -65,8 +65,8 @@ Apply the patch from the BIND 9 release:
patch -p1 -d openssl-0.9.8k \
< bind-9.7.0b1/bin/pkcs11/openssl-0.9.8k-patch
(Note that the patch file may not be compatible with the "patch" utility
on all operating systems. You may need to install GNU patch.)
(Note that the patch file may not be compatible with the "patch"
utility on all operating systems. You may need to install GNU patch.)
When building OpenSSL, place it in a non-standard location so that it
does not interfere with OpenSSL libraries elsewhere on the system.
......@@ -175,17 +175,18 @@ Configure).
After configuring, run "make", "make test" and "make install".
PKCS #11 TOOLS
BIND 9 includes a minimal set of tools to operate the HSM, including
"pkcs11-keygen" to generate a new key pair within the HSM, "pkcs11-list"
to list objects currently available, and "pkcs11-destroy" to remove
objects.
These tools are built if BIND 9 is configured with the --with-pkcs11
option. (NOTE: If --with-pkcs11 is set to "yes", rather than to the
path of the PKCS #11 provider, then the tools will be built but the
provider will be left undefined. Use the -m option or the
PKCS11_PROVIDER environment variable to specify the path to the
provider.)
In UNIX/Linux builds, these tools are built only if BIND 9 is configured
with the --with-pkcs11 option. (NOTE: If --with-pkcs11 is set to "yes",
rather than to the path of the PKCS #11 provider, then the tools will be
built but the provider will be left undefined. Use the -m option or the
PKCS11_PROVIDER environment variable to specify the path to the provider.)
USING THE HSM
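Review bot: the reworded paragraph now limits the build condition to "UNIX/Linux builds" but says nothing about how the same three tools are enabled on win32, which is what this commit adds; add a sentence stating that on win32 the tools are built by win32utils\BuildAll.bat and that the provider DLL name is set beforehand with win32utils\setpk11provider.pl, as described in win32-build.txt, so a reader of README.pkcs11 is not left with only the UNIX case.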
......@@ -238,8 +239,8 @@ arguments:
pkcs11-keygen -b 1024 -l sample-zsk
dnssec-keyfromlabel -l sample-zsk example.net
Alternatively, you may prefer to generate a conventional on-disk key, using
dnssec-keygen:
Alternatively, you may prefer to generate a conventional on-disk key,
using dnssec-keygen:
dnssec-keygen example.net
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.h.win32,v 1.22 2009/09/02 23:43:54 each Exp $ */
/* $Id: config.h.win32,v 1.23 2009/10/12 16:41:12 each Exp $ */
/*
* win32 configuration file
......@@ -248,3 +248,9 @@ typedef long off_t;
* of libisc, libdns, etc, this must be removed.
*/
#define BIND9 1
/*
* Define if PKCS11 is to be used.
*/
/* #undef USE_PKCS11 */
......@@ -113,6 +113,12 @@ nmake /nologo -f revoke.mak CFG="revoke - Win32 Release" NO_EXTERNAL_DEPS="1"
nmake /nologo -f settime.mak CFG="settime - Win32 Release" NO_EXTERNAL_DEPS="1"
cd ..\..
cd pkcs11\win32
nmake /nologo -f pk11keygen.mak CFG="pk11keygen - Win32 Release" NO_EXTERNAL_DEPS="1"
nmake /nologo -f pk11list.mak CFG="pk11list - Win32 Release" NO_EXTERNAL_DEPS="1"
nmake /nologo -f pk11destroy.mak CFG="pk11destroy - Win32 Release" NO_EXTERNAL_DEPS="1"
cd ..\..
rem This is the BIND 9 Installer
cd win32\BINDInstall
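Review bot: the three nmake invocations run unconditionally, so every win32 full build now compiles pk11keygen, pk11list and pk11destroy whether or not setpk11provider.pl has been run, while the win32-build.txt text in this same commit presents PKCS #11 as optional ("If you wish to use PKCS #11 ..."). Either state in win32-build.txt that the tools are always built and that without setpk11provider.pl the provider is simply left undefined (as README.pkcs11 already explains for the UNIX case), or guard these lines on the provider having been set.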
......
......@@ -64,6 +64,9 @@ copy ..\bin\dnssec\dnssec-keygen.html ..\Build\Release
copy ..\bin\dnssec\dnssec-signzone.html ..\Build\Release
copy ..\bin\dnssec\dnssec-dsfromkey.html ..\Build\Release
copy ..\bin\dnssec\dnssec-keyfromlabel.html ..\Build\Release
copy ..\bin\pkcs11\pkcs11-keygen.html ..\Build\Release
copy ..\bin\pkcs11\pkcs11-list.html ..\Build\Release
copy ..\bin\pkcs11\pkcs11-destroy.html ..\Build\Release
echo Copying the migration notes.
......
......@@ -14,16 +14,16 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setpk11provider.pl,v 1.1 2009/10/06 22:14:13 each Exp $
# $Id: setpk11provider.pl,v 1.2 2009/10/12 16:41:13 each Exp $
# setpk11provider
# setpk11provider.pl
# This script sets the PKCS#11 provider name in the build scripts.
#
# for instance: perl setpk11provider bp201w32HSM
# for instance: setpk11provider.pl bp201w32HSM
#
if ($#ARGV != 0) {
die "Usage: perl setpk11provider <pkcs11_provider_dll_name>\n"
die "Usage: perl setpk11provider.pl <pkcs11_provider_dll_name>\n"
}
my $provider=$ARGV[0];
......@@ -31,12 +31,12 @@ my $provider=$ARGV[0];
$provider =~ s|\.[dD][lL][lL]$||;
# List of files that need to be updated
@filelist = ("../bin/pkcs11/win32/pk11keygen.mak",
"../bin/pkcs11/win32/pk11keygen.dsp",
"../bin/pkcs11/win32/pk11list.mak",
"../bin/pkcs11/win32/pk11list.dsp",
"../bin/pkcs11/win32/pk11destroy.mak",
"../bin/pkcs11/win32/pk11destroy.dsp");
@filelist = ("../bin/pkcs11/win32//pk11keygen.mak",
"../bin/pkcs11/win32//pk11keygen.dsp",
"../bin/pkcs11/win32//pk11list.mak",
"../bin/pkcs11/win32//pk11list.dsp",
"../bin/pkcs11/win32//pk11destroy.mak",
"../bin/pkcs11/win32//pk11destroy.dsp");
# function to replace the provider define
sub updatefile {
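Review bot: the only change to @filelist is a doubled path separator ("../bin/pkcs11/win32//pk11keygen.mak" and the other five entries), which looks accidental; the single-slash form being removed was correct, so revert this hunk unless the extra slash is deliberate.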
......@@ -62,6 +62,33 @@ sub updatefile {
close(RFILE);
}
# update config.h to define or undefine USE_PKCS11
sub updateconfig {
my($havexml, $substr, $line);
my(@Lines);
$havexml = $_[0];
open (RFILE, "../config.h") || die "Can't open config.h";
@Lines = <RFILE>;
close (RFILE);
foreach $line (@Lines) {
if ($havexml) {
$line =~ s/^.*#undef USE_PKCS11.*$/define USE_PKCS11 1/;
} else {
$line =~ s/^#define USE_PKCS11 .*$/\/\* #undef USE_PKCS11 \*\//;
}
}
open (RFILE, ">../config.h") || die "Can't open config.h";
print "Updating file ../config.h\n";
foreach $line (@Lines) {
print RFILE $line;
}
close(RFILE);
}
#Update the list of files
if ($provider ne 0) {
$ind = 0;
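Review bot: in updateconfig the enable branch replaces the whole line with `define USE_PKCS11 1`, dropping the leading `#`, so config.h ends up containing a bare `define USE_PKCS11 1` that is not a preprocessor directive and will not compile; it should read `$line =~ s/^.*#undef USE_PKCS11.*$/#define USE_PKCS11 1/;`. Because of the same mistake the disable branch's pattern `^#define USE_PKCS11 .*$` never matches the mangled line, so rerunning the script with the provider cleared cannot undo it. The parameter name `$havexml` is also a leftover from the libxml2 setter and should be renamed to something like `$havepk11`.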
......@@ -71,4 +98,8 @@ if ($provider ne 0) {
updatefile($file, $provider);
$ind++;
}
updateconfig(1);
} else {
updateconfig(0);
}
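Review bot: the new `else { updateconfig(0); }` branch is reachable only when the script is invoked with a literal `0` as its argument (`$provider ne 0` is a string comparison, and the earlier `$#ARGV != 0` check dies when no argument is given), yet neither the usage message in this file nor the win32-build.txt text documents `setpk11provider.pl 0` as the way to switch PKCS #11 back off; document it, or add an explicit option for disabling.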
......@@ -2,7 +2,7 @@ Copyright (C) 2004, 2005, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2001, 2002 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
$Id: win32-build.txt,v 1.17 2009/09/24 13:03:39 fdupont Exp $
$Id: win32-build.txt,v 1.18 2009/10/12 16:41:13 each Exp $
BIND 9.7 for Win32 Source Build Instructions. 02-Jul-2009
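Review bot: the header line still reads "02-Jul-2009" although this commit adds two new PKCS #11 steps to the instructions below; bump the date alongside the $Id so the file's own timestamp reflects the change.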
......@@ -66,6 +66,12 @@ to see if the build instructions have changed:
ms\do_masm
nmake /f ms\ntdll.mak
If you wish to use PKCS #11 to control a cryptographic hardware service
module, please see bind9\README.pkcs11. You will need to apply the patch
in bind9\bin\pkcs11\openssl-0.9.8k-patch (this can be done using the Cygwin
'patch' utility) and add --pk11-libname and --pk11-flavor to the Configure
command above.
Step 2: Download and build libxml2
Download and untar the libxml2 sources from ftp://xmlsoft.org/libxml2.
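Review bot: "cryptographic hardware service module" is not the term README.pkcs11 uses; that file calls these devices HSMs (hardware security modules), so use the same wording here and in the second PKCS #11 paragraph below so the cross-reference to bind9\README.pkcs11 reads consistently. The instruction to "add --pk11-libname and --pk11-flavor to the Configure command above" also gives no example values or pointer to where they are explained; an example Configure line with both options filled in would save a reader a trip through the README.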
......@@ -88,6 +94,11 @@ From the command prompt cd to the win32utils directory under
the BIND9 root:
cd bind-9.7.0\win32utils
If you wish to use PKCS #11 to control a cryptographic hardware service
module, set the path to the PKCS #11 provider library:
perl setpk11provider.pl <DLL path>
If using VC++ 6.0, run the BuildAll.bat file:
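Review bot: the argument is described here as `<DLL path>`, but the script's own usage string says `<pkcs11_provider_dll_name>`, its example is the bare name `bp201w32HSM`, and it strips a trailing `.dll` rather than a directory component; say which form is expected (name or path) and use the same example in both places.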
......