Commit b56f3f5c authored by Francis Dupont

PKCS#11 20225 & all

parent e8537284
2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
2701. [doc] Correction to ARM: hmac-md5 is no longer the only
supported TSIG key algorithm. [RT #18046]
......@@ -9,9 +9,8 @@ and other cryptographic support devices.
BIND 9 is known to work with two HSMs: The Sun SCA 6000 cryptographic
acceration board, tested under Solaris x86, and the AEP Keyper
network-attached key storage device, tested with a Debian Linux system.
(The Keyper has also been tested with Windows Server 2003 and found to
work, but with some stability problems that have not yet been resolved.)
network-attached key storage device, tested with a Debian Linux system,
Solaris x86 and Windows Server 2003.
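Review bot: The Windows Server 2003 caveat ("some stability problems that have not yet been resolved") disappears from the Keyper sentence without explanation, and Windows Server 2003 is now listed as tested on equal footing with Debian Linux and Solaris x86. If the problems were fixed, say so in the commit message or CHANGES entry; if not, keep the caveat, since operators choose the platform for a signing HSM from this paragraph. The typo "acceration" in the line above could be corrected while this paragraph is being edited.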
......@@ -24,30 +23,37 @@ is available from the OpenSolaris project. It has been modified by
ISC to work with with BIND 9 and to provide new features such as
PIN management and key by reference.
The PKCS#11 engine supports two flavors:
- the crypto-accelerator which uses the PKCS#11 device for all crypto
operations it supports. This is the right choice for the SCA 6000.
- the sign-only which was stripped down and provides only the
useful features for a secure key store. The Keyper must use this
The modified OpenSSL depends on a "PKCS #11 provider". This is a shared
library object, providing a low-level PKCS #11 interface to the HSM
hardware; it is dynamically loaded by OpenSSL at runtime. The PKCS #11
provider comes from the HSM vendor, and and is specific to the HSM to be
The modified OpenSSL code is included in BIND 9.7.0a3 release in the form
of a context diff against OpenSSL 0.9.8i. Before building BIND 9 with
The modified OpenSSL code is included in BIND 9.7.0b1 release in the form
of a context diff against OpenSSL 0.9.8k. Before building BIND 9 with
PKCS #11 support, it will be necessary to build OpenSSL with this patch
in place and inform it of the path to the HSM-specific PKCS #11 provider
Obtain OpenSSL 0.9.8i:
Obtain OpenSSL 0.9.8k:
Extract the tarball:
tar zxf openssl-0.9.8i.tar.gz
tar zxf openssl-0.9.8k.tar.gz
Apply the patch from the BIND 9 release:
patch -p1 -d openssl-0.9.8i \
< bind-9.7.0a3/contrib/pkcs11-keygen/openssl-0.9.8i-patch
patch -p1 -d openssl-0.9.8k \
< bind-9.7.0b1/bin/pkcs11/openssl-0.9.8k-patch
(Note that the patch file may not be compatible with the "patch" utility
on all operating systems. You may need to install GNU patch.)
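Review bot: The new flavors list names "crypto-accelerator" and "sign-only" but never says how a flavor is selected; the reader only meets --pk11-flavor in the Configure examples further down. Name the option where the flavors are introduced, and turn "the sign-only which was stripped down" into a full sentence. The doubled words in this hunk ("with with BIND 9", "and and is specific") and the hard-coded 0.9.8k / 9.7.0b1 strings, repeated in five places, are worth a cleanup pass so the next version bump does not miss one.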
......@@ -63,17 +69,8 @@ We will use this location when we configure BIND 9.
not provide hardware cryptographic acceleration. It can carry out
cryptographic operations, but it is probably slower than your
system's CPU, so it is most efficient to use it only for operations
that require the secured private key.
The patched OpenSSL source tree includes two versions of the PKCS #11
engine; one uses the HSM for all cryptographic operations, and the
other only uses it for signing. The signing-only engine is recommended
for the Keyper. To build OpenSSL with the signing-only engine:
cp openssl-0.9.8i/crypto/engine/hw_pk11-kp.c \
cp openssl-0.9.8i/crypto/engine/hw_pk11_pub-kp.c \
that require the secured private key. This is why the PKCS#11
engine flavor shall be 'sign-only'.
The Keyper-specific PKCS #11 provider library is delivered with the
Keyper software. In this example, we place it /opt/pkcs11/usr/lib:
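Review bot: "This is why the PKCS#11 engine flavor shall be 'sign-only'" replaces the removed hw_pk11-kp.c copy steps with a requirement but no instruction. Say at this point that the flavor is chosen at OpenSSL Configure time with --pk11-flavor=sign-only, and prefer "should be" or "must be" over "shall be" to match the rest of the document.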
......@@ -86,9 +83,10 @@ We will use this location when we configure BIND 9.
Finally, the Keyper library requires threads, so we must specify -pthread.
cd openssl-0.9.8i
cd openssl-0.9.8k
./Configure linux-generic32 -m32 -pthread \
--pk11-libname=/opt/pkcs11/usr/lib/ \
--pk11-flavor=sign-only \
After configuring, run "make" and "make test". If "make test" fails
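Review bot: --pk11-flavor=sign-only is added to the Configure example, but the text does not say whether the option is mandatory or which flavor is built when it is omitted. Document the default, or state that Configure fails without it, so a Keyper build cannot end up on the wrong engine unnoticed.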
......@@ -98,13 +96,15 @@ We will use this location when we configure BIND 9.
The SCA-6000 PKCS #11 provider is installed as a system library,
libpkcs11. It is a true crypto accelerator, up to 4 times faster
than any CPU, so the flavor shall be 'crypto-accelerator'.
In this example, we are building on Solaris x86 on an AMD64 system.
cd openssl-0.9.8i
cd openssl-0.9.8k
./Configure solaris64-x86_64-cc \
--pk11-libname=/usr/lib/64/ \
--pk11-flavor=crypto-accelerator \
(For a 32-bit build, use "solaris-x86-cc" and /usr/lib/
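Review bot: "up to 4 times faster than any CPU" in the SCA-6000 paragraph is an unqualified performance claim with no source, operation or key size attached, and it will date quickly. Either qualify it (which operation, measured against what) or reduce it to the part the build step needs: the device accelerates the operations it supports, so the flavor is "crypto-accelerator".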
......@@ -117,6 +117,8 @@ line:
(pkcs11) PKCS #11 engine support
<<"apps/openssl engine -t" to see if initialization is correct (available)>>
If the output is correct, run "make install".
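Review bot: The added line <<"apps/openssl engine -t" to see if initialization is correct (available)>> is an author's placeholder, not documentation. Replace it with the actual instruction and the expected output before release, since this is the only check the reader has that the engine can initialize against the HSM before running "make install".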
......@@ -133,7 +135,7 @@ library must be specified via configure.
we are building on a 64-bit host, we must force a 32-bit build by
adding "-m32" to the CC options on the "configure" command line.
cd ../bind-9.7.0a3
cd ../bind-9.7.0b1
./configure CC="gcc -m32" --enable-threads \
--with-openssl=/opt/pkcs11/usr \
......@@ -143,10 +145,10 @@ library must be specified via configure.
To link with the PKCS #11 provider, threads must be enabled in the
BIND 9 build.
cd ../bind-9.7.0a3
cd ../bind-9.7.0b1
./configure CC="cc -xarch=amd64" --enable-threads \
--with-openssl=/opt/pkcs11/usr \
(For a 32-bit build, omit CC="cc -xarch=amd64".)
......@@ -208,6 +210,10 @@ otherwise the PCKS #11 engine will look for the key on disk rather than
in the HSM. If you forget to do this, dnssec-keyfromlabel will return
"not found".)
<<Something about -E>>
<<Something about bad formatted .private (simply rerun dnssec-keyfromlabel
which by side-effect will fix the smart signing dates too)>>
The resulting K*.key and K*.private files can now be used to sign the
zone. Unlike normal K* files, which contain both public and private
key data, these files will contain only the public key data, plus an
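Review bot: The two added lines, <<Something about -E>> and <<Something about bad formatted .private ...>>, are unfinished notes committed into user-facing documentation. Write out what -E does and when it is needed, and turn the second note into a proper instruction (rerun dnssec-keyfromlabel) with the symptom that tells the user they have a badly formatted .private file. The "PCKS #11" typo in the paragraph above could be fixed at the same time.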