GitLab

PK11_RSA_PKCS_REPLACE is not defined in configure or described in documentation and is therefore invisible for the user on main and v9_16.

In v9_11 one might set it via ./configure --enable-native-pkcs11 --with-pkcs11=/opt/Keyper/PKCS11Provider/pkcs11.so (see configure.ac, line 2324), which sets -DPK11_FLAVOR=PK11_AEP_FLAVOR, which in lib/isc/include/pk11/site.h via #if PK11_FLAVOR == PK11_AEP_FLAVOR defines PK11_RSA_PKCS_REPLACE.

#else /* ifndef PK11_RSA_PKCS_REPLACE */ blocks in lib/dns/pkcs11rsa_link.c are either dead code forgotten when OpenSSL was made mandatory with c3b8130f in v9_13_3 and thus should be dropped, made available by configure, or the least documented in e.g. OPTIONS.md.