
Resolve "Add support for Utimaco HSM"

Ondřej Surý requested to merge 656-add-support-for-utimaco-hsm-v9_11 into v9_11

Notes for the reviewer:

Testing this is a fairly complex process which involves installing the Utimaco HSM Simulator, then adding i386 runtime support to your 64-bit system, then installing Java, and in case it's a remote server, installing the Xvfb and x11vnc servers.

We can probably set up one instance of the HSM simulator at ISC and then just copy the PKCS#11 library for future testing.

Once you have the HSM Simulator running, you need to configure ~/.utimaco/cs_pkcs11_R2.cfg:

[Global]
Logging = 0
Logsize = 10mb
KeysExternal = false
SlotMultiSession = true
SlotCount = 1
KeepLeadZeros = false
FallbackInterval = 0
KeepAlive = false
ConnectionTimeout = 5000
CommandTimeout = 60000
[CryptoServer]
Device = TCP:3001@127.0.0.1

99% of this comes from the defaults, except the Device option.

The next step is to compile BIND with native PKCS#11 which might be as simple as:

./configure --enable-native-pkcs11 --with-pkcs11=<path>/libcs_pkcs11_R2.so
make && make install

Anyway, the patch is fairly simple, so the first part involves adding a new PKCS#11 HSM flavor define and then setting it when *libcs* is found in the path passed to --with-pkcs11=.

The second commit just disables running MD5 and SHA1 runtime checks when initializing DST HMAC part of the library.
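The flavor detection described above, as an added illustration that is not part of this merge request or of BIND's own configure script: a small POSIX sh function that takes the library path handed to --with-pkcs11=, matches its basename, and returns a flavor tag. The only pattern taken from the description is the libcs one for Utimaco; the libsofthsm2 and libsofthsm patterns and the "generic" fallback are assumptions added for illustration.

```shell
#!/bin/sh
# Added example: map the PKCS#11 library given to --with-pkcs11= to a flavor
# tag by matching its basename. Mirrors the idea in the MR description (the
# Utimaco flavor is selected when "libcs" appears in the library path); the
# softhsm patterns and the generic fallback are assumptions, not BIND's code.
pkcs11_flavor() {
    lib=$(basename "$1")
    case "$lib" in
        libcs*)       echo utimaco  ;;   # Utimaco CryptoServer libcs_pkcs11_R2.so
        libsofthsm2*) echo softhsm2 ;;   # assumed: SoftHSMv2
        libsofthsm*)  echo softhsm  ;;   # assumed: SoftHSMv1
        *)            echo generic  ;;   # assumed: no vendor-specific quirks
    esac
}

# Assemble the configure invocation for a library path; the flavor tag is
# printed alongside so the selected quirks are visible before building.
# Hypothetical helper, for illustration only.
configure_cmdline() {
    flavor=$(pkcs11_flavor "$1")
    printf './configure --enable-native-pkcs11 --with-pkcs11=%s   # flavor: %s\n' \
        "$1" "$flavor"
}

# Usage: ./pkcs11-flavor.sh /opt/utimaco/lib/libcs_pkcs11_R2.so
configure_cmdline "${1:-/opt/utimaco/lib/libcs_pkcs11_R2.so}"
```

The matching is on the basename only, so a vendor directory name such as /opt/utimaco/lib/ does not by itself select the flavor; what matters is the library file name, which is also what the description keys on.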
