Update OpenSSL patches for implementing HSM support where native pkcs11 cannot be used.
Per Support ticket #15888, this is a request to review and potentially update the patches provided for OpenSSL, as recommended for use in the BIND ARM for accessing HSMs that do not (yet) have a fully functional native pkcs11 implementation that BIND can use.
This request may turn out to be unnecessary, depending on the outcome of #1534 (closed).
There are two angles to this request:

- The patches for OpenSSL do not allow the BIND utilities to generate, maintain and access keys using ECDSA.
- The patches for OpenSSL are for older/superseded versions of OpenSSL and appear not to have been updated for some time.
This is a request to look into this for BIND 9.11 alone, as this is our current ESV. Native pkcs11 is of course the way forward, but I'd like to make sure that we're not leaving anyone behind as we set off along the native path. What I would be delighted to see as the outcome of this ticket is affirmation (from investigations in issue #1534 (closed)) that the range of popular HSM pkcs11 implementations are now all fully functional, so that we don't need to do anything other than deprecate patched OpenSSL with advice to HSM users that they should aim to migrate to native pkcs11 instead.
====
(Aside: since access to the HSM pin is more limited with native pkcs11 than with patched OpenSSL, we should also make sure that at the same time we implement #911 (closed) to provide all the options for pin management that administrators will need).
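One concrete way to gather the per-HSM affirmation asked for above is to ask each vendor's PKCS#11 module which mechanisms it advertises and compare that against what native pkcs11 needs for a given DNSSEC algorithm. The script below is an added example, not BIND or ISC code: it parses the "Supported mechanisms" listing printed by OpenSC's `pkcs11-tool --module <lib> -M` and checks for a key-pair-generation mechanism plus a raw signing mechanism per algorithm. The per-algorithm mechanism lists in `required_mechs` are this example's assumption (not a list taken from BIND's sources), and `SAMPLE_LISTING` is constructed, not captured from a real HSM.

```shell
#!/bin/sh
# Added example (not BIND/ISC code): does a PKCS#11 module advertise the
# mechanisms native pkcs11 would need for a DNSSEC algorithm?
# Input format is that of OpenSC's `pkcs11-tool --module <lib> -M`.

# ASSUMPTION: a key-pair generator plus a raw signing mechanism per
# algorithm (digests are assumed to be computed in software, so the
# combined *-SHA256 mechanisms are not treated as required).
required_mechs() {
    case "$1" in
        RSASHA256|RSASHA512)             echo "RSA-PKCS-KEY-PAIR-GEN RSA-PKCS" ;;
        ECDSAP256SHA256|ECDSAP384SHA384) echo "EC-KEY-PAIR-GEN ECDSA" ;;
        *) echo "unknown algorithm: $1" >&2; return 2 ;;
    esac
}

# Read a pkcs11-tool -M listing on stdin; emit "NAME cap cap ..." per
# mechanism. Listing lines look like:
#   "  ECDSA, keySize={256,521}, hw, sign, verify"
parse_mechs() {
    sed -n 's/^  \([A-Za-z0-9_-]*\),\(.*\)$/\1\2/p' | tr -d ','
}

# hsm_supports ALGORITHM < listing
# exit 0 if every required mechanism is present with the capability that
# would be used (generate_key_pair or sign), 1 if not, 2 on bad input.
hsm_supports() {
    alg=$1
    req=$(required_mechs "$alg") || return 2
    mechs=$(parse_mechs)
    for m in $req; do
        case "$m" in
            *-KEY-PAIR-GEN) cap=generate_key_pair ;;
            *)              cap=sign ;;
        esac
        line=$(printf '%s\n' "$mechs" | awk -v n="$m" '$1 == n')
        [ -n "$line" ] || { echo "$alg: missing mechanism $m" >&2; return 1; }
        case " $line " in
            *" $cap "*) ;;
            *) echo "$alg: mechanism $m lacks '$cap'" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample (not from a real HSM): the token generates and signs
# with RSA, and signs with ECDSA, but does not generate EC key pairs
# on-board, so ECDSA key generation through native pkcs11 would fail.
SAMPLE_LISTING='Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA256, digest
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, hw, generate_key_pair
  RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign, verify
  SHA256-RSA-PKCS, keySize={1024,4096}, hw, sign, verify
  ECDSA, keySize={256,521}, hw, sign, verify
  ECDSA-SHA256, keySize={256,521}, hw, sign, verify'

# Run the check against the constructed sample for one algorithm.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | hsm_supports "$1"
}

# Against a real module:
#   pkcs11-tool --module /path/to/libpkcs11.so -M | hsm_supports ECDSAP256SHA256
```

Run it once per algorithm you intend to deploy; a module that passes for RSASHA256 but fails for ECDSAP256SHA256 is exactly the case where a migration note from patched OpenSSL to native pkcs11 needs a caveat.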