BIND-9 PKCS#11 support

The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
released on 2008-12-02 for OpenSSL 0.9.8i, with a back port of key-by-reference
and some improvements, including user-friendly PIN management. You may also
use the original engine code.

Build BIND with PKCS#11 support using:

"configure --with-pkcs11 ..."
PKCS#11 Libraries

Tested with the Solaris one with an SCA board and with openCryptoki with the
software token. Known to work on Linux and Windows 2003 Server, so it
should work on most operating systems. For AEP Keyper or any device used
only for its protected key store, please switch to the sign-only engine.
OpenSSL Engines

With PKCS#11 support the PKCS#11 engine is statically loaded, but at its
initialization it dynamically loads the PKCS#11 objects.
Even though the pre commands are therefore unused, they are defined with:
 define: PKCS11_SO_PATH
 default: /usr/local/lib/engines/engine_pkcs11.so
 define: PKCS11_MODULE_PATH

Without PKCS#11 support, a specific OpenSSL engine can still be used
by defining ENGINE_ID at compile time.
PKCS#11 tools

The contrib/pkcs11-keygen directory contains a set of experimental tools
to handle keys stored in a Hardware Security Module for the benefit of BIND.
The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
for the way to use it (these are the original notes, so with the original
path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
an operating system which is not Solaris.)

Not all tools are supported on AEP Keyper, but genkey and dnssec-keyfromlabel
are functional.
PIN management

With the just-fixed PKCS#11 OpenSSL engine, the PIN must be entered
each time it is required. With the improved engine, the PIN is entered
the first time it is required, or it can be configured in the
OpenSSL configuration file (aka openssl.cnf) by adding in it:
 - at the beginning:
 openssl_conf = openssl_def
 - at any place these sections:
 [ openssl_def ]
 engines = engine_section
 [ engine_section ]
 pkcs11 = pkcs11_section
 [ pkcs11_section ]
 PIN = put__your__pin__value__here

Note that a PIN configured this way is stored in clear text in openssl.cnf:
restrict the file's permissions to the user that runs the tools or named.
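As an added example (not part of this README, of BIND, of the contrib tools or of the OpenSSL PKCS#11 engine), the following Python script checks that an openssl.cnf really wires a PIN through the chain above (openssl_conf -> engines -> pkcs11 -> PIN) and that the file holding the clear-text PIN is not group- or world-readable. The section and key names are the README's; the minimal config parser, the constructed sample configuration it writes, and the 0600 recommendation are the example's own assumptions.

```python
#!/usr/bin/env python3
"""Check an openssl.cnf for the PKCS#11 engine PIN wiring and its file mode.

Added example; not part of BIND or of the OpenSSL PKCS#11 engine.
The parser handles only the subset of OpenSSL's config syntax used above
(an unnamed leading section, '#' comments, 'key = value', '[ name ]'
headers); it does not expand $variables, quoted strings or .include.
"""
import os
import stat
import tempfile

PLACEHOLDER_PIN = "put__your__pin__value__here"  # placeholder from the README

# Constructed sample openssl.cnf (same sections as the README), PIN filled in.
SAMPLE_CONF = """# constructed sample openssl.cnf
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
PIN = %s
"""


def parse_openssl_conf(text):
    """Return {section_name: {key: value}}.

    Keys before the first '[ section ]' header belong to OpenSSL's unnamed
    section, stored here under the name 'default'.
    """
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()      # OpenSSL tolerates '[ name ]'
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def find_engine_pin(sections, engine_id="pkcs11"):
    """Follow openssl_conf -> engines -> engine_id -> PIN.

    Returns the PIN string, or None when any link of the chain is missing,
    i.e. the case in which the engine will prompt for the PIN instead.
    """
    conf = sections["default"].get("openssl_conf")
    engines = sections.get(conf, {}).get("engines") if conf else None
    engine = sections.get(engines, {}).get(engine_id) if engines else None
    if engine is None:
        return None
    return sections.get(engine, {}).get("PIN")


def check_openssl_conf(path, engine_id="pkcs11"):
    """Return a list of findings for the file at path; an empty list is OK."""
    findings = []
    with open(path) as f:
        sections = parse_openssl_conf(f.read())
    pin = find_engine_pin(sections, engine_id)
    if pin is None:
        findings.append("no PIN reachable through openssl_conf/engines/%s; "
                        "the engine will prompt for it" % engine_id)
        return findings
    if pin == PLACEHOLDER_PIN:
        findings.append("PIN is still the README placeholder")
    # The PIN is in clear text, so nobody but the owner should read the file.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("PIN is stored in clear text but the file mode is "
                        "%04o; chmod it to 0600" % mode)
    return findings


def write_sample_conf(pin, mode):
    """Write SAMPLE_CONF with the given PIN to a temporary file, set the
    given permission bits on it and return its path (demonstration only)."""
    fd, path = tempfile.mkstemp(suffix=".cnf")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_CONF % pin)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for pin, mode in ((PLACEHOLDER_PIN, 0o644), ("123456", 0o644), ("123456", 0o600)):
        path = write_sample_conf(pin, mode)
        print("mode %04o: %s" % (mode, check_openssl_conf(path) or ["OK"]))
        os.unlink(path)
```

Run it with no arguments to see the three constructed cases (placeholder PIN, real PIN in a 0644 file, real PIN in a 0600 file); point check_openssl_conf() at your own openssl.cnf to check a real deployment, passing a different engine_id if the engine section is not named pkcs11.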
Slot management

The engine tries to use the first suitable slot, but it is recommended
to simply use slot 0 (the usual default, the meta-slot on Solaris).
Sign-only engine

openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
stripped-down versions of the hw_pk11.c and hw_pk11_pub.c files which
have only the useful functions (i.e., signing with an RSA private
key in the device's protected key store, and key loading).
This engine should be used with a device which provides mainly
a protected store and no acceleration. AEP Keyper is an example
of such a device (BTW, with the fully capable engine, key export
must be enabled on this device and this configuration is not yet
Original engine

If you are using the original engine and getpassphrase() is not defined, add:
#define getpassphrase(x) getpass(x)

Trademarks

Some names here are registered trademarks; at least Solaris is a trademark
of Sun Microsystems Inc.

PKCS#11 version

Include files are from RSA Labs.; the PKCS#11 version is 2.20 amendment 3.

FIPS 140-2

The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.