BIND-9 PKCS#11 support

The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
released on 2008-12-02 for OpenSSL 0.9.8i, with a back port of key-by-reference
support and some improvements, including user-friendly PIN management. You may
also use the original engine code.

"configure --with-pkcs11 ..."
PKCS#11 Libraries

Tested with the Solaris one with an SCA board and with openCryptoki with the
software token. Known to work on Linux and Windows 2003 Server, so it
should work on most operating systems. For AEP Keyper or any device used
only for its protected key store, please switch to the sign-only engine.
OpenSSL Engines

With PKCS#11 support the PKCS#11 engine is statically loaded, but at its
initialization it dynamically loads the PKCS#11 objects.
Even though the pre commands are therefore unused, they are defined with:
 SO_PATH:
  define: PKCS11_SO_PATH
  default: /usr/local/lib/engines/engine_pkcs11.so
 MODULE_PATH:
  define: PKCS11_MODULE_PATH
Without PKCS#11 support, a specific OpenSSL engine can still be used
by defining ENGINE_ID at compile time.
PKCS#11 tools

The contrib/pkcs11-keygen directory contains a set of experimental tools
to handle keys stored in a Hardware Security Module for the benefit of BIND.
The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
for the way to use it (these are the original notes, so they refer to the
original paths, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase()
on an operating system which is not Solaris.)

Not all tools are supported on AEP Keyper, but genkey and dnssec-keyfromlabel
are functional.
PIN management

With the merely fixed PKCS#11 OpenSSL engine, the PIN has to be entered
each time it is required. With the improved engine, the PIN has to be
entered only the first time it is required, or it can be configured in the
OpenSSL configuration file (aka openssl.cnf) by adding to it:
 - at the beginning:
  openssl_conf = openssl_def
 - at any place, these sections:
  [ openssl_def ]
  engines = engine_section
  [ engine_section ]
  pkcs11 = pkcs11_section
  [ pkcs11_section ]
  PIN = put__your__pin__value__here
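A static PIN in openssl.cnf is a credential for the token, so two things are worth checking on a host before relying on it: that the openssl_conf -> engines -> pkcs11 -> PIN chain above actually resolves (a broken link silently leaves the engine prompting instead), and that the file is not readable by other users. The script below is an added example, not part of BIND or of the PKCS#11 engine; it assumes a POSIX sh with awk, stat and mktemp, and the sample config it writes is constructed from the section layout given in this README.

```shell
#!/bin/sh
# Added example (not BIND or engine code): check the openssl.cnf PIN wiring
# described above and the file mode of a config that carries a static PIN.

# Print the value of KEY inside [SECTION] of an OpenSSL-style config file.
# An empty SECTION means the top-level area before the first [section].
# Usage: cnf_get FILE SECTION KEY
cnf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[[]/ {                      # "[ name ]" opens a new section
            s = $0
            sub(/^[ \t]*[[][ \t]*/, "", s)
            sub(/[ \t]*[]].*$/, "", s)
            cur = s
            next
        }
        cur == sect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)     # keep only the value
            sub(/[ \t]+$/, "", v)
            print v
            exit
        }
    ' "$1"
}

# Follow openssl_conf -> engines -> pkcs11 -> PIN, the chain the OpenSSL
# config module walks to reach the engine section, and print the section
# holding the PIN. Fails, naming the broken link, if any step is missing.
pkcs11_pin_section() {
    top=$(cnf_get "$1" "" openssl_conf)
    [ -n "$top" ] || { echo "$1: no top-level openssl_conf line" >&2; return 1; }
    eng=$(cnf_get "$1" "$top" engines)
    [ -n "$eng" ] || { echo "$1: [$top] has no engines entry" >&2; return 1; }
    p11=$(cnf_get "$1" "$eng" pkcs11)
    [ -n "$p11" ] || { echo "$1: [$eng] has no pkcs11 entry" >&2; return 1; }
    pin=$(cnf_get "$1" "$p11" PIN)
    [ -n "$pin" ] || { echo "$1: [$p11] has no PIN entry" >&2; return 1; }
    echo "$p11"
}

# The PIN is stored in clear, so the file must not be readable by group or
# others. Returns 0 when the mode is owner-only (e.g. 600), 1 otherwise.
pin_file_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample config with exactly the sections listed in this README
# (the PIN value is the README's placeholder, not a real PIN).
make_demo_cnf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
openssl_conf = openssl_def

[ openssl_def ]
engines = engine_section

[ engine_section ]
pkcs11 = pkcs11_section

[ pkcs11_section ]
PIN = put__your__pin__value__here
EOF
    chmod 600 "$f"
    echo "$f"
}

cnf=$(make_demo_cnf)
if sect=$(pkcs11_pin_section "$cnf"); then
    echo "PIN will be read from [$sect]"
fi
if pin_file_private "$cnf"; then
    echo "$cnf is readable by its owner only"
else
    echo "$cnf exposes the PIN to other users" >&2
fi
rm -f "$cnf"
```

Run it against a real openssl.cnf by replacing the constructed file with the path named. The mode check matters because, unlike an interactively entered PIN, a PIN= line is a persistent credential: anyone who can read the file can log in to the token and use the private keys it protects, including keys the sign-only engine is meant to keep inside the device.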
Slot management

The engine tries to use the first suitable slot, but it is recommended
to simply use slot 0 (the usual default; the meta-slot on Solaris).

Sign-only engine

openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
a stripped-down version of the hw_pk11.c and hw_pk11_pub.c files which
has only the useful functions (i.e., signing with an RSA private
key in the device's protected key store, and key loading).
This engine should be used with a device which mainly provides
a protected store and no acceleration. AEP Keyper is an example
of such a device (BTW, with the fully capable engine, key export
must be enabled on this device and this configuration is not yet
Original engine

If you are using the original engine and getpassphrase() is not defined, add:

#define getpassphrase(x) getpass(x)

Some names here are registered trademarks; at least Solaris is a trademark
of Sun Microsystems Inc.

Include files are from RSA Labs.; the PKCS#11 version is 2.20 amendment 3.

The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.