OLD-PKCS11-NOTES revision e25451b66ce773eed69ada005818ee3b40d0b555
BIND-9 PKCS#11 support

The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
released on 2008-12-02 for OpenSSL 0.9.8i, with a back port of key by reference
and some improvements, including user friendly PIN management. You may also
use the original engine code.

"configure --with-pkcs11 ..."

PKCS#11 Libraries

Tested with the Solaris one with a SCA board and with openCryptoki with the
software token. Known to work on Linux and Windows 2003 server, so it
should work on most operating systems. For AEP Keyper or any device used
only for its protected key store, please switch to the sign-only engine.

OpenSSL Engines

With PKCS#11 support the PKCS#11 engine is statically loaded, but at its
initialization it dynamically loads the PKCS#11 objects.
Even though the pre commands are therefore unused, they are defined with:
  define: PKCS11_SO_PATH
 MODULE_PATH:
  define: PKCS11_MODULE_PATH

Without PKCS#11 support, a specific OpenSSL engine can still be used
by defining ENGINE_ID at compile time.

PKCS#11 tools

The contrib/pkcs11-keygen directory contains a set of experimental tools
to handle keys stored in a Hardware Security Module for the benefit of BIND.
The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
for the way to use it (these are the original notes, so with the original
path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
an operating system which is not Solaris.)
Not all tools are supported on AEP Keyper, but genkey and dnssec-keyfromlabel
are functional.

With the merely fixed PKCS#11 OpenSSL engine, the PIN should be entered
each time it is required. With the improved engine, the PIN should be
entered the first time it is required, or it can be configured in the
OpenSSL configuration file (aka openssl.cnf) by adding to it:
 - at the beginning:
   openssl_conf = openssl_def
 - at any place, these sections:
   [ openssl_def ]
   engines = engine_section
   [ engine_section ]
   pkcs11 = pkcs11_section
   [ pkcs11_section ]
   PIN = put__your__pin__value__here
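A PIN placed in openssl.cnf this way is only picked up if the section chain above is complete, and a forgotten placeholder leaves the engine with a useless PIN. The following checker is an added example (not BIND or OpenSSL code) that parses the INI-like openssl.cnf layout, follows openssl_conf -> engines -> pkcs11 -> PIN as the notes describe, and reports a broken link or the unchanged placeholder; the sample configuration is constructed.

```python
"""Validate the engine/PIN chain that the notes above describe for openssl.cnf.

Added example, not part of BIND or OpenSSL. Minimal parser: '#' starts a
comment (quoted values containing '#' are not handled), keys before the
first [section] header live in the unnamed default section.
"""
import re

PLACEHOLDER_PIN = "put__your__pin__value__here"

# Constructed sample, laid out exactly as the notes suggest.
SAMPLE_CNF = """\
# constructed openssl.cnf fragment
openssl_conf = openssl_def

[ openssl_def ]
engines = engine_section

[ engine_section ]
pkcs11 = pkcs11_section

[ pkcs11_section ]
PIN = put__your__pin__value__here
"""

def parse_openssl_cnf(text):
    """Return {section: {key: value}}; '' is the default (headerless) section."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)   # accepts "[ name ]"
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_pkcs11_pin_chain(text):
    """Follow openssl_conf -> engines -> pkcs11 -> PIN; return a list of findings."""
    cfg = parse_openssl_cnf(text)
    top = cfg[""].get("openssl_conf")
    if top is None or top not in cfg:
        return ["openssl_conf does not name an existing section"]
    eng = cfg[top].get("engines")
    if eng is None or eng not in cfg:
        return ["%s has no engines= pointing at an existing section" % top]
    p11 = cfg[eng].get("pkcs11")
    if p11 is None or p11 not in cfg:
        return ["%s has no pkcs11= pointing at an existing section" % eng]
    pin = cfg[p11].get("PIN")
    if pin is None:
        return ["%s has no PIN= entry; the engine will prompt for it" % p11]
    if pin == PLACEHOLDER_PIN:
        return ["PIN is still the placeholder from the notes"]
    return []
```

Run it over the real openssl.cnf (e.g. `check_pkcs11_pin_chain(open(path).read())`); an empty list means the chain resolves and a real PIN is set.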
Slot management

The engine tries to use the first best slot, but it is recommended
to simply use slot 0 (usual default, meta-slot on Solaris).

Sign-only engine

openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
a stripped down version of the hw_pk11.c and hw_pk11_pub.c files which
has only the useful functions (i.e., signature with a RSA private
key in the device protected key store and key loading).
This engine should be used with a device which provides mainly
a protected store and no acceleration. AEP Keyper is an example
of such a device (BTW with the fully capable engine, key export
must be enabled on this device and this configuration is not yet

Original engine