                        BIND-9 PKCS#11 support

Prerequisite

The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
released on 2008-12-02 for OpenSSL 0.9.8i, with a back port of key-by-reference
and some improvements, including user-friendly PIN management. You may also
use the original engine code.

Compilation

"configure --with-pkcs11 ..."

PKCS#11 Libraries

Tested with the Solaris one with an SCA board and with openCryptoki with the
software token. Known to work on Linux and Windows 2003 Server, so it
should work on most operating systems. For AEP Keyper or any device used
only for its protected key store, please switch to the sign-only engine.

OpenSSL Engines

With PKCS#11 support the PKCS#11 engine is statically loaded, but at its
initialization it dynamically loads the PKCS#11 objects.
Even though the pre commands are therefore unused, they are defined with:
 SO_PATH:
  define: PKCS11_SO_PATH
  default: /usr/local/lib/engines/engine_pkcs11.so
 MODULE_PATH:
  define: PKCS11_MODULE_PATH
  default: /usr/lib/libpkcs11.so
Without PKCS#11 support, a specific OpenSSL engine can still be used
by defining ENGINE_ID at compile time.

PKCS#11 tools

The contrib/pkcs11-keygen directory contains a set of experimental tools
to handle keys stored in a Hardware Security Module for the benefit of BIND.

The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
for the way to use it (these are the original notes, so with the original
path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
an operating system which is not Solaris.)

Not all tools are supported on AEP Keyper, but genkey and dnssec-keyfromlabel
are functional.

PIN management

With the PKCS#11 OpenSSL engine that has only been fixed, the PIN must be
entered each time it is required. With the improved engine, the PIN must be
entered the first time it is required, or it can be configured in the
OpenSSL configuration file (aka openssl.cnf) by adding to it:
 - at the beginning:
  openssl_conf = openssl_def
 - at any place, these sections:
  [ openssl_def ]
  engines = engine_section
  [ engine_section ]
  pkcs11 = pkcs11_section
  [ pkcs11_section ]
  PIN = put__your__pin__value__here

Slot management

The engine tries to use the first suitable slot, but it is recommended
to simply use slot 0 (the usual default, the meta-slot on Solaris).

Sign-only engine

openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
a stripped-down version of the hw_pk11.c and hw_pk11_pub.c files which
has only the useful functions (i.e., signature with an RSA private
key in the device's protected key store, and key loading).

This engine should be used with a device which provides mainly
a protected store and no acceleration. AEP Keyper is an example
of such a device (by the way, with the fully capable engine, key export
must be enabled on this device, and this configuration is not yet
supported).

Original engine

If you are using the original engine and getpassphrase() is not defined, add:
#define getpassphrase(x) getpass(x)
in openssl.../crypto/engine/hw_pk11_pub.c

Notes

Some names here are registered trademarks; at least Solaris is a trademark
of Sun Microsystems Inc.
Include files are from RSA Labs; the PKCS#11 version is 2.20 amendment 3.
The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.
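A PIN placed in openssl.cnf as described under "PIN management" is stored in cleartext, so the file should be readable only by the account that runs the engine. The following added check (example code, not part of BIND or of the PKCS#11 engine) resolves the section chain the README gives (openssl_conf -> engines -> pkcs11 -> PIN) and reports whether such a PIN sits in a file that group or other users can read; SAMPLE_CNF and all function names are constructed for this example.

```python
import os
import re
import tempfile

_SECTION_RE = re.compile(r"^\s*\[\s*([^\]\s]+)\s*\]\s*$")
_KEYVAL_RE = re.compile(r"^\s*([^=#\s]+)\s*=\s*(.*?)\s*$")
# Constructed sample laid out as the PIN management section describes.
SAMPLE_CNF = """openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
PIN = put__your__pin__value__here
"""

def parse_cnf(text):
    """Minimal openssl.cnf reader; keys before any [section] land in section ""."""
    sections, current = {"": {}}, ""
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        if m := _SECTION_RE.match(line):
            sections.setdefault(current := m.group(1), {})
        elif m := _KEYVAL_RE.match(line):
            sections[current][m.group(1)] = m.group(2)
    return sections

def find_engine_pin(sections):
    """Follow openssl_conf -> engines -> pkcs11 -> PIN; None if a link is missing."""
    try:
        eng = sections[sections[""]["openssl_conf"]]["engines"]
        return sections[sections[eng]["pkcs11"]].get("PIN")
    except KeyError:
        return None

def pin_exposure(path):
    """Return (pin_configured, readable_by_group_or_others) for one cnf file."""
    with open(path) as fh:
        pin = find_engine_pin(parse_cnf(fh.read()))
    return pin is not None, bool(os.stat(path).st_mode & 0o044)  # g+r / o+r bits

def check_sample(mode):
    """Write SAMPLE_CNF to a temporary file with the given mode and check it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_CNF)
        os.chmod(path, mode)
        return pin_exposure(path)
    finally:
        os.unlink(path)
```

Run pin_exposure() against the real openssl.cnf in use; a result of (True, True) means the engine PIN is configured and the file is readable by users other than its owner.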