On 30.07.2015 19:35, Evan Hunt wrote:
> On Thu, Jul 30, 2015 at 10:19:49AM -0700, Carl Byington wrote:
> > RHEL7/Centos7 now has softhsm v2 available. What about a new pkcs11
> > provider that is just an interface into openssl?
> >
> > --enable-native-pkcs11 \
> > --with-pkcs11=pkcs11-openssl-shim
> >
> > Bind uses native pkcs11, but the default .so it loads just redirects all
> > the calls into openssl.
>
> That in fact is exactly what SoftHSMv2 does.
>
> > Bind will ask it to generate keys, and will
> > assume that that provider will keep the private key part. So we still
> > don't end up with the original /var/named/K*.private files.
>
> Technically you still have the files, but instead of the files containing
> private key material themselves, they have identifiers to tell the HSM
> (or pseudo-HSM) which key is to be used.
>
> > Well, this new provider is *only* used by bind, so it could run under
> > the bind user account, have selinux access to /var/named, and keep its
> > private key data in files, possibly in a new /var/named/pkcs11-openssl-shim
> > directory.
> >
> > With this scheme, we would not need the -pkcs11 rpm subpackages, but
> > could use /etc/sysconfig/named to control the switch between providers.
>
> Better than just replicating the behavior of SoftHSMv2 would be a shim
> that can switch between multiple PKCS#11 providers.
>
> You'd build BIND to link to the shim provider. The shim in turn could
> pass along PKCS#11 calls to either SoftHSM or some other HSM, depending
> on the key. Then for example, you could use a KeyPer (slow but very secure)
> for certain high value keys but use software crypto (much faster but less
> secure) for others.
>
> This has been on our to-do list for some time but other items have taken
> priority.
>
> > Does redhat want to write (or fund the writing of) such a shim provider?
>
> We'd certainly be happy for any assistance.
Hi all.

In Fedora and RHEL 7.2 we are building bind with and without native PKCS#11 support at the same time. It requires some hacks in the Makefile, but it works. We are doing the same for the SDB API and have a named-sdb binary available.

We are building the regular named binary and libraries with OpenSSL, but also a named-pkcs11 binary and *-pkcs11 versions of the appropriate libraries. This way the user can install whichever version they need. Note that we use SoftHSM v2 as the provider by default.

I know only about the FreeIPA project, which requested that named also be available with native PKCS#11.

Currently we don't have any plans for implementing our own provider.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc. http://cz.redhat.com
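The point Evan makes above, that with a PKCS#11 provider the K*.private files still exist but hold a reference to the token key rather than the key material, is something worth checking on a real /var/named before assuming the private keys left the filesystem. The script below is an added example for this thread; it is not BIND/ISC code and was not posted by anyone in it. It assumes the "Tag: value" layout of BIND .private files, with RSA private material in the PrivateExponent/Prime*/Exponent*/Coefficient tags and an HSM-resident key referenced through a "Label:" line of the kind dnssec-keyfromlabel writes. All three sample files are constructed, and the base64 values in them are placeholders, not real key parameters.

```python
"""Classify BIND K*.private files as file-backed, PKCS#11-backed, or (wrongly) both.

Added example for the bind-users thread; not BIND/ISC code. The file layout
and the 'Label:' tag are assumptions about the dnssec-keyfromlabel format,
and every sample below is constructed with placeholder base64 values.
"""
from typing import Dict, List, Optional

# Tags whose presence means RSA private material is sitting on disk.
RSA_PRIVATE_TAGS = frozenset(
    {"PrivateExponent", "Prime1", "Prime2", "Exponent1", "Exponent2", "Coefficient"}
)

# Constructed sample: classic file-backed key (CRT parameters on disk).
FILE_BACKED_KEY = """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: cGxhY2Vob2xkZXItbW9kdWx1cw==
PublicExponent: AQAB
PrivateExponent: cGxhY2Vob2xkZXItZA==
Prime1: cGxhY2Vob2xkZXItcDE=
Prime2: cGxhY2Vob2xkZXItcDI=
Exponent1: cGxhY2Vob2xkZXItZHAx
Exponent2: cGxhY2Vob2xkZXItZHAy
Coefficient: cGxhY2Vob2xkZXItcWludg==
Created: 20150730193500
Publish: 20150730193500
Activate: 20150730193500
"""

# Constructed sample: key generated inside the (Soft)HSM; the file only names it.
HSM_BACKED_KEY = """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Label: pkcs11:token=bind;object=ksk-example;pin-source=/var/named/pkcs11.pin
Created: 20150730193500
Publish: 20150730193500
Activate: 20150730193500
"""

# Constructed sample of a misconfiguration: an HSM reference *and* private material.
MIXED_KEY = HSM_BACKED_KEY + "PrivateExponent: cGxhY2Vob2xkZXItZA==\n"


def parse_private_file(text: str) -> Dict[str, str]:
    """Parse 'Tag: value' lines into a dict; blank and comment lines are skipped."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line in private key file: {raw!r}")
        fields[tag.strip()] = value.strip()
    return fields


def parse_pkcs11_uri(uri: str) -> Dict[str, str]:
    """Split a pkcs11: URI into attributes.

    Accepts both the RFC 7512 form (path attrs ';', query attrs after '?' joined
    by '&') and the flat ';'-only form BIND labels are usually written in.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError(f"not a pkcs11 URI: {uri!r}")
    body = uri[len("pkcs11:"):].replace("?", ";").replace("&", ";")
    attrs: Dict[str, str] = {}
    for part in body.split(";"):
        if part:
            key, _, value = part.partition("=")
            attrs[key] = value
    return attrs


def classify_key(text: str) -> dict:
    """Report where the private key lives and flag anything a reviewer should see."""
    fields = parse_private_file(text)
    on_disk = sorted(t for t in RSA_PRIVATE_TAGS if t in fields)
    label: Optional[str] = fields.get("Label")
    warnings: List[str] = []
    pkcs11: Optional[Dict[str, str]] = None

    if label is not None:
        pkcs11 = parse_pkcs11_uri(label) if label.startswith("pkcs11:") else {"label": label}
        if "pin-value" in pkcs11:
            warnings.append("token PIN is embedded in the key file (pin-value)")

    if label is not None and on_disk:
        backing = "mixed"
        warnings.append(f"HSM reference present but private material also on disk: {on_disk}")
    elif label is not None:
        backing = "pkcs11"
    elif on_disk:
        backing = "file"
    else:
        raise ValueError("no private material and no PKCS#11 reference: unusable key file")

    return {
        "algorithm": fields.get("Algorithm", ""),
        "backing": backing,
        "material_tags": on_disk,
        "pkcs11": pkcs11,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for name, sample in (("file", FILE_BACKED_KEY), ("hsm", HSM_BACKED_KEY), ("mixed", MIXED_KEY)):
        print(name, classify_key(sample))
```

Run it over `/var/named/K*.private` (read each file and pass its contents to `classify_key`) after switching named to the -pkcs11 build: every key that was meant to move into SoftHSM or a real HSM should come back as "pkcs11", and any "file" or "mixed" result is a key whose private half is still readable by whoever can read the file.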