BIND-9 PKCS#11 support

Prerequisite

The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
released on 2008-12-02 for OpenSSL 0.9.8i, with a back port of key-by-reference
and some improvements, including user-friendly PIN management. You may also
use the original engine code.

Compilation

"configure --with-pkcs11 ..."

PKCS#11 Libraries

Tested with the Solaris one with a SCA board and with openCryptoki with the
software token. Known to work on Linux and Windows 2003 Server, so it
should work on most operating systems. For AEP Keyper or any device used
only for its protected key store, please switch to the sign-only engine.

OpenSSL Engines

With PKCS#11 support the PKCS#11 engine is statically loaded, but at its
initialization it dynamically loads the PKCS#11 objects.
Even though the pre-commands are therefore unused, they are defined with:
  SO_PATH:
    define: PKCS11_SO_PATH
    default: /usr/local/lib/engines/engine_pkcs11.so
  MODULE_PATH:
    define: PKCS11_MODULE_PATH
    default: /usr/lib/libpkcs11.so
Without PKCS#11 support, a specific OpenSSL engine can still be used
by defining ENGINE_ID at compile time.

PKCS#11 tools

The contrib/pkcs11-keygen directory contains a set of experimental tools
to handle keys stored in a Hardware Security Module for the benefit of BIND.

The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
for the way to use it (these are the original notes, so with the original
paths, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
an operating system which is not Solaris.)

Not all tools are supported on AEP Keyper, but genkey and dnssec-keyfromlabel
are functional.

PIN management

With the just-fixed PKCS#11 OpenSSL engine, the PIN must be entered
each time it is required. With the improved engine, the PIN must be
entered the first time it is required, or it can be configured in the
OpenSSL configuration file (aka openssl.cnf) by adding to it:
 - at the beginning:
 openssl_conf = openssl_def
 - at any place these sections:
 [ openssl_def ]
 engines = engine_section
 [ engine_section ]
 pkcs11 = pkcs11_section
 [ pkcs11_section ]
 PIN = put__your__pin__value__here
Note that the PIN is then stored in clear text in that file, so restrict
read access to it to the user running named and the dnssec tools.

Slot management

The engine tries to use the first best slot, but it is recommended
to simply use slot 0 (the usual default, the meta-slot on Solaris).

Sign-only engine

openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
a stripped-down version of the hw_pk11.c and hw_pk11_pub.c files which
has only the useful functions (i.e., signature with an RSA private
key in the device's protected key store, and key loading).

This engine should be used with a device which provides mainly
a protected store and no acceleration. AEP Keyper is an example
of such a device (BTW, with the fully capable engine, key export
must be enabled on this device, and this configuration is not yet
supported).

Original engine

If you are using the original engine and getpassphrase() is not defined, add:
#define getpassphrase(x) getpass(x)
in openssl.../crypto/engine/hw_pk11_pub.c

Notes

Some names here are registered trademarks; at least Solaris is a trademark
of Sun Microsystems Inc.
Include files are from RSA Labs.; the PKCS#11 version is 2.20 amendment 3.
The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.
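The following is an added example for the "PIN management" section; it is not part of BIND's README.pkcs11 nor of the PKCS#11 engine code. It resolves the openssl.cnf chain the README describes (openssl_conf -> openssl_def -> engines -> engine_section -> pkcs11 -> pkcs11_section -> PIN) the way the engine would at load time, shows what happens when a link is missing, and checks that a file holding a clear-text PIN is not readable by other users. The engine id "pkcs11", the key name "PIN" and the sample PIN value are assumptions taken from the README sample, and the minimal INI reader is mine (OpenSSL's config syntax allows keys before the first [section], which Python's configparser rejects).

```python
"""Added example (not BIND's or the engine's code): resolve the PKCS#11
engine PIN from an openssl.cnf and verify the file's permissions."""
import os
import stat
import tempfile

# Constructed sample configuration, following the README's layout.
# The PIN value is made up for the example.
SAMPLE_CNF = """\
openssl_conf = openssl_def

[ openssl_def ]
engines = engine_section

[ engine_section ]
pkcs11 = pkcs11_section

[ pkcs11_section ]
PIN = 1234   # constructed value, not a real token PIN
"""

# Same file with the engine_section -> pkcs11 link removed: the engine
# would find no PIN here and fall back to prompting for it.
BROKEN_CNF = SAMPLE_CNF.replace("pkcs11 = pkcs11_section\n", "")


def parse_openssl_cnf(text):
    """Return (top_level, sections): keys before any [section] header go
    into top_level; '#' starts a comment, as in OpenSSL's config syntax."""
    top, sections = {}, {}
    current = top
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError("malformed openssl.cnf line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return top, sections


def resolve_pkcs11_pin(text, engine_id="pkcs11"):
    """Follow openssl_conf -> engines -> <engine_id> -> PIN.
    Returns the PIN string, or None if any link in the chain is absent
    (assumed engine id and key name taken from the README sample)."""
    top, sections = parse_openssl_cnf(text)
    try:
        init_section = sections[top["openssl_conf"]]
        engines = sections[init_section["engines"]]
        engine_section = sections[engines[engine_id]]
        return engine_section["PIN"]
    except KeyError:
        return None


def pin_file_is_private(path):
    """A file storing a token PIN in clear must not be group- or
    world-accessible; 0600 (or 0400) is what we want."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo_permission_check():
    """Write SAMPLE_CNF to a temp file with a typical 0644 mode, check it,
    tighten it to 0600 and check again. Returns (before, after)."""
    fd, path = tempfile.mkstemp(prefix="openssl-pkcs11-", suffix=".cnf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_CNF)
        os.chmod(path, 0o644)
        before = pin_file_is_private(path)
        os.chmod(path, 0o600)
        after = pin_file_is_private(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("PIN from sample config:", resolve_pkcs11_pin(SAMPLE_CNF))
    print("PIN from broken config:", resolve_pkcs11_pin(BROKEN_CNF))
    print("file private before/after chmod 0600:", demo_permission_check())
```

Run it against a real openssl.cnf by reading the file into resolve_pkcs11_pin(); a None result means the engine will prompt for the PIN instead, which is usually a misnamed section rather than a missing one.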