running named built with --enable-native-pkcs11 without HSM provider library
each at isc.org
Wed Aug 6 19:42:06 UTC 2014
On Wed, Aug 06, 2014 at 02:02:33PM -0400, Tomas Hozza wrote:
> As far as I understand, without native-pkcs11 OpenSSL is used for crypto
> operations if the provided PKCS#11 library did not support some operation, or
> if the PKCS#11 provider library was not provided/was not available at all.
> With native-pkcs11 the PKCS#11 provider library has to be provided
> and available all the time. I'm interested if there is any chance to
> fall back to OpenSSL in that case OR specify OpenSSL as provider library
> (however preferably without the needed patch) during the build and if needed,
> specify e.g. the SoftHSMv2 provider library on the command line using '-E'
> during the runtime.
There are currently three possible ways to provide crypto in BIND.
- Link with OpenSSL (this is the default).
- PKCS#11 via patched OpenSSL. This requires an alternate version of
OpenSSL that originated as part of the OpenSolaris project (which is
no more). The patches were never accepted upstream by the OpenSSL
maintainers, so ISC has been supporting them: they're included with
the BIND source.
In this model, BIND calls crypto functions in OpenSSL as usual, but
OpenSSL passes along some of the requests as PKCS#11 primitives to an
HSM instead of handling them itself. Functions not provided by the HSM
are handled by OpenSSL.
This works with several HSMs, but it's complex, difficult to debug,
and cumbersome to have to use a nonstandard OpenSSL. Also, frankly
we'd prefer not to have to maintain the patches forever, so we're
hoping to deprecate this model in time.
- Native PKCS#11, introduced in BIND 9.10. In this model, BIND speaks
directly to a PKCS#11 provider; OpenSSL isn't in the picture at all.
For it to work, we need the provider to have a *full* implementation of
the PKCS#11 API, because the provider needs to serve *all* of BIND's
cryptographic needs -- not just signing but also validation, hashing,
random number generation, etc. Currently I only know of two PKCS#11
providers that work: Thales, and SoftHSMv2.
There isn't currently any mechanism to have BIND switch back and forth
between providers. You can use the -E option to select a provider
at runtime, but there's no way to alter that selection except to
restart the server. That's what the "shim" I mentioned would be for.
Unfortunately, I can't tell you anything about when such a thing is
likely to get written; we've got a lot of other tasks lined up
ahead of it, and not enough pairs of hands. Contributed code or
offers of sponsorship would be lovely.
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
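As an added example (not code from this thread, from ISC or from BIND), a preflight probe for the native-PKCS#11 model described in the reply: it loads the provider library that would be passed to named's -E option, calls its C_GetFunctionList and checks that the entry points for the operations BIND needs from the provider (random numbers, hashing, signing, validation, key handling) are present, since there is no OpenSSL fallback. The CK_FUNCTION_LIST layout follows the pkcs11f.h ordering; the REQUIRED list is my own selection, not an ISC-published one.

```python
"""Preflight probe for a PKCS#11 provider library before starting named -E <lib>."""
import ctypes

# Function-pointer order of CK_FUNCTION_LIST as declared in pkcs11f.h (PKCS#11 v2.x).
FUNCS = (
    "C_Initialize C_Finalize C_GetInfo C_GetFunctionList C_GetSlotList C_GetSlotInfo "
    "C_GetTokenInfo C_GetMechanismList C_GetMechanismInfo C_InitToken C_InitPIN C_SetPIN "
    "C_OpenSession C_CloseSession C_CloseAllSessions C_GetSessionInfo C_GetOperationState "
    "C_SetOperationState C_Login C_Logout C_CreateObject C_CopyObject C_DestroyObject "
    "C_GetObjectSize C_GetAttributeValue C_SetAttributeValue C_FindObjectsInit C_FindObjects "
    "C_FindObjectsFinal C_EncryptInit C_Encrypt C_EncryptUpdate C_EncryptFinal C_DecryptInit "
    "C_Decrypt C_DecryptUpdate C_DecryptFinal C_DigestInit C_Digest C_DigestUpdate C_DigestKey "
    "C_DigestFinal C_SignInit C_Sign C_SignUpdate C_SignFinal C_SignRecoverInit C_SignRecover "
    "C_VerifyInit C_Verify C_VerifyUpdate C_VerifyFinal C_VerifyRecoverInit C_VerifyRecover "
    "C_DigestEncryptUpdate C_DecryptDigestUpdate C_SignEncryptUpdate C_DecryptVerifyUpdate "
    "C_GenerateKey C_GenerateKeyPair C_WrapKey C_UnwrapKey C_DeriveKey C_SeedRandom "
    "C_GenerateRandom C_GetFunctionStatus C_CancelFunction C_WaitForSlotEvent"
).split()

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_FUNCTION_LIST(ctypes.Structure):
    _fields_ = [("version", CK_VERSION)] + [(n, ctypes.c_void_p) for n in FUNCS]

# Entry points a native-PKCS#11 named depends on, since there is no OpenSSL fallback:
# RNG, hashing, signing, validation and key handling (my selection, not an ISC list).
REQUIRED = ["C_GenerateRandom", "C_DigestInit", "C_Digest", "C_SignInit", "C_Sign",
            "C_VerifyInit", "C_Verify", "C_GenerateKeyPair", "C_FindObjectsInit"]

def probe_provider(path):
    """Return (ok, detail); ok is True only if every REQUIRED entry point is non-NULL."""
    try:
        lib = ctypes.CDLL(path)
    except OSError as e:
        return False, f"cannot load {path}: {e}"
    if not hasattr(lib, "C_GetFunctionList"):
        return False, f"{path} does not export C_GetFunctionList: not a PKCS#11 provider"
    getfl = lib.C_GetFunctionList
    getfl.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    getfl.restype = ctypes.c_ulong                         # CK_RV
    fl = ctypes.POINTER(CK_FUNCTION_LIST)()
    rv = getfl(ctypes.byref(fl))
    if rv != 0 or not fl:                                  # CKR_OK is 0
        return False, f"C_GetFunctionList failed, CK_RV=0x{rv:x}"
    missing = [n for n in REQUIRED if getattr(fl.contents, n) is None]
    if missing:
        return False, "provider lacks: " + ", ".join(missing)
    v = fl.contents.version
    return True, f"PKCS#11 v{v.major}.{v.minor}: all required entry points present"
```

Call probe_provider() with the same library path you would give to -E; a non-NULL pointer only shows the provider exports the call, and it may still answer CKR_FUNCTION_NOT_SUPPORTED for a given mechanism, so treat this as a first check rather than a guarantee.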