running named built with --enable-native-pkcs11 without HSM provider library

Carl Byington carl at byington.org
Thu Jul 30 17:19:49 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 2014-08-06 at 13:47 -0400, Tomas Hozza wrote:
> Basically we want to enable user to use native-pkcs11 with SoftHSM
> if needed. However by default have named running without it.

RHEL7/Centos7 now has softhsm v2 available. What about a new pkcs11
provider that is just an interface into openssl?

  --enable-native-pkcs11 \
  --with-pkcs11=pkcs11-openssl-shim

Bind uses native pkcs11, but the default .so it loads just redirects all
the calls into openssl. Bind will ask it to generate keys, and will
assume that that provider will keep the private key part. So we still
don't end up with the original /var/named/K*.private files.

Well, this new provider is *only* used by bind, so it could run under
the bind user account, have selinux access to /var/named, and keep its
private key data in files, possibly in a new /var/named/pkcs11-openssl-
shim directory.

With this scheme, we would not need the -pkcs11 rpm subpackages, but
could use /etc/sysconfig/named to control the switch between providers.

Does redhat want to write (or fund the writing of) such a shim provider?



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAlW6W8EACgkQL6j7milTFsHfTwCfV02OgTJN/itdtTxoa25l/lH0
HdIAniOiPxtE30SklCaADGFDRdY4ttNl
=+SfE
-----END PGP SIGNATURE-----





More information about the bind-users mailing list