PKCS#11 vs OpenSSL (BIND Future Development Question)

Ondřej Surý ondrej at
Mon Jun 4 08:33:20 UTC 2018

> On 4 Jun 2018, at 10:21, Mathieu Arnold <mat at> wrote:
> On Sun, Jun 03, 2018 at 06:00:08AM +0000, Ondřej Surý wrote:
>> The PKCS#11 interface is very fragile, as the different vendors implement different parts of the
>> standard, and BIND needs to be compiled with a specific PKCS#11 provider defined at the
>> compile time.  This is certainly suboptimal, and we are looking at ways how to improve that.
> My understanding was that you had to choose at compile time wether you
> needed PKCS#11 or OpenSSL, and that, even if you could link with a
> specific provider during the build, you could opt-out and start named
> with -E /path/to/ At least, it is the way it is done in the
> FreeBSD ports tree.

That’s only sort of true, see lib/isc/include/pk11/ for more detailed description,
but there are some HSMs that need compile time flags in site.h, and the default is

/* Default is for Thales nCipher */
#ifndef PK11_FLAVOR

/* doesn't work but supported #define PK11_DSA_PARAMETER_GEN_SKIP */

So, even if you can specify a runtime PKCS#11 library, it doesn’t mean it will work
as expected.

To my best understanding, if we keep only the Public-Key crypto for PKCS#11,
there’s only one parameter that will need tuning PK11_RSA_PKCS_REPLACE
and we could either declare that the HSM must support EMSA-PKCS#1-v1.5
or turn that into runtime detection (as this would be the only workaround that
we would need to keep).

Ondřej Surý
ondrej at

More information about the bind-users mailing list