mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-29 06:47:21 +01:00
62 lines
1.8 KiB
Plaintext
62 lines
1.8 KiB
Plaintext
|
|
||
|
BIND-9 PKCS#11 support
|
||
|
|
||
|
Prerequisite
|
||
|
|
||
|
The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
|
||
|
released the 2007-11-21 for OpenSSL 0.9.8g, with a bug fix (call to free)
|
||
|
and some improvements, including user friendly PIN management.
|
||
|
|
||
|
Compilation
|
||
|
|
||
|
"configure --with-pkcs11 ..."
|
||
|
|
||
|
PKCS#11 Libraries
|
||
|
|
||
|
Tested with Solaris one with a SCA board and with openCryptoki with the
|
||
|
software token.
|
||
|
|
||
|
OpenSSL Engines
|
||
|
|
||
|
With PKCS#11 support the PKCS#11 engine is statically loaded but at its
|
||
|
initialization it dynamically loads the PKCS#11 objects.
|
||
|
Even the pre commands are therefore unused they are defined with:
|
||
|
SO_PATH:
|
||
|
define: PKCS11_SO_PATH
|
||
|
default: /usr/local/lib/engines/engine_pkcs11.so
|
||
|
MODULE_PATH:
|
||
|
define: PKCS11_MODULE_PATH
|
||
|
default: /usr/lib/libpkcs11.so
|
||
|
Without PKCS#11 support, a specific OpenSSL engine can be still used
|
||
|
by defining ENGINE_ID at compile time.
|
||
|
|
||
|
PKCS#11 tools
|
||
|
|
||
|
The contrib/pkcs11-keygen directory contains a set of experimental tools
|
||
|
to handle keys stored in a Hardware Security Module at the benefit of BIND.
|
||
|
|
||
|
The patch for OpenSSL 0.9.8g is in this directory. Read its README.pkcs11
|
||
|
for the way to use it (these are the original notes so with the original
|
||
|
path, etc. Define OPENCRYPTOKI to use it with openCryptoki.)
|
||
|
|
||
|
PIN management
|
||
|
|
||
|
With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
|
||
|
each time it is required. With the improved engine, the PIN should be
|
||
|
entered the first time it is required or can be configured in the
|
||
|
OpenSSL configuration file (aka. openssl.cnf) by adding in it:
|
||
|
- at the beginning:
|
||
|
openssl_conf = openssl_def
|
||
|
- at any place these sections:
|
||
|
[ openssl_def ]
|
||
|
engines = engine_section
|
||
|
[ engine_section ]
|
||
|
pkcs11 = pkcs11_section
|
||
|
[ pkcs11_section ]
|
||
|
PIN = put__your__pin__value__here
|
||
|
|
||
|
Note
|
||
|
|
||
|
Some names here are registered trademarks, at least Solaris is a trademark
|
||
|
of Sun Microsystems Inc...
|