Re: PKCS#11 engine implementation

2010-03-04 Thread Nikolay Elenkov
On 2010/03/03 23:41, Jeremy C. Reed wrote:
 On Wed, 3 Mar 2010, Nikolay Elenkov wrote:
 
 I've a few questions about the PKCS#11 support in BIND 9.7, 
 specifically the OpenSSL engine implementation. Is this the right 
 place to ask? There appears to be no bind-dev mailing list.
 
 I see you already asked your question. This list is okay.

OK, thanks.

 
 There is a developers list. It is called bind-workers.
 
 https://lists.isc.org/mailman/listinfo/bind-workers

Maybe the list page needs a couple of words about what the list is for. It's not
exactly obvious.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: PKCS#11 engine implementation

2010-03-04 Thread Nikolay Elenkov
On 2010/03/04 3:29, Evan Hunt wrote:
 
 What version of the original OpenSolaris patch is the openssl-0.9.8l-patch in
 the 9.7.0 tarball based on?
 
 2009-03-11.
 
 More specifically, pkcs11_engine-0.9.8j.patch.2009-03-11, applied to 0.9.8k
 as explained in http://blogs.sun.com/janp/entry/pkcs_11_engine_patch_for1.

Thank you, that makes diff-ing a bit easier.

 
 What has been changed/added?
 
 Principally:
 
   1) ability to access key by reference

I've been looking at the BIND 9.7 patch and the 'original' OpenSolaris patch.
The Solaris one has pretty decent key-by-reference support, but unfortunately it
doesn't currently work with BIND 9.7. I was able to generate keys, but
dnssec-signzone fails to find the private key when signing. I haven't looked into
it in detail (yet), but at least one problem is that opensslrsa_isprivate
doesn't recognize the key as private (looks like RSA_FLAG_EXT_PKEY is not set?).

So how is key by reference implemented/used in the BIND version? I don't see
a clear distinction between session and token keys.


Re: PKCS#11 engine implementation

2010-03-04 Thread Cathy Almond

 There is a developers list. It is called bind-workers.

 https://lists.isc.org/mailman/listinfo/bind-workers
 
 Maybe the list page needs a couple of words about what the list is for. It's not
 exactly obvious.

You know - it isn't exactly obvious, is it - I looked at the likely web
page routes someone would traverse to find the bind-workers list and... well,
no.  Anyone who has been around a while most likely just *knows*, but
anyone else coming along might easily be baffled.

Good feedback - thanks.   I'll add it to the TBC list.


Re: PKCS#11 engine implementation

2010-03-03 Thread Nikolay Elenkov
On 2010/03/03 14:23, Nikolay Elenkov wrote:
 Hi,
 
 I've a few questions about the PKCS#11 support in BIND 9.7, specifically the
 OpenSSL engine implementation. Is this the right place to ask? There appears
 to be no bind-dev mailing list.
 

No answer so far, so here goes a simple question:

What version of the original OpenSolaris patch is the openssl-0.9.8l-patch in
the 9.7.0 tarball based on? What has been changed/added?



Re: PKCS#11 engine implementation

2010-03-03 Thread Jeremy C. Reed
On Wed, 3 Mar 2010, Nikolay Elenkov wrote:

 I've a few questions about the PKCS#11 support in BIND 9.7, 
 specifically the OpenSSL engine implementation. Is this the right 
 place to ask? There appears to be no bind-dev mailing list.

I see you already asked your question. This list is okay.

There is a developers list. It is called bind-workers.

https://lists.isc.org/mailman/listinfo/bind-workers


Re: PKCS#11 engine implementation

2010-03-03 Thread Evan Hunt

 What version of the original OpenSolaris patch is the openssl-0.9.8l-patch in
 the 9.7.0 tarball based on?

2009-03-11.

More specifically, pkcs11_engine-0.9.8j.patch.2009-03-11, applied to 0.9.8k
as explained in http://blogs.sun.com/janp/entry/pkcs_11_engine_patch_for1.

 What has been changed/added?

Principally:

  1) ability to access key by reference
  2) (relatively) user-friendly PIN management
  3) ported to WIN32
  4) separate crypto-accelerator and sign-only engines (see the 9.7.0
     Administrator's Reference Manual, section 4.11, for details)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.