RHEL, Centos, Fedora rpm 9.10.4-P1
http://www.five-ten-sg.com/mapper/bind contains links to the source rpms, and build instructions.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: native-pkcs11 and smartcard-hsm
I'd like to say a big THANK YOU for the work you are doing on this. I've made a couple of half-hearted attempts at doing exactly what you are doing and never had the time to complete the task - or to document where I got. Once it's all working (and documented), I'll be more than happy to run a server in this mode. 8-)

I'd also like to see ISC make BIND more functional in this "HSM functioning as an HSM only" mode in the mainline code.

AlanC

On 5/26/16, 5:20 AM, "FUSTE Emmanuel" wrote:
> On 25/05/2016 16:27, FUSTE Emmanuel wrote:
>> On 25/05/2016 14:29, FUSTE Emmanuel wrote:
>>> On 24/05/2016 16:36, FUSTE Emmanuel wrote:
>>>> On 23/05/2016 16:40, FUSTE Emmanuel wrote:
>>>>> Hello,
>>>>>
>>>>> I'm trying to use a smartcard-hsm usb stick (v1.2) with BIND 9.10.3-P4.
>>>>> This stick is working with powerdns and supports all crypto operations
>>>>> required for basic DNSSEC support.
>>>>>
>>>>> But I get this warning/error:
>>>>> "PKCS#11 provider has no digest service".
>>>>> "This HSM will not work with BIND 9 using native PKCS#11."
>>>>>
>>>>> Bind version:
>>>>> BIND 9.10.3-P4-Debian
>>>>> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
>>>>> '--libdir=/usr/lib/i386-linux-gnu' '--infodir=/usr/share/info'
>>>>> '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
>>>>> '--enable-threads' '--enable-largefile' '--with-libtool'
>>>>> '--enable-shared' '--enable-static' '--with-openssl=/usr'
>>>>> '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no'
>>>>> '--enable-ipv6' '--enable-rrl' '--enable-filter-'
>>>>> '--enable-native-pkcs11'
>>>>> '--with-pkcs11=/usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so'
>>>>> 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>>>>> -Werror=format-security -fno-strict-aliasing
>>>>> -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE -pie
>>>>> -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
>>>>> -DDIG_SIGCHASE'
>>>>> compiled by GCC 5.3.1 20160429
>>>>> compiled with OpenSSL version: OpenSSL 1.0.2h 3 May 2016
>>>>> linked to OpenSSL version: OpenSSL 1.0.2h 3 May 2016
>>>>> compiled with libxml2 version: 2.9.3
>>>>> linked to libxml2 version: 20903
>>>>>
>>>>> pkcs11-tokens information:
>>>>> pkcs11-tokens -m /usr/lib/i386-linux-gnu/opensc-pkcs11.so
>>>>> Warning: PKCS#11 provider has no digest service
>>>>> This HSM will not work with BIND 9 using native PKCS#11.
>>>>>
>>>>> DEFAULTS
>>>>> rand_token=0x80300368
>>>>> best_rsa_token=0x80300368
>>>>> best_dsa_token=(nil)
>>>>> best_dh_token=(nil)
>>>>> digest_token=(nil)
>>>>> best_ec_token=(nil)
>>>>> best_gost_token=(nil)
>>>>> aes_token=(nil)
>>>>>
>>>>> TOKEN
>>>>> address=0x80300368
>>>>> slotID=0
>>>>> label=SmartCard-HSM (UserPIN)
>>>>> manufacturerID=www.CardContact.de
>>>>> model=PKCS#15 emulated
>>>>> serialNumber=DECC0100872
>>>>> supported operations=0x6 (RAND,RSA)
>>>>>
>>>>> PKCS11 mechanism returned by pkcs11-tool:
>>>>> pkcs11-tool -M
>>>>> Using slot 0 with a present token (0x0)
>>>>> Supported mechanisms:
>>>>>   SHA-1, digest
>>>>>   SHA256, digest
>>>>>   SHA384, digest
>>>>>   SHA512, digest
>>>>>   MD5, digest
>>>>>   RIPEMD160, digest
>>>>>   GOSTR3411, digest
>>>>>   ECDSA, keySize={192,320}, hw, sign, other flags=0x1d0
>>>>>   ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d0
>>>>>   ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
>>>>>   ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
>>>>>   ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, other flags=0x1d0
>>>>>   RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
>>>>>   RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
>>>>>   SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>>   SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>>   SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>>   SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>>   MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>>   RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>>   RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
>>>>>
>>>>> Perhaps Bind requires more, but all needed digest services are here.
>>>>> Is this something that will be fixed? How could I help to get it fixed?
>>>>> Does anyone have any insights or suggestions?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Emmanuel.
>>>>
>>>> Ok, digging into docs and code gave me some answers:
>>>>
>>>> In native PKCS11 mode, all crypto operations are handed off to the HSM.
>>>> This is totally crazy nowadays. HSMs are HSMs, not PKCS11 crypto
>>>> accelerators, a concept from
Re: native-pkcs11 and smartcard-hsm
On 26/05/2016 12:20, FUSTE Emmanuel wrote:
> On 25/05/2016 16:27, FUSTE Emmanuel wrote:
>> On 25/05/2016 14:29, FUSTE Emmanuel wrote:
>>> On 24/05/2016 16:36, FUSTE Emmanuel wrote:
>>>> On 23/05/2016 16:40, FUSTE Emmanuel wrote:
>>>>> Hello,
>>>>>
>>>>> I'm trying to use a smartcard-hsm usb stick (v1.2) with BIND 9.10.3-P4.
>>>>> This stick is working with powerdns and supports all crypto operations
>>>>> required for basic DNSSEC support.
>>>>>
>>>>> But I get this warning/error:
>>>>> "PKCS#11 provider has no digest service".
>>>>> "This HSM will not work with BIND 9 using native PKCS#11."
>>>>>
>>>>> Bind version:
>>>>> BIND 9.10.3-P4-Debian
>>>>> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
>>>>> '--libdir=/usr/lib/i386-linux-gnu' '--infodir=/usr/share/info'
>>>>> '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
>>>>> '--enable-threads' '--enable-largefile' '--with-libtool'
>>>>> '--enable-shared' '--enable-static' '--with-openssl=/usr'
>>>>> '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no'
>>>>> '--enable-ipv6' '--enable-rrl' '--enable-filter-'
>>>>> '--enable-native-pkcs11'
>>>>> '--with-pkcs11=/usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so'
>>>>> 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>>>>> -Werror=format-security -fno-strict-aliasing
>>>>> -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE -pie
>>>>> -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
>>>>> -DDIG_SIGCHASE'
>>>>> compiled by GCC 5.3.1 20160429
>>>>> compiled with OpenSSL version: OpenSSL 1.0.2h 3 May 2016
>>>>> linked to OpenSSL version: OpenSSL 1.0.2h 3 May 2016
>>>>> compiled with libxml2 version: 2.9.3
>>>>> linked to libxml2 version: 20903
>>>>>
>>>>> pkcs11-tokens information:
>>>>> pkcs11-tokens -m /usr/lib/i386-linux-gnu/opensc-pkcs11.so
>>>>> Warning: PKCS#11 provider has no digest service
>>>>> This HSM will not work with BIND 9 using native PKCS#11.
>>>>>
>>>>> DEFAULTS
>>>>> rand_token=0x80300368
>>>>> best_rsa_token=0x80300368
>>>>> best_dsa_token=(nil)
>>>>> best_dh_token=(nil)
>>>>> digest_token=(nil)
>>>>> best_ec_token=(nil)
>>>>> best_gost_token=(nil)
>>>>> aes_token=(nil)
>>>>>
>>>>> TOKEN
>>>>> address=0x80300368
>>>>> slotID=0
>>>>> label=SmartCard-HSM (UserPIN)
>>>>> manufacturerID=www.CardContact.de
>>>>> model=PKCS#15 emulated
>>>>> serialNumber=DECC0100872
>>>>> supported operations=0x6 (RAND,RSA)
>>>>>
>>>>> PKCS11 mechanism returned by pkcs11-tool:
>>>>> pkcs11-tool -M
>>>>> Using slot 0 with a present token (0x0)
>>>>> Supported mechanisms:
>>>>>   SHA-1, digest
>>>>>   SHA256, digest
>>>>>   SHA384, digest
>>>>>   SHA512, digest
>>>>>   MD5, digest
>>>>>   RIPEMD160, digest
>>>>>   GOSTR3411, digest
>>>>>   ECDSA, keySize={192,320}, hw, sign, other flags=0x1d0
>>>>>   ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d0
>>>>>   ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
>>>>>   ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
>>>>>   ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, other flags=0x1d0
>>>>>   RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
>>>>>   RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
>>>>>   SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>>   SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>>   SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>>   SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>>   MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>>   RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>>   RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
>>>>>
>>>>> Perhaps Bind requires more, but all needed digest services are here.
>>>>> Is this something that will be fixed? How could I help to get it fixed?
>>>>> Does anyone have any insights or suggestions?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Emmanuel.
>>>>
>>>> Ok, digging into docs and code gave me some answers:
>>>>
>>>> In native PKCS11 mode, all crypto operations are handed off to the HSM.
>>>> This is totally crazy nowadays. HSMs are HSMs, not PKCS11 crypto
>>>> accelerators, a concept from the past on actual hardware for 99.99% of
>>>> real use.
>>>>
>>>> If something like "sign-only" and "crypto-accelerator" OpenSSL-based
>>>> PKCS#11 is not implemented too in the future, native-pkcs11 is a dead
>>>> end. An option that should be selectable at runtime and which would
>>>> eventually permit choosing what to offload to the device in the
>>>> crypto-accelerator mode (and perhaps on different devices etc ...).
>>>>
>>>> Will try t
Re: native-pkcs11 and smartcard-hsm
On 25/05/2016 16:27, FUSTE Emmanuel wrote:
> On 25/05/2016 14:29, FUSTE Emmanuel wrote:
>> On 24/05/2016 16:36, FUSTE Emmanuel wrote:
>>> On 23/05/2016 16:40, FUSTE Emmanuel wrote:
>>>> Hello,
>>>>
>>>> I'm trying to use a smartcard-hsm usb stick (v1.2) with BIND 9.10.3-P4.
>>>> This stick is working with powerdns and supports all crypto operations
>>>> required for basic DNSSEC support.
>>>>
>>>> But I get this warning/error:
>>>> "PKCS#11 provider has no digest service".
>>>> "This HSM will not work with BIND 9 using native PKCS#11."
>>>>
>>>> Bind version:
>>>> BIND 9.10.3-P4-Debian
>>>> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
>>>> '--libdir=/usr/lib/i386-linux-gnu' '--infodir=/usr/share/info'
>>>> '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
>>>> '--enable-threads' '--enable-largefile' '--with-libtool'
>>>> '--enable-shared' '--enable-static' '--with-openssl=/usr'
>>>> '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no'
>>>> '--enable-ipv6' '--enable-rrl' '--enable-filter-'
>>>> '--enable-native-pkcs11'
>>>> '--with-pkcs11=/usr/lib/i386-linux-gnu/softhsm/libsofthsm2.so'
>>>> 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>>>> -Werror=format-security -fno-strict-aliasing
>>>> -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE -pie
>>>> -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
>>>> -DDIG_SIGCHASE'
>>>> compiled by GCC 5.3.1 20160429
>>>> compiled with OpenSSL version: OpenSSL 1.0.2h 3 May 2016
>>>> linked to OpenSSL version: OpenSSL 1.0.2h 3 May 2016
>>>> compiled with libxml2 version: 2.9.3
>>>> linked to libxml2 version: 20903
>>>>
>>>> pkcs11-tokens information:
>>>> pkcs11-tokens -m /usr/lib/i386-linux-gnu/opensc-pkcs11.so
>>>> Warning: PKCS#11 provider has no digest service
>>>> This HSM will not work with BIND 9 using native PKCS#11.
>>>>
>>>> DEFAULTS
>>>> rand_token=0x80300368
>>>> best_rsa_token=0x80300368
>>>> best_dsa_token=(nil)
>>>> best_dh_token=(nil)
>>>> digest_token=(nil)
>>>> best_ec_token=(nil)
>>>> best_gost_token=(nil)
>>>> aes_token=(nil)
>>>>
>>>> TOKEN
>>>> address=0x80300368
>>>> slotID=0
>>>> label=SmartCard-HSM (UserPIN)
>>>> manufacturerID=www.CardContact.de
>>>> model=PKCS#15 emulated
>>>> serialNumber=DECC0100872
>>>> supported operations=0x6 (RAND,RSA)
>>>>
>>>> PKCS11 mechanism returned by pkcs11-tool:
>>>> pkcs11-tool -M
>>>> Using slot 0 with a present token (0x0)
>>>> Supported mechanisms:
>>>>   SHA-1, digest
>>>>   SHA256, digest
>>>>   SHA384, digest
>>>>   SHA512, digest
>>>>   MD5, digest
>>>>   RIPEMD160, digest
>>>>   GOSTR3411, digest
>>>>   ECDSA, keySize={192,320}, hw, sign, other flags=0x1d0
>>>>   ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d0
>>>>   ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
>>>>   ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d0
>>>>   ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, other flags=0x1d0
>>>>   RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
>>>>   RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
>>>>   SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>   SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>   SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>   SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>   MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>   RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
>>>>   RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
>>>>
>>>> Perhaps Bind requires more, but all needed digest services are here.
>>>> Is this something that will be fixed? How could I help to get it fixed?
>>>> Does anyone have any insights or suggestions?
>>>>
>>>> Thanks,
>>>>
>>>> Emmanuel.
>>>
>>> Ok, digging into docs and code gave me some answers:
>>>
>>> In native PKCS11 mode, all crypto operations are handed off to the HSM.
>>> This is totally crazy nowadays. HSMs are HSMs, not PKCS11 crypto
>>> accelerators, a concept from the past on actual hardware for 99.99% of
>>> real use.
>>>
>>> If something like "sign-only" and "crypto-accelerator" OpenSSL-based
>>> PKCS#11 is not implemented too in the future, native-pkcs11 is a dead
>>> end. An option that should be selectable at runtime and which would
>>> eventually permit choosing what to offload to the device in the
>>> crypto-accelerator mode (and perhaps on different devices etc ...).
>>>
>>> Will try to compile a modified openssl in sign-only mode for my token.
>>> I already successfully created keys with the pkcs11-keygen command and
>>> the used debian/ubuntu package already includes native pkcs1
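An added example, not code from the thread, from BIND or from OpenSC: a parser for the `pkcs11-tool -M` listing quoted in the thread that records, per mechanism, its operations, key sizes and whether it carries the `hw` flag (CKF_HW, meaning the device performs the operation itself rather than the PKCS#11 module doing it in software), then checks the result against an assumed requirement set for an RSASHA256 signer that takes every primitive from the provider (a SHA256 digest plus an RSA sign mechanism). The sample listing and the `REQUIRED` table are constructed for this example.

```python
import re

# Constructed sample in the format printed by `pkcs11-tool -M` (a subset of the thread's listing).
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA256, digest
  SHA512, digest
  ECDSA, keySize={192,320}, hw, sign, other flags=0x1d0
  RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
  SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
"""

# keySize={min,max} contains a comma, so it is pulled out before splitting on commas.
KEYSIZE_RE = re.compile(r"keySize=\{(\d+),(\d+)\}")

def parse_mechanisms(text):
    """Map mechanism name -> {'hw': bool, 'ops': set, 'keysize': (min, max) or None}."""
    mechs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ", " not in line:          # "Using slot ..." / "Supported mechanisms:"
            continue
        keysize = None
        m = KEYSIZE_RE.search(line)
        if m:
            keysize = (int(m.group(1)), int(m.group(2)))
            line = line[:m.start()] + line[m.end():]
        fields = [f.strip() for f in line.split(",") if f.strip()]
        attrs = fields[1:]
        # "hw" is the CKF_HW flag: the mechanism runs on the device itself;
        # without it the PKCS#11 module performs the operation in software.
        ops = {a for a in attrs if a != "hw" and not a.startswith("other flags")}
        mechs[fields[0]] = {"hw": "hw" in attrs, "ops": ops, "keysize": keysize}
    return mechs

# Assumed requirement for an RSASHA256 signer that takes every primitive from the provider.
REQUIRED = {"digest": ("SHA256",), "sign": ("RSA-PKCS", "SHA256-RSA-PKCS")}

def audit(mechs, required=REQUIRED):
    """Per required operation: which listed mechanisms provide it, and whether any is hardware-backed."""
    report = {}
    for op, candidates in required.items():
        found = [n for n in candidates if n in mechs and op in mechs[n]["ops"]]
        report[op] = {"mechanisms": found, "satisfied": bool(found),
                      "hw": any(mechs[n]["hw"] for n in found)}
    return report
```

On the full listing from the thread every digest mechanism is advertised without `hw`, while the RSA and ECDSA sign mechanisms carry it; that split between software and on-device mechanisms is the first thing to check when a provider is expected to supply every primitive.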