Merge branch '2691-remove-native-pkcs-11-support-from-bind-9-17-9-18' into 'main'

Remove native PKCS#11 support

Closes #2691

See merge request isc-projects/bind9!5074
Ondřej Surý 2021-09-09 14:11:48 +00:00
commit c50301f3c7
112 changed files with 148 additions and 11255 deletions


@ -1024,54 +1024,6 @@ unit:clang:buster:amd64:
- job: clang:buster:amd64
artifacts: true
# Jobs for PKCS#11-enabled GCC builds on Debian "sid" (amd64)
gcc:softhsm2.4:
variables:
CC: gcc
CFLAGS: "${CFLAGS_COMMON}"
EXTRA_CONFIGURE: "--without-jemalloc --enable-native-pkcs11 --with-pkcs11=/usr/lib/softhsm/libsofthsm2.so"
<<: *base_image
<<: *build_job
system:gcc:softhsm2.4:
<<: *base_image
<<: *system_test_job
needs:
- job: gcc:softhsm2.4
artifacts: true
unit:gcc:softhsm2.4:
<<: *base_image
<<: *unit_test_job
needs:
- job: gcc:softhsm2.4
artifacts: true
# Jobs for PKCS#11-enabled GCC builds on Fedora 34 (amd64)
gcc:softhsm2.6:
variables:
CC: gcc
CFLAGS: "${CFLAGS_COMMON} -O1"
EXTRA_CONFIGURE: "--with-libidn2 --enable-native-pkcs11 --with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so"
<<: *fedora_34_amd64_image
<<: *build_job
system:gcc:softhsm2.6:
<<: *fedora_34_amd64_image
<<: *system_test_job
needs:
- job: gcc:softhsm2.6
artifacts: true
unit:gcc:softhsm2.6:
<<: *fedora_34_amd64_image
<<: *unit_test_job
needs:
- job: gcc:softhsm2.6
artifacts: true
# Jobs for Clang builds on FreeBSD 11 (amd64)
clang:freebsd11:amd64:


@ -1,3 +1,6 @@
5712. [func] Remove native PKCS#11 support in favor of OpenSSL
engine_pkcs11 from the OpenSC project. [GL #2691]
5711. [bug] "map" files exceeding 2GB in size could fail to
load due to a size comparison that incorrectly
treated the file size as a signed integer. [GL #2878]


@ -191,9 +191,8 @@ For the server to support DNSSEC, you need to build it with crypto support.
To use OpenSSL, you must have OpenSSL 1.0.2e or newer installed. If the
OpenSSL library is installed in a nonstandard location, specify the prefix
using `--with-openssl=<PREFIX>` on the configure command line. To use a
PKCS#11 hardware service module for cryptographic operations, specify the
path to the PKCS#11 provider library using `--with-pkcs11=<PREFIX>`, and
configure BIND with `--enable-native-pkcs11`.
PKCS#11 hardware service module for cryptographic operations, it will
be necessary to compile and use engine_pkcs11 from the OpenSC project.
To support DNS over HTTPS, the server must be linked with `libnghttp2`.


@ -1,5 +1 @@
SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins
if HAVE_PKCS11
SUBDIRS += pkcs11
endif


@ -23,8 +23,6 @@
#include <isc/result.h>
#include <isc/string.h>
#include <pk11/site.h>
#include <dns/keyvalues.h>
#include <dns/name.h>


@ -38,8 +38,6 @@
#include <isc/time.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/keyvalues.h>
#include <dns/name.h>


@ -34,10 +34,6 @@
#include <isc/time.h>
#include <isc/util.h>
#if USE_PKCS11
#include <pk11/result.h>
#endif /* if USE_PKCS11 */
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dns/result.h>
@ -101,9 +97,6 @@ main(int argc, char **argv) {
int len = 0;
int ch;
#if USE_PKCS11
pk11_result_register();
#endif /* if USE_PKCS11 */
dns_result_register();
result = isc_file_progname(*argv, program, sizeof(program));


@ -27,8 +27,6 @@
#include <isc/task.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/byaddr.h>
#include <dns/dns64.h>
#include <dns/fixedname.h>


@ -55,8 +55,6 @@
#include <isc/types.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/byaddr.h>
#include <dns/fixedname.h>
#include <dns/log.h>
@ -84,10 +82,6 @@
#include "dighost.h"
#if USE_PKCS11
#include <pk11/result.h>
#endif /* if USE_PKCS11 */
#define systemlocale(l) (void)setlocale(l, "")
#define resetlocale(l) (void)setlocale(l, "C")
@ -1338,9 +1332,6 @@ setup_libs(void) {
debug("setup_libs()");
#if USE_PKCS11
pk11_result_register();
#endif /* if USE_PKCS11 */
dns_result_register();
result = isc_net_probeipv4();


@ -55,10 +55,6 @@
#include <dst/dst.h>
#if USE_PKCS11
#include <pk11/result.h>
#endif /* if USE_PKCS11 */
#include "dnssectool.h"
const char *program = "dnssec-cds";
@ -1061,9 +1057,6 @@ main(int argc, char *argv[]) {
isc_mem_create(&mctx);
#if USE_PKCS11
pk11_result_register();
#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;


@ -43,10 +43,6 @@
#include <dst/dst.h>
#if USE_PKCS11
#include <pk11/result.h>
#endif /* if USE_PKCS11 */
#include "dnssectool.h"
const char *program = "dnssec-dsfromkey";
@ -377,9 +373,6 @@ main(int argc, char **argv) {
isc_mem_create(&mctx);
#if USE_PKCS11
pk11_result_register();
#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;


@ -41,10 +41,6 @@
#include <dst/dst.h>
#if USE_PKCS11
#include <pk11/result.h>
#endif /* if USE_PKCS11 */
#include "dnssectool.h"
const char *program = "dnssec-importkey";
@ -316,9 +312,6 @@ main(int argc, char **argv) {
isc_mem_create(&mctx);
#if USE_PKCS11
pk11_result_register();
#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;


@ -25,8 +25,6 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
@ -38,10 +36,6 @@
#include <dst/dst.h>
#if USE_PKCS11
#include <pk11/result.h>
#endif /* if USE_PKCS11 */
#include "dnssectool.h"
#define MAX_RSA 4096 /* should be long enough... */
@ -69,14 +63,7 @@ usage(void) {
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
fprintf(stderr, " -E <engine>:\n");
#if USE_PKCS11
fprintf(stderr,
" path to PKCS#11 provider library "
"(default is %s)\n",
PK11_LIB_LOCATION);
#else /* if USE_PKCS11 */
fprintf(stderr, " name of an OpenSSL engine to use\n");
#endif /* if USE_PKCS11 */
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place "
"key files\n");
@ -170,9 +157,6 @@ main(int argc, char **argv) {
isc_mem_create(&mctx);
#if USE_PKCS11
pk11_result_register();
#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;
@ -622,12 +606,7 @@ main(int argc, char **argv) {
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass,
#if USE_PKCS11
"pkcs11",
#else /* if USE_PKCS11 */
engine,
#endif /* if USE_PKCS11 */
ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, engine,
label, NULL, mctx, &key);
if (ret != ISC_R_SUCCESS) {
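Review bot: The rewritten `dst_key_fromlabel()` call now passes `engine` straight from the `-E` option while the argument following `label` (presumably the PIN) stays `NULL`, and nothing in the hunk says where an OpenSSL engine such as engine_pkcs11 is expected to obtain the token PIN; a one-line comment above the call, `/* No PIN is passed here; the OpenSSL engine selected with -E is expected to obtain it itself. */`, would keep the next reader from assuming the key is usable without one. The `-E` usage text kept at the line `" name of an OpenSSL engine to use\n"` no longer states any default, while the dnssec-keyfromlabel man page in this same commit still says "usually ``pkcs11``"; `" name of an OpenSSL engine to use (e.g. pkcs11)\n"` would make the tool and its manual agree. Note also that the softhsm2-backed jobs removed in the .gitlab-ci.yml section appear to have been the only CI builds configured with a PKCS#11 provider, so this engine code path seems to have no remaining CI coverage against an actual token. main() begins outside the hunk.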


@ -78,10 +78,7 @@ Options
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``). When BIND is
built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
defaults to the path of the PKCS#11 provider library specified via
``--with-pkcs11``.
hardware service module (usually ``pkcs11``).
``-l label``
This option specifies the label for a key pair in the crypto hardware.
@ -91,21 +88,6 @@ Options
preceded by an optional OpenSSL engine name, followed by a colon, as
in ``pkcs11:keylabel``.
When BIND 9 is built with native PKCS#11 support, the label is a
PKCS#11 URI string in the format
``pkcs11:keyword\ =value[;\ keyword\ =value;...]``. Keywords
include ``token``, which identifies the HSM; ``object``, which identifies
the key; and ``pin-source``, which identifies a file from which the
HSM's PIN code can be obtained. The label is stored in the
on-disk ``private`` file.
If the label contains a ``pin-source`` field, tools using the
generated key files are able to use the HSM for signing and other
operations without any need for an operator to manually enter a PIN.
Note: Making the HSM's PIN accessible in this manner may reduce the
security advantage of using an HSM; use caution
with this feature.
``-n nametype``
This option specifies the owner type of the key. The value of ``nametype`` must
either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY


@ -40,8 +40,6 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/kasp.h>
@ -59,10 +57,6 @@
#include <isccfg/kaspconf.h>
#include <isccfg/namedconf.h>
#if USE_PKCS11
#include <pk11/result.h>
#endif /* if USE_PKCS11 */
#include "dnssectool.h"
#define MAX_RSA 4096 /* should be long enough... */
@ -168,14 +162,7 @@ usage(void) {
fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
fprintf(stderr, " -E <engine>:\n");
#if USE_PKCS11
fprintf(stderr,
" path to PKCS#11 provider library "
"(default is %s)\n",
PK11_LIB_LOCATION);
#else /* if USE_PKCS11 */
fprintf(stderr, " name of an OpenSSL engine to use\n");
#endif /* if USE_PKCS11 */
fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
fprintf(stderr, " -g <generator>: use specified generator "
"(DH only)\n");
@ -881,9 +868,6 @@ main(int argc, char **argv) {
usage();
}
#if USE_PKCS11
pk11_result_register();
#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;


@ -105,10 +105,7 @@ Options
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``). When BIND is
built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
defaults to the path of the PKCS#11 provider library specified via
``--with-pkcs11``.
hardware service module (usually ``pkcs11``).
``-f flag``
This option sets the specified flag in the flag field of the KEY/DNSKEY record.


@ -31,10 +31,6 @@
#include <dst/dst.h>
#if USE_PKCS11
#include <pk11/result.h>
#endif /* if USE_PKCS11 */
#include "dnssectool.h"
const char *program = "dnssec-revoke";
@ -49,14 +45,7 @@ usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
#if USE_PKCS11
fprintf(stderr,
" -E engine: specify PKCS#11 provider "
"(default: %s)\n",
PK11_LIB_LOCATION);
#else /* if USE_PKCS11 */
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
#endif /* if USE_PKCS11 */
fprintf(stderr, " -f: force overwrite\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, " -K directory: use directory for key files\n");
@ -94,9 +83,6 @@ main(int argc, char **argv) {
isc_mem_create(&mctx);
#if USE_PKCS11
pk11_result_register();
#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;


@ -61,10 +61,7 @@ Options
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``). When BIND is
built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
defaults to the path of the PKCS#11 provider library specified via
``--with-pkcs11``.
hardware service module (usually ``pkcs11``).
``-f``
This option indicates a forced overwrite and causes ``dnssec-revoke`` to write the new key pair,


@ -35,10 +35,6 @@
#include <dst/dst.h>
#if USE_PKCS11
#include <pk11/result.h>
#endif /* if USE_PKCS11 */
#include "dnssectool.h"
const char *program = "dnssec-settime";
@ -54,17 +50,7 @@ usage(void) {
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "General options:\n");
#if USE_PKCS11
fprintf(stderr,
" -E engine: specify PKCS#11 provider "
"(default: %s)\n",
PK11_LIB_LOCATION);
#elif defined(USE_PKCS11)
fprintf(stderr, " -E engine: specify OpenSSL engine "
"(default \"pkcs11\")\n");
#else /* if USE_PKCS11 */
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
#endif /* if USE_PKCS11 */
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
@ -262,9 +248,6 @@ main(int argc, char **argv) {
setup_logging(mctx, &log);
#if USE_PKCS11
pk11_result_register();
#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;


@ -104,10 +104,7 @@ Options
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``). When BIND is
built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
defaults to the path of the PKCS#11 provider library specified via
``--with-pkcs11``.
hardware service module (usually ``pkcs11``).
Timing Options
~~~~~~~~~~~~~~


@ -84,10 +84,6 @@
#include <dst/dst.h>
#if USE_PKCS11
#include <pk11/result.h>
#endif /* if USE_PKCS11 */
#include "dnssectool.h"
const char *program = "dnssec-signzone";
@ -3254,14 +3250,7 @@ usage(void) {
fprintf(stderr, "verify generated signatures\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
#if USE_PKCS11
fprintf(stderr,
"\t\tpath to PKCS#11 provider library "
"(default is %s)\n",
PK11_LIB_LOCATION);
#else /* if USE_PKCS11 */
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
#endif /* if USE_PKCS11 */
fprintf(stderr, "\t-P:\t");
fprintf(stderr, "disable post-sign verification\n");
fprintf(stderr, "\t-Q:\t");
@ -3401,9 +3390,6 @@ main(int argc, char *argv[]) {
isc_mem_create(&mctx);
#if USE_PKCS11
pk11_result_register();
#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;


@ -71,10 +71,7 @@ Options
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``). When BIND is
built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
defaults to the path of the PKCS#11 provider library specified via
``--with-pkcs11``.
hardware service module (usually ``pkcs11``).
``-g``
This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-``


@ -61,10 +61,6 @@
#include <dst/dst.h>
#if USE_PKCS11
#include <pk11/result.h>
#endif /* if USE_PKCS11 */
#include "dnssectool.h"
const char *program = "dnssec-verify";
@ -163,14 +159,7 @@ usage(void) {
fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
#if USE_PKCS11
fprintf(stderr,
"\t\tpath to PKCS#11 provider library "
"(default is %s)\n",
PK11_LIB_LOCATION);
#else /* if USE_PKCS11 */
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
#endif /* if USE_PKCS11 */
fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, "
"not ZSKs\n");
fprintf(stderr, "\t-z:\tAll records signed with KSKs\n");
@ -219,9 +208,6 @@ main(int argc, char *argv[]) {
isc_mem_create(&mctx);
#if USE_PKCS11
pk11_result_register();
#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;


@ -49,10 +49,7 @@ Options
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``). When BIND is
built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
defaults to the path of the PKCS#11 provider library specified via
``--with-pkcs11``.
hardware service module (usually ``pkcs11``).
``-I input-format``
This option sets the format of the input zone file. Possible formats are ``text``


@ -25,8 +25,6 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/fixedname.h>
#include <dns/name.h>
#include <dns/rdataclass.h>


@ -53,9 +53,6 @@
#include <dst/result.h>
#include <isccc/result.h>
#if USE_PKCS11
#include <pk11/result.h>
#endif /* if USE_PKCS11 */
#include <dlz/dlz_dlopen_driver.h>
@ -1463,9 +1460,6 @@ main(int argc, char *argv[]) {
dns_result_register();
dst_result_register();
isccc_result_register();
#if USE_PKCS11
pk11_result_register();
#endif /* if USE_PKCS11 */
parse_command_line(argc, argv);


@ -74,10 +74,7 @@ Options
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``). When BIND is
built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
defaults to the path of the PKCS#11 provider library specified via
``--with-pkcs11``.
hardware service module (usually ``pkcs11``).
``-f``
This option runs the server in the foreground (i.e., do not daemonize).


@ -46,8 +46,6 @@
#include <isc/types.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/callbacks.h>
#include <dns/dispatch.h>
#include <dns/dnssec.h>


@ -1,4 +0,0 @@
pkcs11-destroy
pkcs11-keygen
pkcs11-list
pkcs11-tokens


@ -1,13 +0,0 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS)
LDADD += \
$(LIBISC_LIBS)
bin_PROGRAMS = \
pkcs11-list \
pkcs11-destroy \
pkcs11-keygen \
pkcs11-tokens


@ -1,265 +0,0 @@
/*
* Copyright (C) 2009, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* Portions copyright (c) 2008 Nominet UK. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label]
* [-p $pin] [ -w $wait ]
*/
/*! \file */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <isc/commandline.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
int
main(int argc, char *argv[]) {
isc_result_t result;
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_SESSION_HANDLE hSession;
CK_BYTE attr_id[2];
CK_OBJECT_HANDLE akey[50];
pk11_context_t pctx;
char *lib_name = NULL;
char *label = NULL;
char *pin = NULL;
int error = 0;
unsigned int id = 0, i = 0, wait = 5;
int c, errflg = 0;
CK_ULONG ulObjectCount;
CK_ATTRIBUTE search_template[] = { { CKA_ID, &attr_id,
sizeof(attr_id) } };
unsigned int j, len;
while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:w:")) != -1) {
switch (c) {
case 'm':
lib_name = isc_commandline_argument;
break;
case 's':
slot = atoi(isc_commandline_argument);
break;
case 'i':
id = atoi(isc_commandline_argument);
id &= 0xffff;
break;
case 'l':
label = isc_commandline_argument;
break;
case 'p':
pin = isc_commandline_argument;
break;
case 'w':
wait = atoi(isc_commandline_argument);
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n",
isc_commandline_option);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n",
isc_commandline_option);
errflg++;
}
}
if (errflg || (id && (label != NULL))) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, "\tpkcs11-destroy [-m module] [-s slot] "
"{-i id | -l label} [-p pin] [-w waittime]\n");
exit(1);
}
if (id) {
attr_id[0] = (id >> 8) & 0xff;
attr_id[1] = id & 0xff;
} else if (label) {
search_template[0].type = CKA_LABEL;
search_template[0].pValue = label;
search_template[0].ulValueLen = strlen(label);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL) {
pk11_set_lib_name(lib_name);
}
if (pin == NULL) {
pin = getpass("Enter Pin: ");
}
result = pk11_get_session(&pctx, OP_ANY, false, true, true,
(const char *)pin, slot);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE)
{
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n");
} else if (result != ISC_R_SUCCESS) {
fprintf(stderr,
"Unrecoverable error initializing "
"PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
}
memset(pin, 0, strlen(pin));
hSession = pctx.session;
rv = pkcs_C_FindObjectsInit(hSession, search_template,
((id != 0) || (label != NULL)) ? 1 : 0);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_session;
}
rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_search;
}
if (ulObjectCount == 0) {
printf("No matching key objects found.\n");
goto exit_search;
} else {
printf("Key object%s found:\n", ulObjectCount > 1 ? "s" : "");
}
for (i = 0; i < ulObjectCount; i++) {
CK_OBJECT_CLASS oclass = 0;
CK_BYTE labelbuf[64 + 1];
CK_BYTE idbuf[64];
CK_ATTRIBUTE attr_template[] = {
{ CKA_CLASS, &oclass, sizeof(oclass) },
{ CKA_LABEL, labelbuf, sizeof(labelbuf) - 1 },
{ CKA_ID, idbuf, sizeof(idbuf) }
};
memset(labelbuf, 0, sizeof(labelbuf));
memset(idbuf, 0, sizeof(idbuf));
rv = pkcs_C_GetAttributeValue(hSession, akey[i], attr_template,
3);
if (rv != CKR_OK) {
fprintf(stderr,
"C_GetAttributeValue[%u]: rv = 0x%.8lX\n", i,
rv);
error = 1;
goto exit_search;
}
len = attr_template[2].ulValueLen;
printf(" object[%u]: class %lu, label '%s', id[%lu] ", i,
oclass, labelbuf, attr_template[2].ulValueLen);
if (len > 4) {
len = 4;
}
if (len > 0) {
printf("0x");
}
for (j = 0; j < len; j++)
printf("%02x", idbuf[j]);
if (attr_template[2].ulValueLen > len) {
printf("...\n");
} else {
printf("\n");
}
}
if (wait != 0) {
printf("WARNING: This action is irreversible! "
"Destroying key objects in %u seconds\n ",
wait);
for (i = 0; i < wait; i++) {
printf(".");
fflush(stdout);
sleep(1);
}
printf("\n");
}
for (i = 0; i < ulObjectCount; i++) {
rv = pkcs_C_DestroyObject(hSession, akey[i]);
if (rv != CKR_OK) {
fprintf(stderr,
"C_DestroyObject[%u] failed: rv = 0x%.8lX\n", i,
rv);
error = 1;
}
}
if (error == 0) {
printf("Destruction complete.\n");
}
exit_search:
rv = pkcs_C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
error = 1;
}
exit_session:
pk11_return_session(&pctx);
(void)pk11_finalize();
exit(error);
}


@ -1,71 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_pkcs11-destroy:
pkcs11-destroy - destroy PKCS#11 objects
Synopsis
~~~~~~~~
:program:`pkcs11-destroy` [**-m** module] [**-s** slot] [**-i** ID] [**-l** label] [**-p** PIN] [**-w** seconds]
Description
~~~~~~~~~~~
``pkcs11-destroy`` destroys keys stored in a PKCS#11 device, identified
by their ``ID`` or ``label``.
Matching keys are displayed before being destroyed. By default, there is
a five-second delay to allow the user to interrupt the process before
the destruction takes place.
Options
~~~~~~~
``-m module``
This option specifies the PKCS#11 provider module. This must be the full path to a
shared library object implementing the PKCS#11 API for the device.
``-s slot``
This option opens the session with the given PKCS#11 slot. The default is slot 0.
``-i ID``
This option destroys keys with the given object ID.
``-l label``
This option destroys keys with the given label.
``-p PIN``
This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command
line, ``pkcs11-destroy`` prompts for it.
``-w seconds``
This option specifies how long, in seconds, to pause before carrying out key destruction. The
default is 5 seconds. If set to ``0``, destruction is
immediate.
See Also
~~~~~~~~
:manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)`


@ -1,476 +0,0 @@
/*
* Copyright (C) 2009, 2012, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* Portions copyright (c) 2008 Nominet UK. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* pkcs11-keygen - PKCS#11 key generator
*
* Create a key in the keystore of an HSM
*
* The calculation of key tag is left to the script
* that converts the key into a DNSKEY RR and inserts
* it into a zone file.
*
* usage:
* pkcs11-keygen [-P] [-m module] [-s slot] [-e] [-b keysize]
* [-i id] [-p pin] -l label
*
*/
/*! \file */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <isc/commandline.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/types.h>
#include <isc/util.h>
#include <pk11/constants.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
/* Define static key template values */
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
/* Static arrays of data used for key template initialization */
static CK_BYTE pk11_ecc_prime256v1[] = PK11_ECC_PRIME256V1;
static CK_BYTE pk11_ecc_secp384r1[] = PK11_ECC_SECP384R1;
static CK_BYTE pk11_ecx_ed25519[] = PK11_ECX_ED25519;
static CK_BYTE pk11_ecx_ed448[] = PK11_ECX_ED448;
/* Key class: RSA, ECC, ECX, or unknown */
typedef enum { key_unknown, key_rsa, key_ecc, key_ecx } key_class_t;
/*
* Private key template
*/
#define PRIVATE_LABEL 0
#define PRIVATE_SIGN 1
#define PRIVATE_TOKEN 2
#define PRIVATE_PRIVATE 3
#define PRIVATE_SENSITIVE 4
#define PRIVATE_EXTRACTABLE 5
#define PRIVATE_ID 6
#define PRIVATE_ATTRS 7
static CK_ATTRIBUTE private_template[] = {
{ CKA_LABEL, NULL_PTR, 0 },
{ CKA_SIGN, &truevalue, sizeof(truevalue) },
{ CKA_TOKEN, &truevalue, sizeof(truevalue) },
{ CKA_PRIVATE, &truevalue, sizeof(truevalue) },
{ CKA_SENSITIVE, &truevalue, sizeof(truevalue) },
{ CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue) },
{ CKA_ID, NULL_PTR, 0 }
};
/*
* Public key template for RSA keys
*/
#define RSA_LABEL 0
#define RSA_VERIFY 1
#define RSA_TOKEN 2
#define RSA_PRIVATE 3
#define RSA_MODULUS_BITS 4
#define RSA_PUBLIC_EXPONENT 5
#define RSA_ID 6
#define RSA_ATTRS 7
static CK_ATTRIBUTE rsa_template[] = {
{ CKA_LABEL, NULL_PTR, 0 },
{ CKA_VERIFY, &truevalue, sizeof(truevalue) },
{ CKA_TOKEN, &truevalue, sizeof(truevalue) },
{ CKA_PRIVATE, &falsevalue, sizeof(falsevalue) },
{ CKA_MODULUS_BITS, NULL_PTR, 0 },
{ CKA_PUBLIC_EXPONENT, NULL_PTR, 0 },
{ CKA_ID, NULL_PTR, 0 }
};
/*
* Public key template for ECC/ECX keys
*/
#define ECC_LABEL 0
#define ECC_VERIFY 1
#define ECC_TOKEN 2
#define ECC_PRIVATE 3
#define ECC_PARAMS 4
#define ECC_ID 5
#define ECC_ATTRS 6
static CK_ATTRIBUTE ecc_template[] = {
{ CKA_LABEL, NULL_PTR, 0 },
{ CKA_VERIFY, &truevalue, sizeof(truevalue) },
{ CKA_TOKEN, &truevalue, sizeof(truevalue) },
{ CKA_PRIVATE, &falsevalue, sizeof(falsevalue) },
{ CKA_EC_PARAMS, NULL_PTR, 0 },
{ CKA_ID, NULL_PTR, 0 }
};
/*
* Convert from text to key class. Accepts the names of DNSSEC
* signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
* NSEC3RSASHA1 maps to RSA.
*/
static key_class_t
keyclass_fromtext(const char *name) {
if (name == NULL) {
return (key_unknown);
}
if (strncasecmp(name, "rsa", 3) == 0 ||
strncasecmp(name, "nsec3rsa", 8) == 0) {
return (key_rsa);
} else if (strncasecmp(name, "ecc", 3) == 0 ||
strncasecmp(name, "ecdsa", 5) == 0)
{
return (key_ecc);
} else if (strncasecmp(name, "ecx", 3) == 0 ||
strncasecmp(name, "ed", 2) == 0) {
return (key_ecx);
} else {
return (key_unknown);
}
}
static void
usage(void) {
fprintf(stderr, "Usage:\n"
"\tpkcs11-keygen -a algorithm -b keysize -l label\n"
"\t [-P] [-m module] "
"[-s slot] [-e] [-S] [-i id] [-p PIN]\n");
exit(2);
}
int
main(int argc, char *argv[]) {
isc_result_t result;
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_MECHANISM mech;
CK_SESSION_HANDLE hSession;
char *lib_name = NULL;
char *pin = NULL;
CK_ULONG bits = 0;
CK_CHAR *label = NULL;
CK_OBJECT_HANDLE privatekey, publickey;
CK_BYTE exponent[5];
CK_ULONG expsize = 0;
pk11_context_t pctx;
int error = 0;
int c, errflg = 0;
int hide = 1, quiet = 0;
int idlen = 0, id_offset = 0;
unsigned long id = 0;
CK_BYTE idbuf[4];
CK_ULONG ulObjectCount;
CK_ATTRIBUTE search_template[] = { { CKA_LABEL, NULL_PTR, 0 } };
CK_ATTRIBUTE *public_template = NULL;
CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS;
key_class_t keyclass = key_rsa;
pk11_optype_t op_type = OP_ANY;
#define OPTIONS ":a:b:ei:l:m:Pp:qSs:"
while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
switch (c) {
case 'a':
keyclass = keyclass_fromtext(isc_commandline_argument);
break;
case 'P':
hide = 0;
break;
case 'm':
lib_name = isc_commandline_argument;
break;
case 's':
slot = atoi(isc_commandline_argument);
break;
case 'e':
expsize = 5;
break;
case 'b':
bits = atoi(isc_commandline_argument);
break;
case 'l':
/* -l option is retained for backward compatibility * */
label = (CK_CHAR *)isc_commandline_argument;
break;
case 'i':
id = strtoul(isc_commandline_argument, NULL, 0);
idlen = 4;
break;
case 'p':
pin = isc_commandline_argument;
break;
case 'q':
quiet = 1;
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n",
isc_commandline_option);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n",
isc_commandline_option);
errflg++;
}
}
if (label == NULL && isc_commandline_index < argc) {
label = (CK_CHAR *)argv[isc_commandline_index];
}
if (errflg || (label == NULL)) {
usage();
}
if (expsize != 0 && keyclass != key_rsa) {
fprintf(stderr, "The -e option is only compatible "
"with RSA key generation\n");
exit(2);
}
switch (keyclass) {
case key_rsa:
op_type = OP_RSA;
if (expsize == 0) {
expsize = 3;
}
if (bits == 0) {
usage();
}
mech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
mech.pParameter = NULL;
mech.ulParameterLen = 0;
public_template = rsa_template;
public_attrcnt = RSA_ATTRS;
id_offset = RSA_ID;
/* Set public exponent to F4 or F5 */
exponent[0] = 0x01;
exponent[1] = 0x00;
if (expsize == 3) {
exponent[2] = 0x01;
} else {
exponent[2] = 0x00;
exponent[3] = 0x00;
exponent[4] = 0x01;
}
public_template[RSA_MODULUS_BITS].pValue = &bits;
public_template[RSA_MODULUS_BITS].ulValueLen = sizeof(bits);
public_template[RSA_PUBLIC_EXPONENT].pValue = &exponent;
public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize;
break;
case key_ecc:
op_type = OP_ECDSA;
if (bits == 0) {
bits = 256;
} else if (bits != 256 && bits != 384) {
fprintf(stderr, "ECC keys only support bit sizes of "
"256 and 384\n");
exit(2);
}
mech.mechanism = CKM_EC_KEY_PAIR_GEN;
mech.pParameter = NULL;
mech.ulParameterLen = 0;
public_template = ecc_template;
public_attrcnt = ECC_ATTRS;
id_offset = ECC_ID;
if (bits == 256) {
public_template[4].pValue = pk11_ecc_prime256v1;
public_template[4].ulValueLen =
sizeof(pk11_ecc_prime256v1);
} else {
public_template[4].pValue = pk11_ecc_secp384r1;
public_template[4].ulValueLen =
sizeof(pk11_ecc_secp384r1);
}
break;
case key_ecx:
op_type = OP_EDDSA;
if (bits == 0) {
bits = 256;
} else if (bits != 256 && bits != 456) {
fprintf(stderr, "ECX keys only support bit sizes of "
"256 and 456\n");
exit(2);
}
mech.mechanism = CKM_EC_EDWARDS_KEY_PAIR_GEN;
mech.pParameter = NULL;
mech.ulParameterLen = 0;
public_template = ecc_template;
public_attrcnt = ECC_ATTRS;
id_offset = ECC_ID;
if (bits == 256) {
public_template[4].pValue = pk11_ecx_ed25519;
public_template[4].ulValueLen =
sizeof(pk11_ecx_ed25519);
} else {
public_template[4].pValue = pk11_ecx_ed448;
public_template[4].ulValueLen = sizeof(pk11_ecx_ed448);
}
break;
case key_unknown:
usage();
}
search_template[0].pValue = label;
search_template[0].ulValueLen = strlen((char *)label);
public_template[0].pValue = label;
public_template[0].ulValueLen = strlen((char *)label);
private_template[0].pValue = label;
private_template[0].ulValueLen = strlen((char *)label);
if (idlen == 0) {
public_attrcnt--;
private_attrcnt--;
} else {
if (id <= 0xffff) {
idlen = 2;
idbuf[0] = (CK_BYTE)(id >> 8);
idbuf[1] = (CK_BYTE)id;
} else {
idbuf[0] = (CK_BYTE)(id >> 24);
idbuf[1] = (CK_BYTE)(id >> 16);
idbuf[2] = (CK_BYTE)(id >> 8);
idbuf[3] = (CK_BYTE)id;
}
public_template[id_offset].pValue = idbuf;
public_template[id_offset].ulValueLen = idlen;
private_template[PRIVATE_ID].pValue = idbuf;
private_template[PRIVATE_ID].ulValueLen = idlen;
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL) {
pk11_set_lib_name(lib_name);
}
if (pin == NULL) {
pin = getpass("Enter Pin: ");
}
result = pk11_get_session(&pctx, op_type, false, true, true,
(const char *)pin, slot);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE)
{
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n");
} else if (result != ISC_R_SUCCESS) {
fprintf(stderr,
"Unrecoverable error initializing "
"PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
}
memset(pin, 0, strlen(pin));
hSession = pctx.session;
/* check if a key with the same id already exists */
rv = pkcs_C_FindObjectsInit(hSession, search_template, 1);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_session;
}
rv = pkcs_C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_search;
}
if (ulObjectCount != 0) {
fprintf(stderr, "Key already exists.\n");
error = 1;
goto exit_search;
}
/* Set attributes if the key is not to be hidden */
if (!hide) {
private_template[4].pValue = &falsevalue;
private_template[5].pValue = &truevalue;
}
/* Generate Key pair for signing/verifying */
rv = pkcs_C_GenerateKeyPair(hSession, &mech, public_template,
public_attrcnt, private_template,
private_attrcnt, &publickey, &privatekey);
if (rv != CKR_OK) {
fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
error = 1;
} else if (!quiet) {
printf("Key pair generation complete.\n");
}
exit_search:
rv = pkcs_C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
error = 1;
}
exit_session:
pk11_return_session(&pctx);
(void)pk11_finalize();
exit(error);
}


@ -1,90 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_pkcs11-keygen:
pkcs11-keygen - generate keys on a PKCS#11 device
-------------------------------------------------
Synopsis
~~~~~~~~
:program:`pkcs11-keygen` [**-a** algorithm] [**-b** keysize] [**-e**] [**-i** id] [**-m** module] [**-P**] [**-p** PIN] [**-q**] [**-S**] [**-s** slot] label
Description
~~~~~~~~~~~
``pkcs11-keygen`` causes a PKCS#11 device to generate a new key pair
with the given ``label`` (which must be unique) and with ``keysize``
bits of prime.
Options
~~~~~~~
``-a algorithm``
This option specifies the key algorithm class: supported classes are RSA, DSA, DH,
ECC, and ECX. In addition to these strings, the ``algorithm`` can be
specified as a DNSSEC signing algorithm to be used with this
key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to
ECC, and ED25519 to ECX. The default class is ``RSA``.
``-b keysize``
This option creates the key pair with ``keysize`` bits of prime. For ECC keys, the
only valid values are 256 and 384, and the default is 256. For ECX
keys, the only valid values are 256 and 456, and the default is 256.
``-e``
For RSA keys only, this option specifies use of a large exponent.
``-i id``
This option creates key objects with ``id``. The ID is either an unsigned short 2-byte
or an unsigned long 4-byte number.
``-m module``
This option specifies the PKCS#11 provider module. This must be the full path to a
shared library object implementing the PKCS#11 API for the device.
``-P``
This option sets the new private key to be non-sensitive and extractable, and
allows the private key data to be read from the PKCS#11 device. The
default is for private keys to be sensitive and non-extractable.
``-p PIN``
This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command
line, ``pkcs11-keygen`` prompts for it.
``-q``
This option sets quiet mode, which suppresses unnecessary output.
``-S``
For Diffie-Hellman (DH) keys only, this option specifies use of a special prime of 768-, 1024-,
or 1536-bit size and base (AKA generator) 2. If not specified, bit
size defaults to 1024.
``-s slot``
This option opens the session with the given PKCS#11 slot. The default is slot 0.
See Also
~~~~~~~~
:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)`, :manpage:`dnssec-keyfromlabel(8)`


@ -1,274 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* Portions copyright (c) 2008 Nominet UK. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* pkcs11-list [-P] [-m module] [-s slot] [-i $id | -l $label] [-p $pin] */
/*! \file */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <isc/commandline.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
int
main(int argc, char *argv[]) {
isc_result_t result;
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_SESSION_HANDLE hSession;
CK_BYTE attr_id[2];
CK_OBJECT_HANDLE akey[50];
pk11_context_t pctx;
char *lib_name = NULL;
char *label = NULL;
char *pin = NULL;
bool error = false, logon = true, all = false;
unsigned int i = 0, id = 0;
int c, errflg = 0;
CK_ULONG ulObjectCount;
CK_ATTRIBUTE search_template[] = { { CKA_ID, &attr_id,
sizeof(attr_id) } };
while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:P")) != -1) {
switch (c) {
case 'P':
logon = false;
break;
case 'm':
lib_name = isc_commandline_argument;
break;
case 's':
slot = atoi(isc_commandline_argument);
break;
case 'i':
id = atoi(isc_commandline_argument);
id &= 0xffff;
break;
case 'l':
label = isc_commandline_argument;
break;
case 'p':
pin = isc_commandline_argument;
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n",
isc_commandline_option);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n",
isc_commandline_option);
errflg++;
}
}
if (errflg) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, "\tpkcs11-list [-P] [-m module] [-s slot] "
"[-i id | -l label] [-p pin]\n");
exit(1);
}
if (!id && (label == NULL)) {
all = true;
}
if (slot) {
printf("slot %lu\n", slot);
}
if (id) {
printf("id %u\n", id);
attr_id[0] = (id >> 8) & 0xff;
attr_id[1] = id & 0xff;
} else if (label != NULL) {
printf("label %s\n", label);
search_template[0].type = CKA_LABEL;
search_template[0].pValue = label;
search_template[0].ulValueLen = strlen(label);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL) {
pk11_set_lib_name(lib_name);
}
if (logon && pin == NULL) {
pin = getpass("Enter Pin: ");
}
result = pk11_get_session(&pctx, OP_ANY, false, false, logon, pin,
slot);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE)
{
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n");
} else if (result != ISC_R_SUCCESS) {
fprintf(stderr,
"Unrecoverable error initializing "
"PKCS#11: %s\n",
isc_result_totext(result));
fprintf(stderr,
"Unrecoverable error initializing "
"PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
}
if (pin != NULL) {
memset(pin, 0, strlen(pin));
}
hSession = pctx.session;
rv = pkcs_C_FindObjectsInit(hSession, search_template, all ? 0 : 1);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_session;
}
ulObjectCount = 1;
while (ulObjectCount) {
rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_search;
}
for (i = 0; i < ulObjectCount; i++) {
unsigned int j, len;
CK_OBJECT_CLASS oclass = 0;
CK_BYTE labelbuf[64 + 1];
CK_BYTE idbuf[64];
CK_BBOOL extract = TRUE;
CK_BBOOL never = FALSE;
CK_ATTRIBUTE template[] = {
{ CKA_CLASS, &oclass, sizeof(oclass) },
{ CKA_LABEL, labelbuf, sizeof(labelbuf) - 1 },
{ CKA_ID, idbuf, sizeof(idbuf) }
};
CK_ATTRIBUTE priv_template[] = {
{ CKA_EXTRACTABLE, &extract, sizeof(extract) },
{ CKA_NEVER_EXTRACTABLE, &never, sizeof(never) }
};
memset(labelbuf, 0, sizeof(labelbuf));
memset(idbuf, 0, sizeof(idbuf));
rv = pkcs_C_GetAttributeValue(hSession, akey[i],
template, 3);
if (rv != CKR_OK) {
fprintf(stderr,
"C_GetAttributeValue[%u]: "
"rv = 0x%.8lX\n",
i, rv);
if (rv == CKR_BUFFER_TOO_SMALL) {
fprintf(stderr,
"%u too small: %lu %lu %lu\n",
i, template[0].ulValueLen,
template[1].ulValueLen,
template[2].ulValueLen);
}
error = 1;
continue;
}
len = template[2].ulValueLen;
printf("object[%u]: handle %lu class %lu "
"label[%lu] '%s' id[%lu] ",
i, akey[i], oclass, template[1].ulValueLen,
labelbuf, template[2].ulValueLen);
if (len == 2) {
id = (idbuf[0] << 8) & 0xff00;
id |= idbuf[1] & 0xff;
printf("%u", id);
} else {
if (len > 8) {
len = 8;
}
if (len > 0) {
printf("0x");
}
for (j = 0; j < len; j++)
printf("%02x", idbuf[j]);
if (template[2].ulValueLen > len) {
printf("...");
}
}
if ((oclass == CKO_PRIVATE_KEY ||
oclass == CKO_SECRET_KEY) &&
pkcs_C_GetAttributeValue(hSession, akey[i],
priv_template,
2) == CKR_OK)
{
printf(" E:%s",
extract ? "true"
: (never ? "never" : "false"));
}
printf("\n");
}
}
exit_search:
rv = pkcs_C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
error = 1;
}
exit_session:
pk11_return_session(&pctx);
(void)pk11_finalize();
exit(error);
}


@ -1,66 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_pkcs11-list:
pkcs11-list - list PKCS#11 objects
----------------------------------
:program:`pkcs11-list` [**-P**] [**-m** module] [**-s** slot] [**-i** ID **] [-l** label] [**-p** PIN]
Description
~~~~~~~~~~~
``pkcs11-list`` lists the PKCS#11 objects with ``ID`` or ``label`` or, by
default, all objects. The object class, label, and ID are displayed for
all keys. For private or secret keys, the extractability attribute is
also displayed, as either ``true``, ``false``, or ``never``.
Options
~~~~~~~
``-P``
This option lists only the public objects. (Note that on some PKCS#11 devices, all
objects are private.)
``-m module``
This option specifies the PKCS#11 provider module. This must be the full path to a
shared library object implementing the PKCS#11 API for the device.
``-s slot``
This option opens the session with the given PKCS#11 slot. The default is slot 0.
``-i ID``
This option lists only key objects with the given object ID.
``-l label``
This option lists only key objects with the given label.
``-p PIN``
This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command
line, ``pkcs11-list`` prompts for it.
See Also
~~~~~~~~
:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-tokens(8)`


@ -1,101 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/* pkcs11-tokens [-m module] */
/*! \file */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <isc/commandline.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
int
main(int argc, char *argv[]) {
isc_result_t result;
char *lib_name = NULL;
int c, errflg = 0;
isc_mem_t *mctx = NULL;
pk11_context_t pctx;
while ((c = isc_commandline_parse(argc, argv, ":m:v")) != -1) {
switch (c) {
case 'm':
lib_name = isc_commandline_argument;
break;
case 'v':
pk11_verbose_init = true;
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n",
isc_commandline_option);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n",
isc_commandline_option);
errflg++;
}
}
if (errflg) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, "\tpkcs11-tokens [-v] [-m module]\n");
exit(1);
}
isc_mem_create(&mctx);
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL) {
pk11_set_lib_name(lib_name);
}
result = pk11_get_session(&pctx, OP_ANY, true, false, false, NULL, 0);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE)
{
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n\n");
} else if ((result != ISC_R_SUCCESS) && (result != ISC_R_NOTFOUND)) {
fprintf(stderr,
"Unrecoverable error initializing "
"PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
}
pk11_dump_tokens();
if (pctx.handle != NULL) {
pk11_return_session(&pctx);
}
(void)pk11_finalize();
isc_mem_destroy(&mctx);
exit(0);
}


@ -1,53 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_pkcs11-tokens:
pkcs11-tokens - list PKCS#11 available tokens
---------------------------------------------
Synopsis
~~~~~~~~
:program:`pkcs11-tokens` [**-m** module] [**-v**]
Description
~~~~~~~~~~~
``pkcs11-tokens`` lists the PKCS#11 available tokens with defaults from
the slot/token scan performed at application initialization.
Options
~~~~~~~
``-m module``
This option specifies the PKCS#11 provider module. This must be the full path to a
shared library object implementing the PKCS#11 API for the device.
``-v``
This option makes the PKCS#11 libisc initialization verbose.
See Also
~~~~~~~~
:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)`


@ -36,8 +36,6 @@
#include <isc/thread.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/name.h>
#include <isccc/alist.h>


@ -230,10 +230,6 @@ endif HAVE_PYMOD_DNS
endif HAVE_PYTHON
if HAVE_PKCS11
TESTS += pkcs11
endif
else !HAVE_PERL
check:
echo Perl is not available, no tests were ran


@ -1,14 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
. ./conf.sh
[ -x "$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy" ] && $PK11DEL -w0 > /dev/null 2>&1


@ -731,9 +731,6 @@ export NSUPDATE
export NZD2NZF
export PERL
export PIPEQUERIES
export PK11DEL
export PK11GEN
export PK11LIST
export PSSUSPEND
export PYTHON
export RESOLVE


@ -48,9 +48,6 @@ NSEC3HASH=$TOP_BUILDDIR/bin/tools/nsec3hash
NSLOOKUP=$TOP_BUILDDIR/bin/dig/nslookup
NSUPDATE=$TOP_BUILDDIR/bin/nsupdate/nsupdate
NZD2NZF=$TOP_BUILDDIR/bin/tools/named-nzd2nzf
PK11DEL="$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
PK11GEN="$TOP_BUILDDIR/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
PK11LIST="$TOP_BUILDDIR/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
RESOLVE=$TOP_BUILDDIR/bin/tests/system/resolve
REVOKE=$TOP_BUILDDIR/bin/dnssec/dnssec-revoke
RNDC=$TOP_BUILDDIR/bin/rndc/rndc
@ -77,7 +74,7 @@ KRB5_KTNAME=dns.keytab
#
# Construct the lists of tests to run
#
SEQUENTIAL_UNIX="@PKCS11_TEST@"
SEQUENTIAL_UNIX=""
SEQUENTIALDIRS="$SEQUENTIAL_COMMON $SEQUENTIAL_UNIX"
PARALLEL_UNIX="@DNSTAP@
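Review bot: `SEQUENTIAL_UNIX=""` leaves a variable that is now always empty yet is still folded into `SEQUENTIALDIRS` on the following line, which reads as a leftover rather than a deliberate choice. Either drop the variable and set `SEQUENTIALDIRS="$SEQUENTIAL_COMMON"`, or keep it and say why, e.g. `# Intentionally empty: no UNIX-only sequential tests remain after the pkcs11 system test was removed`. The `@PKCS11_TEST@` substitution presumably also disappears from configure.ac, but the configure.ac hunk on this page is cut off, so that cannot be confirmed here.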


@ -3366,12 +3366,6 @@ do
;;
15|16)
key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true)
# Soft-fail in case HSM doesn't support Edwards curves
if grep "not found" "keygen-$alg.err" > /dev/null && [ "$CRYPTO" = "pkcs11" ]; then
echo_i "Algorithm $alg not supported by HSM: skipping"
alg=$((alg+1))
continue
fi
;;
*)
key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true)


@ -1,20 +0,0 @@
edda 2800 0001 0000 0001 0000 0972 7361
7368 6132 3536 0765 7861 6d70 6c65 0000
0600 01c0 0c00 3000 0100 0001 2c01 0801
0003 0803 0100 0100 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 00


@ -1,19 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
rm -f dig.out* pin upd.log* upd.cmd* pkcs11-list.out*
rm -f ns1/*.ksk ns1/*.zsk ns1/named.memstats
rm -f supported
rm -f ns*/named.run ns*/named.lock ns*/named.conf
rm -f ns*/managed-keys.bind*


@ -1,22 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA ns root (
2000082401 ; serial
1800 ; refresh (30 minutes)
1800 ; retry (30 minutes)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.1
txt TXT "recursed"


@ -1,34 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
dnssec-validation no;
notify no;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};


@ -1,91 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -eu
# shellcheck source=conf.sh
. ../conf.sh
echo_i "Generating keys for Native PKCS#11" >&2
infile=ns1/example.db.in
printf '%s' "${HSMPIN:-1234}" > pin
PWD=$(pwd)
copy_setports ns1/named.conf.in ns1/named.conf
get_random() {
dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -tu2 -An
}
genpkcs() (
alg="$1"
bits="$2"
label="$3"
id="$(get_random)"
$PK11DEL -l "$label" -w0 >/dev/null || true
$PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null
)
keyfrlab() (
alg="$1"
bits="$2"
label="$3"
zone="$4"
shift 4
$KEYFRLAB -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone"
)
genzsk() (
genpkcs "$@"
keyfrlab "$@"
)
genksk() (
genpkcs "$@"
keyfrlab "$@" -f ksk
)
algs=
for algbits in rsasha256:2048 rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456; do
alg=$(echo "$algbits" | cut -f 1 -d :)
bits=$(echo "$algbits" | cut -f 2 -d :)
zone="$alg.example"
zonefile="ns1/$alg.example.db"
if $SHELL ../testcrypto.sh "$alg"; then
echo "$alg" >> supported
algs="$algs$alg "
zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone")
zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone")
ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone")
ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone")
cat "$infile" "$zsk1.key" "$ksk1.key" > "$zonefile"
$SIGNER -a -P -g -o "$zone" "$zonefile" > /dev/null
cp "$zsk2.key" "ns1/$alg.zsk"
cp "$ksk2.key" "ns1/$alg.ksk"
mv "K$alg"* ns1/
cat >> ns1/named.conf <<EOF
zone "$alg.example." {
type primary;
file "$alg.example.db.signed";
allow-update { any; };
};
EOF
fi
done
echo_i "Generated keys for Native PKCS#11: $algs"


@ -1,146 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
# shellcheck source=conf.sh
. ../conf.sh
count_rrsigs() (
grep -c "IN[[:space:]]*RRSIG" "$@" || true
)
dig_with_opts() (
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
)
dig_for_rr() (
alg=$1
rrtype=$2
count0=$3
dig_with_opts "$alg.example." @10.53.0.1 "$rrtype" > "dig.out.$rrtype.$alg" &&
count=$(count_rrsigs "dig.out.$rrtype.$alg") &&
test "$count" -gt "$count0"
)
test_done() {
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
ret=0
}
status=0
ret=0
n=0
while read -r alg; do
zonefile=ns1/$alg.example.db
echo_i "testing PKCS#11 key generation ($alg)"
count=$($PK11LIST | grep -c "pkcs11-$alg-ksk" || true)
[ "$count" -eq 4 ] || ret=1
test_done
echo_i "testing offline signing with PKCS#11 keys ($alg)"
count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed")
[ "$count" -eq 9 ] || ret=1
test_done
echo_i "testing inline signing with new PKCS#11 ZSK ($alg)"
dig_with_opts "$alg.example." @10.53.0.1 "SOA" > "dig.out.SOA.$alg.0" || ret=1
countSOA0=$(count_rrsigs "dig.out.SOA.$alg.0")
new_zsk=$(grep -v ';' "ns1/$alg.zsk")
cat > "upd.cmd.ZSK.$alg" <<EOF
server 10.53.0.1 $PORT
ttl 300
zone $alg.example.
update add $new_zsk
send
EOF
$NSUPDATE -v > "upd.log.ZSK.$alg" < "upd.cmd.ZSK.$alg" || ret=1
retry_quiet 20 dig_for_rr "$alg" "SOA" "$countSOA0" || ret=1
test_done
echo_i "testing inline signing with new PKCS#11 KSK ($alg)"
dig_with_opts "$alg.example." @10.53.0.1 "DNSKEY" > "dig.out.DNSKEY.$alg.0" || ret=1
countDNSKEY0=$(count_rrsigs "dig.out.DNSKEY.$alg.0")
new_ksk=$(grep -v ';' "ns1/$alg.ksk")
cat > "upd.cmd.KSK.$alg" <<EOF
server 10.53.0.1 $PORT
ttl 300
zone $alg.example.
update add $new_ksk
send
EOF
$NSUPDATE -v > "upd.log.KSK.$alg" < "upd.cmd.KSK.$alg" || ret=1
retry_quiet 20 dig_for_rr "$alg" "DNSKEY" "$countDNSKEY0" || ret=1
test_done
echo_i "testing PKCS#11 key destroy ($alg)"
# Lookup all existing keys
echo_i "looking up all existing keys ($alg)"
$PK11LIST > "pkcs11-list.out.id.$alg" || ret=1
test_done
echo_i "destroying key with 'pkcs11-$alg-ksk1' label ($alg)"
$PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1
test_done
echo_i "destroying key with 'pkcs11-$alg-zsk1' label ($alg)"
$PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1
test_done
id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
echo_i "destroying key with $id id ($alg)"
if [ -n "$id" ]; then
$PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
else
ret=1
fi
test_done
id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
echo_i "destroying key with $id id ($alg)"
if [ -n "$id" ]; then
$PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
else
ret=1
fi
test_done
echo_i "checking if all keys have been destroyed ($alg)"
$PK11LIST > "pkcs11-list.out.$alg" || ret=1
count=$(grep -c "pkcs11-$alg-[kz]sk[0-9]*" "pkcs11-list.out.$alg" || true)
[ "$count" -eq 0 ] || ret=1
test_done
n=$((n+1))
done < supported
echo_i "Checking if all supported algorithms were tested"
[ "$n" -eq "$(wc -l < supported)" ] || ret=1
test_done
echo_i "Checking for assertion failure in pk11_numbits()"
$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1
test_done
echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1


@ -1 +0,0 @@
This test relies on PKCS#11!


@ -74,8 +74,6 @@ main(int argc, char **argv) {
UNUSED(argc);
UNUSED(argv);
#if !USE_PKCS11
rsa = RSA_new();
e = BN_new();
pkey = EVP_PKEY_new();
@ -151,9 +149,6 @@ main(int argc, char **argv) {
dst_lib_destroy();
isc_mem_destroy(&mctx);
return (0);
#else /* !USE_PKCS11 */
return (1);
#endif /* !USE_PKC11 */
}
/*! \file */


@ -161,18 +161,6 @@ else
exit 77
fi
# Check for PKCS#11 support
if
test ! -f "$systest/usepkcs11" || $SHELL cleanpkcs11.sh
then
: pkcs11 ok
else
echowarn "I:$systest:Need PKCS#11, skipping test."
echowarn "R:$systest:PKCS11ONLY"
echoend "E:$systest:$(date_with_args)"
exit 0
fi
# Clean up files left from any potential previous runs except when
# started with the --restart option.
if ! $restart; then


@ -66,8 +66,6 @@ then
else
if test $quiet -eq 0; then
echo_i "This test requires support for $msg" >&2
echo_i "configure with --with-openssl, or --enable-native-pkcs11" \
"--with-pkcs11" >&2
fi
exit 255
fi


@ -27,8 +27,6 @@
#include <isc/timer.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/dispatch.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>


@ -27,8 +27,6 @@
#include <isc/timer.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/dispatch.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>


@ -747,43 +747,6 @@ AX_RESTORE_FLAGS([openssl])
AC_SUBST([OPENSSL_CFLAGS])
AC_SUBST([OPENSSL_LIBS])
#
# was --enable-native-pkcs11 specified?
#
# [pairwise: --enable-native-pkcs11, --disable-native-pkcs11]
AC_ARG_ENABLE([native-pkcs11],
AS_HELP_STRING([--enable-native-pkcs11],
[use native PKCS11 for public-key crypto [default=no]]),
[:], [enable_native_pkcs11="no"])
AC_MSG_CHECKING([for PKCS11 for Public-Key Cryptography])
AS_CASE([$enable_native_pkcs11],
[no],[AC_MSG_RESULT([no])],
[yes],[CRYPTO=pkcs11
AC_MSG_RESULT([yes])
AC_CHECK_FUNCS([getpassphrase])
])
AM_CONDITIONAL([HAVE_PKCS11], [test "$CRYPTO" = "pkcs11"])
AC_SUBST([CRYPTO])
AS_CASE([$CRYPTO],
[pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
[AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
#
# was --with-pkcs11 specified?
#
# [pairwise: skip]
AC_ARG_WITH([pkcs11],
[AS_HELP_STRING([--with-pkcs11[=PATH]],
[Build with PKCS11 support [no|path] (PATH is for the PKCS11 provider)])],
[:], [with_pkcs11="undefined"])
AS_CASE([$with_pkcs11],
[yes|auto],[AC_MSG_ERROR([--with-pkcs11 needs explicit path to the PKCS11 library])],
[no|undefined],[with_pkcs11="undefined"])
AC_DEFINE_UNQUOTED([PK11_LIB_LOCATION], ["$with_pkcs11"], [define the default PKCS11 library path])
AC_CHECK_FUNCS([clock_gettime])
# [pairwise: --with-gssapi=yes, --with-gssapi=auto, --without-gssapi]
@ -1634,7 +1597,6 @@ AC_CONFIG_FILES([bin/Makefile
bin/nsupdate/Makefile
bin/check/Makefile
bin/confgen/Makefile
bin/pkcs11/Makefile
bin/plugins/Makefile])
# Libraries
@ -1742,11 +1704,6 @@ report() {
test "auto" = "$validation_default" && echo " DNSSEC validation active by default (--enable-auto-validation)"
test "$CRYPTO" = "pkcs11" && (
echo " Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)"
echo " PKCS#11 module (--with-pkcs11): $with_pkcs11"
)
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$with_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
@ -1798,10 +1755,6 @@ report() {
test "yes" = "$validation_default" && echo " DNSSEC validation requires configuration (--enable-auto-validation)"
test "$CRYPTO" = "pkcs11" || (
echo " Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)"
)
test "yes" = "$enable_querytrace" || \
echo " Very verbose query trace logging (--enable-querytrace)"
test "yes" = "$enable_singletrace" || \


@ -40,10 +40,6 @@ Manual Pages
.. include:: ../../bin/tools/nsec3hash.rst
.. include:: ../../bin/dig/nslookup.rst
.. include:: ../../bin/nsupdate/nsupdate.rst
.. include:: ../../bin/pkcs11/pkcs11-destroy.rst
.. include:: ../../bin/pkcs11/pkcs11-keygen.rst
.. include:: ../../bin/pkcs11/pkcs11-list.rst
.. include:: ../../bin/pkcs11/pkcs11-tokens.rst
.. include:: ../../bin/confgen/rndc-confgen.rst
.. include:: ../../bin/rndc/rndc.conf.rst
.. include:: ../../bin/rndc/rndc.rst


@ -17,26 +17,15 @@ Public Key Cryptography Standard #11 (PKCS#11) defines a
platform-independent API for the control of hardware security modules
(HSMs) and other cryptographic support devices.
BIND 9 is known to work with three HSMs: the AEP Keyper, which has been
tested with Debian Linux, Solaris x86, and Windows Server 2003; the
Thales nShield, tested with Debian Linux; and the Sun SCA 6000
cryptographic acceleration board, tested with Solaris x86. In addition,
BIND can be used with all current versions of SoftHSM, a software-based
HSM simulator library produced by the OpenDNSSEC project.
PKCS#11 uses a "provider library": a dynamically loadable
library which provides a low-level PKCS#11 interface to drive the HSM
hardware. The PKCS#11 provider library comes from the HSM vendor, and it
is specific to the HSM to be controlled.
There are two available mechanisms for PKCS#11 support in BIND 9:
OpenSSL-based PKCS#11 and native PKCS#11. With OpenSSL-based PKCS#11,
BIND uses a modified version of OpenSSL, which loads the
provider library and operates the HSM indirectly; any cryptographic
operations not supported by the HSM can be carried out by OpenSSL
instead. Native PKCS#11 enables BIND to bypass OpenSSL completely;
BIND loads the provider library itself, and uses the PKCS#11 API to
drive the HSM directly.
BIND 9 uses OpenSSL engine_pkcs11 from the OpenSC project. The engine is
dynamically loaded into OpenSSL and the HSM is operated indirectly; any
cryptographic operations not supported by the HSM can be carried out by OpenSSL
instead.
Prerequisites
~~~~~~~~~~~~~
@ -44,34 +33,6 @@ Prerequisites
See the documentation provided by the HSM vendor for information about
installing, initializing, testing, and troubleshooting the HSM.
Native PKCS#11
~~~~~~~~~~~~~~
Native PKCS#11 mode only works with an HSM capable of carrying out
*every* cryptographic operation BIND 9 may need. The HSM's provider
library must have a complete implementation of the PKCS#11 API, so that
all these functions are accessible. As of this writing, only the Thales
nShield HSM and SoftHSMv2 can be used in this fashion. For other HSMs,
including the AEP Keyper, Sun SCA 6000, and older versions of SoftHSM,
use OpenSSL-based PKCS#11. (Note: Eventually, when more HSMs become
capable of supporting native PKCS#11, it is expected that OpenSSL-based
PKCS#11 will be deprecated.)
To build BIND with native PKCS#11, configure it as follows:
::
$ cd bind9
$ ./configure --enable-native-pkcs11 \
--with-pkcs11=provider-library-path
This causes all BIND tools, including ``named`` and the ``dnssec-*``
and ``pkcs11-*`` tools, to use the PKCS#11 provider library specified in
provider-library-path for cryptography. (The provider library path can
be overridden using the ``-E`` argument in ``named`` and the ``dnssec-*`` tools,
or the ``-m`` argument in the ``pkcs11-*`` tools.)
Building SoftHSMv2
^^^^^^^^^^^^^^^^^^
@ -99,156 +60,163 @@ with BIND.
$ make install
$ /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2
OpenSSL-based PKCS#11
~~~~~~~~~~~~~~~~~~~~~
OpenSSL-based PKCS#11 uses engine_pkcs11 OpenSSL engine from libp11 project.
For more information, see https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11
engine_pkcs11 tries to fit the PKCS#11 API within the engine API of OpenSSL.
That is, it provides a gateway between PKCS#11 modules and the OpenSSL engine
API. One has to register the engine with OpenSSL and one has to provide the
path to the PKCS#11 module which should be gatewayed to. This can be done by
editing the OpenSSL configuration file, by engine specific controls, or by using
the p11-kit proxy module.
PKCS#11 Tools
~~~~~~~~~~~~~
It is recommended, that libp11 >= 0.4.12 is used.
BIND 9 includes a minimal set of tools to operate the HSM, including
``pkcs11-keygen`` to generate a new key pair within the HSM,
``pkcs11-list`` to list objects currently available, ``pkcs11-destroy``
to remove objects, and ``pkcs11-tokens`` to list available tokens.
For more detailed howto including the examples, we recommend reading:
In UNIX/Linux builds, these tools are built only if BIND 9 is configured
with the ``--with-pkcs11`` option. (Note: If ``--with-pkcs11`` is set to ``yes``,
rather than to the path of the PKCS#11 provider, the tools are
built but the provider is left undefined. Use the ``-m`` option or the
``PKCS11_PROVIDER`` environment variable to specify the path to the
provider.)
https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11
Using the HSM
~~~~~~~~~~~~~
For OpenSSL-based PKCS#11, the runtime environment must first be set up
so the OpenSSL and PKCS#11 libraries can be loaded:
The canonical documentation for configuring engine_pkcs11 is in the
`libp11/README.md`_, but here's copy of working configuration for
your convenience:
.. _`libp11/README.md`: https://github.com/OpenSC/libp11/blob/master/README.md#pkcs-11-module-configuration
We are going to use our own custom copy of OpenSSL configuration, again it's
driven by an environment variable, this time called OPENSSL_CONF. We are
going to copy the global OpenSSL configuration (often found in
``etc/ssl/openssl.conf``) and customize it to use engines_pkcs11.
::
cp /etc/ssl/openssl.cnf /opt/bind9/etc/openssl.cnf
and export the environment variable:
::
export OPENSSL_CONF=/opt/bind9/etc/openssl.cnf
Now add following line at the top of file, before any sections (in square
brackets) are defined:
::
openssl_conf = openssl_init
And add following lines at the bottom of the file:
::
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = <PATHTO>/pkcs11.so
MODULE_PATH = <FULL_PATH_TO_HSM_MODULE>
init = 0
Key Generation
~~~~~~~~~~~~~~
HSM keys can now be created and used. We are going to assume that you already
have a BIND 9 installed, either from a package, or from the sources, and the
tools are readily available in the ``$PATH``.
For generating the keys, we are going to use ``pkcs11-tool`` available from the
OpenSC suite. On both DEB-based and RPM-based distributions, the package is
called opensc.
We need to generate at least two RSA keys:
::
$ export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}
pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type rsa:2048 --label example.net-ksk --pin <PIN>
pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type rsa:2048 --label example.net-ksk --pin <PIN>
This causes ``named`` and other binaries to load the OpenSSL library
from ``/opt/pkcs11/usr/lib``, rather than from the default location. This
step is not necessary when using native PKCS#11.
Remember that each key should have unique label and we are going to use that
label to reference the private key.
Some HSMs require other environment variables to be set. For example,
when operating an AEP Keyper, the location of
the "machine" file, which stores information about the Keyper for use by
the provider library, must be specified. If the machine file is in
``/opt/Keyper/PKCS11Provider/machine``, use:
Convert the RSA keys stored in the HSM into a format that BIND 9 understands.
The ``dnssec-keyfromlabel`` tool from BIND 9 can link the raw keys stored in the
HSM with the ``K<zone>+<alg>+<id>`` files. You'll need to provide the OpenSSL
engine name (``pkcs11``), the algorithm (``RSASHA256``) and the PKCS#11 label
that specify the token (we asume that it has been initialized as bind9), the
name of the PKCS#11 object (called label when generating the keys using
``pkcs11-tool``) and the HSM PIN.
Convert the KSK:
::
dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net
$ export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider
Such environment variables must be set when running any tool that
uses the HSM, including ``pkcs11-keygen``, ``pkcs11-list``,
``pkcs11-destroy``, ``dnssec-keyfromlabel``, ``dnssec-signzone``,
``dnssec-keygen``, and ``named``.
HSM keys can now be created and used. In this case, we will create
a 2048-bit key and give it the label "sample-ksk":
and ZSK:
::
dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-zsk;pin-value=0000" example.net
$ pkcs11-keygen -b 2048 -l sample-ksk
To confirm that the key exists:
NOTE: you can use PIN stored on disk, by specifying ``pin-source=<path_to>/<file>``, f.e.:
::
(umask 0700 && echo -n 0000 > /opt/bind9/etc/pin.txt)
$ pkcs11-list
Enter PIN:
object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
Before using this key to sign a zone, we must create a pair of BIND 9
key files. The ``dnssec-keyfromlabel`` utility does this. In this case, we
are using the HSM key "sample-ksk" as the key-signing key for
"example.net":
and then use in the label specification:
::
pin-source=/opt/bind9/etc/pin.txt
$ dnssec-keyfromlabel -l sample-ksk -f KSK example.net
The resulting K*.key and K*.private files can now be used to sign the
zone. Unlike normal K\* files, which contain both public and private key
data, these files contain only the public key data, plus an
identifier for the private key which remains stored within the HSM.
Signing with the private key takes place inside the HSM.
To generate a second key in the HSM for use as a
zone-signing key, follow the same procedure above, using a different
keylabel, a smaller key size, and omitting ``-f KSK`` from the
``dnssec-keyfromlabel`` arguments:
Confirm that you have one KSK and one ZSK present in the current directory:
::
ls -l K*
$ pkcs11-keygen -b 1024 -l sample-zsk
$ dnssec-keyfromlabel -l sample-zsk example.net
Alternatively, a conventional on-disk key can be generated
using ``dnssec-keygen``:
The output should look like this (the second number will be different):
::
Kexample.net.+008+31729.key
Kexample.net.+008+31729.private
Kexample.net.+008+42231.key
Kexample.net.+008+42231.private
$ dnssec-keygen example.net
This provides less security than an HSM key, but since HSMs can be slow
or cumbersome to use for security reasons, it may be more efficient to
reserve HSM keys for use in the less frequent key-signing operation. The
zone-signing key can be rolled more frequently, if desired, to
compensate for a reduction in key security. (Note: When using native
PKCS#11, there is no speed advantage to using on-disk keys, as
cryptographic operations are done by the HSM.)
Now the zone can be signed. Please note that, if the -S option is not used for
``dnssec-signzone``, the contents of both
``K*.key`` files must be added to the zone master file before signing it.
::
$ dnssec-signzone -S example.net
Enter PIN:
Verifying the zone using the following algorithms:
NSEC3RSASHA1.
Zone signing complete:
Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
example.net.signed
Specifying the Engine on the Command Line
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When using OpenSSL-based PKCS#11, the "engine" to be used by OpenSSL can
be specified in ``named`` and all of the BIND ``dnssec-*`` tools by
using the ``-E <engine>`` command line option. If BIND 9 is built with the
``--with-pkcs11`` option, this option defaults to "pkcs11". Specifying the
engine is generally not necessary unless
a different OpenSSL engine is used.
When using OpenSSL-based PKCS#11, the "engine" to be used by OpenSSL can be
specified in ``named`` and all of the BIND ``dnssec-*`` tools by using the ``-E
<engine>`` command line option. Specifying the engine is generally not necessary
unless a different OpenSSL engine is used.
To disable use of the "pkcs11" engine - for
troubleshooting purposes, or because the HSM is unavailable - set
the engine to the empty string. For example:
The zone signing commences as usual, with only one small difference. We need to
provide the name of the OpenSSL engine using the -E command line option.
::
$ dnssec-signzone -E '' -S example.net
This causes ``dnssec-signzone`` to run as if it were compiled without
the ``--with-pkcs11`` option.
When built with native PKCS#11 mode, the "engine" option has a different
meaning: it specifies the path to the PKCS#11 provider library. This may
be useful when testing a new provider library.
dnssec-signzone -E pkcs11 -S -o example.net example.net
Running ``named`` With Automatic Zone Re-signing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The zone can also be signed automatically by named. Again, we need to provide
the name of the OpenSSL engine using the -E command line option.
::
named -E pkcs11 -c named.conf
and the logs should have lines like:
::
Fetching example.net/RSASHA256/31729 (KSK) from key repository.
DNSKEY example.net/RSASHA256/31729 (KSK) is now published
DNSKEY example.net/RSA256SHA256/31729 (KSK) is now active
Fetching example.net/RSASHA256/42231 (ZSK) from key repository.
DNSKEY example.net/RSASHA256/42231 (ZSK) is now published
DNSKEY example.net/RSA256SHA256/42231 (ZSK) is now active
For ``named`` to dynamically re-sign zones using HSM keys,
and/or to sign new records inserted via nsupdate, ``named`` must
have access to the HSM PIN. In OpenSSL-based PKCS#11, this is
@ -273,14 +241,3 @@ Here is a sample ``openssl.cnf``:
This also allows the ``dnssec-\*`` tools to access the HSM without PIN
entry. (The ``pkcs11-\*`` tools access the HSM directly, not via OpenSSL, so
a PIN is still required to use them.)
In native PKCS#11 mode, the PIN can be provided in a file specified as
an attribute of the key's label. For example, if a key had the label
``pkcs11:object=local-zsk;pin-source=/etc/hsmpin``, then the PIN would
be read from the file ``/etc/hsmpin``.
.. warning::
Placing the HSM's PIN in a text file in this manner may reduce the
security advantage of using an HSM. Use caution
when configuring the system in this way.
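Review bot: The PIN-file example `(umask 0700 && echo -n 0000 > /opt/bind9/etc/pin.txt)` inverts the intended permissions: a umask of 0700 clears the owner bits and keeps group/other read-write, so the file is created mode 0066, unreadable by its owner and readable by every other account on the host. The line should read `(umask 077 && echo -n 0000 > /opt/bind9/etc/pin.txt)` so the PIN file ends up 0600. The key-generation example also runs both `pkcs11-tool` commands with `--label example.net-ksk`; the second one should use `--label example.net-zsk`, which is the object the later `dnssec-keyfromlabel ... object=example.net-zsk` command expects and which the sentence "each key should have unique label" requires. Minor wording in the same block: "asume" should be "assume", and the sample log lines print the algorithm as `RSA256SHA256` where the surrounding lines use `RSASHA256`.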


@ -32,10 +32,6 @@ MANPAGES_RST = \
nsec3hash.rst \
nslookup.rst \
nsupdate.rst \
pkcs11-destroy.rst \
pkcs11-keygen.rst \
pkcs11-list.rst \
pkcs11-tokens.rst \
rndc-confgen.rst \
rndc.conf.rst \
rndc.rst \
@ -59,10 +55,6 @@ MANPAGES_RST = \
../../bin/dnssec/dnssec-verify.rst \
../../bin/named/named.rst \
../../bin/nsupdate/nsupdate.rst \
../../bin/pkcs11/pkcs11-destroy.rst \
../../bin/pkcs11/pkcs11-keygen.rst \
../../bin/pkcs11/pkcs11-list.rst \
../../bin/pkcs11/pkcs11-tokens.rst \
../../bin/plugins/filter-aaaa.rst \
../../bin/plugins/filter-a.rst \
../../bin/rndc/rndc.conf.rst \
@ -119,22 +111,10 @@ man_MANS += \
named-nzd2nzf.1
endif HAVE_LMDB
if HAVE_PKCS11
man_MANS += \
pkcs11-destroy.1 \
pkcs11-keygen.1 \
pkcs11-list.1 \
pkcs11-tokens.1
endif HAVE_PKCS11
MANPAGES_IN = \
$(man_MANS:=in) \
dnstap-read.1in \
named-nzd2nzf.1in \
pkcs11-destroy.1in \
pkcs11-keygen.1in \
pkcs11-list.1in \
pkcs11-tokens.1in
named-nzd2nzf.1in
EXTRA_DIST = \
conf.py \


@ -95,10 +95,6 @@ man_pages = [
('nsec3hash', 'nsec3hash', 'generate NSEC3 hash', author, 1),
('nslookup', 'nslookup', 'query Internet name servers interactively', author, 1),
('nsupdate', 'nsupdate', 'dynamic DNS update utility', author, 1),
('pkcs11-destroy', 'pkcs11-destroy', 'destroy PKCS#11 objects', author, 1),
('pkcs11-keygen', 'pkcs11-keygen', 'generate keys on a PKCS#11 device', author, 1),
('pkcs11-list', 'pkcs11-list', 'list PKCS#11 objects', author, 1),
('pkcs11-tokens', 'pkcs11-tokens', 'list PKCS#11 available tokens', author, 1),
('rndc-confgen', 'rndc-confgen', 'rndc key generation tool', author, 8),
('rndc.conf', 'rndc.conf', 'rndc configuration file', author, 5),
('rndc', 'rndc', 'name server control utility', author, 8),


@ -78,10 +78,7 @@ This option specifies the cryptographic hardware to use.
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually \fBpkcs11\fP). When BIND is
built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
defaults to the path of the PKCS#11 provider library specified via
\fB\-\-with\-pkcs11\fP\&.
hardware service module (usually \fBpkcs11\fP).
.TP
.B \fB\-l label\fP
This option specifies the label for a key pair in the crypto hardware.
@ -90,21 +87,6 @@ When BIND 9 is built with OpenSSL\-based PKCS#11 support, the label is
an arbitrary string that identifies a particular key. It may be
preceded by an optional OpenSSL engine name, followed by a colon, as
in \fBpkcs11:keylabel\fP\&.
.sp
When BIND 9 is built with native PKCS#11 support, the label is a
PKCS#11 URI string in the format
\fBpkcs11:keyword\e =value[;\e keyword\e =value;...]\fP\&. Keywords
include \fBtoken\fP, which identifies the HSM; \fBobject\fP, which identifies
the key; and \fBpin\-source\fP, which identifies a file from which the
HSM\(aqs PIN code can be obtained. The label is stored in the
on\-disk \fBprivate\fP file.
.sp
If the label contains a \fBpin\-source\fP field, tools using the
generated key files are able to use the HSM for signing and other
operations without any need for an operator to manually enter a PIN.
Note: Making the HSM\(aqs PIN accessible in this manner may reduce the
security advantage of using an HSM; use caution
with this feature.
.TP
.B \fB\-n nametype\fP
This option specifies the owner type of the key. The value of \fBnametype\fP must


@ -105,10 +105,7 @@ This option specifies the cryptographic hardware to use, when applicable.
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually \fBpkcs11\fP). When BIND is
built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
defaults to the path of the PKCS#11 provider library specified via
\fB\-\-with\-pkcs11\fP\&.
hardware service module (usually \fBpkcs11\fP).
.TP
.B \fB\-f flag\fP
This option sets the specified flag in the flag field of the KEY/DNSKEY record.


@ -61,10 +61,7 @@ This option specifies the cryptographic hardware to use, when applicable.
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually \fBpkcs11\fP). When BIND is
built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
defaults to the path of the PKCS#11 provider library specified via
\fB\-\-with\-pkcs11\fP\&.
hardware service module (usually \fBpkcs11\fP).
.TP
.B \fB\-f\fP
This option indicates a forced overwrite and causes \fBdnssec\-revoke\fP to write the new key pair,


@ -104,10 +104,7 @@ This option specifies the cryptographic hardware to use, when applicable.
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually \fBpkcs11\fP). When BIND is
built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
defaults to the path of the PKCS#11 provider library specified via
\fB\-\-with\-pkcs11\fP\&.
hardware service module (usually \fBpkcs11\fP).
.UNINDENT
.SH TIMING OPTIONS
.sp


@ -71,10 +71,7 @@ operations, such as a secure key store used for signing, when applicable.
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually \fBpkcs11\fP). When BIND is
built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
defaults to the path of the PKCS#11 provider library specified via
\fB\-\-with\-pkcs11\fP\&.
hardware service module (usually \fBpkcs11\fP).
.TP
.B \fB\-g\fP
This option indicates that DS records for child zones should be generated from a \fBdsset\-\fP or \fBkeyset\-\fP


@ -49,10 +49,7 @@ This option specifies the cryptographic hardware to use, when applicable.
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually \fBpkcs11\fP). When BIND is
built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
defaults to the path of the PKCS#11 provider library specified via
\fB\-\-with\-pkcs11\fP\&.
hardware service module (usually \fBpkcs11\fP).
.TP
.B \fB\-I input\-format\fP
This option sets the format of the input zone file. Possible formats are \fBtext\fP


@ -74,10 +74,7 @@ operations, such as a secure key store used for signing.
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually \fBpkcs11\fP). When BIND is
built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
defaults to the path of the PKCS#11 provider library specified via
\fB\-\-with\-pkcs11\fP\&.
hardware service module (usually \fBpkcs11\fP).
.TP
.B \fB\-f\fP
This option runs the server in the foreground (i.e., do not daemonize).


@ -1,74 +0,0 @@
.\" Man page generated from reStructuredText.
.
.TH "PKCS11-DESTROY" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
.SH NAME
pkcs11-destroy \- destroy PKCS#11 objects
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
pkcs11\-destroy \- destroy PKCS#11 objects
.sp
\fBpkcs11\-destroy\fP [\fB\-m\fP module] [\fB\-s\fP slot] [\fB\-i\fP ID] [\fB\-l\fP label] [\fB\-p\fP PIN] [\fB\-w\fP seconds]
.sp
\fBpkcs11\-destroy\fP destroys keys stored in a PKCS#11 device, identified
by their \fBID\fP or \fBlabel\fP\&.
.sp
Matching keys are displayed before being destroyed. By default, there is
a five\-second delay to allow the user to interrupt the process before
the destruction takes place.
.INDENT 0.0
.TP
.B \fB\-m module\fP
This option specifies the PKCS#11 provider module. This must be the full path to a
shared library object implementing the PKCS#11 API for the device.
.TP
.B \fB\-s slot\fP
This option opens the session with the given PKCS#11 slot. The default is slot 0.
.TP
.B \fB\-i ID\fP
This option destroys keys with the given object ID.
.TP
.B \fB\-l label\fP
This option destroys keys with the given label.
.TP
.B \fB\-p PIN\fP
This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command
line, \fBpkcs11\-destroy\fP prompts for it.
.TP
.B \fB\-w seconds\fP
This option specifies how long, in seconds, to pause before carrying out key destruction. The
default is 5 seconds. If set to \fB0\fP, destruction is
immediate.
.UNINDENT
.sp
\fBpkcs11\-keygen(8)\fP, \fBpkcs11\-list(8)\fP, \fBpkcs11\-tokens(8)\fP
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
2021, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.


@ -1,13 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
:orphan:
.. include:: ../../bin/pkcs11/pkcs11-destroy.rst


@ -1,95 +0,0 @@
.\" Man page generated from reStructuredText.
.
.TH "PKCS11-KEYGEN" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
.SH NAME
pkcs11-keygen \- generate keys on a PKCS#11 device
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH SYNOPSIS
.sp
\fBpkcs11\-keygen\fP [\fB\-a\fP algorithm] [\fB\-b\fP keysize] [\fB\-e\fP] [\fB\-i\fP id] [\fB\-m\fP module] [\fB\-P\fP] [\fB\-p\fP PIN] [\fB\-q\fP] [\fB\-S\fP] [\fB\-s\fP slot] label
.SH DESCRIPTION
.sp
\fBpkcs11\-keygen\fP causes a PKCS#11 device to generate a new key pair
with the given \fBlabel\fP (which must be unique) and with \fBkeysize\fP
bits of prime.
.SH OPTIONS
.INDENT 0.0
.TP
.B \fB\-a algorithm\fP
This option specifies the key algorithm class: supported classes are RSA, DSA, DH,
ECC, and ECX. In addition to these strings, the \fBalgorithm\fP can be
specified as a DNSSEC signing algorithm to be used with this
key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to
ECC, and ED25519 to ECX. The default class is \fBRSA\fP\&.
.TP
.B \fB\-b keysize\fP
This option creates the key pair with \fBkeysize\fP bits of prime. For ECC keys, the
only valid values are 256 and 384, and the default is 256. For ECX
keys, the only valid values are 256 and 456, and the default is 256.
.TP
.B \fB\-e\fP
For RSA keys only, this option specifies use of a large exponent.
.TP
.B \fB\-i id\fP
This option creates key objects with \fBid\fP\&. The ID is either an unsigned short 2\-byte
or an unsigned long 4\-byte number.
.TP
.B \fB\-m module\fP
This option specifies the PKCS#11 provider module. This must be the full path to a
shared library object implementing the PKCS#11 API for the device.
.TP
.B \fB\-P\fP
This option sets the new private key to be non\-sensitive and extractable, and
allows the private key data to be read from the PKCS#11 device. The
default is for private keys to be sensitive and non\-extractable.
.TP
.B \fB\-p PIN\fP
This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command
line, \fBpkcs11\-keygen\fP prompts for it.
.TP
.B \fB\-q\fP
This option sets quiet mode, which suppresses unnecessary output.
.TP
.B \fB\-S\fP
For Diffie\-Hellman (DH) keys only, this option specifies use of a special prime of 768\-, 1024\-,
or 1536\-bit size and base (AKA generator) 2. If not specified, bit
size defaults to 1024.
.TP
.B \fB\-s slot\fP
This option opens the session with the given PKCS#11 slot. The default is slot 0.
.UNINDENT
.SH SEE ALSO
.sp
\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-list(8)\fP, \fBpkcs11\-tokens(8)\fP, \fBdnssec\-keyfromlabel(8)\fP
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
2021, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.


@ -1,13 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
:orphan:
.. include:: ../../bin/pkcs11/pkcs11-keygen.rst


@ -1,73 +0,0 @@
.\" Man page generated from reStructuredText.
.
.TH "PKCS11-LIST" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
.SH NAME
pkcs11-list \- list PKCS#11 objects
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.sp
\fBpkcs11\-list\fP [\fB\-P\fP] [\fB\-m\fP module] [\fB\-s\fP slot] [\fB\-i\fP ID \fB] [\-l\fP label] [\fB\-p\fP PIN]
.SH DESCRIPTION
.sp
\fBpkcs11\-list\fP lists the PKCS#11 objects with \fBID\fP or \fBlabel\fP or, by
default, all objects. The object class, label, and ID are displayed for
all keys. For private or secret keys, the extractability attribute is
also displayed, as either \fBtrue\fP, \fBfalse\fP, or \fBnever\fP\&.
.SH OPTIONS
.INDENT 0.0
.TP
.B \fB\-P\fP
This option lists only the public objects. (Note that on some PKCS#11 devices, all
objects are private.)
.TP
.B \fB\-m module\fP
This option specifies the PKCS#11 provider module. This must be the full path to a
shared library object implementing the PKCS#11 API for the device.
.TP
.B \fB\-s slot\fP
This option opens the session with the given PKCS#11 slot. The default is slot 0.
.TP
.B \fB\-i ID\fP
This option lists only key objects with the given object ID.
.TP
.B \fB\-l label\fP
This option lists only key objects with the given label.
.TP
.B \fB\-p PIN\fP
This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command
line, \fBpkcs11\-list\fP prompts for it.
.UNINDENT
.SH SEE ALSO
.sp
\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-keygen(8)\fP, \fBpkcs11\-tokens(8)\fP
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
2021, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.


@ -1,13 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
:orphan:
.. include:: ../../bin/pkcs11/pkcs11-list.rst


@ -1,58 +0,0 @@
.\" Man page generated from reStructuredText.
.
.TH "PKCS11-TOKENS" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
.SH NAME
pkcs11-tokens \- list PKCS#11 available tokens
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH SYNOPSIS
.sp
\fBpkcs11\-tokens\fP [\fB\-m\fP module] [\fB\-v\fP]
.SH DESCRIPTION
.sp
\fBpkcs11\-tokens\fP lists the PKCS#11 available tokens with defaults from
the slot/token scan performed at application initialization.
.SH OPTIONS
.INDENT 0.0
.TP
.B \fB\-m module\fP
This option specifies the PKCS#11 provider module. This must be the full path to a
shared library object implementing the PKCS#11 API for the device.
.TP
.B \fB\-v\fP
This option makes the PKCS#11 libisc initialization verbose.
.UNINDENT
.SH SEE ALSO
.sp
\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-keygen(8)\fP, \fBpkcs11\-list(8)\fP
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
2021, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.


@ -1,13 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
:orphan:
.. include:: ../../bin/pkcs11/pkcs11-tokens.rst


@ -29,7 +29,8 @@ New Features
Removed Features
~~~~~~~~~~~~~~~~
- None.
- Native PKCS#11 support has been removed; BIND 9 now uses OpenSSL engine_pkcs11 from the
OpenSC project. :gl:`#2691`
Feature Changes
~~~~~~~~~~~~~~~


@ -40,8 +40,6 @@
#include <isc/symtab.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/acl.h>
#include <dns/dnstap.h>
#include <dns/fixedname.h>


@ -176,7 +176,6 @@ libdns_la_SOURCES = \
dst_openssl.h \
dst_parse.c \
dst_parse.h \
dst_pkcs11.h \
dst_result.c \
dyndb.c \
ecs.c \
@ -205,6 +204,9 @@ libdns_la_SOURCES = \
nta.c \
openssl_link.c \
openssldh_link.c \
opensslecdsa_link.c \
openssleddsa_link.c \
opensslrsa_link.c \
order.c \
peer.c \
private.c \
@ -256,19 +258,6 @@ libdns_la_SOURCES += \
gssapi_link.c
endif
if HAVE_PKCS11
libdns_la_SOURCES += \
pkcs11.c \
pkcs11ecdsa_link.c \
pkcs11eddsa_link.c \
pkcs11rsa_link.c
else !HAVE_PKCS11
libdns_la_SOURCES += \
opensslecdsa_link.c \
openssleddsa_link.c \
opensslrsa_link.c
endif
if HAVE_GEOIP2
libdns_la_SOURCES += \
geoip2.c


@ -24,8 +24,6 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/db.h>
#include <dns/diff.h>
#include <dns/dnssec.h>


@ -45,8 +45,6 @@
#include <isc/time.h>
#include <isc/util.h>
#include <pk11/site.h>
#define DST_KEY_INTERNAL
#include <dns/fixedname.h>
@ -203,7 +201,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
RETERR(dst__openssl_init(engine));
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
#if USE_OPENSSL
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
DST_ALG_RSASHA1));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
@ -220,19 +217,7 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
#ifdef HAVE_OPENSSL_ED448
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
#endif /* ifdef HAVE_OPENSSL_ED448 */
#endif /* USE_OPENSSL */
#if USE_PKCS11
RETERR(dst__pkcs11_init(mctx, engine));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519]));
RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
#endif /* USE_PKCS11 */
#if HAVE_GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
#endif /* HAVE_GSSAPI */
@ -259,9 +244,6 @@ dst_lib_destroy(void) {
}
}
dst__openssl_destroy();
#if USE_PKCS11
(void)dst__pkcs11_destroy();
#endif /* USE_PKCS11 */
}
bool
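Review bot: After this hunk `dst__openssl_init(engine)` is the only consumer of the `engine` argument of `dst_lib_init`, because the deleted `dst__pkcs11_init(mctx, engine)` call was the other path; the function's header comment (outside this hunk) should now state that `engine` names an OpenSSL engine such as `pkcs11` from OpenSC's engine_pkcs11, not a PKCS#11 provider module. It is also worth confirming that `mctx` is still used elsewhere in the body, since its only use visible here was the removed `dst__pkcs11_init` call; if it is not, the parameter is now dead and should at least be marked `UNUSED(mctx);`. The body of `dst_lib_init` begins before this hunk, and `dst_lib_destroy` continues after it.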


@ -28,6 +28,12 @@
#include <inttypes.h>
#include <stdbool.h>
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
#include <isc/buffer.h>
#include <isc/hmac.h>
#include <isc/lang.h>
@ -38,17 +44,6 @@
#include <isc/stdtime.h>
#include <isc/types.h>
#if USE_PKCS11
#include <pk11/pk11.h>
#include <pk11/site.h>
#endif /* USE_PKCS11 */
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
#include <dns/time.h>
#include <dst/dst.h>
@ -99,12 +94,7 @@ struct dst_key {
void *generic;
dns_gss_ctx_id_t gssctx;
DH *dh;
#if USE_OPENSSL
EVP_PKEY *pkey;
#endif /* if USE_OPENSSL */
#if USE_PKCS11
pk11_object_t *pkey;
#endif /* if USE_PKCS11 */
dst_hmac_key_t *hmac_key;
} keydata; /*%< pointer to key in crypto pkg fmt */
@ -149,9 +139,6 @@ struct dst_context {
dst_gssapi_signverifyctx_t *gssctx;
isc_hmac_t *hmac_ctx;
EVP_MD_CTX *evp_md_ctx;
#if USE_PKCS11
pk11_context_t *pk11_ctx;
#endif /* if USE_PKCS11 */
} ctxdata;
};
@ -203,7 +190,6 @@ struct dst_func {
*/
isc_result_t
dst__openssl_init(const char *engine);
#define dst__pkcs11_init pk11_initialize
isc_result_t
dst__hmacmd5_init(struct dst_func **funcp);
@ -219,7 +205,6 @@ isc_result_t
dst__hmacsha512_init(struct dst_func **funcp);
isc_result_t
dst__openssldh_init(struct dst_func **funcp);
#if USE_OPENSSL
isc_result_t
dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
isc_result_t
@ -228,17 +213,6 @@ dst__opensslecdsa_init(struct dst_func **funcp);
isc_result_t
dst__openssleddsa_init(struct dst_func **funcp);
#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */
#endif /* USE_OPENSSL */
#if USE_PKCS11
isc_result_t
dst__pkcs11rsa_init(struct dst_func **funcp);
isc_result_t
dst__pkcs11dsa_init(struct dst_func **funcp);
isc_result_t
dst__pkcs11ecdsa_init(struct dst_func **funcp);
isc_result_t
dst__pkcs11eddsa_init(struct dst_func **funcp);
#endif /* USE_PKCS11 */
#if HAVE_GSSAPI
isc_result_t
dst__gssapi_init(struct dst_func **funcp);
@ -249,7 +223,6 @@ dst__gssapi_init(struct dst_func **funcp);
*/
void
dst__openssl_destroy(void);
#define dst__pkcs11_destroy pk11_finalize
/*%
* Memory allocators using the DST memory pool.


@ -38,8 +38,6 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/log.h>
#include <dns/time.h>


@ -1,41 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#ifndef DST_PKCS11_H
#define DST_PKCS11_H 1
#include <isc/lang.h>
#include <isc/log.h>
#include <isc/result.h>
ISC_LANG_BEGINDECLS
isc_result_t
dst__pkcs11_toresult(const char *funcname, const char *file, int line,
isc_result_t fallback, CK_RV rv);
#define PK11_CALL(func, args, fallback) \
((void)(((rv = (func)args) == CKR_OK) || \
((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \
fallback, rv)), \
0)))
#define PK11_RET(func, args, fallback) \
((void)(((rv = (func)args) == CKR_OK) || \
((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \
fallback, rv)), \
0))); \
if (rv != CKR_OK) \
goto err;
ISC_LANG_ENDDECLS
#endif /* DST_PKCS11_H */


@ -36,8 +36,6 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dst/result.h>
#include "dst_internal.h"


@ -26,7 +26,6 @@
#include <dns/types.h>
#include <dst/dst.h>
#include <pk11/site.h>
/*
* Algorithms.


@ -36,8 +36,6 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dst/result.h>
#include "dst_internal.h"


@ -24,8 +24,6 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dst/result.h>
#include "dst_internal.h"


@ -1,33 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#include <isc/util.h>
#include <pk11/internal.h>
#include <pk11/pk11.h>
#include <dns/log.h>
#include <dns/result.h>
#include "dst_internal.h"
#include "dst_pkcs11.h"
isc_result_t
dst__pkcs11_toresult(const char *funcname, const char *file, int line,
isc_result_t fallback, CK_RV rv) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_CRYPTO,
ISC_LOG_WARNING, "%s:%d: %s: Error = 0x%.8lX\n", file,
line, funcname, rv);
if (rv == CKR_HOST_MEMORY) {
return (ISC_R_NOMEMORY);
}
return (fallback);
}





@ -24,8 +24,6 @@
#include <isc/types.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/cert.h>
#include <dns/ds.h>
#include <dns/dsdigest.h>


@ -25,8 +25,6 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/name.h>
#include <dst/result.h>


@ -26,8 +26,6 @@
#include <isc/print.h>
#include <isc/util.h>
#include <pk11/site.h>
#include "../dst_internal.h"
#include "dnstest.h"


@ -29,8 +29,6 @@
#include <isc/string.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
@ -53,10 +51,6 @@
#define TEMP_BUFFER_SZ 8192
#define TKEY_RANDOM_AMOUNT 16
#if USE_PKCS11
#include <pk11/pk11.h>
#endif /* if USE_PKCS11 */
#define RETERR(x) \
do { \
result = (x); \


@ -12,8 +12,6 @@
#include <isc/mem.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/result.h>
#include <dns/tsec.h>
#include <dns/tsig.h>


@ -24,8 +24,6 @@
#include <isc/time.h>
#include <isc/util.h>
#include <pk11/site.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>


@ -106,22 +106,8 @@ libisc_la_HEADERS = \
include/isc/utf8.h \
include/isc/util.h
pk11dir = $(includedir)/pk11
pk11_HEADERS = \
include/pk11/constants.h \
include/pk11/internal.h \
include/pk11/pk11.h \
include/pk11/result.h \
include/pk11/site.h
pkcs11dir = $(includedir)/pkcs11
pkcs11_HEADERS = \
include/pkcs11/pkcs11.h
libisc_la_SOURCES = \
$(libisc_la_HEADERS) \
$(pk11_HEADERS) \
$(pkcs11_HEADERS) \
netmgr/netmgr-int.h \
netmgr/netmgr.c \
netmgr/tcp.c \
@ -186,9 +172,6 @@ libisc_la_SOURCES = \
openssl_shim.h \
os.c \
parseint.c \
pk11.c \
pk11_api.c \
pk11_result.c \
pool.c \
portset.c \
queue.c \


@ -1,35 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
#include <inttypes.h>
/*! \file pk11/constants.h */
/*%
* Static arrays of data used for key template initialization
*/
#define PK11_ECC_PRIME256V1 \
(uint8_t[]) { \
0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 \
}
#define PK11_ECC_SECP384R1 \
(uint8_t[]) { 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 }
#define PK11_ECX_ED25519 \
(uint8_t[]) { \
0x13, 0xc, 'e', 'd', 'w', 'a', 'r', 'd', 's', '2', '5', '5', \
'1', '9' \
}
#define PK11_ECX_ED448 \
(uint8_t[]) { \
0x13, 0xa, 'e', 'd', 'w', 'a', 'r', 'd', 's', '4', '4', '8' \
}
