running named built with --enable-native-pkcs11 without HSM provider library

Evan Hunt each at isc.org
Wed Aug 6 19:42:06 UTC 2014


On Wed, Aug 06, 2014 at 02:02:33PM -0400, Tomas Hozza wrote:
> As far as I understand, without native-pkcs11 OpenSSL is used for crypto
> operations if the provided PKCS#11 library did not support some operation, or
> if the PKCS#11 provider library was not provided/was not available at all.
> 
> With native-pkcs11 the PKCS#11 provider library has to be provided
> and available all the time. I'm interested if there is any chance to
> fall-back to OpenSSL in that case OR specify OpenSSL as provider library
> (however preferably without the needed patch) during the build and if needed,
> specify e.g. the SoftHSMv2 provider library on the command line using '-E'
> during the runtime.

There are currently three possible ways to provide crypto in BIND.

- Link with OpenSSL (this is the default).

- PKCS#11 via patched OpenSSL.  This requires an alternate version of
  OpenSSL that originated as part of the OpenSolaris project (which is
  no more).  The patches were never accepted upstream by the OpenSSL
  maintainers, so ISC has been supporting them: they're included with
  the BIND source.

  In this model, BIND calls crypto functions in OpenSSL as usual, but
  OpenSSL passes along some of the requests as PKCS#11 primitives to an
  HSM instead of handling them itself.  Functions not provided by the HSM
  are handled by OpenSSL.

  This works with several HSMs, but it's complex, difficult to debug,
  and cumbersome to have to use a nonstandard OpenSSL.  Also, frankly
  we'd prefer not to have to maintain the patches forever, so we're
  hoping to deprecate this model in time.

- Native PKCS#11, introduced in BIND 9.10.  In this model, BIND speaks
  directly to a PKCS#11 provider; OpenSSL isn't in the picture at all.

  For it to work, we need the provider to have a *full* implementation of
  the PKCS#11 API, because the provider needs to serve *all* of BIND's
  cryptographic needs -- not just signing but also validation, hashing,
  random number generation, etc.  Currently I only know of two PKCS#11
  providers that work:  Thales, and SoftHSMv2.

  There isn't currently any mechanism to have BIND switch back and forth
  between providers.  You can use the -E option to select a provider
  at runtime, but there's no way to alter that selection except to
  restart the server.  That's what the "shim" I mentioned would be for.

  Unfortunately, I can't tell you anything about when such a thing is
  likely to get written; we've got a lot of other tasks lined up
  ahead of it, and not enough pairs of hands.  Contributed code or
  offers of sponsorship would be lovely.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
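Since a native-PKCS#11 build has no OpenSSL to fall back on, an operator wants to know before starting named whether the provider handed to -E really offers the hashing, signing/verification and random-number primitives the server will demand of it. The probe below is an added example written for this thread; it is not ISC code and not part of BIND. It assumes the provider shared object exports the standard C_* entry points as plain symbols (SoftHSMv2 does), the mechanism numbers are the ones from the PKCS#11 v2.x headers, and the grouping of mechanisms into "what BIND needs" is this example's own approximation rather than a list taken from BIND's sources.

```python
"""Probe a PKCS#11 provider for the primitives a native-pkcs11 named needs.

Added example, not ISC/BIND code.  Assumes the provider .so exports the
C_* functions as ordinary symbols and follows the PKCS#11 v2.x ABI.
"""
import ctypes
import sys

CK_ULONG = ctypes.c_ulong

# Mechanism and constant values from the PKCS#11 v2.x headers (pkcs11t.h).
CKM_RSA_PKCS_KEY_PAIR_GEN = 0x0000
CKM_RSA_PKCS = 0x0001
CKM_SHA_1 = 0x0220
CKM_SHA256 = 0x0250
CKM_SHA512 = 0x0270
CKM_EC_KEY_PAIR_GEN = 0x1040
CKM_ECDSA = 0x1041
CKR_OK = 0
CKF_TOKEN_PRESENT = 0x0001
CKF_SERIAL_SESSION = 0x0004

# Capabilities the server must get from the provider once OpenSSL is gone.
# This grouping is the example's own approximation, not BIND's internal list.
REQUIREMENTS = {
    "hashing": {CKM_SHA_1, CKM_SHA256, CKM_SHA512},   # DS, NSEC3, RRSIG digests
    "rsa_sign_verify": {CKM_RSA_PKCS},               # raw PKCS#1 for RSASHA* algorithms
    "rsa_keygen": {CKM_RSA_PKCS_KEY_PAIR_GEN},       # generating keys on the token
    "ecdsa_sign_verify": {CKM_ECDSA},
    "ecdsa_keygen": {CKM_EC_KEY_PAIR_GEN},
}


def classify_mechanisms(mechs):
    """Map capability -> bool; met only when every mechanism in its set is offered."""
    offered = set(mechs)
    return {cap: needed <= offered for cap, needed in REQUIREMENTS.items()}


def missing_capabilities(mechs):
    """Sorted names of capabilities the token cannot serve; [] means 'full enough'."""
    return sorted(cap for cap, ok in classify_mechanisms(mechs).items() if not ok)


def probe_provider(path, slot_index=0):
    """Load the provider, list mechanisms on a present token and try C_GenerateRandom.

    Returns (set of mechanism numbers, random_ok).  Raises RuntimeError on
    PKCS#11 errors so a start-up wrapper can refuse to launch named.
    """
    lib = ctypes.CDLL(path)
    for name in ("C_Initialize", "C_Finalize", "C_GetSlotList", "C_GetMechanismList",
                 "C_OpenSession", "C_CloseSession", "C_GenerateRandom"):
        getattr(lib, name).restype = CK_ULONG          # CK_RV is an unsigned long
    lib.C_Initialize.argtypes = [ctypes.c_void_p]
    lib.C_Finalize.argtypes = [ctypes.c_void_p]
    lib.C_GetSlotList.argtypes = [ctypes.c_ubyte, ctypes.POINTER(CK_ULONG), ctypes.POINTER(CK_ULONG)]
    lib.C_GetMechanismList.argtypes = [CK_ULONG, ctypes.POINTER(CK_ULONG), ctypes.POINTER(CK_ULONG)]
    lib.C_OpenSession.argtypes = [CK_ULONG, CK_ULONG, ctypes.c_void_p, ctypes.c_void_p, ctypes.POINTER(CK_ULONG)]
    lib.C_CloseSession.argtypes = [CK_ULONG]
    lib.C_GenerateRandom.argtypes = [CK_ULONG, ctypes.POINTER(ctypes.c_ubyte), CK_ULONG]

    rv = lib.C_Initialize(None)
    if rv != CKR_OK:
        raise RuntimeError("C_Initialize failed: 0x%x" % rv)
    try:
        # Two-call idiom: first ask for the count, then for the list itself.
        count = CK_ULONG(0)
        rv = lib.C_GetSlotList(CKF_TOKEN_PRESENT, None, ctypes.byref(count))
        if rv != CKR_OK or count.value == 0:
            raise RuntimeError("no token present (rv=0x%x)" % rv)
        slots = (CK_ULONG * count.value)()
        lib.C_GetSlotList(CKF_TOKEN_PRESENT, slots, ctypes.byref(count))
        slot = slots[slot_index]

        count = CK_ULONG(0)
        rv = lib.C_GetMechanismList(slot, None, ctypes.byref(count))
        if rv != CKR_OK:
            raise RuntimeError("C_GetMechanismList failed: 0x%x" % rv)
        mech_list = (CK_ULONG * count.value)()
        lib.C_GetMechanismList(slot, mech_list, ctypes.byref(count))
        mechs = set(int(m) for m in mech_list)

        # Random numbers are not a mechanism; exercise C_GenerateRandom directly.
        session = CK_ULONG(0)
        rv = lib.C_OpenSession(slot, CKF_SERIAL_SESSION, None, None, ctypes.byref(session))
        if rv != CKR_OK:
            raise RuntimeError("C_OpenSession failed: 0x%x" % rv)
        buf = (ctypes.c_ubyte * 32)()
        random_ok = lib.C_GenerateRandom(session, buf, len(buf)) == CKR_OK and any(buf)
        lib.C_CloseSession(session)
        return mechs, random_ok
    finally:
        lib.C_Finalize(None)


if __name__ == "__main__":
    # Usage: python probe_pkcs11.py /path/to/libsofthsm2.so   (path is the operator's)
    mechs, random_ok = probe_provider(sys.argv[1])
    gaps = missing_capabilities(mechs)
    print("random: %s, missing: %s" % ("ok" if random_ok else "FAILED", gaps or "none"))
    sys.exit(1 if gaps or not random_ok else 0)
```

The provider path is whatever you would pass to named -E; a non-zero exit from the probe is a reason not to start the server with that provider, because nothing in a native-pkcs11 build will step in for a missing primitive.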

