According to the current design page of bind-dyndb-ldap [1], to provide the DNSSEC feature BIND utilizes its own PKCS11 implementation to connect to SoftHSM directly.
Such support for PKCS11 is configured during the BIND build. For example,

```
--enable-native-pkcs11 \
--with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so
```

The main disadvantage of this is that distros have to have two sets of binaries and libraries, one of which performs crypto ops using OpenSSL and the other using SoftHSM.
As a result, this may become a blocker for supporting DNSSEC in FreeIPA installations. For example, for this reason, ALT Linux doesn't have DNSSEC in FreeIPA [3].
Fortunately, there is a nice project, libp11 [2], which provides a `pkcs11` engine plugin for the OpenSSL library for accessing PKCS#11 modules in a semi-transparent way.
With the help of libp11, FreeIPA could use the `regular` named (BIND) [4] and thereby improve cross-platform support.
At the time of this writing, libp11 and SoftHSM have merged the needed patches but haven't released them yet.
[1] https://docs.pagure.org/bind-dyndb-ldap/BIND9/Design/DNSSEC/Keys/Shortterm.html#dnssec-key-rotation-shortterm
[2] https://github.com/OpenSC/libp11
[3] https://gitlab.isc.org/isc-projects/bind9/issues/1228
[4] ftp://ftp.isc.org/isc/bind9/9.11.10/doc/arm/Bv9ARM.ch04.html#pkcs11
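As an added example, not from this ticket and not from the libp11 project itself, the following `openssl.cnf` fragment is the glue that lets an ordinary OpenSSL-built named reach the same SoftHSM token the native-PKCS11 build would open directly: OpenSSL loads the libp11 engine dynamically and the engine loads the PKCS#11 module. The `dynamic_path` and `MODULE_PATH` values are assumptions for a 64-bit Fedora/RHEL layout with OpenSSL 1.1 and should be adjusted per distribution.

```ini
# Added example (not from the ticket or libp11): OpenSSL configuration that
# registers the libp11 "pkcs11" engine and points it at SoftHSM.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Assumed paths for a 64-bit Fedora/RHEL layout with OpenSSL 1.1; adjust per distro.
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib64/pkcs11/libsofthsm2.so
# Do not initialize the engine at config load; the module is opened on first use.
init = 0
```

With this file selected through `OPENSSL_CONF`, `openssl engine -t -c pkcs11` should list the engine as available and show its supported capabilities; a wrong `MODULE_PATH` surfaces there rather than later inside named. Because `init = 0` defers initialization, a missing SoftHSM library is reported when the engine is first used, not at OpenSSL startup. The BIND tools described in [4] (for example `dnssec-keyfromlabel` with `-E pkcs11`) can then reference keys on the token by label without a second, SoftHSM-linked build of BIND.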
To make it usable we also need to rebase OpenDNSSEC and SoftHSM to newer versions in downstreams (there were issues with the OpenDNSSEC rebase).
Yesterday's news: https://www.opendnssec.org/2019/10/opendnssec-1-4-end-of-life-upgrading-and-testing-versions/
Actually, I've checked the DNSSEC feature against the OpenDNSSEC 1.4 branch. But, of course, I could try 2.x.
I filed https://bugzilla.redhat.com/show_bug.cgi?id=1759888 for RHEL. We'll probably need to create a change request for Fedora 32 too.
F30 and F31 have the bare libp11-0.4.10, while the list of required patches is:
- https://github.com/OpenSC/libp11/pull/303
- https://github.com/OpenSC/libp11/pull/308
- https://github.com/OpenSC/libp11/pull/309
I could open tickets for Fedora. For which Fedora versions should I do it?
Let's start with rawhide.
The OpenSSL engine patch is failing in FIPS mode.
The OpenSSL PKCS11 engine does not set the `RSA_FLAG_FIPS_METHOD` flag on the RSA ENGINE method. Therefore OpenSSL FIPS mode considers the method non-FIPS compliant and `RSA_new()` fails:
```
(gdb) n
93        if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) {
(gdb) n
94            RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD)
(gdb) bt
#0  RSA_new_method (engine=engine@entry=0x0) at crypto/rsa/rsa_lib.c:94
#1  0x00007ffff7b5575b in RSA_new () at crypto/rsa/rsa_lib.c:22
#2  0x00007ffff7f1be2f in opensslrsa_fromdns (key=0x7ffff4d462f0, data=0x7ffff71c7a80) at ../../../lib/dns/opensslrsa_link.c:1254
#3  0x00007ffff7f20042 in frombuffer (name=name@entry=0x7ffff71c7b00, alg=alg@entry=8, flags=flags@entry=257, protocol=protocol@entry=3, rdclass=rdclass@entry=1, source=source@entry=0x7ffff71c7a80, mctx=0x5555556515a0, keyp=0x7ffff71c7968) at ../../../lib/dns/dst_api.c:1943
#4  0x00007ffff7f20240 in dst_key_fromdns (name=name@entry=0x7ffff71c7b00, rdclass=<optimized out>, source=source@entry=0x7ffff71c7a80, mctx=mctx@entry=0x5555556515a0, keyp=keyp@entry=0x7ffff71c7a08) at ../../../lib/dns/dst_api.c:794
#5  0x00005555555ae41a in dstkey_fromconfig (vconfig=vconfig@entry=0x0, key=0x7ffff72083f8, managed=managed@entry=true, target=target@entry=0x7ffff71c9d88, mctx=mctx@entry=0x5555556515a0) at ../../../bin/named/server.c:792
#6  0x00005555555ae592 in load_view_keys (keys=<optimized out>, vconfig=vconfig@entry=0x0, view=view@entry=0x7ffff00d2cf0, managed=managed@entry=true, keyname=keyname@entry=0x0, mctx=mctx@entry=0x5555556515a0) at ../../../bin/named/server.c:845
#7  0x00005555555af09b in configure_view_dnsseckeys (view=view@entry=0x7ffff00d2cf0, vconfig=vconfig@entry=0x0, config=config@entry=0x7ffff72018a8, bindkeys=bindkeys@entry=0x0, auto_root=auto_root@entry=false, mctx=mctx@entry=0x5555556515a0) at ../../../bin/named/server.c:1041
#8  0x00005555555bbdf6 in configure_view (view=<optimized out>, viewlist=viewlist@entry=0x7ffff71cc8c0, config=<optimized out>, vconfig=vconfig@entry=0x0, cachelist=cachelist@entry=0x7ffff71cc8e0, bindkeys=<optimized out>, mctx=<optimized out>, actx=<optimized out>, need_hints=<optimized out>) at ../../../bin/named/server.c:4705
#9  0x00005555555ca9ff in load_configuration (filename=<optimized out>, server=server@entry=0x7ffff71da010, first_time=first_time@entry=true) at ../../../bin/named/server.c:8125
#10 0x00005555555cbb02 in run_server (task=<optimized out>, event=<optimized out>) at ../../../bin/named/server.c:8887
#11 0x00007ffff7cbfebe in dispatch (manager=0x7ffff71d3010) at ../../../lib/isc/task.c:1145
#12 run (uap=0x7ffff71d3010) at ../../../lib/isc/task.c:1319
#13 0x00007ffff79444e2 in start_thread () from /lib64/libpthread.so.0
#14 0x00007ffff76e96a3 in clone () from /lib64/libc.so.6
(gdb) p *ret
$5 = {pad = 0, version = 0, meth = 0x555555631b10, engine = 0x5555556375d0, n = 0x0, e = 0x0, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1 = 0x0, iqmp = 0x0, prime_infos = 0x0, pss = 0x0, ex_data = {sk = 0x0}, references = 1, flags = 0, _method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0, bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0, lock = 0x7ffff0000b60}
(gdb) p *ret->engine
$6 = {id = 0x7ffff5199000 "pkcs11", name = 0x7ffff5199016 "pkcs11 engine", rsa_meth = 0x555555631b10, dsa_meth = 0x0, dh_meth = 0x0, ec_meth = 0x555555631a90, rand_meth = 0x0, ciphers = 0x0, digests = 0x0, pkey_meths = 0x7ffff5196d80 <PKCS11_pkey_meths>, pkey_asn1_meths = 0x0, destroy = 0x7ffff518e760 <engine_destroy>, init = 0x7ffff518e730 <engine_init>, finish = 0x7ffff518e700 <engine_finish>, ctrl = 0x7ffff518e6b0 <engine_ctrl>, load_privkey = 0x7ffff518e600 <load_privkey>, load_pubkey = 0x7ffff518e670 <load_pubkey>, load_ssl_client_cert = 0x0, cmd_defns = 0x7ffff519e720, flags = 0, struct_ref = 7, funct_ref = 5, ex_data = {sk = 0x5555556311e0}, prev = 0x5555556376f0, next = 0x0
```
I have filed https://bugzilla.redhat.com/show_bug.cgi?id=1827535 for the openssl-pkcs11 engine problem.
openssl-pkcs11-0.4.10-6 fixes the issue. I'm going to add the new version to master copr until the build has reached stable F31 and F32.
Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)