Report information
The Basics
Id:
46749
Status:
open
Priority:
Low/Low
Queue:
bind9-public
People
Owner:
Nobody in particular
Requestors:
Cc:
AdminCc:
BugTracker
Version Fixed:
(no value)
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
(no value)
Severity:
(no value)
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
(no value)
Area:
feature
Dates
Created:Sat, 02 Dec 2017 09:23:33 -0500
Updated:Mon, 04 Dec 2017 06:01:49 -0500
Closed:Not set

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History
  Sat, 02 Dec 2017 09:23:35 -0500 Mukund Sivaraman <muks@isc.org> - Ticket created
Subject: Update PKCS #11 OpenSSL engine usage documentation in ARM
Date: Sat, 2 Dec 2017 19:53:23 +0530
From: "Mukund Sivaraman" <muks@isc.org>
To: bind9-public@isc.org

The description in the ARM about using BIND with PKCS #11 as OpenSSL engine is very obsolete (not available any longer). This ticket should update the ARM with a correct description of how to use BIND with PKCS #11 OpenSSL engine on a modern distribution, with example of usage with softhsm. Mukund
  Sat, 02 Dec 2017 20:51:47 -0500 Evan Hunt <each@isc.org> - Correspondence added
From: "Evan Hunt" <each@isc.org>
Subject: Re: [ISC-Bugs #46749] Update PKCS #11 OpenSSL engine usage documentation in ARM
To: "Mukund Sivaraman via RT" <bind9-public@isc.org>
Date: Sun, 3 Dec 2017 01:51:27 +0000
CC:

> The description in the ARM about using BIND with PKCS #11 as OpenSSL > engine is very obsolete (not available any longer). This ticket should > update the ARM with a correct description of how to use BIND with PKCS > #11 OpenSSL engine on a modern distribution, with example of usage with > softhsm. AFAIK the OpenSSL engine is still available (at least we're still shipping patches for it). I agree the doc should be updated though. Native PKCS#11 is much more useful now and ought to be emphasized.
Sat, 02 Dec 2017 20:51:57 -0500 The RT System itself - Status changed from 'new' to 'open'
  Sat, 02 Dec 2017 23:04:33 -0500 Mukund Sivaraman <muks@isc.org> - Correspondence added
Date: Sun, 3 Dec 2017 09:34:22 +0530
From: "Mukund Sivaraman" <muks@isc.org>
Subject: Re: [ISC-Bugs #46749] Update PKCS #11 OpenSSL engine usage documentation in ARM
To: "Evan Hunt via RT" <bind9-public@isc.org>

Hi Evan On Sun, Dec 03, 2017 at 01:51:55AM +0000, Evan Hunt via RT wrote: 85;95;0c> > The description in the ARM about using BIND with PKCS #11 as OpenSSL > > engine is very obsolete (not available any longer). This ticket should > > update the ARM with a correct description of how to use BIND with PKCS > > #11 OpenSSL engine on a modern distribution, with example of usage with > > softhsm. > > AFAIK the OpenSSL engine is still available (at least we're still > shipping patches for it). These are the patches. They're against obsolete versions of OpenSSL. Only the 1.0.2 version is even recent, but isn't against the latest version. ./bin/pkcs11/openssl-1.0.0t-patch ./bin/pkcs11/openssl-0.9.8zh-patch ./bin/pkcs11/openssl-1.0.2h-patch ./bin/pkcs11/openssl-1.0.1t-patch They also are not the preferred way to get an OpenSSL PKCS #11 engine. The instructions require a custom version of OpenSSL to be built using what we provide as crypto code, and a custom version of BIND against it (with conditional ifdefs). We should stop distributing the patches, and switch to use of the OpenSC libp11 engine which can be installed as a plug-in to stock OpenSSL on popular distributions and doesn't need any other modifications. Also, the patches in the tree are large patches to a crypto library. Do we want to actively develop this, be responsible for security vulnerabilites in it? > I agree the doc should be updated though. Native PKCS#11 is much more > useful now and ought to be emphasized. How is it more useful? I want us to minimize the amount of crypto code we have in BIND tree. I want us to drop the native PKCS #11 code and stick to the OpenSSL engine code. With that we'll use a single crypto implementation in the tree. Mukund
  Sun, 03 Dec 2017 02:13:14 -0500 Evan Hunt <each@isc.org> - Correspondence added
Date: Sun, 3 Dec 2017 07:13:12 +0000
CC:
Subject: Re: [ISC-Bugs #46749] Update PKCS #11 OpenSSL engine usage documentation in ARM
From: "Evan Hunt" <each@isc.org>
To: "Mukund Sivaraman via RT" <bind9-public@isc.org>

> > I agree the doc should be updated though. Native PKCS#11 is much more > > useful now and ought to be emphasized. > > How is it more useful? I meant it's more useful than it was when we first shipped it, because there are more HSMs that support it now. > I want us to minimize the amount of crypto code we have in BIND tree. I > want us to drop the native PKCS #11 code and stick to the OpenSSL engine > code. With that we'll use a single crypto implementation in the tree. Okay, I misunderstood you then, and I disagree. Unless things have changed substantially since I last looked, OpenSSL doesn't support PKCS#11; the pkcs11 engine is implemented by the patches we provide, which were never accepted by the upstream maintainers, and they don't really work all that well; debugging is huge pain. I think if we're going to support PKCS#11, native is the better way to go. If I recall correctly, the only reason we kept OpenSSL PKCS#11 was that you couldn't run native PKCS#11 with the AEP Keyper. (And that may not even be true anymore.)
  Sun, 03 Dec 2017 03:04:33 -0500 Mukund Sivaraman <muks@isc.org> - Correspondence added
Date: Sun, 3 Dec 2017 13:34:17 +0530
To: "Evan Hunt via RT" <bind9-public@isc.org>
From: "Mukund Sivaraman" <muks@isc.org>
Subject: Re: [ISC-Bugs #46749] Update PKCS #11 OpenSSL engine usage documentation in ARM

On Sun, Dec 03, 2017 at 07:13:16AM +0000, Evan Hunt via RT wrote: > > > I agree the doc should be updated though. Native PKCS#11 is much more > > > useful now and ought to be emphasized. > > > > How is it more useful? > > I meant it's more useful than it was when we first shipped it, > because there are more HSMs that support it now. > > > I want us to minimize the amount of crypto code we have in BIND tree. I > > want us to drop the native PKCS #11 code and stick to the OpenSSL engine > > code. With that we'll use a single crypto implementation in the tree. > > Okay, I misunderstood you then, and I disagree. Unless things have > changed substantially since I last looked, OpenSSL doesn't support > PKCS#11; the pkcs11 engine is implemented by the patches we provide, > which were never accepted by the upstream maintainers, and they don't > really work all that well; debugging is huge pain. Francis also came back to me with similar arguments about OpenSSL PKCS #11 support. I have checked that his specific claims are untrue. If you can list things that don't work, I can check these too. Look at: https://github.com/OpenSC/libp11 This is the better way to install a PKCS #11 OpenSSL engine, not our OpenSSL patching and custom build method. -- As example, with Fedora you can install this as the "engine_pkcs11" package. If you also have p11-kit installed, you don't have to configure anything except the HSM provider (there's no need to configure the OpenSSL engine). p11-kit list-modules should show you the crypto providers that are available. With softhsm2 as module, you can use softhsm2-util to configure the HSM (create tokens and configure PIN to access them). To create keys on the tokens, you can use p11tool provided by gnutls-utils. After that, OpenSSL can be passed a label string that selects a particular <hsm-provider,token,key-by-label>, e.g., using dnssec-keyfromlabel -E pkcs11 -l "<selector>". If there are any quirks (such as debug logging for extra cases that are not already provided by the engine), it is better to address them as patches to the pkcs11 engine rather than implement it BIND. > I think if we're going to support PKCS#11, native is the better way to > go. If I recall correctly, the only reason we kept OpenSSL PKCS#11 was > that you couldn't run native PKCS#11 with the AEP Keyper. (And that > may not even be true anymore.) We currently have 2 implementations of code to do crypto in BIND (3 if you also consider hashing). Which other server maintains so many forms of crypto? Application level crypto code should not be like this. How many operators does native PKCS #11 benefit? Why should we have it in BIND? From what we have right now, one would imagine root and TLD operators (and the handful of others who need to use a HSM) would be funding upwards of a million dollars to hire more people to maintain native PKCS #11 for their benefit for us to deal with CVEs due to it. Mukund
  Sun, 03 Dec 2017 03:06:30 -0500 Mukund Sivaraman <muks@isc.org> - Correspondence added
Subject: Re: [ISC-Bugs #46749] Update PKCS #11 OpenSSL engine usage documentation in ARM
From: "Mukund Sivaraman" <muks@isc.org>
To: "Evan Hunt via RT" <bind9-public@isc.org>
Date: Sun, 3 Dec 2017 13:36:23 +0530

On Sun, Dec 03, 2017 at 07:13:16AM +0000, Evan Hunt via RT wrote: > Okay, I misunderstood you then, and I disagree. Unless things have In any case, this ticket is not about native PKCS #11. It is limited to changing documentation to use engine_pkcs11 which is the better way to use OpenSSL PKCS #11. Mukund
  Sun, 03 Dec 2017 10:21:27 -0500 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

You assume the decision to no longer support the PKCS#11 OpenSSL engine patches was taken. Even I am not against the idea (*) as far as I know this decision was not yet taken... (*) of course I support this idea!
  Sun, 03 Dec 2017 10:26:55 -0500 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

On Sun Dec 03 04:04:33 2017, muks wrote: > I want us to minimize the amount of crypto code we have in BIND tree. > I > want us to drop the native PKCS #11 code and stick to the OpenSSL > engine > code. With that we'll use a single crypto implementation in the tree. => definitely NO. If you want to drop things, the PKCS#11 OpenSSL engine patches are a good candidate, and the builtin crypto is a second. Note for the second it means we agree to make DNSSEC no optional. If you agree can I change the title into "Drop" (vs "Update")?
  Sun, 03 Dec 2017 10:31:05 -0500 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

On Sun Dec 03 07:13:14 2017, each@isc.org wrote: > I think if we're going to support PKCS#11, native is the better way to > go. If I recall correctly, the only reason we kept OpenSSL PKCS#11 was > that you couldn't run native PKCS#11 with the AEP Keyper. (And that may > not even be true anymore.) => I confirm the last statement. In fact any HSM which can be supported by a PKCS#11 OpenSSL engine ("a" means our and others) should work with native PKCS#11 code.
  Sun, 03 Dec 2017 10:34:09 -0500 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

On Sun Dec 03 08:04:33 2017, muks wrote: > Francis also came back to me with similar arguments about OpenSSL > PKCS #11 support. I have checked that his specific claims are untrue. > > If you can list things that don't work, I can check these too. > > Look at: https://github.com/OpenSC/libp11 > > This is the better way to install a PKCS #11 OpenSSL engine, not our > OpenSSL patching and custom build method. => libp11 did not support fetch per key label the last time I looked the code. BTW it is simple to check: build bind with it and verify dnssec-keyfromlabel does what it is expected to do.
  Sun, 03 Dec 2017 10:37:44 -0500 Mukund Sivaraman <muks@isc.org> - Correspondence added
To: "Francis Dupont via RT" <bind9-public@isc.org>
From: "Mukund Sivaraman" <muks@isc.org>
Date: Sun, 3 Dec 2017 21:07:34 +0530
Subject: Re: [ISC-Bugs #46749] Update PKCS #11 OpenSSL engine usage documentation in ARM

On Sun, Dec 03, 2017 at 03:26:56PM +0000, Francis Dupont via RT wrote: > On Sun Dec 03 04:04:33 2017, muks wrote: > > I want us to minimize the amount of crypto code we have in BIND tree. > > I > > want us to drop the native PKCS #11 code and stick to the OpenSSL > > engine > > code. With that we'll use a single crypto implementation in the tree. > > => definitely NO. > If you want to drop things, the PKCS#11 OpenSSL engine patches > are a good candidate, and the builtin crypto is a second. > Note for the second it means we agree to make DNSSEC no optional. > > If you agree can I change the title into "Drop" (vs "Update")? No, please don't change the ticket's title. If you want to suggest dropping OpenSSL PKCS #11, create a different ticket for it. The topic of this ticket is to update the documentation to use engine_pkcs11. Mukund
  Sun, 03 Dec 2017 10:41:19 -0500 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

On Sun Dec 03 15:37:44 2017, muks wrote: > No, please don't change the ticket's title. If you want to suggest > dropping OpenSSL PKCS #11, create a different ticket for it. > > The topic of this ticket is to update the documentation to use > engine_pkcs11. => hum, I give up on the title but instead of simply updating the text I propose to remove it and to write a fresh text about engine_pkcs11/lib11 & co. BTW was engine_pkcs11/lib11 updated to support more than RSA?
  Mon, 04 Dec 2017 06:01:48 -0500 Ondrej Sury <ondrej@isc.org> - Correspondence added

Mukund, I think it is a great idea to update the usage of engine_pkcs11 in OpenSSL and dropping the custom OpenSSL patches. Please go ahead. Also the question of removal of native-pkcs11 is not topic of this issues, so let's not discuss it here and now. However, I would appreciate that instead of throwing strong opinions at each other we will do (informal) cost-benefit analysis of a feature in question and make an informed decision based on technical facts and hard data and not personal feelings and opinions.