Hi Evan

On Sun, Dec 03, 2017 at 01:51:55AM +0000, Evan Hunt via RT wrote:
> > The description in the ARM about using BIND with PKCS #11 as OpenSSL
> > engine is very obsolete (not available any longer). This ticket should
> > update the ARM with a correct description of how to use BIND with PKCS
> > #11 OpenSSL engine on a modern distribution, with an example of usage
> > with softhsm.
>
> AFAIK the OpenSSL engine is still available (at least we're still
> shipping patches for it).

These are the patches. They're against obsolete versions of OpenSSL.
Only the 1.0.2 version is even recent, but isn't against the latest
version.

./bin/pkcs11/openssl-1.0.0t-patch
./bin/pkcs11/openssl-0.9.8zh-patch
./bin/pkcs11/openssl-1.0.2h-patch
./bin/pkcs11/openssl-1.0.1t-patch

They also are not the preferred way to get an OpenSSL PKCS #11 engine.
The instructions require a custom version of OpenSSL to be built using
what we provide as crypto code, and a custom version of BIND against it
(with conditional ifdefs). We should stop distributing the patches, and
switch to use of the OpenSC libp11 engine which can be installed as a
plug-in to stock OpenSSL on popular distributions and doesn't need any
other modifications.

Also, the patches in the tree are large patches to a crypto library. Do
we want to actively develop this, be responsible for security
vulnerabilities in it?

> I agree the doc should be updated though. Native PKCS#11 is much more
> useful now and ought to be emphasized.

How is it more useful? I want us to minimize the amount of crypto code
we have in the BIND tree. I want us to drop the native PKCS #11 code and
stick to the OpenSSL engine code. With that we'll use a single crypto
implementation in the tree.

Mukund
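As an added illustration of the libp11-as-plug-in approach described in the message above (this is editorial example configuration, not part of the thread or of BIND's own documentation): an openssl.cnf fragment that loads the OpenSC libp11 "pkcs11" engine into stock OpenSSL with SoftHSM as the PKCS #11 module. The engine and module paths are assumptions and vary by distribution.

```ini
# openssl.cnf (added example): register the OpenSC libp11 engine as a
# dynamically loaded OpenSSL engine backed by SoftHSM. No OpenSSL or
# BIND rebuild is needed; the engine is a plug-in to the stock library.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# libp11's engine shared object. Path is an assumption; check where your
# distribution installs OpenSSL engines.
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
# The PKCS #11 provider the engine talks to: SoftHSM here (path assumed).
# Point this at a hardware HSM's module for production keys.
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
init = 0
```

With this in place, `openssl engine -t pkcs11` should report the engine as available, and the BIND tools can be pointed at it with their `-E pkcs11` option.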