Bug 2123076

Summary: [RFE] Support for pkcs11 provider in OpenSSL3
Product: [Fedora] Fedora
Reporter: Petr Menšík <pemensik>
Component: bind
Assignee: Petr Menšík <pemensik>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: aegorenkov.91, anon.amish, dns-sig, mruprich, pemensik, pspacek, rhel-cs-infra-services-qe, vonsch, zdohnal
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Fixed In Version: bind-9.18.35-2.fc42 bind-9.18.35-2.fc43
Doc Type: Enhancement
Clone Of: 2011993
Last Closed: 2025-07-29 13:07:17 UTC
Type: Bug
Bug Depends On: 2011993, 2242853

Description Petr Menšík 2022-08-31 17:35:14 UTC
+++ This bug was initially created as a clone of Bug #2011993 +++

Description of problem:
OpenSSL 3 deprecated use of Engines [1], which we use and require from freeipa as a bridge with opendnssec. It seems providers [2] should be used instead to fetch different implementations of algorithms. We need the PKCS11 interface now, so the more recent interface should be used. But it seems no pkcs11 provider exists yet. It is not provided by the openssl-pkcs11 package yet, and there seems to be no better support for it.

Once there is a better interface, it should be switched to providers. It seems too fresh now.

1. https://www.openssl.org/docs/man1.0.2/man3/engine.html
2. https://www.openssl.org/docs/manmaster/man7/provider.html
3. https://github.com/OpenSC/libp11

Version-Release number of selected component (if applicable):
openssl-3.0.0-2.el9.x86_64
bind-9.16.20-2.el9.x86_64

--- Additional comment from Petr Menšík on 2022-08-31 19:33:50 CEST ---

ISC upstream has a report that latchset on github [1] should be on a good track. But it does not yet have even a first release, so it does not seem to be ready for production.

1. https://github.com/latchset/pkcs11-provider/
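
For the provider approach the description refers to, the following OpenSSL 3 configuration fragment loads the latchset pkcs11-provider next to the default provider. It is an added illustration, not part of the bug report and not a configuration shipped by the bind or freeipa packages; the module path and the SoftHSM library path are assumptions for a Fedora x86_64 layout and have to match the files actually installed.

```ini
# openssl.cnf fragment (added example, not from the bug report).
# This stanza replaces the deprecated ENGINE configuration
# (engine_id = pkcs11, dynamic_path = .../engines-3/pkcs11.so)
# with the OpenSSL 3 provider mechanism.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
# Keep the default provider active: once any provider is named in the
# config, OpenSSL no longer loads "default" implicitly, and ordinary TLS
# and DNSSEC signing with file-based keys would stop working.
activate = 1

[pkcs11_sect]
# Provider module from the pkcs11-provider package (assumed Fedora path).
module = /usr/lib64/ossl-modules/pkcs11.so
# PKCS#11 library the provider drives; SoftHSM is assumed here, a real
# HSM vendor library takes its place in production.
pkcs11-module-path = /usr/lib64/pkcs11/libsofthsm2.so
activate = 1
```

With this in place `openssl list -providers` should show both `default` and `pkcs11`; if only `default` appears, the module path or the PKCS#11 library path is wrong, which is easier to diagnose here than from a failing signing job in named or opendnssec.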

Comment 1 Petr Menšík 2024-01-19 14:04:25 UTC
Upstream is tracking some progress at issue:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2996

They even have a separate tag for PKCS11 related issues:
https://gitlab.isc.org/isc-projects/bind9/-/issues/?label_name%5B%5D=PKCS%2311

Comment 2 Petr Menšík 2024-01-19 14:18:33 UTC
There is PR #7276 [1]. Although that itself is not merged, it seems existing parts of it were merged independently, without referencing issue #2996.
The Crypto [2] tag shows that not a small number of changes were already merged.

1. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7276
2. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&state=merged&label_name[]=Crypto

Comment 4 Petr Menšík 2025-07-29 12:57:22 UTC
This should have been added with the rebase to 9.18.36; 9.18.35-2 contains it already.

Comment 5 Petr Menšík 2025-07-29 13:07:17 UTC
This was implemented by

Patch31: bind-9.18-pkcs11-provider.patch

Should work and be used since f42.