According to the BIND release notes, PKCS#11 support in BIND 9.10 depends on full PKCS#11 support in the HSM: http://ftp.isc.org/isc/bind9/9.10.0-P2/RELEASE-NOTES-BIND-9.10.0-P2.txt Unfortunately, SoftHSM v1 has only limited PKCS#11 support, so SoftHSM needs a rebase to v2. According to https://issues.opendnssec.org/browse/SOFTHSM it seems that it should work, and my sanity testing with BIND 9.10 confirms that. Would it be possible to rebase to v2 in rawhide (F21)?
I have asked the OpenDNSSEC-user list for opinions on SoftHSM v2 stability. You can follow the thread here: http://lists.opendnssec.org/pipermail/opendnssec-user/2014-June/003005.html
It would be great to migrate to softhsm-2 and use openssl instead of botan. However, we do need to look and check whether we can automatically upgrade people, at least for those installs in /var/softhsm. I expect there are quite a few users of opendnssec that rely on a working softhsm setup.
Created attachment 910425 [details] proof-of-concept SPEC file usable on Fedora 20 I needed to build version 2 on Fedora 20 to explore the new softhsm2-keyconv utility, so I have created a proof-of-concept SPEC file.
(In reply to Petr Spacek from comment #3) > Created attachment 910425 [details] > proof-of-concept SPEC file usable on Fedora 20 > > I needed to build version 2 on Fedora 20 to explore new softhsm2-keyconv > utility so I have created proof-of-concept SPEC file. There is a small issue in your spec file. + autoreconf --install --force Can't exec "libtoolize": No such file or directory at /usr/share/autoconf/Autom4te/FileUtils.pm line 345, <GEN3> line 5. autoreconf: failed to run libtoolize: No such file or directory autoreconf: libtoolize is needed because this package uses Libtool error: Bad exit status from /var/tmp/rpm-tmp.eu3uAt (%build) Bad exit status from /var/tmp/rpm-tmp.eu3uAt (%build) RPM build errors: Simple change fixes this problem. --- softhsm.spec.orig 2014-06-20 13:07:38.188470186 +0200 +++ softhsm.spec 2014-06-20 13:08:09.633738475 +0200 @@ -8,6 +8,7 @@ Group: Applications/System BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: openssl-devel, cppunit-devel +BuilDrequires: libtool Requires(pre): shadow-utils %description
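Review bot: the added line spells the tag `BuilDrequires` while the line above it uses `BuildRequires`; rpm reads preamble tags case-insensitively so the dependency will still be honoured, but it should match the existing spelling so it does not look like a typo. It is also worth confirming that autoconf and automake are already pulled in, since `autoreconf --install --force` needs them as well as libtoolize.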
Hello, softhsm2 contains the utility softhsm2-migrate, which converts v1 tokens to v2. It requires the user PIN and the path to the v1 database. Should we try to do auto-migration after the upgrade to v2? There is a problem with the unknown user PIN. Or should we at least show a message for the user to run softhsm2-migrate manually? Here are some required changes in the spec file to build softhsm2-migrate: + BuildRequires: sqlite-devel, gcc-c++ + Requires: sqlite >= 3.4.2 - %configure --libdir=%{_libdir}/ --disable-gost + %configure --libdir=%{_libdir}/ --disable-gost --with-migrate
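Review bot: the explicit `Requires: sqlite >= 3.4.2` duplicates the soname dependency on libsqlite3 that rpm's automatic dependency generator adds once softhsm2-migrate is linked against it; keep it only if the 3.4.2 version floor is genuinely required by the migrate tool, otherwise drop it. The added `BuildRequires` and the `--with-migrate` configure flag look fine.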
Hello Paul, are we on track with the new softhsm in F21? It seems to me that we have everything we need, including the migration scripts and the proposed spec file, so we should be fine.
I have built softhsm v2 and opendnssec for epel6 for testing: ftp://ftp.nohats.ca/epel6/ However, the migration tools are buggy and there is one crasher in the softhsm v2 code. I've contacted upstream and they are working on fixing this. Moving the library location can only be done if we leave a symlink, as other tools that can be configured to use a pkcs11 library will have the name hardcoded in their config files. In this case, in conf.xml for opendnssec: <Module>/usr/lib64/softhsm/libsofthsm.so</Module>
I have realized that DNSSEC in IPA depends on the following code: https://github.com/opendnssec/SoftHSMv2/pull/90 https://github.com/opendnssec/SoftHSMv2/pull/91 Upstream promised to review the code this week. (The OpenDNSSEC code is ready in upstream git, so it is possible to start rebasing it; it doesn't depend on SoftHSM.)
Done: http://koji.fedoraproject.org/koji/buildinfo?buildID=585676