Bug 2123076 - [RFE] Support for pkcs11 provider in OpenSSL3
Summary: [RFE] Support for pkcs11 provider in OpenSSL3
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2011993 2242853
Blocks:
Reported: 2022-08-31 17:35 UTC by Petr Menšík
Modified: 2025-07-29 14:14 UTC (History)

Fixed In Version: bind-9.18.35-2.fc42 bind-9.18.35-2.fc43
Clone Of: 2011993
Environment:
Last Closed: 2025-07-29 13:07:17 UTC
Type: Bug
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Internet Systems Consortium (ISC) isc-projects bind9 issues 2996 0 None opened Migrate PKCS11 from "engine" to "provider" 2024-01-19 14:04:24 UTC
Internet Systems Consortium (ISC) isc-projects bind9 merge_requests 7276 0 None closed Support OpenSSL 3 Providers 2024-01-19 14:18:33 UTC
Internet Systems Consortium (ISC) isc-projects bind9 merge_requests 8170 0 None merged Enable keyfromlabel and enginepkcs11 systemtests for pkcs11-provider 2024-01-19 14:40:41 UTC
Internet Systems Consortium (ISC) isc-projects bind9 merge_requests 8258 0 None merged Update PKCS#11 section in the ARM 2024-01-19 14:40:41 UTC
Red Hat Issue Tracker RHEL-33729 0 None None None 2025-03-26 12:39:55 UTC

Description Petr Menšík 2022-08-31 17:35:14 UTC
+++ This bug was initially created as a clone of Bug #2011993 +++

Description of problem:
OpenSSL 3 deprecated the use of Engines [1], which we use and require from freeipa as a bridge with opendnssec. It seems providers [2] should be used instead to fetch different implementations of algorithms. We need the PKCS11 interface now, so the more recent interface should be used. But there seems to be no pkcs11 provider yet. It is not provided by the openssl-pkcs11 package yet, and there seems to be no better support for it.

Once there is a better interface, it should be switched to providers. It seems too fresh now.

1. https://www.openssl.org/docs/man1.0.2/man3/engine.html
2. https://www.openssl.org/docs/manmaster/man7/provider.html
3. https://github.com/OpenSC/libp11

Version-Release number of selected component (if applicable):
openssl-3.0.0-2.el9.x86_64
bind-9.16.20-2.el9.x86_64

--- Additional comment from Petr Menšík on 2022-08-31 19:33:50 CEST ---

ISC upstream has a report that latchset on GitHub [1] should be on a good track. But it does not even have a first release yet, so it does not seem to be ready for production.

1. https://github.com/latchset/pkcs11-provider/
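For reference, this is the OpenSSL 3 configuration shape that loads the latchset pkcs11-provider as a provider instead of the deprecated engine; it is an added illustration, not configuration from this bug or from the BIND package, and the module paths (Fedora's ossl-modules directory and a SoftHSM token module) are assumptions for the example.

```ini
# Added example: OpenSSL 3 provider configuration for pkcs11-provider.
# Referenced from the [openssl_init] section of openssl.cnf (or a file
# pointed to by OPENSSL_CONF), so that OpenSSL loads the provider at init.
[openssl_init]
providers = provider_sect

[provider_sect]
# Keep the default provider active; the pkcs11 provider only supplies
# keys that live behind a PKCS#11 module, not the general algorithms.
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# Path to the provider shared object (assumed Fedora location).
module = /usr/lib64/ossl-modules/pkcs11.so
# PKCS#11 module that the provider talks to (assumed: SoftHSM2 for a lab).
pkcs11-module-path = /usr/lib64/pkcs11/libsofthsm2.so
activate = 1
```

With this in place, `openssl list -providers` should list both "default" and "pkcs11"; keys are then referenced by `pkcs11:` URIs rather than through an engine id.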

Comment 1 Petr Menšík 2024-01-19 14:04:25 UTC
Upstream is tracking some progress in the issue:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2996

They even have a separate tag for PKCS11-related issues:
https://gitlab.isc.org/isc-projects/bind9/-/issues/?label_name%5B%5D=PKCS%2311

Comment 2 Petr Menšík 2024-01-19 14:18:33 UTC
There is PR #7276 [1]. Although that itself is not merged, it seems existing parts of it were merged independently, without referencing issue #2996.
The Crypto [2] tag shows that not a small number of changes were already merged.

1. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7276
2. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&state=merged&label_name[]=Crypto

Comment 4 Petr Menšík 2025-07-29 12:57:22 UTC
This should have been added with the rebase to 9.18.36; 9.18.35-2 contains it already.

Comment 5 Petr Menšík 2025-07-29 13:07:17 UTC
This was implemented by

Patch31: bind-9.18-pkcs11-provider.patch

It should work and be used since f42.