Spec URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11.spec
SRPM URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11-1.0.0-0.src.rpm
Description: This package contains a shared object OpenSSL dynamic engine for the use with a PKCS#11 implementation such as openCryptoki.

This package provides a library that will bridge the gap between a PKCS#11 implementation, which provides support for storage of keys and certificates and cryptographic hardware support, to the openssl libcrypto library.

Testing:

1. Install openCryptoki:

# rpm -ivh opencryptoki-2.3.3-2.fc15.i686.rpm opencryptoki-libs-2.3.3-2.fc15.i686.rpm opencryptoki-swtok-2.3.3-2.fc15.i686.rpm

2. Configure openCryptoki:

# /etc/init.d/pkcsslotd start
[root@localhost ~]# pkcsconf -t
Token #0 Info:
    Label: IBM OS PKCS#11
    Manufacturer: IBM Corp.
    Model: IBM SoftTok
    Serial Number: 123
    Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
    Sessions: -1/-1
    R/W Sessions: -1/-1
    PIN Length: 4-8
    Public Memory: 0xFFFFFFFF/0xFFFFFFFF
    Private Memory: 0xFFFFFFFF/0xFFFFFFFF
    Hardware Version: 1.0
    Firmware Version: 1.0
    Time: 10:01:00 AM
[root@localhost ~]# pkcsconf -I -c 0
Enter the SO PIN:    # (default is 87654321)
Enter a unique token label: kentinit
[root@localhost ~]# pkcsconf -P -c 0
Enter the SO PIN:
Enter the new SO PIN:
Re-enter the new SO PIN:
[root@localhost ~]# pkcsconf -u -c 0
Enter the SO PIN:
Enter the new user PIN:
Re-enter the new user PIN:
[root@localhost ~]# pkcsconf -t
Token #0 Info:
    Label: kentinit
    Manufacturer: IBM Corp.
    Model: IBM SoftTok
    Serial Number: 123
    Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
    Sessions: -1/-1
    R/W Sessions: -1/-1
    PIN Length: 4-8
    Public Memory: 0xFFFFFFFF/0xFFFFFFFF
    Private Memory: 0xFFFFFFFF/0xFFFFFFFF
    Hardware Version: 1.0
    Firmware Version: 1.0
    Time: 10:01:44 AM

3. Point openssl at the new engine:

[root@localhost ~]# openssl engine -t
(aesni) Intel AES-NI engine (no-aesni)
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
[root@localhost ~]# OPENSSL_CONF=/usr/share/doc/openssl-ibmpkcs11-1.0.0/openssl.cnf.sample openssl engine -t
(aesni) Intel AES-NI engine (no-aesni)
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(ibmpkcs11) PKCS#11 hardware engine support
     [ available ]

4. Run an openssl speed test using the engine:

[root@localhost ~]# OPENSSL_CONF=/usr/share/doc/openssl-ibmpkcs11-1.0.0/openssl.cnf.sample openssl engine -c
(aesni) Intel AES-NI engine (no-aesni)
(dynamic) Dynamic engine loading support
(ibmpkcs11) PKCS#11 hardware engine support
 [RSA, RAND, DES-ECB, DES-CBC, DES-EDE3, DES-EDE3-CBC, AES-128-ECB, AES-128-CBC, AES-192-ECB, AES-192-CBC, AES-256-ECB, AES-256-CBC, MD5, SHA1, RSA-SHA1, hmacWithSHA1]
[root@localhost ~]# OPENSSL_CONF=/usr/share/doc/openssl-ibmpkcs11-1.0.0/openssl.cnf.sample openssl speed -engine ibmpkcs11 -evp des-ecb
engine "ibmpkcs11" set.
Doing des-ecb for 3s on 16 size blocks: 3601074 des-ecb's in 2.97s
Doing des-ecb for 3s on 64 size blocks: 1724899 des-ecb's in 2.97s
Doing des-ecb for 3s on 256 size blocks: 545990 des-ecb's in 2.90s
Doing des-ecb for 3s on 1024 size blocks: 156847 des-ecb's in 2.97s
Doing des-ecb for 3s on 8192 size blocks: 19434 des-ecb's in 2.97s
OpenSSL 1.0.0e-fips 6 Sep 2011
built on: Wed Sep 7 18:44:05 UTC 2011
options:bn(64,32) md2(int) rc4(8x,mmx) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
des-ecb          19399.73k    37169.54k    48197.74k    54077.89k    53603.81k
[root@localhost ~]#
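A pre-flight check for the testing procedure above, added here as an example and not part of the bug report or of the openssl-ibmpkcs11 project: it decodes the Flags word that pkcsconf -t prints using the CK_TOKEN_INFO bit values from the PKCS#11 v2.x specification, treats a token that still carries the *_TO_BE_CHANGED bits (the factory state in which the documented default SO PIN 87654321 is still valid) as not ready to hold keys, and confirms that openssl engine -c lists ibmpkcs11 with RSA support. The pkcsconf and openssl outputs embedded in the script are constructed samples modelled on the transcript, not live output.

```shell
#!/bin/sh
# CK_TOKEN_INFO flag bits (PKCS#11 v2.x values) as name:decimal; pkcsconf prints
# them in ascending bit order, which this table follows.
TOKEN_FLAG_TABLE="RNG:1 LOGIN_REQUIRED:4 USER_PIN_INITIALIZED:8 CLOCK_ON_TOKEN:64
TOKEN_INITIALIZED:1024 USER_PIN_TO_BE_CHANGED:524288 SO_PIN_TO_BE_CHANGED:8388608"
# Pull the hex flags word out of "pkcsconf -t" output read on stdin.
token_flags() {
    sed -n 's/^[[:space:]]*Flags:[[:space:]]*\(0x[0-9A-Fa-f]*\).*/\1/p' | head -n 1
}
# Decode a flags word (0x prefix accepted) into the pipe-joined names pkcsconf shows.
decode_flags() {
    f=$(( $1 )); out=""
    for entry in $TOKEN_FLAG_TABLE; do
        name=${entry%%:*}; bit=${entry##*:}
        if [ $(( f & bit )) -ne 0 ]; then out="${out:+$out|}$name"; fi
    done
    printf '%s\n' "$out"
}
# Succeed only when TOKEN_INITIALIZED and USER_PIN_INITIALIZED are set and neither
# USER_PIN_TO_BE_CHANGED nor SO_PIN_TO_BE_CHANGED (524288|8388608) is still set.
token_ready() {
    f=$(( $1 ))
    [ $(( f & 1024 )) -ne 0 ] && [ $(( f & 8 )) -ne 0 ] && [ $(( f & 8912896 )) -eq 0 ]
}
# Succeed when "openssl engine -c" output on stdin lists ibmpkcs11 with RSA in its
# capability list (the bracketed list on the line after the engine name).
engine_has_rsa() {
    tr '\n' ' ' | sed -n 's/.*(ibmpkcs11)[^[]*\[\([^]]*\)\].*/\1/p' | tr ',' '\n' |
        grep -qx ' *RSA *'
}
# Constructed samples modelled on the transcript above (not captured live).
FRESH_TOKEN='Token #0 Info:
    Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)'
INIT_TOKEN='Token #0 Info:
    Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)'
ENGINE_LIST='(aesni) Intel AES-NI engine (no-aesni)
(dynamic) Dynamic engine loading support
(ibmpkcs11) PKCS#11 hardware engine support
 [RSA, RAND, DES-ECB, AES-128-CBC, SHA1, RSA-SHA1, hmacWithSHA1]'
main() {
    for sample in "$FRESH_TOKEN" "$INIT_TOKEN"; do
        flags=$(printf '%s\n' "$sample" | token_flags)
        if token_ready "$flags"; then state=ready; else state="NOT ready"; fi
        printf '%s -> %s: %s\n' "$flags" "$(decode_flags "$flags")" "$state"
    done
    if printf '%s\n' "$ENGINE_LIST" | engine_has_rsa; then echo "ibmpkcs11 offers RSA"; fi
}
main
```

On a live system replace the samples with `pkcsconf -t` and `OPENSSL_CONF=... openssl engine -c` piped into the same functions.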
taking for review
Hi Dan, any status? Thanks, Kent
any update here? This should really make Fedora 19 ... to make RHEL xx based on F19 Thx in advance
first notes:
- Release must start with 1 for released projects, %{?dist} is missing - see https://fedoraproject.org/wiki/Packaging:NamingGuidelines#Release_Tag
- use an acronym for License, see https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses for the license list; also the licensing is unclear in the source code, simple inclusion of the OpenSSL license in the LICENSE file is not sufficient, the best option is to include a licensing header in all source files or at least a notice in README (any file created by the authors), also read https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ
- Group is wrong, see /usr/share/doc/rpm-*/GROUPS for a list, or omit Group completely
- you can drop BuildRoot, %defattr and the whole %clean because rpm will take care of it itself
- there should be no need to export CFLAGS/CPPFLAGS, the %configure macro already does it
- use -q in %setup, drop -n, the %{name}-%{version} format is used by default
- I'd drop the license header on top of the spec completely (if possible), see https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files

For more information about packaging rules in Fedora please see https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines and if you have any questions please ask.
Also I think the %post/%pre ldconfig calls are not necessary if the module is opened by dlopen() from inside of the openssl library, and apps are not directly linked to it (https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#Shared_Libraries)
------- Comment From mgrf.com 2013-03-06 15:01 EDT-------
(In reply to Kent Yoder from comment #0)
> Spec URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11.spec
> SRPM URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11-1.0.0-0.src.rpm
> Description: This package contains a shared object OpenSSL dynamic engine for the use with a PKCS#11 implementation such as openCryptoki.
>
> This package provides a library that will bridge the gap between a PKCS#11 implementation, which provides support for storage of keys and certificates and cryptographic hardware support, to the openssl libcrypto library.
> .

for the record ... the current upstream location for this package is https://sourceforge.net/projects/opencryptoki/files/PKCS%2311%20OpenSSL%20Engine/openssl-ibmpkcs11/ ...
------- Comment From hannsj_uhl.com 2016-03-17 08:39 EDT-------
*** Bug 139187 has been marked as a duplicate of this bug. ***
Dan, Claudio, are there still questions on this, or is all resolved ?
------- Comment From ebarretto.com 2017-01-31 06:38 EDT-------
Hi Dan and Hans-Georg,

openssl-ibmpkcs11 has been under my responsibility since last semester, as well as opencryptoki. I'm working on making it stable, whenever I have a break from opencryptoki, as there are many issues on it. I was not aware of this Fedora requirement and I will make sure, as soon as it gets stable, that I will implement it. I don't have a specific date yet for this to be done. If you need more information or have requests, just let me know.

Eduardo
------- Comment From mgrf.com 2017-12-11 06:03 EDT-------
There is a new version of OpenSSL-ibmpkcs11 available upstream. You can easily grab this release in tarball format on GitHub: https://github.com/opencryptoki/openssl-ibmpkcs11/archive/v1.0.1.tar.gz
Please integrate into Fedora.
*** This bug has been marked as a duplicate of bug 1536990 ***