Bug 794793 - Review Request: openssl-ibmpkcs11 - An openssl PKCS#11 engine
Status: CLOSED DUPLICATE of bug 1536990
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: s390x
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
Blocks: ZedoraTracker 1274387 1525184
Reported: 2012-02-17 16:44 UTC by Kent Yoder
Modified: 2018-01-22 08:44 UTC (History)
Doc Type: Bug Fix
Last Closed: 2018-01-22 08:44:20 UTC
dan: fedora-review?




Links
System ID Private Priority Status Summary Last Updated
IBM Linux Technology Center 87865 0 None None None 2019-07-25 10:53:16 UTC

Description Kent Yoder 2012-02-17 16:44:19 UTC
Spec URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11.spec
SRPM URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11-1.0.0-0.src.rpm
Description: This package contains a shared object OpenSSL dynamic engine for the use with a PKCS#11 implementation such as openCryptoki.

This package provides a library that will bridge the gap between a PKCS#11 implementation, which provides support for storage of keys and certificates and cryptographic hardware support, to the openssl libcrypto library.

Testing:
1. Install openCryptoki:
# rpm -ivh opencryptoki-2.3.3-2.fc15.i686.rpm opencryptoki-libs-2.3.3-2.fc15.i686.rpm opencryptoki-swtok-2.3.3-2.fc15.i686.rpm

2. Configure openCryptoki:
# /etc/init.d/pkcsslotd start
[root@localhost ~]# pkcsconf -t
Token #0 Info:
	Label: IBM OS PKCS#11                  
	Manufacturer: IBM Corp.                       
	Model: IBM SoftTok     
	Serial Number: 123             
	Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
	Sessions: -1/-1
	R/W Sessions: -1/-1
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFF/0xFFFFFFFF
	Private Memory: 0xFFFFFFFF/0xFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 10:01:00 AM
[root@localhost ~]# pkcsconf -I -c 0
Enter the SO PIN:                                  # (default is 87654321)
Enter a unique token label: kentinit
[root@localhost ~]# pkcsconf -P -c 0
Enter the SO PIN: 
Enter the new SO PIN: 
Re-enter the new SO PIN: 
[root@localhost ~]# pkcsconf -u -c 0
Enter the SO PIN: 
Enter the new user PIN: 
Re-enter the new user PIN: 
[root@localhost ~]# pkcsconf -t
Token #0 Info:
	Label: kentinit                        
	Manufacturer: IBM Corp.                       
	Model: IBM SoftTok     
	Serial Number: 123             
	Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
	Sessions: -1/-1
	R/W Sessions: -1/-1
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFF/0xFFFFFFFF
	Private Memory: 0xFFFFFFFF/0xFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 10:01:44 AM

3. Point openssl at the new engine:
[root@localhost ~]# openssl engine -t
(aesni) Intel AES-NI engine (no-aesni)
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
[root@localhost ~]# OPENSSL_CONF=/usr/share/doc/openssl-ibmpkcs11-1.0.0/openssl.cnf.sample openssl engine -t
(aesni) Intel AES-NI engine (no-aesni)
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(ibmpkcs11) PKCS#11 hardware engine support
     [ available ]

4. Run an openssl speed test using the engine:
[root@localhost ~]# OPENSSL_CONF=/usr/share/doc/openssl-ibmpkcs11-1.0.0/openssl.cnf.sample openssl engine -c
(aesni) Intel AES-NI engine (no-aesni)
(dynamic) Dynamic engine loading support
(ibmpkcs11) PKCS#11 hardware engine support
 [RSA, RAND, DES-ECB, DES-CBC, DES-EDE3, DES-EDE3-CBC, AES-128-ECB, AES-128-CBC, AES-192-ECB, AES-192-CBC, AES-256-ECB, AES-256-CBC, MD5, SHA1, RSA-SHA1, hmacWithSHA1]
[root@localhost ~]# OPENSSL_CONF=/usr/share/doc/openssl-ibmpkcs11-1.0.0/openssl.cnf.sample openssl speed -engine ibmpkcs11 -evp des-ecb
engine "ibmpkcs11" set.
Doing des-ecb for 3s on 16 size blocks: 3601074 des-ecb's in 2.97s
Doing des-ecb for 3s on 64 size blocks: 1724899 des-ecb's in 2.97s
Doing des-ecb for 3s on 256 size blocks: 545990 des-ecb's in 2.90s
Doing des-ecb for 3s on 1024 size blocks: 156847 des-ecb's in 2.97s
Doing des-ecb for 3s on 8192 size blocks: 19434 des-ecb's in 2.97s
OpenSSL 1.0.0e-fips 6 Sep 2011
built on: Wed Sep  7 18:44:05 UTC 2011
options:bn(64,32) md2(int) rc4(8x,mmx) des(ptr,risc1,16,long) aes(partial) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
des-ecb          19399.73k    37169.54k    48197.74k    54077.89k    53603.81k
[root@localhost ~]#
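
The two `pkcsconf -t` listings in the description above differ only in the Flags word (0x880045 before initialization, 0x44D after). The shell helper below is an added example, not part of the original report or of openCryptoki; it decodes that word with the standard PKCS#11 CKF_* token flag bits to check that the token is initialized and no PIN is still marked "to be changed" before the engine is pointed at it. The function names `token_flags` and `token_state` and the state labels are made up for this example.

```shell
#!/bin/sh
# Added example: classify a token from the "Flags:" word printed by `pkcsconf -t`.
# Bit values are the CKF_* token flags defined by the PKCS#11 standard.

# token_flags: read `pkcsconf -t` output on stdin and print the hex flags
# word of the first token listed.
token_flags() {
    sed -n 's/^[[:space:]]*Flags:[[:space:]]*\(0x[0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# token_state <hex-flags>: print one label for the provisioning state.
token_state() {
    if [ -z "$1" ]; then
        echo "no-flags"
        return 0
    fi
    f=$(( $1 ))
    # CKF_USER_PIN_TO_BE_CHANGED (0x80000) | CKF_SO_PIN_TO_BE_CHANGED (0x800000)
    if [ $(( f & 0x880000 )) -ne 0 ]; then
        echo "default-pins"
    # CKF_TOKEN_INITIALIZED (0x400)
    elif [ $(( f & 0x400 )) -eq 0 ]; then
        echo "uninitialized"
    # CKF_USER_PIN_INITIALIZED (0x8)
    elif [ $(( f & 0x8 )) -eq 0 ]; then
        echo "no-user-pin"
    # CKF_USER_PIN_LOCKED (0x40000) | CKF_SO_PIN_LOCKED (0x400000)
    elif [ $(( f & 0x440000 )) -ne 0 ]; then
        echo "pin-locked"
    else
        echo "ready"
    fi
}

# Flags lines copied from the two `pkcsconf -t` runs in the session above.
BEFORE=$(printf '\tFlags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)\n' | token_flags)
AFTER=$(printf '\tFlags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)\n' | token_flags)

echo "before init: $BEFORE -> $(token_state "$BEFORE")"
echo "after init:  $AFTER -> $(token_state "$AFTER")"
```

On a live system the same check is `pkcsconf -t | token_flags` piped into `token_state`.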

Comment 1 Dan Horák 2013-01-15 10:33:35 UTC
taking for review

Comment 2 Kent Yoder 2013-03-06 15:01:42 UTC
Hi Dan, any status?

Thanks,
Kent

Comment 3 IBM Bug Proxy 2013-03-06 15:04:34 UTC
any update here?
This should really make Fedora 19 ... to make RHEL xx based on F19
Thx in advance

Comment 4 Dan Horák 2013-03-19 11:19:52 UTC
first notes:
- Release must start with 1 for released projects, %{?dist} is missing - see https://fedoraproject.org/wiki/Packaging:NamingGuidelines#Release_Tag
- use an acronym for License, see https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses for license list, also the licensing is unclear in the source code, simple inclusion of OpenSSL license in the LICENSE file is not sufficient, best option is to include licensing header in all source files or at least a notice in README (any file created by the authors), also read https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ
- Group is wrong, see /usr/share/doc/rpm-*/GROUPS for a list, or omit Group completely
- you can drop BuildRoot, %defattr and whole %clean because rpm will take care of it itself
- there should be no need to export CFLAGS/CPPFLAGS, the %configure macro already does it
- use -q in %setup, drop -n, the %{name}-%{version} format is used by default
- I'd drop the license header on top of the spec completely (if possible), see https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files

For more information about packaging rules in Fedora please see https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines and if you have any questions please ask.

Comment 5 Dan Horák 2013-03-19 11:22:18 UTC
Also I think the %post/%pre ldconfig calls are not necessary if the module is opened by dlopen() from inside of the openssl library, and apps are not directly linked to it (https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#Shared_Libraries)

Comment 6 IBM Bug Proxy 2015-11-29 09:40:36 UTC
------- Comment From mgrf.com 2013-03-06 15:01 EDT-------

Comment 7 Hanns-Joachim Uhl 2016-02-25 19:30:15 UTC
(In reply to Kent Yoder from comment #0)
> Spec URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11.spec
> SRPM URL:
> http://kyoder.users.sourceforge.net/openssl-ibmpkcs11-1.0.0-0.src.rpm
> Description: This package contains a shared object OpenSSL dynamic engine
> for the use with a PKCS#11 implementation such as openCryptoki.
> 
> This package provides a library that will bridge the gap between a PKCS#11
> implementation, which provides support for storage of keys and certificates
> and cryptographic hardware support, to the openssl libcrypto library.
> 
.
for the records ... the current upstream location for this package is
https://sourceforge.net/projects/opencryptoki/files/PKCS%2311%20OpenSSL%20Engine/openssl-ibmpkcs11/ ...

Comment 8 IBM Bug Proxy 2016-03-17 12:40:48 UTC
------- Comment From hannsj_uhl.com 2016-03-17 08:39 EDT-------
*** Bug 139187 has been marked as a duplicate of this bug. ***

Comment 9 Georg Markgraf 2017-01-30 12:35:47 UTC
Dan, Claudio, are there still questions on this, or is all resolved?

Comment 10 IBM Bug Proxy 2017-01-31 11:40:48 UTC
------- Comment From ebarretto.com 2017-01-31 06:38 EDT-------
Hi Dan and Hans-Georg,

the openssl-ibmpkcs11 is since last semester under my responsibility as well as opencryptoki.

I'm working on making it stable, whenever I have a break from opencryptoki, as there are many issues on it.

I was not aware of this Fedora requirement and I will make sure as soon as it gets stable that I will implement it.

I don't have a specific date yet for this to be done.

If you need more information or requests just let me know.

Eduardo

Comment 11 IBM Bug Proxy 2017-12-11 11:10:52 UTC
------- Comment From mgrf.com 2017-12-11 06:03 EDT-------
There is a new version of OpenSSL-ibmpkcs11 available upstream.
You can easily grab this release in tarball format on Github:
https://github.com/opencryptoki/openssl-ibmpkcs11/archive/v1.0.1.tar.gz

Please integrate into Fedora

Comment 12 Dan Horák 2018-01-22 08:44:20 UTC

*** This bug has been marked as a duplicate of bug 1536990 ***

