+++ /dev/null
-/* OpenSSL tool
- *
- * usage: PEM_write_pubkey -e engine -p pin -k keyname -f filename
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/engine.h>
-#include <openssl/conf.h>
-#include <unistd.h>
-#include <errno.h>
-
-extern int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x);
-
-int
-main(int argc, char *argv[])
-{
- ENGINE *e;
- EVP_PKEY *pub_key;
- FILE *fp;
- char *engine = NULL;
- char *pin = NULL;
- char *keyname = NULL;
- char *filename = NULL;
- int c, errflg = 0;
- extern char *optarg;
- extern int optopt;
-
- while ((c = getopt(argc, argv, ":e:p:k:f:")) != -1) {
- switch (c) {
- case 'e':
- engine = optarg;
- break;
- case 'p':
- pin = optarg;
- break;
- case 'k':
- keyname = optarg;
- break;
- case 'f':
- filename = optarg;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n", optopt);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
- errflg++;
- }
- }
- if ((errflg) || (!engine) || (!filename) || (!keyname)) {
- fprintf(stderr,
- "usage: PEM_write_pubkey -e engine [-p pin] "
- "-k keyname -f filename\n");
- exit(1);
- }
-
- /* Load the config file */
- OPENSSL_config(NULL);
-
- /* Register engine */
- e = ENGINE_by_id(engine);
- if (!e) {
- /* the engine isn't available */
- printf("The engine isn't available\n");
- ERR_print_errors_fp(stderr);
- exit(1);
- }
-
- /* Send PIN to engine */
- if (pin && !ENGINE_ctrl_cmd_string(e, "PIN", pin, 0)){
- printf("Error sending PIN to engine\n");
- ERR_print_errors_fp(stderr);
- ENGINE_free(e);
- exit(1);
- }
-
- if (!ENGINE_init(e)) {
- /* the engine couldn't initialise, release 'e' */
- printf("The engine couldn't initialise\n");
- ERR_print_errors_fp(stderr);
- ENGINE_free(e);
- exit(1);
- }
-
- if (!ENGINE_register_RSA(e)){
- /* This should only happen when 'e' can't initialise, but the previous
- * statement suggests it did. */
- printf("This should not happen\n");
- ERR_print_errors_fp(stderr);
- exit(1);
- }
-
- /* Load public key */
- pub_key = ENGINE_load_public_key(e, keyname, NULL, NULL);
- if (pub_key == NULL) {
- /* No public key */
- printf("Error loading public key\n");
- ERR_print_errors_fp(stderr);
- ENGINE_free(e);
- exit(1);
- }
-
- /* write public key to file in PEM format */
- fp = fopen(filename, "w");
- if (fp == NULL) {
- printf("Error opening output file.\n");
- ENGINE_free(e);
- exit(1);
- }
-
- if (!PEM_write_PUBKEY(fp, pub_key)) {
- /* Error writing public key */
- printf("Error writing public key");
- ERR_print_errors_fp(stderr);
- ENGINE_free(e);
- exit(1);
- }
-
- fclose(fp);
- exit(0);
-}
+++ /dev/null
-
- BIND-9 PKCS#11 support
-
-Prerequisite
-
-The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
-released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
-and some improvements, including user friendly PIN management. You may also
-use the original engine code.
-
-Compilation
-
-"configure --with-pkcs11 ..."
-
-PKCS#11 Libraries
-
-Tested with Solaris one with a SCA board and with openCryptoki with the
-software token. Known to work on Linux and Windows 2003 server so
-should work on most operating systems. For AEP Keyper or any device used
-only for its protected key store, please switch to the sign-only engine.
-
-OpenSSL Engines
-
-With PKCS#11 support the PKCS#11 engine is statically loaded but at its
-initialization it dynamically loads the PKCS#11 objects.
-Even the pre commands are therefore unused they are defined with:
- SO_PATH:
- define: PKCS11_SO_PATH
- default: /usr/local/lib/engines/engine_pkcs11.so
- MODULE_PATH:
- define: PKCS11_MODULE_PATH
- default: /usr/lib/libpkcs11.so
-Without PKCS#11 support, a specific OpenSSL engine can be still used
-by defining ENGINE_ID at compile time.
-
-PKCS#11 tools
-
-The contrib/pkcs11-keygen directory contains a set of experimental tools
-to handle keys stored in a Hardware Security Module at the benefit of BIND.
-
-The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
-for the way to use it (these are the original notes so with the original
-path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
-a operating system which is not Solaris.)
-
-Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel
-are functional.
-
-PIN management
-
-With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
-each time it is required. With the improved engine, the PIN should be
-entered the first time it is required or can be configured in the
-OpenSSL configuration file (aka. openssl.cnf) by adding in it:
- - at the beginning:
- openssl_conf = openssl_def
- - at any place these sections:
- [ openssl_def ]
- engines = engine_section
- [ engine_section ]
- pkcs11 = pkcs11_section
- [ pkcs11_section ]
- PIN = put__your__pin__value__here
-
-Slot management
-
-The engine tries to use the first best slot but it is recommended
-to simply use the slot 0 (usual default, meta-slot on Solaris).
-
-Sign-only engine
-
-openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
-a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
-has only the useful functions (i.e., signature with a RSA private
-key in the device protected key store and key loading).
-
-This engine should be used with a device which provides mainly
-a protected store and no acceleration. AEP Keyper is an example
-of such a device (BTW with the fully capable engine, key export
-must be enabled on this device and this configuration is not yet
-supported).
-
-Original engine
-
-If you are using the original engine and getpassphrase() is not defined, add:
-#define getpassphrase(x) getpass(x)
-in openssl.../crypto/engine/hw_pk11_pub.c
-
-Notes
-
-Some names here are registered trademarks, at least Solaris is a trademark
-of Sun Microsystems Inc...
-Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3.
-The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.
+++ /dev/null
-This is a set of utilities that when used together create rsa keys in
-a PKCS11 keystore. The keys will have a label of "zone,zsk|ksk,xxx" and
-an id of the keytag in hex.
-
-Run genkey.sh to generate a new key and call the other programs in turn.
-Run writekey.sh to load key to the key store from Kxxx.{key,private}.
-Run genkey, dnssec-keyfromlabel and optionally set_key_id when you have
-no perl or no Net::DNS::SEC perl module.
-
-genkey[.c] uses PKCS11 calls to generate keys.
-PEM_write_pubkey[.c] uses OpenSSL to write a public key from the key store
- into a file in PEM format.
-keyconv.pl uses Net::DNS::SEC to calculate the key tag and to write out
- a DNSKEY RR into a file.
-set_key_id[.c] uses PKCS11 to set to the key id == keytag in the key store.
-readkey[.c] and writekey[.c] extracts and loads a key from/to the key store.
-keydump.pl uses Net::DNS::SEC to get the key from a Kxxx.private file and
- write it into a file in PEM format.
-
-listobjs and destroyobjs browse the key store, prints or destroys objects.
projects / thirdparty / bind9.git / commitdiff
