
Use OpenSSL provider with BIND for Fedora 41+ and RHEL10+ #7589

Open
wants to merge 1 commit into
base: master

Conversation

abbra
Contributor

@abbra abbra commented Nov 6, 2024

The OpenSSL Engine API is deprecated and the ability to compile against it is removed in RHEL10. The OpenSSL provider API is the future.

Fedora 41+ also defaults to OpenSSL providers. With pkcs11-provider, the same PKCS#11 modules can be loaded transparently, as with OpenSSL engines. Thus, we can update the configuration to use the provider API.

Fixes: https://pagure.io/freeipa/issue/9696
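As an added illustration (the PR's own diff is not shown on this page), this is the provider-based form of an openssl.cnf for named of the kind the description refers to, with the engine-era keys it replaces noted in comments. The pkcs11-provider module path and the PIN file path are the ones that appear in the strace output in the comment below; the SoftHSM module path is an assumption.

```ini
# Added example, not the PR's configuration. Provider-based openssl.cnf for named;
# each "was:" comment names the engine-era setting the line replaces.
openssl_conf = openssl_init

[openssl_init]
# was: engines = engine_section
providers = provider_sect

[provider_sect]
# Explicitly loading any provider disables OpenSSL's automatic fallback to the
# default provider, so it must be activated here or named loses its algorithms.
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# pkcs11-provider itself (path as seen in the strace below)
module = /usr/lib64/ossl-modules/pkcs11.so
# was: MODULE_PATH = ... in the [pkcs11_section] engine block
# (SoftHSM module path is assumed; use the token's actual PKCS#11 module)
pkcs11-module-path = /usr/lib64/pkcs11/libsofthsm2.so
# was: PIN = <pin> inline in the engine block; the provider reads it from a
# root-only file instead, so the secret never sits in a world-readable config
pkcs11-module-token-pin = file:/var/lib/ipa/dnssec/softhsm_pin
activate = 1
```

This only makes OpenSSL (and therefore named) see the token; as the comments below note, dnssec-keyfromlabel in bind 9.18 still expects an engine and dnssec-keygen still generates keys in software.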

@abbra abbra added the WIP Work in progress - not ready yet for review label Nov 6, 2024
@abbra abbra force-pushed the use-openssl-provider branch 6 times, most recently from ee1a7be to e82cc80 on November 6, 2024 11:02
The OpenSSL Engine API is deprecated and the ability to compile against it is
removed in RHEL10. The OpenSSL provider API is the future.

Fedora 41+ also defaults to OpenSSL provider. With pkcs11-provider, the
same PKCS#11 modules can be loaded transparently like with OpenSSL
engines. Thus, we can update configuration to use the provider API.

TODO:
 - dnssec-keyfromlabel does not work without engine, needs backport from
   bind 9.20

Fixes: https://pagure.io/freeipa/issue/9696

Signed-off-by: Alexander Bokovoy <[email protected]>
@abbra
Contributor Author

abbra commented Nov 6, 2024

Current investigation results:

  • named from bind 9.18 can be made to run with an OpenSSL configuration that references OpenSSL providers instead of engines. It seems to be working just fine.
  • dnssec-keyfromlabel cannot be used because it expects an engine to handle the keys specified by the labels.
  • dnssec-keygen will happily generate a new key without offloading the operation to the PKCS#11 token. We have no way to specify the token to use because the key to generate is specified by the DNS domain name:
# SOFTHSM2_CONF=`pwd`/softhsm2.conf OPENSSL_CONF=./ipa-openssl.cnf strace -f -e trace=file dnssec-keygen -a RSASHA256 ipa1.test

[...]
openat(AT_FDCWD, "./ipa-openssl.cnf", O_RDONLY) = 3
newfstatat(AT_FDCWD, "/etc/crypto-policies/back-ends/opensslcnf.config", {st_mode=S_IFREG|0644, st_size=831, ...}, 0) = 0
openat(AT_FDCWD, "/etc/crypto-policies/back-ends/opensslcnf.config", O_RDONLY) = 4
openat(AT_FDCWD, "/usr/lib64/ossl-modules/pkcs11.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/var/lib/ipa/dnssec/softhsm_pin", O_RDONLY) = 3
Generating key pair.....+............+..+..........+......+...+..+...+.......+........+.+.....+.+...+.................+....+.....+....+..+...+....+..+...+............+....+.........+.....+......+.......+..+...............+.+.....+....+..+.+.........+.....+.+...+++++++++++++++++++++++++++++++++++++++*...+........................+......+.......+........+....+........+...+....+..+.+...+..+...+....+..+.+...+......+........+...+++++++++++++++++++++++++++++++++++++++*...+...+.+...+......+..+.......+...+.........+...+.....+.+..+..........+........+.........+......+..........+..+....+......+..++++++ ..+....+++++++++++++++++++++++++++++++++++++++*..+...+.........+..+++++++++++++++++++++++++++++++++++++++*.......+.........+...+....+.....+....+..+.......+......+......+...+...+..+.+...........+....+......+...+.....+.......+.....+...................+..+.........+...+...+.......+...+...+......+...+..+..........+........+...+..........+..+......+............+...+.........+.+.........+..+.............+......+............+.........+.....+...+.+.....+....+........+....+.....+....+..+...+.......+..+..........+.....+.+.....+.......+..............+....+.....+.........+......+.......+..............+.+..............+.+..+.+...........+....+.....+.+...+......+..............+.+......+........+...+............+..........+...............+...+...++++++ 
openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
openat(AT_FDCWD, "./Kipa1.test.+008+15904.20ikgl", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
rename("./Kipa1.test.+008+15904.20ikgl", "./Kipa1.test.+008+15904.key") = 0
newfstatat(AT_FDCWD, "./Kipa1.test.+008+15904.private", 0x7ffc58d2f780, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "./Kipa1.test.+008+15904.mkWeU4", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
rename("./Kipa1.test.+008+15904.mkWeU4", "./Kipa1.test.+008+15904.private") = 0
Kipa1.test.+008+15904
+++ exited with 0 +++
[root@master1 dnssec]# ll
total 28
-r--r-----. 1 root ods    566 Nov  1 10:28 ipa-dnskeysyncd.keytab
-rw-r--r--. 1 root root   536 Nov  6 11:57 ipa-openssl.cnf
-rw-r--r--. 1 root root   602 Nov  6 12:14 Kipa1.test.+008+15904.key
-rw-------. 1 root root  1776 Nov  6 12:14 Kipa1.test.+008+15904.private
-rw-r-----. 1 root named  423 Nov  1 10:28 openssl.cnf
-rw-r--r--. 1 root root   145 Nov  1 10:28 softhsm2.conf
-r--------. 1 root root    30 Nov  1 10:28 softhsm_pin_so
[root@master1 dnssec]# cat Kipa1.test.+008+15904.private 
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Created: 20241106121401
Publish: 20241106121401
Activate: 20241106121401
[root@master1 dnssec]# cat Kipa1.test.+008+15904.key 
; This is a zone-signing key, keyid 15904, for ipa1.test.
; Created: 20241106121401 (Wed Nov  6 12:14:01 2024)
; Publish: 20241106121401 (Wed Nov  6 12:14:01 2024)
; Activate: 20241106121401 (Wed Nov  6 12:14:01 2024)
ipa1.test. IN DNSKEY 256 3 8 AwEAAcQDnFPSQKdGZ73nMQE1u1fo4UPtIkQtg9/ZTmzpSY2cR4OJzcSi gkZ8aZcWUEV6epNI/hTqpDoyrwGRXkJGS06/3AtbFgHIhxhoCgcsxmCK xESy8dsMVCGR3Ed/JZ4oVK38FsyPaZauvEVBxcNZz5ZP4ylfa1dKTQu9 dkU/aswNLqmnH2e7es/5S6m+3vCj2LODVTgjIF97t9zZQQJ8eP0zcGoG i5c6Hx+MyxPYNz61Wd/odIsoiHw8e9P/ClQYVPyL8p4HkiWrTYUCmD6V 5lK7pTHqZkA0qKxtLuD5kezUusFeevcmFcYXp/1NJlBE+odvRlWtjRIl 66J6Zphg5A8=

@abbra
Contributor Author

abbra commented Nov 6, 2024

In order to make it work, we need changes to dnssec-keyfromlabel to load the EVP_KEY structure from the URI we pass (e.g. the label).

@abbra abbra added the re-run Trigger a new run of PR-CI label Nov 6, 2024
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Nov 6, 2024
@flo-renaud
Contributor

I tried applying the patch on c10s; it works for me, IPA can be installed and the server can be configured. Note that openssl-pkcs11 is still needed by bind-dyndb-ldap.
