2711. [port] win32: Add the bin/pkcs11 tools into the full

build. [RT #20372]
2025-08-31 14:35:26 +00:00 · 2009-10-12 16:41:13 +00:00
parent 30bb4870da
commit 6a90baa0d5
8 changed files with 697 additions and 600 deletions
--- a/3
+++ b/3
@@ -1,3 +1,6 @@
+2711.	[port]		win32: Add the bin/pkcs11 tools into the full
+			build. [RT #20372]
+
 2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
 			zone option cause a zone to be signed with only KSKs
 			signing the DNSKEY RRset, not ZSKs.  This reduces
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -41,16 +41,16 @@ choice depends on the HSM hardware:
   secure key storage devices, but lack hardware acceleration.  These
   devices are highly secure, but are not necessarily any faster at
   cryptography than the system CPU--often, they are slower.  It is
-   therefore most efficient to use them only for those operation
+   therefore most efficient to use them only for those cryptographic
   functions that require access to the secured private key, such as
   zone signing, and to use the system CPU for all other computationally-
   intensive operations.  The AEP Keyper is an example of such a device.

-The modified OpenSSL code is included in BIND 9.7.0b1 release in the form
-of a context diff against OpenSSL 0.9.8k.  Before building BIND 9 with
-PKCS #11 support, it will be necessary to build OpenSSL with this patch
-in place and inform it of the path to the HSM-specific PKCS #11 provider
-library.
+The modified OpenSSL code is included in the BIND 9.7.0b1 release, in the
+form of a context diff against OpenSSL 0.9.8k.  Before building BIND 9
+with PKCS #11 support, it will be necessary to build OpenSSL with this
+patch in place and inform it of the path to the HSM-specific PKCS #11
+provider library.

 Obtain OpenSSL 0.9.8k:

@@ -65,8 +65,8 @@ Apply the patch from the BIND 9 release:
    patch -p1 -d openssl-0.9.8k \
            < bind-9.7.0b1/bin/pkcs11/openssl-0.9.8k-patch 

-(Note that the patch file may not be compatible with the "patch" utility
-on all operating systems.  You may need to install GNU patch.)
+(Note that the patch file may not be compatible with the "patch"
+utility on all operating systems.  You may need to install GNU patch.)

 When building OpenSSL, place it in a non-standard location so that it
 does not interfere with OpenSSL libraries elsewhere on the system.
@@ -175,17 +175,18 @@ Configure).

 After configuring, run "make", "make test" and "make install".

+PKCS #11 TOOLS
+
 BIND 9 includes a minimal set of tools to operate the HSM, including
 "pkcs11-keygen" to generate a new key pair within the HSM, "pkcs11-list"
 to list objects currently available, and "pkcs11-destroy" to remove
 objects.

-These tools are built if BIND 9 is configured with the --with-pkcs11
-option.  (NOTE: If --with-pkcs11 is set to "yes", rather than to the
-path of the PKCS #11 provider, then the tools will be built but the
-provider will be left undefined.  Use the -m option or the
-PKCS11_PROVIDER environment variable to specify the path to the
-provider.)
+In UNIX/Linux builds, these tools are built only if BIND 9 is configured
+with the --with-pkcs11 option.  (NOTE: If --with-pkcs11 is set to "yes",
+rather than to the path of the PKCS #11 provider, then the tools will be
+built but the provider will be left undefined.  Use the -m option or the
+PKCS11_PROVIDER environment variable to specify the path to the provider.)

 USING THE HSM

@@ -238,8 +239,8 @@ arguments:
    pkcs11-keygen -b 1024 -l sample-zsk
    dnssec-keyfromlabel -l sample-zsk example.net

-Alternatively, you may prefer to generate a conventional on-disk key, using
-dnssec-keygen:
+Alternatively, you may prefer to generate a conventional on-disk key,
+using dnssec-keygen:

    dnssec-keygen example.net

--- a/config.h.win32
+++ b/config.h.win32
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: config.h.win32,v 1.22 2009/09/02 23:43:54 each Exp $ */
+/* $Id: config.h.win32,v 1.23 2009/10/12 16:41:12 each Exp $ */

 /*
 * win32 configuration file
@@ -248,3 +248,9 @@ typedef long off_t;
 * of libisc, libdns, etc, this must be removed.
 */
 #define BIND9 1
+
+/*
+ * Define if PKCS11 is to be used.
+ */
+/* #undef USE_PKCS11 */
+
--- a/win32utils/BINDBuild.dsw
+++ b/win32utils/BINDBuild.dsw
--- a/win32utils/BuildAll.bat
+++ b/win32utils/BuildAll.bat
@@ -113,6 +113,12 @@ nmake /nologo -f revoke.mak CFG="revoke - Win32 Release"  NO_EXTERNAL_DEPS="1"
 nmake /nologo -f settime.mak CFG="settime - Win32 Release"  NO_EXTERNAL_DEPS="1"
 cd ..\..

+cd pkcs11\win32
+nmake /nologo -f pk11keygen.mak CFG="pk11keygen - Win32 Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo -f pk11list.mak CFG="pk11list - Win32 Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo -f pk11destroy.mak CFG="pk11destroy - Win32 Release"  NO_EXTERNAL_DEPS="1"
+cd ..\..
+
 rem This is the BIND 9 Installer

 cd win32\BINDInstall
--- a/win32utils/BuildSetup.bat
+++ b/win32utils/BuildSetup.bat
@@ -64,6 +64,9 @@ copy ..\bin\dnssec\dnssec-keygen.html ..\Build\Release
 copy ..\bin\dnssec\dnssec-signzone.html ..\Build\Release
 copy ..\bin\dnssec\dnssec-dsfromkey.html ..\Build\Release
 copy ..\bin\dnssec\dnssec-keyfromlabel.html ..\Build\Release
+copy ..\bin\pkcs11\pkcs11-keygen.html ..\Build\Release
+copy ..\bin\pkcs11\pkcs11-list.html ..\Build\Release
+copy ..\bin\pkcs11\pkcs11-destroy.html ..\Build\Release

 echo Copying the migration notes.

--- a/win32utils/setpk11provider.pl
+++ b/win32utils/setpk11provider.pl
@@ -14,16 +14,16 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: setpk11provider.pl,v 1.1 2009/10/06 22:14:13 each Exp $
+# $Id: setpk11provider.pl,v 1.2 2009/10/12 16:41:13 each Exp $

-# setpk11provider
+# setpk11provider.pl
 # This script sets the PKCS#11 provider name in the build scripts.
 #
-# for instance: perl setpk11provider bp201w32HSM
+# for instance: setpk11provider.pl bp201w32HSM
 #

 if ($#ARGV != 0) {
-	die "Usage: perl setpk11provider <pkcs11_provider_dll_name>\n"
+	die "Usage: perl setpk11provider.pl <pkcs11_provider_dll_name>\n"
 }

 my $provider=$ARGV[0];
@@ -31,12 +31,12 @@ my $provider=$ARGV[0];
 $provider =~ s|\.[dD][lL][lL]$||;

 # List of files that need to be updated
-@filelist = ("../bin/pkcs11/win32/pk11keygen.mak",
-             "../bin/pkcs11/win32/pk11keygen.dsp",
-	     "../bin/pkcs11/win32/pk11list.mak",
-             "../bin/pkcs11/win32/pk11list.dsp",
-	     "../bin/pkcs11/win32/pk11destroy.mak",
-             "../bin/pkcs11/win32/pk11destroy.dsp");
+@filelist = ("../bin/pkcs11/win32//pk11keygen.mak",
+             "../bin/pkcs11/win32//pk11keygen.dsp",
+	     "../bin/pkcs11/win32//pk11list.mak",
+             "../bin/pkcs11/win32//pk11list.dsp",
+	     "../bin/pkcs11/win32//pk11destroy.mak",
+             "../bin/pkcs11/win32//pk11destroy.dsp");

 # function to replace the provider define
 sub updatefile {
@@ -62,6 +62,33 @@ sub updatefile {
        close(RFILE);
 }

+# update config.h to define or undefine USE_PKCS11
+sub updateconfig {
+   my($havexml, $substr, $line);
+   my(@Lines);
+
+   $havexml = $_[0];
+
+   open (RFILE, "../config.h") || die "Can't open config.h";
+   @Lines = <RFILE>;
+   close (RFILE);
+
+   foreach $line (@Lines) {
+      if ($havexml) {
+         $line =~ s/^.*#undef USE_PKCS11.*$/define USE_PKCS11 1/;
+      } else {
+         $line =~ s/^#define USE_PKCS11 .*$/\/\* #undef USE_PKCS11 \*\//;
+      }
+   }
+
+   open (RFILE, ">../config.h") || die "Can't open config.h";
+   print "Updating file ../config.h\n";
+   foreach $line (@Lines) {
+      print RFILE $line;
+   }
+   close(RFILE);
+}
+
 #Update the list of files
 if ($provider ne 0) {
   $ind = 0;
@@ -71,4 +98,8 @@ if ($provider ne 0) {
 	updatefile($file, $provider);
 	$ind++;
   }
+   updateconfig(1);
+} else {
+   updateconfig(0);
 }
+
--- a/win32utils/win32-build.txt
+++ b/win32utils/win32-build.txt
@@ -2,7 +2,7 @@ Copyright (C) 2004, 2005, 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2001, 2002  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

-$Id: win32-build.txt,v 1.17 2009/09/24 13:03:39 fdupont Exp $
+$Id: win32-build.txt,v 1.18 2009/10/12 16:41:13 each Exp $

       BIND 9.7 for Win32 Source Build Instructions.  02-Jul-2009

@@ -66,6 +66,12 @@ to see if the build instructions have changed:
  ms\do_masm
  nmake /f ms\ntdll.mak

+If you wish to use PKCS #11 to control a cryptographic hardware service
+module, please see bind9\README.pkcs11.  You will need to apply the patch
+in bind9\bin\pkcs11\openssl-0.9.8k-patch (this can be done using the Cygwin
+'patch' utility) and add --pk11-libname and --pk11-flavor to the Configure
+command above.
+
 Step 2: Download and build libxml2

 Download and untar the libxml2 sources from ftp://xmlsoft.org/libxml2.
@@ -88,6 +94,11 @@ From the command prompt cd to the win32utils directory under
 the BIND9 root:

  cd bind-9.7.0\win32utils
+
+If you wish to use PKCS #11 to control a cryptographic hardware service
+module, set the path to the PKCS #11 provider library:
+
+  perl setpk11provider.pl <DLL path>
  
 If using VC++ 6.0, run the BuildAll.bat file: