Create private keys with PKCS#11 object

If there is a keystore configured with a PKCS#11 URI, zones that are using a dnssec-policy that uses such a keystore should create keys via the PKCS#11 interface. Those keys are generally stored inside an HSM. Some changes to the code are required, to store the engine reference into the keystore.
2025-08-30 22:15:20 +00:00 · 2022-02-28 11:50:43 +01:00
parent d795710541
commit f096472eb4
10 changed files with 314 additions and 41 deletions
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -366,13 +366,17 @@ progress_cb(int p, int n, BN_GENCB *cb) {
 }

 static isc_result_t
-opensslrsa_generate_pkey(unsigned int key_size, BIGNUM *e,
+opensslrsa_generate_pkey(unsigned int key_size, const char *object, BIGNUM *e,
 			 void (*callback)(int), EVP_PKEY **retkey) {
-	RSA *rsa = RSA_new();
-	EVP_PKEY *pkey = EVP_PKEY_new();
+	RSA *rsa = NULL;
+	EVP_PKEY *pkey = NULL;
 	BN_GENCB *cb = NULL;
 	isc_result_t ret;

+	UNUSED(object);
+
+	rsa = RSA_new();
+	pkey = EVP_PKEY_new();
 	if (rsa == NULL || pkey == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
@@ -493,11 +497,69 @@ progress_cb(EVP_PKEY_CTX *ctx) {
 }

 static isc_result_t
-opensslrsa_generate_pkey(unsigned int key_size, BIGNUM *e,
+opensslrsa_generate_pkey_with_object(size_t key_size, const char *object,
+				     EVP_PKEY **retkey) {
+	EVP_PKEY_CTX *ctx = NULL;
+	OSSL_PARAM params[4];
+	unsigned char id[16];
+	char *label = UNCONST(object);
+	isc_result_t ret;
+	int status;
+
+	status = RAND_bytes(id, 16);
+	if (status != 1) {
+		DST_RET(dst__openssl_toresult2("RAND_bytes",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_key_label", label,
+						     0);
+	params[1] = OSSL_PARAM_construct_octet_string("pkcs11_key_id", id, 16);
+	params[2] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
+	params[3] = OSSL_PARAM_construct_end();
+
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", "provider=pkcs11");
+	if (ctx == NULL) {
+		DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_new_from_name",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	status = EVP_PKEY_keygen_init(ctx);
+	if (status != 1) {
+		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	status = EVP_PKEY_CTX_set_params(ctx, params);
+	if (status != 1) {
+		DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_set_params",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	status = EVP_PKEY_generate(ctx, retkey);
+	if (status != 1) {
+		DST_RET(dst__openssl_toresult2("EVP_PKEY_generate",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	ret = ISC_R_SUCCESS;
+err:
+	EVP_PKEY_CTX_free(ctx);
+	return (ret);
+}
+
+static isc_result_t
+opensslrsa_generate_pkey(unsigned int key_size, const char *object, BIGNUM *e,
 			 void (*callback)(int), EVP_PKEY **retkey) {
-	EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+	EVP_PKEY_CTX *ctx;
 	isc_result_t ret;

+	if (object != NULL) {
+		return (opensslrsa_generate_pkey_with_object(key_size, object,
+							     retkey));
+	}
+
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
 	if (ctx == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
@@ -669,7 +731,8 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 		BN_set_bit(e, 32);
 	}

-	ret = opensslrsa_generate_pkey(key->key_size, e, callback, &pkey);
+	ret = opensslrsa_generate_pkey(key->key_size, key->object, e, callback,
+				       &pkey);
 	if (ret != ISC_R_SUCCESS) {
 		goto err;
 	}