[Cryptech Core] dnssec signer

Rob Austein sra at hactrn.net
Wed Jul 15 12:50:01 UTC 2015


At Wed, 15 Jul 2015 13:57:01 +0200, Jakob Schlyter wrote:
> 
> On 14 jul 2015, at 05:21, Paul Selkirk <paul at psgd.org> wrote:
> > 
> > Except we don't have the last part. The install ends with libpkcs11.so.
> > AIUI, we need the opendnssec signer working over this pkcs11, or we need
> > to quickly implement increment hashing, so we can use the bind9 signer
> > (see ticket #39).
> 
> How hard is it to add increment hashing?

Need ability to save and restore hash core state, because breaking
hashing up into multiple PKCS #11 API calls means that we're releasing
the lock between hash updates, thus have no control over what else
might also be trying to use the same hash core.

Other than that, it's trivial, or at least straightforward.

> And is it only BIND9 that uses it?

I doubt it.  The incremental hashing API in PKCS #11 more closely
resembles what all the library APIs do.  All-at-once is just an API
optimization over the incremental API.

> OpenDNSSEC hashes outside of PKCS#11, I thought (wrongly?) that BIND9
> did that as well.

BIND 9.10 in native PKCS #11 mode (i.e., without OpenSSL, its engine
API, and one of the several flaky engine-to-PKCS #11 shims) uses PKCS
#11 for all cryptographic operations.

Improbable though it may seem, they're trying to reduce the amount of
code in BIND 9.  The stated goal is to get rid of OpenSSL completely
some day.  Haven't finished the job yet, in part because so few HSMs
provide all the necessary functions.
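
The save/restore requirement described in the message above, sketched as an added example (not code from the original message or from the Cryptech project). One shared hash core is modelled by a single state variable, FNV-1a stands in for the real hash only to keep the model short, and the names `session_t`, `digest_update` and `interleaved_ok` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of ONE shared hash core: a single state register.
 * Assumption: FNV-1a stands in for the real hash (not cryptographic). */
static uint64_t core_state;

static void core_init(void) { core_state = 0xcbf29ce484222325ULL; }

static void core_absorb(const char *p) {
    for (; *p; p++) { core_state ^= (uint8_t)*p; core_state *= 0x100000001b3ULL; }
}

/* Hypothetical per-session context kept between incremental calls. */
typedef struct { uint64_t saved; } session_t;

/* Each function models one API call: the core lock is held only for
 * the duration of the call, so another session may run in between. */
void digest_init(session_t *s) { core_init(); s->saved = core_state; }

void digest_update(session_t *s, const char *data, int restore) {
    if (restore) core_state = s->saved; /* reload this session's state */
    core_absorb(data);
    s->saved = core_state;              /* save before the lock is released */
}

uint64_t digest_final(const session_t *s) { return s->saved; }

/* All-at-once hashing: init, absorb, read out under a single lock hold. */
uint64_t digest_oneshot(const char *data) { core_init(); core_absorb(data); return core_state; }

/* Two sessions interleave updates on the shared core (constructed input).
 * Returns 1 if both incremental digests equal the all-at-once digests. */
int interleaved_ok(int restore) {
    session_t a, b;
    digest_init(&a);
    digest_init(&b);
    digest_update(&a, "example.", restore);
    digest_update(&b, "other.", restore);
    digest_update(&a, "com", restore);
    digest_update(&b, "zone", restore);
    return digest_final(&a) == digest_oneshot("example.com") &&
           digest_final(&b) == digest_oneshot("other.zone");
}

int main(void) {
    printf("with save/restore:    %s\n", interleaved_ok(1) ? "match" : "corrupted");
    printf("without save/restore: %s\n", interleaved_ok(0) ? "match" : "corrupted");
    return 0;
}
```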


