Bug 1110720
| Field | Value |
|---|---|
| Summary | Rebase to SoftHSM v2 in rawhide (F21) |
| Product | [Fedora] Fedora |
| Component | softhsm |
| Version | 21 |
| Status | CLOSED CURRENTRELEASE |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Petr Spacek <pspacek> |
| Assignee | Paul Wouters <pwouters> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | lslebodn, mbasti, mkosek, pwouters, thozza |
| Keywords | Rebase |
| Doc Type | Rebase: Bug Fixes and Enhancements |
| Type | Bug |
| Last Closed | 2015-01-26 14:47:09 UTC |
| Bug Blocks | 998522, 1097752, 1129048 |

Description
Petr Spacek
2014-06-18 10:33:42 UTC
I have asked OpenDNSSEC-user list for opinions on SoftHSM v2 stability. You can follow the thread here: http://lists.opendnssec.org/pipermail/opendnssec-user/2014-June/003005.html

It would be great to migrate to softhsm-2 and use openssl instead of botan. However, we do need to look and check if we can automatically upgrade people, at least for those installs in /var/softhsm. I expect there are quite a few users of opendnssec that rely on a working softhsm setup.

Created attachment 910425
proof-of-concept SPEC file usable on Fedora 20

I needed to build version 2 on Fedora 20 to explore new softhsm2-keyconv utility so I have created proof-of-concept SPEC file.

(In reply to Petr Spacek from comment #3)
> Created attachment 910425
> proof-of-concept SPEC file usable on Fedora 20
>
> I needed to build version 2 on Fedora 20 to explore new softhsm2-keyconv
> utility so I have created proof-of-concept SPEC file.

There is a small issue in your spec file.

+ autoreconf --install --force
Can't exec "libtoolize": No such file or directory at /usr/share/autoconf/Autom4te/FileUtils.pm line 345, <GEN3> line 5.
autoreconf: failed to run libtoolize: No such file or directory
autoreconf: libtoolize is needed because this package uses Libtool
error: Bad exit status from /var/tmp/rpm-tmp.eu3uAt (%build)
Bad exit status from /var/tmp/rpm-tmp.eu3uAt (%build)
RPM build errors:

Simple change fixes this problem.

--- softhsm.spec.orig 2014-06-20 13:07:38.188470186 +0200 +++ softhsm.spec 2014-06-20 13:08:09.633738475 +0200
@@ -8,6 +8,7 @@ Group: Applications/System BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: openssl-devel, cppunit-devel +BuilDrequires: libtool Requires(pre): shadow-utils %description

Hello, softhsm2 contains the util, softhsm2-migrate, which converts v1 tokens to v2. It requires user-pin, path to v1 database. Should we try to do auto-migration after upgrade to v2? There is a problem with unknown user-pin. Or should we at least show a message for a user to run softhsm2-migrate manually?

Here are some required changes in spec file to build softhsm2-migrate:

+ BuildRequires: sqlite-devel, gcc-c++ + Requires: sqlite >= 3.4.2 - %configure --libdir=%{_libdir}/ --disable-gost + %configure --libdir=%{_libdir}/ --disable-gost --with-migrate

Hello Paul, are we on track with new softhsm in F21? It seems to me that we have everything we need, including the migration scripts + proposed spec file so we should be fine.

I have built softhsm v2 and opendnssec for epel6 for testing: ftp://ftp.nohats.ca/epel6/

However, the migration tools are buggy and there is one crasher in the softhsm v2 code. I've contacted upstream and they are working on fixing this.

Moving the library location can only be done if we leave a symlink, as other tools that can be configured to use a pkcs11 library will have the name hardcoded in their config files. In this case, in conf.xml for opendnssec:

<Module>/usr/lib64/softhsm/libsofthsm.so</Module>

I have realized that DNSSEC in IPA depends on the following code:
https://github.com/opendnssec/SoftHSMv2/pull/90
https://github.com/opendnssec/SoftHSMv2/pull/91

Upstream promised to review the code this week. (OpenDNSSEC code is ready in upstream git so it is possible to start rebasing it, it doesn't depend on SoftHSM.)
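
Review bot: the added line in the `@@ -8,6 +8,7 @@` hunk of softhsm.spec spells the tag `BuilDrequires:`, unlike the `BuildRequires:` on the context line directly above it. Please write it as `BuildRequires: libtool` so the preamble stays consistent and the dependency is found when searching the spec for that tag. The build log quoted with the patch shows autoreconf stopping because libtoolize is missing, so the dependency itself is justified.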
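
The comment above about leaving a symlink when the library moves can be verified after a rebase by checking every `<Module>` path that a config file hardcodes. The script below is an added example, not part of the bug report or the package; the scratch directory layout, the `libsofthsm2.so` name and the second repository entry are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the bug report or the softhsm package.

# Print the value of every <Module> element in a config file, one per line.
# Assumes each element sits on one line, like the conf.xml entry quoted above.
list_modules() {
    sed -n 's:.*<Module>\([^<]*\)</Module>.*:\1:p' "$1"
}

# Report each configured module as OK or MISSING; return 1 if any is missing.
# [ -f ] follows symlinks: a compatibility symlink to the moved library
# passes, a dangling symlink or an absent file fails.
check_modules() {
    missing=0
    modules=$(list_modules "$1")
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ -f "$path" ]; then
            echo "OK $path"
        else
            echo "MISSING $path"
            missing=1
        fi
    done <<EOF
$modules
EOF
    return "$missing"
}

# Constructed demo: a scratch tree standing in for the library directory,
# where the library was moved and only one of two old paths got a symlink.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/softhsm" "$root/pkcs11"
    : > "$root/pkcs11/libsofthsm2.so"    # hypothetical new library location
    ln -s "$root/pkcs11/libsofthsm2.so" "$root/softhsm/libsofthsm.so"
    cat > "$root/conf.xml" <<EOF
<Repository name="SoftHSM">
  <Module>$root/softhsm/libsofthsm.so</Module>
</Repository>
<Repository name="Other">
  <Module>$root/lib/libsofthsm.so</Module>
</Repository>
EOF
    check_modules "$root/conf.xml" | sed "s:$root:ROOT:"
    rm -rf "$root"
}

demo
```

On a real system, `check_modules` would be pointed at the installed configuration file instead of the scratch copy.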