Bug 1110720 - Rebase to SoftHSM v2 in rawhide (F21)
Summary: Rebase to SoftHSM v2 in rawhide (F21)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: softhsm
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 998522 1097752 1129048
Reported: 2014-06-18 10:33 UTC by Petr Spacek
Modified: 2015-01-26 14:49 UTC (History)

Fixed In Version:
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-26 14:47:09 UTC
Type: Bug
Embargoed:


Attachments
proof-of-concept SPEC file usable on Fedora 20 (3.09 KB, text/x-rpm-spec)
2014-06-19 14:53 UTC, Petr Spacek

Description Petr Spacek 2014-06-18 10:33:42 UTC
According to BIND release notes, PKCS#11 support in BIND 9.10 depends on full PKCS#11 support in HSM:
http://ftp.isc.org/isc/bind9/9.10.0-P2/RELEASE-NOTES-BIND-9.10.0-P2.txt

Unfortunately, SoftHSM v1 has only limited PKCS#11 support, so SoftHSM needs a rebase to v2.

According to
https://issues.opendnssec.org/browse/SOFTHSM
it seems that it should work and my sanity testing with BIND 9.10 confirms that.

Would it be possible to rebase to v2 in rawhide (F21)?

Comment 1 Petr Spacek 2014-06-18 11:59:23 UTC
I have asked OpenDNSSEC-user list for opinions on SoftHSM v2 stability. You can follow the thread here:
http://lists.opendnssec.org/pipermail/opendnssec-user/2014-June/003005.html

Comment 2 Paul Wouters 2014-06-18 20:50:56 UTC
It would be great to migrate to softhsm-2 and use openssl instead of botan.

However, we do need to look and check if we can automatically upgrade people, at least for those installs in /var/softhsm. I expect there are quite a few users of opendnssec that rely on a working softhsm setup.

Comment 3 Petr Spacek 2014-06-19 14:53:30 UTC
Created attachment 910425 [details]
proof-of-concept SPEC file usable on Fedora 20

I needed to build version 2 on Fedora 20 to explore the new softhsm2-keyconv utility, so I have created a proof-of-concept SPEC file.

Comment 4 Lukas Slebodnik 2014-06-20 11:18:29 UTC
(In reply to Petr Spacek from comment #3)
> Created attachment 910425 [details]
> proof-of-concept SPEC file usable on Fedora 20
> 
> I needed to build version 2 on Fedora 20 to explore new softhsm2-keyconv
> utility so I have created proof-of-concept SPEC file.

There is a small issue in your spec file.

+ autoreconf --install --force
Can't exec "libtoolize": No such file or directory at /usr/share/autoconf/Autom4te/FileUtils.pm line 345, <GEN3> line 5.
autoreconf: failed to run libtoolize: No such file or directory
autoreconf: libtoolize is needed because this package uses Libtool
error: Bad exit status from /var/tmp/rpm-tmp.eu3uAt (%build)
    Bad exit status from /var/tmp/rpm-tmp.eu3uAt (%build)
RPM build errors:

A simple change fixes this problem.
--- softhsm.spec.orig    2014-06-20 13:07:38.188470186 +0200
+++ softhsm.spec         2014-06-20 13:08:09.633738475 +0200
@@ -8,6 +8,7 @@
 Group: Applications/System
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: openssl-devel, cppunit-devel
+BuilDrequires: libtool
 Requires(pre): shadow-utils
 
 %description
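Review bot: the added `+` line is spelled `BuilDrequires: libtool`; rpm matches tag names case-insensitively, so the build works, but it should read `BuildRequires: libtool` to match the `BuildRequires: openssl-devel, cppunit-devel` line directly above it (or simply be appended to that line).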

Comment 5 Martin Bašti 2014-07-14 16:03:16 UTC
Hello,

softhsm2 contains the util softhsm2-migrate, which converts v1 tokens to v2.
It requires the user PIN and the path to the v1 database. Should we try to do auto-migration after upgrade to v2? There is a problem with the unknown user PIN. Or should we at least show a message for a user to run softhsm2-migrate manually?


Here are some required changes in spec file to build softhsm2-migrate:
+ BuildRequires: sqlite-devel, gcc-c++
+ Requires: sqlite >= 3.4.2

- %configure --libdir=%{_libdir}/ --disable-gost
+ %configure --libdir=%{_libdir}/ --disable-gost --with-migrate
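Review bot: the explicit `Requires: sqlite >= 3.4.2` duplicates the library dependency rpm generates automatically from the libsqlite3 shared object that softhsm2-migrate links against; drop it, or if the version floor is really needed, add a comment next to the line saying why. The `sqlite-devel, gcc-c++` build requirements and the `--with-migrate` configure flag are consistent with each other.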

Comment 6 Martin Kosek 2014-07-29 10:48:14 UTC
Hello Paul, are we on track with the new softhsm in F21? It seems to me that we have everything we need, including the migration scripts and the proposed spec file, so we should be fine.

Comment 7 Paul Wouters 2014-08-12 19:16:18 UTC
I have built softhsm v2 and opendnssec for epel6 for testing: ftp://ftp.nohats.ca/epel6/

However, the migration tools are buggy and there is one crasher in the softhsm v2 code. I've contacted upstream and they are working on fixing this.

Moving the library location can only be done if we leave a symlink, as other tools that can be configured to use a pkcs11 library will have the name hardcoded in their config files. In this case, in conf.xml for opendnssec:

<Module>/usr/lib64/softhsm/libsofthsm.so</Module>
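The two upgrade concerns raised in comments 5 and 7 (no automatic migration because the package never knows the user PIN, and a compatibility symlink so the library path hard-coded in conf.xml keeps working) as an added POSIX shell sketch of a %post-style hook. This is example code, not from the bug or the Fedora softhsm package; the "slot:path" line format of the v1 softhsm.conf, the /var/softhsm location and the libsofthsm2.so file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Fedora softhsm package.
# Sketch of a %post-style hook for the v1 -> v2 upgrade:
#  (1) v1 tokens are only reported, never migrated, because softhsm2-migrate
#      needs the user PIN, which the package does not have;
#  (2) the old library path is kept as a symlink because tools such as
#      OpenDNSSEC hard-code it in conf.xml.
# Assumptions: v1 softhsm.conf lists tokens as "<slot>:<db path>" lines,
# and the v2 library file is named libsofthsm2.so.

# Print the v1 token database paths named in config file $1.
# Returns 0 if at least one of them exists on disk, 1 otherwise.
list_v1_tokens() {
    conf="$1"; found=1
    [ -r "$conf" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks/comments
        db="${line#*:}"                             # strip "<slot>:" prefix
        if [ -f "$db" ]; then
            printf '%s\n' "$db"
            found=0
        fi
    done < "$conf"
    return $found
}

# Keep the old library path working: $1 = old path, $2 = new v2 library.
# Creates the symlink only when the old path is absent and the new one exists.
ensure_compat_symlink() {
    old="$1"; new="$2"
    [ -e "$old" ] && return 0       # a real file or link is already there
    [ -e "$new" ] || return 1       # nothing to point at
    ln -s "$new" "$old"
}

# Upgrade hook: returns 2 when a manual softhsm2-migrate run is required,
# 0 when no v1 tokens were found. $1 = v1 conf, $2 = old lib, $3 = new lib.
post_upgrade() {
    conf="$1"; old="$2"; new="$3"
    ensure_compat_symlink "$old" "$new" || echo "warning: $new missing" >&2
    if tokens=$(list_v1_tokens "$conf"); then
        echo "SoftHSM v1 tokens found; run softhsm2-migrate with the user PIN for:"
        echo "$tokens" | sed 's/^/  /'
        return 2
    fi
    return 0
}
```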

Comment 8 Petr Spacek 2014-10-06 12:11:47 UTC
I have realized that DNSSEC in IPA depends on the following code:
https://github.com/opendnssec/SoftHSMv2/pull/90
https://github.com/opendnssec/SoftHSMv2/pull/91

Upstream promised to review the code this week. (OpenDNSSEC code is ready in upstream git, so it is possible to start rebasing it; it doesn't depend on SoftHSM.)

