Summary: Review Request: openssl-ibmpkcs11 - An openssl PKCS#11 engine
https://bugzilla.redhat.com/show_bug.cgi?id=794793
Summary: Review Request: openssl-ibmpkcs11 - An openssl PKCS#11 engine
Product: Fedora
Version: rawhide
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: medium
Component: Package Review
AssignedTo: nobody@fedoraproject.org
ReportedBy: key@linux.vnet.ibm.com
QAContact: extras-qa@fedoraproject.org
CC: notting@redhat.com, package-review@lists.fedoraproject.org
Classification: Fedora
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---

Spec URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11.spec
SRPM URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11-1.0.0-0.src.rpm
Description: This package contains a shared object OpenSSL dynamic engine for the use with a PKCS#11 implementation such as openCryptoki.
This package provides a library that will bridge the gap between a PKCS#11 implementation, which provides support for storage of keys and certificates and cryptographic hardware support, to the openssl libcrypto library.
Testing:

1. Install openCryptoki:

    # rpm -ivh opencryptoki-2.3.3-2.fc15.i686.rpm opencryptoki-libs-2.3.3-2.fc15.i686.rpm opencryptoki-swtok-2.3.3-2.fc15.i686.rpm

2. Configure openCryptoki:

    # /etc/init.d/pkcsslotd start
    [root@localhost ~]# pkcsconf -t
    Token #0 Info:
            Label: IBM OS PKCS#11
            Manufacturer: IBM Corp.
            Model: IBM SoftTok
            Serial Number: 123
            Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
            Sessions: -1/-1
            R/W Sessions: -1/-1
            PIN Length: 4-8
            Public Memory: 0xFFFFFFFF/0xFFFFFFFF
            Private Memory: 0xFFFFFFFF/0xFFFFFFFF
            Hardware Version: 1.0
            Firmware Version: 1.0
            Time: 10:01:00 AM
    [root@localhost ~]# pkcsconf -I -c 0
    Enter the SO PIN: # (default is 87654321)
    Enter a unique token label: kentinit
    [root@localhost ~]# pkcsconf -P -c 0
    Enter the SO PIN:
    Enter the new SO PIN:
    Re-enter the new SO PIN:
    [root@localhost ~]# pkcsconf -u -c 0
    Enter the SO PIN:
    Enter the new user PIN:
    Re-enter the new user PIN:
    [root@localhost ~]# pkcsconf -t
    Token #0 Info:
            Label: kentinit
            Manufacturer: IBM Corp.
            Model: IBM SoftTok
            Serial Number: 123
            Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
            Sessions: -1/-1
            R/W Sessions: -1/-1
            PIN Length: 4-8
            Public Memory: 0xFFFFFFFF/0xFFFFFFFF
            Private Memory: 0xFFFFFFFF/0xFFFFFFFF
            Hardware Version: 1.0
            Firmware Version: 1.0
            Time: 10:01:44 AM

3. Point openssl at the new engine:

    [root@localhost ~]# openssl engine -t
    (aesni) Intel AES-NI engine (no-aesni)
         [ available ]
    (dynamic) Dynamic engine loading support
         [ unavailable ]
    [root@localhost ~]# OPENSSL_CONF=/usr/share/doc/openssl-ibmpkcs11-1.0.0/openssl.cnf.sample openssl engine -t
    (aesni) Intel AES-NI engine (no-aesni)
         [ available ]
    (dynamic) Dynamic engine loading support
         [ unavailable ]
    (ibmpkcs11) PKCS#11 hardware engine support
         [ available ]

4. Run an openssl speed test using the engine:

    [root@localhost ~]# OPENSSL_CONF=/usr/share/doc/openssl-ibmpkcs11-1.0.0/openssl.cnf.sample openssl engine -c
    (aesni) Intel AES-NI engine (no-aesni)
    (dynamic) Dynamic engine loading support
    (ibmpkcs11) PKCS#11 hardware engine support
     [RSA, RAND, DES-ECB, DES-CBC, DES-EDE3, DES-EDE3-CBC, AES-128-ECB, AES-128-CBC, AES-192-ECB, AES-192-CBC, AES-256-ECB, AES-256-CBC, MD5, SHA1, RSA-SHA1, hmacWithSHA1]
    [root@localhost ~]# OPENSSL_CONF=/usr/share/doc/openssl-ibmpkcs11-1.0.0/openssl.cnf.sample openssl speed -engine ibmpkcs11 -evp des-ecb
    engine "ibmpkcs11" set.
    Doing des-ecb for 3s on 16 size blocks: 3601074 des-ecb's in 2.97s
    Doing des-ecb for 3s on 64 size blocks: 1724899 des-ecb's in 2.97s
    Doing des-ecb for 3s on 256 size blocks: 545990 des-ecb's in 2.90s
    Doing des-ecb for 3s on 1024 size blocks: 156847 des-ecb's in 2.97s
    Doing des-ecb for 3s on 8192 size blocks: 19434 des-ecb's in 2.97s
    OpenSSL 1.0.0e-fips 6 Sep 2011
    built on: Wed Sep 7 18:44:05 UTC 2011
    options:bn(64,32) md2(int) rc4(8x,mmx) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    des-ecb          19399.73k    37169.54k    48197.74k    54077.89k    53603.81k
    [root@localhost ~]#
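Added example, not part of the original bug report: a shell check that decodes the Flags value printed by pkcsconf -t in step 2 and rejects a token that is uninitialised, still has a PIN flagged as to-be-changed (the default PIN), or has a locked PIN. The function names and the readiness policy are assumptions of this example; the bit values are the CKF_* token flags from the PKCS#11 specification.

```shell
#!/bin/sh
# CKF_* token flag bits from the PKCS#11 specification (decimal:name).
CKF_TABLE="1:RNG 2:WRITE_PROTECTED 4:LOGIN_REQUIRED 8:USER_PIN_INITIALIZED
32:RESTORE_KEY_NOT_NEEDED 64:CLOCK_ON_TOKEN 256:PROTECTED_AUTHENTICATION_PATH
512:DUAL_CRYPTO_OPERATIONS 1024:TOKEN_INITIALIZED 2048:SECONDARY_AUTHENTICATION
65536:USER_PIN_COUNT_LOW 131072:USER_PIN_FINAL_TRY 262144:USER_PIN_LOCKED
524288:USER_PIN_TO_BE_CHANGED 1048576:SO_PIN_COUNT_LOW 2097152:SO_PIN_FINAL_TRY
4194304:SO_PIN_LOCKED 8388608:SO_PIN_TO_BE_CHANGED 16777216:ERROR_STATE"

# token_flag_names 0x44D -> prints the names of the set bits joined by '|'.
token_flag_names() {
    value=$(( $1 ))
    names=""
    for pair in $CKF_TABLE; do
        if [ $(( value & ${pair%%:*} )) -ne 0 ]; then
            names="${names:+$names|}${pair#*:}"
        fi
    done
    printf '%s\n' "$names"
}

# token_ready (hypothetical helper): reads `pkcsconf -t` output on stdin and
# checks the first token listed. Returns 0 = ready, 1 = not ready,
# 2 = no Flags line found.
token_ready() {
    hex=$(sed -n 's/^[[:space:]]*Flags:[[:space:]]*\(0x[0-9A-Fa-f]\{1,\}\).*/\1/p' | head -n 1)
    [ -n "$hex" ] || return 2
    value=$(( $hex ))
    need=$(( 0x400 | 0x8 ))   # TOKEN_INITIALIZED and USER_PIN_INITIALIZED
    bad=$(( 0x80000 | 0x800000 | 0x40000 | 0x400000 ))  # *_TO_BE_CHANGED, *_LOCKED
    [ $(( value & need )) -eq "$need" ] || return 1
    [ $(( value & bad )) -eq 0 ] || return 1
    return 0
}

# Constructed sample input: the Flags lines carry the two values shown in step 2.
SAMPLE_FRESH='Token #0 Info:
        Label: IBM OS PKCS#11
        Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)'
SAMPLE_SETUP='Token #0 Info:
        Label: kentinit
        Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)'

for sample in "$SAMPLE_FRESH" "$SAMPLE_SETUP"; do
    hex=$(printf '%s\n' "$sample" | sed -n 's/.*Flags: \(0x[0-9A-Fa-f]*\).*/\1/p')
    if printf '%s\n' "$sample" | token_ready; then state="ready"; else state="NOT ready"; fi
    printf '%s %s: %s\n' "$hex" "$state" "$(token_flag_names "$hex")"
done
```

On a live system the same check is `pkcsconf -t | token_ready`, run before pointing OPENSSL_CONF at the engine configuration.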
Dan Horák dan@danny.cz changed:
What     |Removed                  |Added
----------------------------------------------------------------------------
Status   |NEW                      |ASSIGNED
CC       |                         |dan@danny.cz
Assignee |nobody@fedoraproject.org |dan@danny.cz
Flags    |                         |fedora-review?

--- Comment #1 from Dan Horák dan@danny.cz ---
taking for review
--- Comment #2 from Kent Yoder key@linux.vnet.ibm.com ---
Hi Dan, any status?
Thanks, Kent
--- Comment #3 from IBM Bug Proxy bugproxy@us.ibm.com ---
any update here? This should really make Fedora 19 ... to make RHEL xx based on F19
Thx in advance
--- Comment #4 from Dan Horák dan@danny.cz ---
first notes:
- Release must start with 1 for released projects, %{?dist} is missing - see https://fedoraproject.org/wiki/Packaging:NamingGuidelines#Release_Tag
- use an acronym for License, see https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses for license list, also the licensing is unclear in the source code, simple inclusion of OpenSSL license in the LICENSE file is not sufficient, best option is to include licensing header in all source files or at least a notice in README (any file created by the authors), also read https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ
- Group is wrong, see /usr/share/doc/rpm-*/GROUPS for a list, or omit Group completely
- you can drop BuildRoot, %defattr and whole %clean because rpm will take care of it itself
- there should be no need to export CFLAGS/CPPFLAGS, the %configure macro already does it
- use -q in %setup, drop -n, the %{name}-%{version} format is used by default
- I'd drop the license header on top of the spec completely (if possible), see https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora...
For more information about packaging rules in Fedora please see https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines and if you have any questions please ask.
--- Comment #5 from Dan Horák dan@danny.cz ---
Also I think the %post/%pre ldconfig calls are not necessary if the module is opened by dlopen() from inside of the openssl library, and apps are not directly linked to it (https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#...)
--- Comment #6 from IBM Bug Proxy bugproxy@us.ibm.com --- ------- Comment From mgrf@de.ibm.com 2013-03-06 15:01 EDT-------
Hanns-Joachim Uhl hannsj_uhl@de.ibm.com changed:
What     |Removed                  |Added
----------------------------------------------------------------------------
Blocks   |                         |467765 (ZedoraTracker)
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=467765 [Bug 467765] Fedora for System z (s390): Bug Tracker
Hanns-Joachim Uhl hannsj_uhl@de.ibm.com changed:
What     |Removed                  |Added
----------------------------------------------------------------------------
Blocks   |                         |1274387
Hanns-Joachim Uhl hannsj_uhl@de.ibm.com changed:
What     |Removed                  |Added
----------------------------------------------------------------------------
Hardware |All                      |s390x
Hanns-Joachim Uhl hannsj_uhl@de.ibm.com changed:
What     |Removed                  |Added
----------------------------------------------------------------------------
CC       |                         |mgrf@de.ibm.com
Flags    |                         |needinfo?(bugproxy@us.ibm.com)

--- Comment #7 from Hanns-Joachim Uhl hannsj_uhl@de.ibm.com ---
(In reply to Kent Yoder from comment #0)
> Spec URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11.spec
> SRPM URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11-1.0.0-0.src.rpm
> Description: This package contains a shared object OpenSSL dynamic engine for the use with a PKCS#11 implementation such as openCryptoki.
>
> This package provides a library that will bridge the gap between a PKCS#11 implementation, which provides support for storage of keys and certificates and cryptographic hardware support, to the openssl libcrypto library.
. for the records ... the current upstream location for this package is https://sourceforge.net/projects/opencryptoki/files/PKCS%2311%20OpenSSL%20En... ...
Hanns-Joachim Uhl hannsj_uhl@de.ibm.com changed:
What     |Removed                  |Added
----------------------------------------------------------------------------
Summary  |Review Request:          |Fedora - Review Request:
         |openssl-ibmpkcs11 - An   |openssl-ibmpkcs11 - An
         |openssl PKCS#11 engine   |openssl PKCS#11 engine
Hanns-Joachim Uhl hannsj_uhl@de.ibm.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
External Bug ID |                            |IBM Linux Technology Center
                |                            |139187
Hanns-Joachim Uhl hannsj_uhl@de.ibm.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
External Bug ID |IBM Linux Technology Center |IBM Linux Technology Center
                |139187                      |87865
--- Comment #8 from IBM Bug Proxy bugproxy@us.ibm.com ---
------- Comment From hannsj_uhl@de.ibm.com 2016-03-17 08:39 EDT-------
*** Bug 139187 has been marked as a duplicate of this bug. ***
IBM Bug Proxy bugproxy@us.ibm.com changed:
What     |Removed                        |Added
----------------------------------------------------------------------------
Flags    |needinfo?(bugproxy@us.ibm.com) |
Hanns-Joachim Uhl hannsj_uhl@de.ibm.com changed:
What     |Removed                  |Added
----------------------------------------------------------------------------
Flags    |                         |needinfo?(bugproxy@us.ibm.com)
Georg Markgraf mgrf@de.ibm.com changed:
What     |Removed                  |Added
----------------------------------------------------------------------------
Flags    |                         |needinfo?(dan@danny.cz)

--- Comment #9 from Georg Markgraf mgrf@de.ibm.com ---
Dan, Claudio, are there still questions on this, or is all resolved?
Neal Gompa ngompa13@gmail.com changed:
What     |Removed                  |Added
----------------------------------------------------------------------------
CC       |                         |ngompa13@gmail.com
Summary  |Fedora - Review Request: |Review Request:
         |openssl-ibmpkcs11 - An   |openssl-ibmpkcs11 - An
         |openssl PKCS#11 engine   |openssl PKCS#11 engine
--- Comment #10 from IBM Bug Proxy bugproxy@us.ibm.com ---
------- Comment From ebarretto@br.ibm.com 2017-01-31 06:38 EDT-------
Hi Dan and Hans-Georg,
the openssl-ibmpkcs11 is since last semester under my responsibility as well as opencryptoki.
I'm working on making it stable, whenever I have a break from opencryptoki, as there are many issues on it.
I was not aware of this Fedora requirement and I will make sure as soon as it gets stable that I will implement it.
I don't have a specific date yet for this to be done.
If you need more information or requests just let me know.
Eduardo
Hanns-Joachim Uhl hannsj_uhl@de.ibm.com changed:
What     |Removed                  |Added
----------------------------------------------------------------------------
Blocks   |                         |1498619
Joshua Miller jomiller@redhat.com changed:
What     |Removed                  |Added
----------------------------------------------------------------------------
Blocks   |1498619                  |
--- Comment #11 from IBM Bug Proxy bugproxy@us.ibm.com ---
------- Comment From mgrf@de.ibm.com 2017-12-11 06:03 EDT-------
There is a new version of OpenSSL-ibmpkcs11 available upstream.
You can easily grab this release in tarball format on Github: https://github.com/opencryptoki/openssl-ibmpkcs11/archive/v1.0.1.tar.gz
Please integrate into Fedora
Hanns-Joachim Uhl hannsj_uhl@de.ibm.com changed:
What     |Removed                  |Added
----------------------------------------------------------------------------
Blocks   |                         |1525184
Dan Horák dan@danny.cz changed:
What        |Removed                        |Added
----------------------------------------------------------------------------
Status      |ASSIGNED                       |CLOSED
Resolution  |---                            |DUPLICATE
Flags       |needinfo?(bugproxy@us.ibm.com) |
            |needinfo?(dan@danny.cz)        |
Last Closed |                               |2018-01-22 03:44:20
--- Comment #12 from Dan Horák dan@danny.cz ---
*** This bug has been marked as a duplicate of bug 1536990 ***