-
Type:
Support
-
Status: Resolved
-
Priority:
Minor
-
Resolution: Cannot Reproduce
-
Affects Version/s: OpenDNSSEC 2.1
-
Fix Version/s: None
-
Component/s: Configuration
-
Labels:None
-
Environment:
master
Hello,
I am sorry for previous invalid duplicate reports on the same issue, please keep this one.
In the configure script I can see explicit PKCS#11 settings that are used during build:
$ ./configure --help | grep pkcs11 --with-pkcs11-softhsm=PATH --with-pkcs11-sca6000=PATH /usr/lib/libpkcs11.so) --with-pkcs11-etoken=PATH --with-pkcs11-opensc=PATH /usr/lib/pkcs11/opensc-pkcs11.so) --with-pkcs11-ncipher=PATH /opt/nfast/toolkits/pkcs11/libcknfast.so) --with-pkcs11-aepkeyper=PATH /opt/Keyper/PKCS11Provider/pkcs11.so)
This is very odd, PKCS#11 interface is a dynamic standard interface for programs to interact with crypto devices, the applications that support PKCS#11 should have a configuration of which provider to load at runtime.
PKCS#11 should not be determine at build time unless application is severely broken and requires tweaks that are provider specific that are hardwired into the code.
The best practice for PKCS#11 aware application is to be able to load any PKCS#11 provider at runtime based on configuration and have a set of configurations with the subset of PKCS#11 spec to use (when applicable).
During build the application should be agnostic to the PKCS#11 provider(s) that will be used during runtime.
Build time can specify a default, however, this is an assumption that in most cases cannot be made, so better to have this as mandatory manual configuration.
Thanks!
Alon