Remove all pkcs11 variants

Recent freeipa uses openssl backend pkcs11 to offload keys to secure storage. Remove duplicate native builds of pkcs11 tools and daemon. Do not build tools like pkcs11-tokens, rely or more advanced tools p11tool and pkcs11-tool. Keep setup-named-softhsm as part of named package.
2022-06-28 20:19:10 +02:00 · 2022-06-28 20:19:10 +02:00 · 989a3e3876
commit 989a3e3876
parent 411463dad7
2 changed files with 8 additions and 169 deletions
--- a/bind.spec
+++ b/bind.spec
@ -7,9 +7,6 @@
 # bcond_with is built only when --with X is passed to build
 %bcond_with    SYSTEMTEST
 %bcond_without GSSTSIG
-# it is not possible to build the package without PKCS11 sub-package
-# due to extensive changes to Makefiles
-%bcond_with PKCS11 # TODO: Remove
 %bcond_without JSON
 # FIXME: Not ready. Should it be worked on?
 %bcond_without DLZ
@ -92,7 +89,6 @@ Source42: generate-rndc-key.sh
 Source43: named.rwtab
 Source44: named-chroot-setup.service
 Source46: named-setup-rndc.service
-Source47: named-pkcs11.service
 Source48: setup-named-softhsm.sh
 Source49: named-chroot.files

@ -111,6 +107,7 @@ Requires(post): grep
 Requires:       %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Recommends:     %{name}-utils %{name}-dnssec-utils
 %upname_compat %{upname}
+Obsoletes:      %{name}-pkcs11 < 32:9.18.4-2

 BuildRequires:  gcc, make
 BuildRequires:  openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
@ -131,7 +128,7 @@ BuildRequires:  openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-d
 # make unit dependencies
 BuildRequires:  libcmocka-devel
 %endif
-%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
+%if %{with UNITTEST} || %{with SYSTEMTEST}
 BuildRequires:  softhsm
 %endif
 %if %{with SYSTEMTEST}
@ -175,60 +172,12 @@ which resolves host names to IP addresses; a resolver library
 (routines for applications to use when interfacing with DNS); and
 tools for verifying that the DNS server is operating properly.

-%if %{with PKCS11}
-%package pkcs11
-Summary: Bind with native PKCS#11 functionality for crypto
-Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
-Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
-Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
-Recommends: softhsm
-
-%description pkcs11
-This is a version of BIND server built with native PKCS#11 functionality.
-It is important to have SoftHSM v2+ installed and some token initialized.
-For other supported HSM modules please check the BIND documentation.
-
-# TODO: Those utils can be used also without pkcs11 variant, but are not?
-%package pkcs11-utils
-Summary: Bind tools with native PKCS#11 for using DNSSEC
-Obsoletes: %{name}-pkcs11 < 32:9.9.4-16.P2
-Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release}
-%if %{with PKCS11}
-Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
-%endif
-
-%description pkcs11-utils
-This is a set of PKCS#11 utilities that when used together create rsa
-keys in a PKCS11 keystore.
-%if %{with PKCS11}
-Also utilities for working with DNSSEC
-compiled with native PKCS#11 functionality are included.
-%endif
-
-%package pkcs11-libs
-Summary: Bind libraries compiled with native PKCS#11
-Requires: %{name}-license = %{epoch}:%{version}-%{release}
-Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
-
-%description pkcs11-libs
-This is a set of BIND libraries (dns, isc) compiled with native PKCS#11
-functionality.
-
-%package pkcs11-devel
-Summary: Development files for Bind libraries compiled with native PKCS#11
-Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
-Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
-
-%description pkcs11-devel
-This a set of development files for BIND libraries (dns, isc) compiled
-with native PKCS#11 functionality.
-%endif
-
 %package libs
 Summary: Libraries used by the BIND DNS packages
 Requires: %{name}-license = %{epoch}:%{version}-%{release}
 Provides: %{name}-libs-lite = %{epoch}:%{version}-%{release}
 Obsoletes: %{name}-libs-lite < 32:9.16.13
+Obsoletes: %{name}-pkcs11-libs < 32:9.18.4-2

 %description libs
 Contains heavyweight version of BIND suite libraries used by both named DNS
@ -246,6 +195,7 @@ Summary: Utilities for querying DNS name servers
 Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 # For compatibility with Debian package
 Provides: dnsutils = %{epoch}:%{version}-%{release}
+Obsoletes: %{name}-pkcs11-utils < 32:9.18.4-2
 %upname_compat %{upname}-utils

 %description utils
@ -262,8 +212,8 @@ servers.
 Summary: DNSSEC keys and zones management utilities
 Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Recommends: %{name}-utils
-Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release}
 Obsoletes: python3-%{name} < 32:9.18.0
+Obsoletes: %{name}-dnssec-doc < 32:9.18.4
 %upname_compat %{upname}-dnssec-utils

 %description dnssec-utils
@ -274,14 +224,6 @@ revocation and verification of keys and DNSSEC signatures in zone files.
 You should install %{name}-dnssec-utils if you need to sign a DNS zone
 or maintain keys for it.

-%package dnssec-doc
-Summary: Manual pages of DNSSEC utilities
-Requires: %{name}-license = %{epoch}:%{version}-%{release}
-BuildArch:noarch
-
-%description dnssec-doc
-%{name}-dnssec-doc contains manual pages for %{name}-dnssec-utils.
-
 %package devel
 Summary:  Header files and libraries needed for bind-dyndb-ldap
 Provides: %{name}-lite-devel = %{epoch}:%{version}-%{release}
@ -441,10 +383,6 @@ export LIBDIR_SUFFIX
 %if %{with GEOIP2}
  --with-maxminddb \
 %endif
-%if %{with PKCS11}
-  --enable-native-pkcs11 \
-  --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \
-%endif
 %if %{with GSSTSIG}
  --with-gssapi=yes \
 %endif
@ -499,7 +437,7 @@ popd # build
 %systemtest_prepare_build build

 %check
-%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
+%if %{with UNITTEST} || %{with SYSTEMTEST}
  # Tests require initialization of pkcs11 token
  eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")"
 %endif
@ -594,17 +532,11 @@ install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir}
 install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir}
 install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}

-%if %{with PKCS11}
-install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir}
-%endif
-
 mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
 install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
 install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh

-%if %{with PKCS11}
 install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh
-%endif

 install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
@ -639,22 +571,6 @@ popd
 # Remove libtool .la files:
 find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';

-# PKCS11 versions manpages
-%if %{with PKCS11}
-pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
-ln -s named.8.gz named-pkcs11.8.gz
-ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
-ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
-ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz
-ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
-ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
-ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz
-ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz
-ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz
-ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz
-popd
-%endif
-
 # 9.16.4 installs even manual pages for tools not generated
 %if %{without DNSTAP}
 rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/dnstap-read.1* || true
@ -770,20 +686,6 @@ fi
 # Package upgrade, not uninstall
 %systemd_postun_with_restart named.service

-%if %{with PKCS11}
-%post pkcs11
-# Initial installation
-%systemd_post named-pkcs11.service
-
-%preun pkcs11
-# Package removal, not upgrade
-%systemd_preun named-pkcs11.service
-
-%postun pkcs11
-# Package upgrade, not uninstall
-%systemd_postun_with_restart named-pkcs11.service
-%endif
-
 # Fix permissions on existing device files on upgrade
 %define chroot_fix_devices() \
 if [ $1 -gt 1 ]; then \
@ -813,10 +715,6 @@ fi

 %ldconfig_scriptlets libs

-%if %{with PKCS11}
-%ldconfig_scriptlets pkcs11-libs
-%endif
-
 %post chroot
 %systemd_post named-chroot.service
 %chroot_fix_devices %{chroot_prefix}
@ -859,6 +757,7 @@ fi;
 %{_sbindir}/rndc*
 %{_sbindir}/named-checkconf
 %{_libexecdir}/generate-rndc-key.sh
+%{_libexecdir}/setup-named-softhsm.sh
 %{_mandir}/man1/mdig.1*
 %{_mandir}/man1/named-rrchecker.1*
 %{_mandir}/man5/named.conf.5*
@ -947,15 +846,7 @@ fi;

 %files dnssec-utils
 %{_bindir}/dnssec*
-%if %{with PKCS11}
-%exclude %{_sbindir}/dnssec*pkcs11
-%endif
-
-%files dnssec-doc
 %{_mandir}/man1/dnssec*.1*
-%if %{with PKCS11}
-%exclude %{_mandir}/man1/dnssec*-pkcs11.1*
-%endif

 %files devel
 %{_libdir}/libbind9.so
@ -1012,33 +903,6 @@ fi;
 %dir %{chroot_prefix}/run/named
 %{chroot_prefix}%{_localstatedir}/run

-%if %{with PKCS11}
-%files pkcs11
-%{_sbindir}/named-pkcs11
-%{_unitdir}/named-pkcs11.service
-%{_mandir}/man8/named-pkcs11.8*
-%{_libexecdir}/setup-named-softhsm.sh
-
-%files pkcs11-utils
-%{_bindir}/pkcs11-destroy
-%{_bindir}/pkcs11-keygen
-%{_bindir}/pkcs11-list
-%{_bindir}/pkcs11-tokens
-%{_mandir}/man1/pkcs11-*.1*
-%if %{with PKCS11}
-%{_bindir}/dnssec*pkcs11
-%{_mandir}/man1/dnssec*-pkcs11.1*
-%endif
-
-%files pkcs11-libs
-%{_libdir}/libdns-pkcs11-%{version}*.so
-%{_libdir}/libns-pkcs11-%{version}*.so
-
-%files pkcs11-devel
-%{_libdir}/libdns-pkcs11.so
-%{_libdir}/libns-pkcs11.so
-%endif
-
 %if %{with DLZ}
 %files dlz-filesystem
 %{_libdir}/{named,bind}/dlz_filesystem_dynamic.so
@ -1072,6 +936,7 @@ fi;
 * Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-2
 - Stop enabling selinux booleans on every upgrade
 - Deprecate python3-bind for smooth upgrade
+- Remove PKCS1111 native utilities, libs and daemon

 * Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-1
 - Update to 9.18.4 (#2057493)
--- a/named-pkcs11.service
+++ b/named-pkcs11.service
@ -1,26 +0,0 @@
-[Unit]
-Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
-Wants=nss-lookup.target
-Wants=named-setup-rndc.service
-Before=nss-lookup.target
-After=network.target
-After=named-setup-rndc.service
-
-[Service]
-Type=forking
-Environment=NAMEDCONF=/etc/named.conf
-EnvironmentFile=-/etc/sysconfig/named
-Environment=KRB5_KTNAME=/etc/named.keytab
-PIDFile=/run/named/named.pid
-
-ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
-ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
-
-ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
-
-ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
-
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target