diff --git a/bin/pkcs11/pkcs11-destroy.8 b/bin/pkcs11/pkcs11-destroy.8
new file mode 100644
index 0000000000..c10de4ab4e
--- /dev/null
+++ b/bin/pkcs11/pkcs11-destroy.8
@@ -0,0 +1,82 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: pkcs11-destroy.8,v 1.2 2009/10/05 12:11:53 fdupont Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: pkcs11\-destroy
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1
+.\" Date: Sep 18, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "PKCS11\-DESTROY" "8" "Sep 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pkcs11\-destroy \- destroy PKCS#11 objects
+.SH "SYNOPSIS"
+.HP 15
+\fBpkcs11\-destroy\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-i\ \fIID\fR | \-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+.SH "DESCRIPTION"
+.PP
+\fBpkcs11\-destroy\fR
+destroys keys stored in a PKCS#11 device, identified by their
+\fBID\fR
+or
+\fBlabel\fR.
+.PP
+Matching keys are displayed before being destroyed. There is a five second delay to allow the user to interrupt the process before the destruction takes place.
+.SH "ARGUMENTS"
+.PP
+\-m \fImodule\fR
+.RS 4
+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
+.RE
+.PP
+\-s \fIslot\fR
+.RS 4
+Open the session with the given PKCS#11 slot. The default is slot 0.
+.RE
+.PP
+\-i \fIID\fR
+.RS 4
+Destroy keys with the given object ID.
+.RE
+.PP
+\-l \fIlabel\fR
+.RS 4
+Destroy keys with the given label.
+.RE
+.PP
+\-p \fIPIN\fR
+.RS 4
+Specify the PIN for the device. If no PIN is provided on the command line,
+\fBpkcs11\-destroy\fR
+will prompt for it.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBpkcs11\-list\fR(3),
+\fBpkcs11\-keygen\fR(3)
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/pkcs11/pkcs11-destroy.html b/bin/pkcs11/pkcs11-destroy.html
new file mode 100644
index 0000000000..3f0adf4538
--- /dev/null
+++ b/bin/pkcs11/pkcs11-destroy.html
@@ -0,0 +1,88 @@
+
+
+
+
+
+
+
+
Name
+
pkcs11-destroy — destroy PKCS#11 objects
+
+
+
Synopsis
+
pkcs11-destroy [-m module] [-s slot] { -i ID | -l label } [-p PIN]
+
+
+
DESCRIPTION
+
+ pkcs11-destroy destroys keys stored in a
+ PKCS#11 device, identified by their ID or
+ label.
+
+
+ Matching keys are displayed before being destroyed. There is a
+ five second delay to allow the user to interrupt the process
+ before the destruction takes place.
+
+
+
+
ARGUMENTS
+
+- -m
module
+
+ Specify the PKCS#11 provider module. This must be the full
+ path to a shared library object implementing the PKCS#11 API
+ for the device.
+
+- -s
slot
+
+ Open the session with the given PKCS#11 slot. The default is
+ slot 0.
+
+- -i
ID
+
+ Destroy keys with the given object ID.
+
+- -l
label
+
+ Destroy keys with the given label.
+
+- -p
PIN
+
+ Specify the PIN for the device. If no PIN is provided on the
+ command line, pkcs11-destroy will prompt for it.
+
+
+
+
+
SEE ALSO
+
+ pkcs11-list(3),
+ pkcs11-keygen(3)
+
+
+
+
AUTHOR
+
Internet Systems Consortium
+
+
+
+
diff --git a/bin/pkcs11/pkcs11-keygen.8 b/bin/pkcs11/pkcs11-keygen.8
new file mode 100644
index 0000000000..db761ad63b
--- /dev/null
+++ b/bin/pkcs11/pkcs11-keygen.8
@@ -0,0 +1,93 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: pkcs11-keygen.8,v 1.2 2009/10/05 12:11:53 fdupont Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: pkcs11\-keygen
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1
+
+
+
Name
+
pkcs11-keygen — generate RSA keys on a PKCS#11 device
+
+
+
Synopsis
+
pkcs11-keygen [-P] [-m module] [-s slot] {-b keysize} {-l label} [-p PIN]
+
+
+
DESCRIPTION
+
+ pkcs11-keygen causes a PKCS#11 device to generate
+ a new RSA key pair with the specified label and
+ with keysize bits of modulus.
+
+
+
+
ARGUMENTS
+
+- -P
+
+ Set the new private key to be non-sensitive and extractable.
+ The allows the private key data to be read from the PKCS#11
+ device. The default is for private keys to be sensitive and
+ non-extractable.
+
+- -m
module
+
+ Specify the PKCS#11 provider module. This must be the full
+ path to a shared library object implementing the PKCS#11 API
+ for the device.
+
+- -s
slot
+
+ Open the session with the given PKCS#11 slot. The default is
+ slot 0.
+
+- -b
keysize
+
+ Create the key pair with keysize bits of
+ modulus.
+
+- -l
label
+
+ Create key objects with the given label.
+
+- -p
PIN
+
+ Specify the PIN for the device. If no PIN is provided on the
+ command line, pkcs11-keygen will prompt for it.
+
+
+
+
+
SEE ALSO
+
+ pkcs11-list(3),
+ pkcs11-destroy(3)
+
+
+
+
CAVEAT
+
The public exponent is hard-wired to 65537.
+
The command should optionally set the object ID too.
+
+
+
AUTHOR
+
Internet Systems Consortium
+
+
+
+
diff --git a/bin/pkcs11/pkcs11-list.8 b/bin/pkcs11/pkcs11-list.8
new file mode 100644
index 0000000000..dd3f21f8df
--- /dev/null
+++ b/bin/pkcs11/pkcs11-list.8
@@ -0,0 +1,86 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: pkcs11-list.8,v 1.2 2009/10/05 12:11:53 fdupont Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: pkcs11\-list
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1
+
+
+
Name
+
pkcs11-list — list PKCS#11 objects
+
+
+
Synopsis
+
pkcs11-list [-P] [-m module] [-s slot] [-i ID] [-l label] [-p PIN]
+
+
+
DESCRIPTION
+
+ pkcs11-list
+ lists the PKCS#11 objects with ID or
+ label or by default all objects.
+
+
+
+
ARGUMENTS
+
+- -P
+
+ List only the public objects. (Note that on some PKCS#11
+ devices, all objects are private.)
+
+- -m
module
+
+ Specify the PKCS#11 provider module. This must be the full
+ path to a shared library object implementing the PKCS#11 API
+ for the device.
+
+- -s
slot
+
+ Open the session with the given PKCS#11 slot. The default is
+ slot 0.
+
+- -i
ID
+
+ List only key objects with the given object ID.
+
+- -l
label
+
+ List only key objects with the given label.
+
+- -p
PIN
+
+ Specify the PIN for the device. If no PIN is provided on the
+ command line, pkcs11-list will prompt for it.
+
+
+
+
+
SEE ALSO
+
+ pkcs11-keygen(3),
+ pkcs11-destroy(3)
+
+
+
+
AUTHOR
+
Internet Systems Consortium
+
+
+
+
diff --git a/configure b/configure
index 97cb06f8f8..96a47c54bc 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
#
-# $Id: configure,v 1.467 2009/10/02 06:28:27 marka Exp $
+# $Id: configure,v 1.468 2009/10/05 12:09:35 fdupont Exp $
#
# Portions Copyright (C) 1996-2001 Nominum, Inc.
#
@@ -29,7 +29,7 @@
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.481 .
+# From configure.in Revision: 1.482 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.61.
#
@@ -896,6 +896,8 @@ DST_OPENSSL_INC
ISC_PLATFORM_OPENSSLHASH
ISC_OPENSSL_INC
USE_PKCS11
+PKCS11_PROVIDER
+PKCS11_TOOLS
ISC_PLATFORM_HAVEGSSAPI
ISC_PLATFORM_GSSAPIHEADER
USE_GSSAPI
@@ -1679,7 +1681,8 @@ Optional Packages:
--with-tags[=TAGS] include additional configurations [automatic]
--with-openssl=PATH Build with OpenSSL yes|no|path.
(Required for DNSSEC)
- --with-pkcs11 Build with PKCS11 support
+ --with-pkcs11=PATH Build with PKCS11 support yes|no|path
+ (PATH is for the PKCS11 provider)
--with-gssapi=PATH Specify path for system-supplied GSSAPI
--with-randomdev=PATH Specify path for random device
--with-ptl2 on NetBSD, use the ptl2 thread library (experimental)
@@ -3957,7 +3960,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 3960 "configure"' > conftest.$ac_ext
+ echo '#line 3963 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -6905,11 +6908,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6908: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6911: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:6912: \$? = $ac_status" >&5
+ echo "$as_me:6915: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -7195,11 +7198,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:7198: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:7201: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:7202: \$? = $ac_status" >&5
+ echo "$as_me:7205: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -7299,11 +7302,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:7302: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:7305: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:7306: \$? = $ac_status" >&5
+ echo "$as_me:7309: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -9663,7 +9666,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <