Use OpenSSL provider with BIND for Fedora 41+ and RHEL10+ #103

Open

abbra wants to merge 2 commits into sourcery-ai-integration from sai-use-openssl-provider

Conversation

@abbra (Owner) commented Mar 14, 2025

OpenSSL Engine API is deprecated and the ability to compile against it is removed in RHEL10. OpenSSL provider API is the future.

Fedora 41+ also defaults to OpenSSL provider. With pkcs11-provider, the same PKCS#11 modules can be loaded transparently like with OpenSSL engines. Thus, we can update configuration to use the provider API.

TODO:

  • dnssec-keyfromlabel does not work without engine, needs backport from bind 9.20

Fixes: https://pagure.io/freeipa/issue/9696

Summary by Sourcery

This pull request updates the configuration to use the OpenSSL provider API instead of the deprecated OpenSSL Engine API for BIND on Fedora 41+ and RHEL 10+.

Enhancements:

  • Replaces the OpenSSL Engine API with the OpenSSL provider API for BIND configuration, improving compatibility with newer systems.
  • Updates the configuration files and system settings to utilize the OpenSSL provider, ensuring seamless loading of PKCS#11 modules.
  • Modifies the URI format for key installation to be compatible with the OpenSSL provider API.
  • Adjusts the named options to remove '-E pkcs11' when using the OpenSSL provider.
  • Updates the upgrade process to handle the transition to OpenSSL provider.
  • Adds new templates for OpenSSL provider configuration files.
  • Updates platform constants to define whether to use OpenSSL provider or engine based on the OS version.
  • Updates the Makefile to include the new OpenSSL provider configuration templates.
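The two sysconfig changes the description lists for the provider case, removing `-E pkcs11` from the named OPTIONS and pointing OPENSSL_CONF at the provider configuration, plus the platform decision, written out as an added example. This is not the PR's or FreeIPA's code: the function names, the constructed sysconfig sample and the `/path/to/dnssec/openssl.cnf` placeholder (standing in for `paths.DNSSEC_OPENSSL_CONF`) are assumptions made here for illustration.

```python
import re
import shlex
from typing import Optional

# Added example, not FreeIPA code. Names, the sysconfig sample and the
# openssl.cnf path below are constructed for illustration.

# Placeholder for the real path the PR stores as paths.DNSSEC_OPENSSL_CONF.
DNSSEC_OPENSSL_CONF = "/path/to/dnssec/openssl.cnf"

# Constructed sample of a named sysconfig file still carrying the engine flag.
SAMPLE_SYSCONFIG = """\
# constructed sample (not a real /etc/sysconfig/named)
OPTIONS="-4 -E pkcs11"
# DISABLE_ZONE_CHECKING=no
"""


def use_openssl_provider(os_id: str, version: int) -> bool:
    """Platform decision described in the PR: provider API on Fedora 41+
    and RHEL 10+, engine API elsewhere (mapping assumed for this example)."""
    minimum = {"fedora": 41, "rhel": 10}.get(os_id)
    return minimum is not None and version >= minimum


def strip_engine_option(options: str) -> str:
    """Drop the '-E pkcs11' pair from an already-unquoted OPTIONS value.

    The init script expands $OPTIONS unquoted, so plain whitespace splitting
    matches how named receives the arguments.  Only an exact '-E' followed
    by 'pkcs11' is removed; any other '-E <engine>' pair is left alone.
    """
    tokens = options.split()
    kept = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "-E" and i + 1 < len(tokens) and tokens[i + 1] == "pkcs11":
            i += 2  # skip the flag and its argument
            continue
        kept.append(tokens[i])
        i += 1
    return " ".join(kept)


def get_sysconfig_directive(text: str, key: str) -> Optional[str]:
    """Return the raw right-hand side of KEY=... (quotes included) or None.
    Commented-out assignments are ignored."""
    match = re.search(rf"^[ \t]*{re.escape(key)}=(.*)$", text, re.MULTILINE)
    return match.group(1) if match else None


def unquote_sysconfig_value(raw: str) -> str:
    """Undo shell quoting on a sysconfig value, e.g. '"-4 -E pkcs11"'."""
    return " ".join(shlex.split(raw))


def set_sysconfig_directive(text: str, key: str, value: str) -> str:
    """Replace the first active KEY=... line or append one, always writing
    the value double-quoted as sysconfig files conventionally do."""
    new_line = f'{key}="{value}"'
    pattern = re.compile(rf"^[ \t]*{re.escape(key)}=.*$", re.MULTILINE)
    if pattern.search(text):
        return pattern.sub(lambda _m: new_line, text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"


def migrate_named_sysconfig(text: str, openssl_conf: str = DNSSEC_OPENSSL_CONF) -> str:
    """Apply both sysconfig changes the PR makes for the provider case:
    remove '-E pkcs11' from OPTIONS and point OPENSSL_CONF at the
    provider-enabled configuration file.  Running it twice is a no-op."""
    raw = get_sysconfig_directive(text, "OPTIONS")
    if raw is not None:
        cleaned = strip_engine_option(unquote_sysconfig_value(raw))
        text = set_sysconfig_directive(text, "OPTIONS", cleaned)
    return set_sysconfig_directive(text, "OPENSSL_CONF", openssl_conf)


if __name__ == "__main__":
    print(migrate_named_sysconfig(SAMPLE_SYSCONFIG))
```

Tokenising on whitespace rather than `str.replace` keeps an unrelated `-E <other-engine>` intact and does not leave a stray `-E` behind if the argument is ever separated from the flag; the idempotence of the migration matters for an upgrade step that may run on every server upgrade.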

abbra added 2 commits March 14, 2025 16:09
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
OpenSSL Engine API is deprecated and the ability to compile against it is
removed in RHEL10. OpenSSL provider API is the future.

Fedora 41+ also defaults to OpenSSL provider. With pkcs11-provider, the
same PKCS#11 modules can be loaded transparently like with OpenSSL
engines. Thus, we can update configuration to use the provider API.

TODO:
 - dnssec-keyfromlabel does not work without engine, needs backport from
   bind 9.20

Fixes: https://pagure.io/freeipa/issue/9696

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
@sourcery-ai (bot) commented Mar 14, 2025

Reviewer's Guide by Sourcery

This pull request introduces support for the OpenSSL provider API in BIND configuration for Fedora 41+ and RHEL 10+. It modifies the configuration setup, named sysconfig, dnssec-keyfromlabel command, and upgrade process to accommodate the transition from the OpenSSL engine to the provider API. New configuration templates are added for the OpenSSL provider.

Sequence diagram for setting up OpenSSL config for BIND with provider API

sequenceDiagram
    participant dnskeysyncd
    participant ipautil
    participant directivesetter

    dnskeysyncd->>dnskeysyncd: setup_named_openssl_conf()
    alt constants.NAMED_OPENSSL_PROVIDER is not None
        dnskeysyncd->>ipautil: template_file(bind.openssl.provider.cnf.template, conf_file_dict)
        ipautil-->>dnskeysyncd: named_openssl_txt
    end
    dnskeysyncd->>dnskeysyncd: setup_named_sysconfig()
    alt constants.NAMED_OPENSSL_PROVIDER is not None
        dnskeysyncd->>directivesetter: set_directive(sysconfig, OPENSSL_CONF, paths.DNSSEC_OPENSSL_CONF)
    end
    dnskeysyncd->>dnskeysyncd: setup_ipa_dnskeysyncd_sysconfig()
    alt constants.NAMED_OPENSSL_PROVIDER is not None
        dnskeysyncd->>directivesetter: set_directive(sysconfig, OPENSSL_CONF, paths.DNSSEC_OPENSSL_CONF)
    end

File-Level Changes

Change: Introduce OpenSSL provider API support for BIND configuration on Fedora 41+ and RHEL 10+.

Details:
  • Added platform-specific constants to enable OpenSSL provider API usage.
  • Modified the OpenSSL configuration setup to use provider-specific templates when appropriate.
  • Updated the named sysconfig to handle the transition from OpenSSL engine to provider API.
  • Adjusted the dnssec-keyfromlabel command to work with the OpenSSL provider API.
  • Modified the upgrade process to configure the OpenSSL provider API.
  • Added new OpenSSL provider configuration templates.

Files:
  ipaserver/install/dnskeysyncinstance.py
  ipaserver/dnssec/bindmgr.py
  ipaserver/install/server/upgrade.py
  ipaplatform/fedora/constants.py
  ipaplatform/rhel/constants.py
  install/share/Makefile.am
  ipaplatform/base/constants.py
  install/share/bind.openssl.provider.cnf.template
  install/share/bind.openssl.provider.crp.cnf.template

Change: Remove '-E pkcs11' from OPTIONS when using OpenSSL provider.

Details:
  • Remove '-E pkcs11' from OPTIONS when using OpenSSL provider.

Files:
  ipaserver/install/dnskeysyncinstance.py


@sourcery-ai (bot) left a comment

Hey @abbra - I've reviewed your changes - here's some feedback:

Overall Comments:

  • Consider using a helper function to encapsulate the logic for setting directives in setup_named_sysconfig and setup_ipa_dnskeysyncd_sysconfig to reduce code duplication.
  • The logic for removing '-E pkcs11' from options could be simplified by using str.replace.
Here's what I looked at during the review
  • 🟢 General issues: all looks good
  • 🟢 Security: all looks good
  • 🟢 Testing: all looks good
  • 🟡 Complexity: 1 issue found
  • 🟢 Documentation: all looks good


Comment thread ipaserver/install/dnskeysyncinstance.py
)
uri = None
if platformconstants.NAMED_OPENSSL_ENGINE is not None:
uri = "%s;pin-source=%s" % (
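Review bot: the `pin-source=` attribute interpolated into `uri` names the file that holds the token PIN, so the path formatted in here is security-sensitive; a short comment on this line stating that the file is expected to exist already with permissions readable only by the service user would record that expectation for the next reader.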

issue (code-quality): Replace interpolated string formatting with f-string [×5] (replace-interpolation-with-fstring)

if constants.NAMED_OPENSSL_ENGINE is not None:
if any([constants.NAMED_OPENSSL_ENGINE is not None,
constants.NAMED_OPENSSL_PROVIDER is not None]):
directivesetter.set_directive(
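Review bot: `any([... is not None, ... is not None])` builds a two-element list only to test it; `constants.NAMED_OPENSSL_ENGINE is not None or constants.NAMED_OPENSSL_PROVIDER is not None` reads more directly and short-circuits, and binding that condition to one name (for example a module-level `use_pkcs11_openssl_conf`, name hypothetical) would stop it being retyped in front of each guarded `set_directive` call.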

issue (code-quality): We've found these issues:

@abbra abbra force-pushed the sourcery-ai-integration branch 2 times, most recently from 167ae25 to 6796986 Compare March 25, 2025 14:46