SV: [Opendnssec-develop] SoftHSM

[Roland van Rijswijk]

Hi Rickard,

Rickard Bondesson wrote:
> Does the quotation below imply that you HAVE to assign the other
> values, given by the user, to the generated key?
> 
> "Other attributes supported by the RSA public and private key types
> (specifically, the flags indicating which functions the keys support)
> may also be specified in the templates for the keys, or else are
> assigned default initial values."
> 
> With for example CKM_RSA_PKCS_KEY_PAIR_GEN: Is it ok to just take the
> CKA_MODULUS_BITS and CKA_PUBLIC_EXPONENT (default 65537) from the
> template and ignore the the other values? Then for example assign
> CKA_SIGN = TRUE in our case, since that is what the purpose is with
> the generated keys in the SoftHSM.

The correct way to implement it is as follows:

- It is not mandatory to specify any key attributes. If none are
specified, none are supposed to be set on the object; this means that no
default values should be assigned

- The values specified by the user should not be overridden; you should
copy the values that the user specifies

- The attributes must be enforced by the PKCS #11 module when calls to
functions like C_SignInit are made

- It is up to the implementor of the module whether or not changes are
allowed to these attributes once the object has been created

Summarising: you should not assign a value yourself and you should not
ignore what is in the template. This would go against the PKCS #11
specification.

I hope this answers your question.

Cheers,

Roland.

-- 

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl