SV: [Opendnssec-develop] SoftHSM

Roland van Rijswijk roland.vanrijswijk at
Tue Dec 2 12:46:20 UTC 2008

Hi Rickard,

Rickard Bondesson wrote:
> Does the quotation below imply that you HAVE to assign the other
> values, given by the user, to the generated key?
> "Other attributes supported by the RSA public and private key types
> (specifically, the flags indicating which functions the keys support)
> may also be specified in the templates for the keys, or else are
> assigned default initial values."
> With for example CKM_RSA_PKCS_KEY_PAIR_GEN: Is it ok to just take the
> CKA_MODULUS_BITS and CKA_PUBLIC_EXPONENT (default 65537) from the
> template and ignore the the other values? Then for example assign
> CKA_SIGN = TRUE in our case, since that is what the purpose is with
> the generated keys in the SoftHSM.

The correct way to implement it is as follows:

- It is not mandatory to specify any key attributes. If none are
specified, none are supposed to be set on the object; this means that no
default values should be assigned

- The values specified by the user should not be overridden; you should
copy the values that the user specifies

- The attributes must be enforced by the PKCS #11 module when calls to
functions like C_SignInit are made

- It is up to the implementor of the module whether or not changes are
allowed to these attributes once the object has been created

Summarising: you should not assign a value yourself and you should not
ignore what is in the template. This would go against the PKCS #11

I hope this answers your question.




-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at

More information about the Opendnssec-develop mailing list