Re: [Opendnssec-develop] SoftHSM
Roland van Rijswijk
roland.vanrijswijk at surfnet.nl
Tue Dec 2 12:46:20 UTC 2008
Hi Rickard,
Rickard Bondesson wrote:
> Does the quotation below imply that you HAVE to assign the other
> values, given by the user, to the generated key?
>
> "Other attributes supported by the RSA public and private key types
> (specifically, the flags indicating which functions the keys support)
> may also be specified in the templates for the keys, or else are
> assigned default initial values."
>
> With for example CKM_RSA_PKCS_KEY_PAIR_GEN: Is it ok to just take the
> CKA_MODULUS_BITS and CKA_PUBLIC_EXPONENT (default 65537) from the
> template and ignore the other values? Then for example assign
> CKA_SIGN = TRUE in our case, since that is what the purpose is with
> the generated keys in the SoftHSM.
The correct way to implement it is as follows:
- It is not mandatory to specify any key attributes. If none are
specified, none are supposed to be set on the object; this means that no
default values should be assigned
- The values specified by the user should not be overridden; you should
copy the values that the user specifies
- The attributes must be enforced by the PKCS #11 module when calls to
functions like C_SignInit are made
- It is up to the implementor of the module whether or not changes are
allowed to these attributes once the object has been created
Summarising: you should not assign a value yourself and you should not
ignore what is in the template. This would go against the PKCS #11
specification.
I hope this answers your question.
Cheers,
Roland.
--
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
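The attribute handling Roland describes, as an added example rather than code from SoftHSM or from the thread: a small C model in which key generation copies exactly the attributes the caller's template supplies, assigns no defaults, and leaves enforcement of CKA_SIGN to the C_SignInit step. The types, structures and function names (KeyObject, generate_from_template, sign_init, try_sign_with_template) are this example's own; the attribute and return-code constants mirror the numeric values in the PKCS #11 header. Treating an unset CKA_SIGN as "not permitted" at C_SignInit is this model's fail-closed choice, since Roland's reply only says no default is assigned.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Attribute types and return codes; the numeric values mirror the PKCS #11
 * header (pkcs11t.h). Only the few needed by this model are reproduced. */
typedef unsigned long CK_ULONG;
typedef unsigned long CK_RV;
typedef unsigned char CK_BBOOL;
#define CK_TRUE  1
#define CK_FALSE 0

#define CKA_SIGN                        0x108UL
#define CKA_MODULUS_BITS                0x121UL
#define CKA_PUBLIC_EXPONENT             0x122UL
#define CKR_OK                          0x00UL
#define CKR_HOST_MEMORY                 0x02UL
#define CKR_ATTRIBUTE_VALUE_INVALID     0x13UL
#define CKR_KEY_FUNCTION_NOT_PERMITTED  0x68UL
#define CKR_TEMPLATE_INCOMPLETE         0xD0UL

/* One template entry, shaped like CK_ATTRIBUTE. */
typedef struct { CK_ULONG type; const void *pValue; CK_ULONG ulValueLen; } Attr;

#define MAX_ATTRS   16
#define MAX_VAL_LEN 8   /* enough for CK_BBOOL, CK_ULONG and a small exponent */

/* Hypothetical stored key object: holds exactly the attributes copied from
 * the caller's template and nothing the module invented on its own. */
typedef struct {
    Attr attrs[MAX_ATTRS];
    unsigned char storage[MAX_ATTRS][MAX_VAL_LEN];
    size_t count;
} KeyObject;

/* Return the stored attribute of the given type, or NULL if the template
 * never supplied one. Absence is a real state, distinct from FALSE. */
static const Attr *find_attr(const KeyObject *k, CK_ULONG type) {
    for (size_t i = 0; i < k->count; i++)
        if (k->attrs[i].type == type) return &k->attrs[i];
    return NULL;
}

/* Hypothetical generation step: copy every supplied attribute verbatim and
 * assign no defaults. CKA_MODULUS_BITS is the one value generation cannot
 * proceed without, so its absence is a template error, not a default. */
static CK_RV generate_from_template(const Attr *tmpl, size_t n, KeyObject *out) {
    bool have_bits = false;
    memset(out, 0, sizeof *out);
    if (n > MAX_ATTRS) return CKR_HOST_MEMORY;
    for (size_t i = 0; i < n; i++) {
        if (tmpl[i].pValue == NULL || tmpl[i].ulValueLen == 0 ||
            tmpl[i].ulValueLen > MAX_VAL_LEN)
            return CKR_ATTRIBUTE_VALUE_INVALID;
        if (tmpl[i].type == CKA_MODULUS_BITS) have_bits = true;
        memcpy(out->storage[i], tmpl[i].pValue, tmpl[i].ulValueLen);
        out->attrs[i].type = tmpl[i].type;
        out->attrs[i].pValue = out->storage[i];
        out->attrs[i].ulValueLen = tmpl[i].ulValueLen;
        out->count++;
    }
    if (!have_bits) return CKR_TEMPLATE_INCOMPLETE;
    return CKR_OK;
}

/* Model of the check C_SignInit must perform: the key may sign only if the
 * caller set CKA_SIGN to TRUE. An unset CKA_SIGN fails closed (this model's
 * assumption: no default was assigned, so nothing grants the capability). */
static CK_RV sign_init(const KeyObject *k) {
    const Attr *a = find_attr(k, CKA_SIGN);
    if (a == NULL || a->ulValueLen != sizeof(CK_BBOOL) ||
        *(const CK_BBOOL *)a->pValue != CK_TRUE)
        return CKR_KEY_FUNCTION_NOT_PERMITTED;
    return CKR_OK;
}

/* Build a constructed template, generate, and attempt C_SignInit.
 * sign_flag: -1 = leave CKA_SIGN out, 0 = CKA_SIGN FALSE, 1 = CKA_SIGN TRUE.
 * Writes the number of attributes actually stored to *stored if non-NULL. */
static CK_RV try_sign_with_template(int sign_flag, bool with_bits, size_t *stored) {
    CK_ULONG bits = 2048;
    unsigned char exp[] = { 0x01, 0x00, 0x01 };   /* 65537, big-endian */
    CK_BBOOL sign = sign_flag == 1 ? CK_TRUE : CK_FALSE;
    Attr tmpl[3];
    size_t n = 0;
    KeyObject key;
    CK_RV rv;

    if (with_bits) tmpl[n++] = (Attr){ CKA_MODULUS_BITS, &bits, sizeof bits };
    tmpl[n++] = (Attr){ CKA_PUBLIC_EXPONENT, exp, sizeof exp };
    if (sign_flag >= 0) tmpl[n++] = (Attr){ CKA_SIGN, &sign, sizeof sign };

    rv = generate_from_template(tmpl, n, &key);
    if (stored) *stored = key.count;
    if (rv != CKR_OK) return rv;
    return sign_init(&key);
}

/* How many attributes ended up on the object: equal to the template size,
 * showing that nothing was added and nothing supplied was dropped. */
static size_t stored_attr_count(int sign_flag, bool with_bits) {
    size_t stored = 0;
    (void)try_sign_with_template(sign_flag, with_bits, &stored);
    return stored;
}

int main(void) {
    printf("CKA_SIGN=TRUE   -> 0x%02lx\n", try_sign_with_template(1, true, NULL));
    printf("CKA_SIGN=FALSE  -> 0x%02lx\n", try_sign_with_template(0, true, NULL));
    printf("CKA_SIGN unset  -> 0x%02lx\n", try_sign_with_template(-1, true, NULL));
    printf("no MODULUS_BITS -> 0x%02lx\n", try_sign_with_template(1, false, NULL));
    return 0;
}
```

The three outcomes of interest are the ones Roland's list implies: a template that says CKA_SIGN = FALSE stays FALSE and signing is refused rather than the module flipping it to TRUE for convenience; a template that omits CKA_SIGN gets no invented value, so the object carries only the two attributes it was given; and only CKA_MODULUS_BITS, which generation genuinely cannot do without, is treated as required.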