[Opendnssec-develop] proposed libhsm API
jakob at kirei.se
Thu Apr 23 14:46:29 UTC 2009
On 23 apr 2009, at 16.27, Rickard Bondesson wrote:
> How should we handle the sessions?
internally, without exposing to the user of libhsm.
> We want to allow signing with multiple threads. This needs one
> session per thread. If we connect the session with the HSM, then we
> can only use on thread per HSM. If we connect the session with the
> key, then the threads can not sign with the same key.
it would be nice if we can have the library allocate a bunch of
session and use them when needed, right?
> In other words we either need to keep track of the thread or give
> out session ids via the libhsm interface. A session id which needs
> to be translated to the session id within the HSM.
we could let libhsm return a hsm_context and pass that context around
for each operation, makes sense?
do you pass credentionals to pkcs11 per session? if so, we probably
need to create all sessions for a given library at attach time, but at
that point we don't know about each token? do we require all tokens
accessible with the same library to have shared credentials?
> Then we also would need some interface to open and close sessions...
> and then we are almost creating a new PKCS#11 interface.
I'd say better since we do operations against all HSMs.
More information about the Opendnssec-develop