[Opendnssec-develop] proposed libhsm API

Jakob Schlyter jakob at kirei.se
Thu Apr 23 14:46:29 UTC 2009

On 23 apr 2009, at 16.27, Rickard Bondesson wrote:

> How should we handle the sessions?

internally, without exposing to the user of libhsm.

> We want to allow signing with multiple threads. This needs one  
> session per thread. If we connect the session with the HSM, then we  
> can only use on thread per HSM. If we connect the session with the  
> key, then the threads can not sign with the same key.

it would be nice if we can have the library allocate a bunch of  
session and use them when needed, right?

> In other words we either need to keep track of the thread or give  
> out session ids via the libhsm interface. A session id which needs  
> to be translated to the session id within the HSM.

we could let libhsm return a hsm_context and pass that context around  
for each operation, makes sense?

do you pass credentionals to pkcs11 per session? if so, we probably  
need to create all sessions for a given library at attach time, but at  
that point we don't know about each token? do we require all tokens  
accessible with the same library to have shared credentials?

> Then we also would need some interface to open and close sessions...  
> and then we are almost creating a new PKCS#11 interface.

I'd say better since we do operations against all HSMs.


More information about the Opendnssec-develop mailing list