[Opendnssec-develop] hsmutil test implemented

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Tue Aug 25 10:23:32 UTC 2009

Hi Jakob,

Jakob Schlyter wrote:
> On 25 aug 2009, at 12.06, Roland van Rijswijk wrote:
>> Having said the below, what do you actually use the random data for? I
>> suppose for salting in NSEC3?
>> find . -type f -name '*.c' | xargs grep 'hsm_random'
> ./enforcer/ksm/ksm_policy.c:                status =
> hsm_random_buffer(ctx, newsalt, policy->denial->saltlength);
> yes :-)
> and only that.


I guess a note somewhere in the documentation or perhaps in the HSM
Buyer's Guide? Perhaps a criterium should be: implements
C_GenerateRandom -- CKF_RNG set in the CK_TOKEN_INFO structure returned
by C_GetTokenInfo and C_GenerateRandom does not return CKR_RANDOM_NO_RNG.

And maybe a note about the quality of random data etc. would be useful.

IMHO it's completely out of scope to test the quality of the RNG we use
when using an external PKCS #11 module.




-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

More information about the Opendnssec-develop mailing list