[Opendnssec-develop] Make the keys extractable from HSM?

Rickard Bellgrim rickard.bellgrim at iis.se
Wed Dec 2 14:38:37 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Note that according to the C_WrapKey specification, setting
> CKA_EXTRACTABLE
> on its own is insufficient for key wrapping; you also need to set
> CKA_WRAP
> on the key.

That is on the key that you want to wrap your private key with. OpenDNSSEC will not do any wrapping, but another application might do that. And it is that application that creates the wrapping key (which must have the CKA_WRAP set to true).

-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSxZ77eCjgaNTdVjaAQhymAf/Roy4rr7wX7RpgV0JctXpzy7UC/+Gjt3Y
bQVwG/6Yfq8oxJ20lXj8v+nea6889+rjOiQxEIeeQKZ4OKfImDoNfdBwM+SlR6cB
5BpfQ535vhzuEo1dSTSkLOkCyQPc0GyYPXZd5shHOJelPsPLSNHF2u0pmVUNrsmd
vUgxPChsPMqgCymjV9i/SCM23TTYPm0YL06H+34vpK0UhnlPI6nOj5tfeuOJ1FhE
mlMYimrud+yRKklt5G2qEpce6Hs5zxC82kTGgi+ziZ/1jwmzji7m8UI6vZBx5UIF
SpDHSFy49C8w5qVyMjuYsO81556akCjYoiDfLv49ghsMPEKGUby6mw==
=2A2j
-----END PGP SIGNATURE-----


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20091202/83c76677/attachment.htm>


More information about the Opendnssec-develop mailing list