[Opendnssec-develop] Creating tokens for SoftHSM
Rick van Rein
rick at openfortress.nl
Wed Feb 11 11:04:09 UTC 2009
> During the last meeting we said that only one user PIN should be used per token. And that a security officer (SO) should be able to create a number of tokens. Is it ok to utilize the C_InitToken for this task?
No, that is not the intention of this function. This function is used when
a token is present in a slot, but yet has to be initialised. As Roland
explained, there is no PKCS #11 support for creating a new token.
If I were you, I'd simply use a simple configuration file to setup the
softHSM's out-of-band creation of new instances, or otherwise, I'd use
a simple commandline option or run some special command to create new
instances. Or you could simply run the daemon in multiple processes.
The reason why we are a bit pesky about keeping PKCS #11 implemented as
cleanly as possible by the SoftHSM is that we don't want OpenDNSSEC (or
any other clients using the SoftHSM) to rely on non-standard functionality.
If the SoftHSM is to service as a prepare-for-the-real-thing-device, it
better behave like the real-thing-device :)
> This means that no slots will exist from scratch. By giving an arbitrary slotID, C_InitToken will create a new token and tie it to that slotID. Thus can everything be handled via the PKCS#11 interface.
You cannot call C_InitToken if there's no token in the slot. Doing so would
(as far as I recall) violate the standard.
Hope this helps,
Rick van Rein
More information about the Opendnssec-develop