[Opendnssec-develop] Creating tokens for SoftHSM

Rick van Rein rick at openfortress.nl
Wed Feb 11 11:04:09 UTC 2009

Hi Rickard,

> During the last meeting we said that only one user PIN should be used per token. And that a security officer (SO) should be able to create a number of tokens. Is it ok to utilize the C_InitToken for this task?

No, that is not the intention of this function.  This function is used when
a token is present in a slot, but yet has to be initialised.  As Roland
explained, there is no PKCS #11 support for creating a new token.

If I were you, I'd simply use a simple configuration file to setup the
softHSM's out-of-band creation of new instances, or otherwise, I'd use
a simple commandline option or run some special command to create new
instances.  Or you could simply run the daemon in multiple processes.

The reason why we are a bit pesky about keeping PKCS #11 implemented as
cleanly as possible by the SoftHSM is that we don't want OpenDNSSEC (or
any other clients using the SoftHSM) to rely on non-standard functionality.
If the SoftHSM is to service as a prepare-for-the-real-thing-device, it
better behave like the real-thing-device :)

> This means that no slots will exist from scratch. By giving an arbitrary slotID, C_InitToken will create a new token and tie it to that slotID. Thus can everything be handled via the PKCS#11 interface.

You cannot call C_InitToken if there's no token in the slot.  Doing so would
(as far as I recall) violate the standard.

Hope this helps,


Rick van Rein

More information about the Opendnssec-develop mailing list