[Opendnssec-develop] Creating tokens for SoftHSM

John Dickinson jad at jadickinson.co.uk
Wed Feb 11 12:44:46 UTC 2009

On 11 Feb 2009, at 11:04, Rick van Rein wrote:

> Hi Rickard,
>> During the last meeting we said that only one user PIN should be  
>> used per token. And that a security officer (SO) should be able to  
>> create a number of tokens. Is it ok to utilize the C_InitToken for  
>> this task?
> No, that is not the intention of this function.  This function is  
> used when
> a token is present in a slot, but yet has to be initialised.  As  
> Roland
> explained, there is no PKCS #11 support for creating a new token.
> If I were you, I'd simply use a simple configuration file to setup the
> softHSM's out-of-band creation of new instances, or otherwise, I'd use
> a simple commandline option or run some special command to create new
> instances.  Or you could simply run the daemon in multiple processes.

There is no daemon.

> The reason why we are a bit pesky about keeping PKCS #11 implemented  
> as
> cleanly as possible by the SoftHSM is that we don't want OpenDNSSEC  
> (or
> any other clients using the SoftHSM) to rely on non-standard  
> functionality.
> If the SoftHSM is to service as a prepare-for-the-real-thing-device,  
> it
> better behave like the real-thing-device :)

I don't really understand what is wrong with the current softHSM. It  
works with the tools like Roy's hsm-toolkit, opensc's pkcs11-tool etc.  
What is non-standard about these that you are worried about?

As I understand it the difference is only that you don't have to go  
through the step of initializing the HSM before you use it by setting  
the SO pin and user PIN. The fact that this step is missing doesn't  
have any effect on OpenDNSSEC. Rather it only changes the setup  
instructions for the HSM.

That said, I am all for softHSM working properly.


John Dickinson

More information about the Opendnssec-develop mailing list