[Opendnssec-develop] Creating tokens for SoftHSM
Jakob Schlyter
jakob at kirei.se
Wed Feb 11 13:08:22 UTC 2009
what about this idea:
1. the SO can create a token using a program (called "softhsm"). one
database file per token.
softhsm --init --pin mekmitasdigoat /var/lib/softhsm/mytoken.db
(if --pin is omitted, it will ask for the pin)
the private keys of the token are possibly encrypted with the pin.
also, the softhsm utility could be used to export keys in standard PEM
format. ultimately this should only be done by the SO, but since the
app needs to be able to decrypt the keys, I guess we can allow export
using the user PIN only.
softhsm --export --pin mekmitasdigoat --label mykey --out mykey.key /var/lib/softhsm/mytoken.db
(and no, normally you wouldn't specify the pin on the command-line -
softhsm would ask for it on the tty)
2. a configuration file is used to map each file data to slot ("insert
the token into the slot")
/etc/softhsm.conf
slot0 = /var/lib/softhsm/mytoken.db
slot1 = /var/lib/softhsm/yourtoken.db
...
3. the app links to the softhsm library and authenticates using the pin.
this scheme would also let you "unplug" the token from the slot and
move it somewhere else. just like a smartcard.
would this be a reasonable solution?
jakob
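As an added illustration of the proposal above (example code written for this page, not SoftHSM's or OpenDNSSEC's own implementation), the Python below does two things: it parses the proposed `/etc/softhsm.conf` slot-to-file mapping from step 2, rejecting duplicate slots and relative paths so a mistyped config fails instead of silently "inserting" the wrong token, and it shows one way the PIN from step 1 can protect a token file without ever storing the PIN itself, by deriving a key with PBKDF2 and keeping only a salt plus an HMAC verifier. The PBKDF2 iteration count, the verifier label string, and the sample config text are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict

# Constructed sample in the format proposed for /etc/softhsm.conf (not a real file).
SAMPLE_CONF = """\
# slot mapping: slotN = path to the token database
slot0 = /var/lib/softhsm/mytoken.db
slot1 = /var/lib/softhsm/yourtoken.db

slot3 = /var/lib/softhsm/spare.db
"""

_SLOT_RE = re.compile(r"^slot(\d+)\s*=\s*(\S.*?)\s*$")


def parse_slot_config(text: str) -> Dict[int, str]:
    """Map slot numbers to token database paths.

    Blank lines and '#' comments are skipped. Malformed lines, a slot defined
    twice, and relative paths raise ValueError so the library refuses to start
    with an ambiguous slot table rather than guessing.
    """
    slots: Dict[int, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SLOT_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'slotN = /path', got {raw!r}")
        slot, path = int(m.group(1)), m.group(2)
        if slot in slots:
            raise ValueError(f"line {lineno}: slot{slot} defined twice")
        if not os.path.isabs(path):
            raise ValueError(f"line {lineno}: token path must be absolute: {path!r}")
        slots[slot] = path
    return slots


# Assumption for this example: PBKDF2-HMAC-SHA256 with a fixed work factor.
PBKDF2_ITERATIONS = 200_000
_VERIFIER_LABEL = b"softhsm-example-pin-verifier"  # constructed label, not a SoftHSM constant


def derive_pin_key(pin: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from the PIN; this key would wrap the token's private keys."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_pin_record(pin: str) -> Dict[str, bytes]:
    """What 'softhsm --init' would store in the token file: a salt and a verifier, never the PIN."""
    salt = os.urandom(16)
    key = derive_pin_key(pin, salt)
    verifier = hmac.new(key, _VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def check_pin(record: Dict[str, bytes], pin: str) -> bool:
    """Login check for step 3: recompute the verifier and compare in constant time."""
    key = derive_pin_key(pin, record["salt"])
    candidate = hmac.new(key, _VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    for slot, path in sorted(parse_slot_config(SAMPLE_CONF).items()):
        print(f"slot{slot} -> {path}")
    record = make_pin_record("mekmitasdigoat")
    print("correct pin accepted:", check_pin(record, "mekmitasdigoat"))
    print("wrong pin accepted:  ", check_pin(record, "wrong"))
```

A real token file would additionally carry the private keys encrypted under the derived key (an authenticated cipher, with the salt and cipher parameters stored alongside); the verifier alone only lets the library tell a correct PIN from an incorrect one before attempting to unwrap anything.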