[Opendnssec-develop] Creating tokens for SoftHSM

Rick van Rein rick at openfortress.nl
Wed Feb 11 14:55:09 UTC 2009


Good, constructive ideas!

> 1. the SO can create a token using a program (called "softhsm"). one  
> database file per token.

Sounds good.  Of course there would be no check that it was the SO,
so it would actually be any user.  Unless he sets himself up as the
SO, which may be the intention of the PIN you are referring to below.

> 	softhsm --init --pin mekmitasdigoat /var/lib/softhsm/mytoken.db
> 	(if --pin is omitted, it will ask for the pin)

Great, especially the 2nd line ;-)

Creating users can all be done when logged in.

> the private keys of the token is possible encrypted with the pin.

So it is the user PIN, and not the SO-PIN?
	(which is fine, it just means that the user runs the program and
	 not anyone in an SO capacity -- which is right as we don't have
	 that role at all.)

> also, the softhsm utility could be used to export keys in standard PEM  
> format.

This is normally done through PKCS #11 and there are tools that do it.
Of course, the access scrutiny of the token is applied -- which I think
is the proper setup to support.  If you cannot export it through PKCS #11
then your code is off -- which is just the sort of thing that you want to
learn from using the SoftHSM.

> ultimately this should only be done by the SO,

1. We have no SO role in the SoftHSM
2. Anyone with the proper privileges may export their own keys; the SO
   role is for managing users and tokens, not so much for managing keys.

> 2. a configuration file is used to map each file data to slot ("insert  
> the token into the slot")
> 	/etc/softhsm.conf
> 	slot0 = /var/lib/softhsm/mytoken.db
> 	slot1 = /var/lib/softhsm/yourtoken.db
> 	...

Yeah, that's the sort of configfile I was thinking about.  Thanks for
being as concrete as perhaps I should have been.  Good stuff.

> 3. the app links to the softhsm library and authenticates using the pin.


> this scheme would also let you "unplug" the token from the slot and  
> move it somewhere else. just like a smartcard.

Do note that we're simulating an HSM, not a smart card or crypto-token
setup, but yes, that is a good degree of flexibility.  Although I haven't
seen concrete commands for doing this plugging and unplugging.

> would this be a resonable solution?

Given the remarks I made, yes indeed.


More information about the Opendnssec-develop mailing list