[Opendnssec-develop] Creating tokens for SoftHSM
jakob at kirei.se
Wed Feb 11 19:33:26 UTC 2009
On 11 feb 2009, at 15.55, Rick van Rein wrote:
>> 1. the SO can create a token using a program (called "softhsm"). one
>> database file per token.
> Sounds good. Of course there would be no check that it was the SO,
> so it would actually be any user. Unless he sets himself up as the
> SO, which may be the intention of the PIN you are referring to below.
in my view, there is no real SO for SoftHSM.
> So it is the user PIN, and not the SO-PIN?
> (which is fine, it just means that the user runs the program and
> not anyone in an SO capacity -- which is right as we don't have
> that role at all.)
yes, it is the user PIN. the only USER.
>> also, the softhsm utility could be used to export keys in standard
> This is normally done through PKCS #11 and there are tools that do it.
> Of course, the access scrutiny of the token is applied -- which I
> is the proper setup to support. If you cannot export it through
> PKCS #11
> then your code is off -- which is just the sort of thing that you
> want to
> learn from using the SoftHSM.
sure, but it would sure be nice if the softhsm utility could export/
import keys directly into the database, yes?
>> ultimately this should only be done by the SO,
> 1. We have no SO role in the SoftHSM
> 2. Anyone with the proper privileges may export their own keys; the SO
> role is for managing users and tokens, not so much for managing
>> this scheme would also let you "unplug" the token from the slot and
>> move it somewhere else. just like a smartcard.
> Do note that we're simulating an HSM, not a smart card or crypto-token
> setup, but yes, that is a good degree of flexibility. Although I
> seen concrete commands for doing this plugging and unplugging.
when you change the config file, you plug/unplug. you cannot do this
after the softhsm has initialized itself (i.e. opened the database).
More information about the Opendnssec-develop