[Opendnssec-develop] Creating tokens for SoftHSM
Jakob Schlyter
jakob at kirei.se
Wed Feb 11 19:33:26 UTC 2009
On 11 feb 2009, at 15.55, Rick van Rein wrote:
>> 1. The SO can create a token using a program (called "softhsm"). One database file per token.
>
> Sounds good. Of course there would be no check that it was the SO,
> so it would actually be any user. Unless he sets himself up as the
> SO, which may be the intention of the PIN you are referring to below.
In my view, there is no real SO for SoftHSM.
> So it is the user PIN, and not the SO-PIN?
> (which is fine, it just means that the user runs the program and
> not anyone in an SO capacity -- which is right as we don't have
> that role at all.)
Yes, it is the user PIN. The only USER.
>> Also, the softhsm utility could be used to export keys in standard PEM format.
>
> This is normally done through PKCS #11 and there are tools that do it.
> Of course, the access scrutiny of the token is applied -- which I think
> is the proper setup to support. If you cannot export it through PKCS #11
> then your code is off -- which is just the sort of thing that you want to
> learn from using the SoftHSM.
Sure, but it would sure be nice if the softhsm utility could export/import keys directly into the database, yes?
>> Ultimately this should only be done by the SO,
>
> 1. We have no SO role in the SoftHSM
> 2. Anyone with the proper privileges may export their own keys; the SO
> role is for managing users and tokens, not so much for managing
> keys.
Correct.
>> This scheme would also let you "unplug" the token from the slot and move it somewhere else. Just like a smartcard.
>
> Do note that we're simulating an HSM, not a smart card or crypto-token
> setup, but yes, that is a good degree of flexibility. Although I haven't
> seen concrete commands for doing this plugging and unplugging.
When you change the config file, you plug/unplug. You cannot do this after the softhsm has initialized itself (i.e. opened the database).
jakob
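The point Rick makes above, that exporting through PKCS #11 keeps the token's access checks in the loop while a utility that opens the database directly does not, can be made concrete with a small model. The code below is an added example, not SoftHSM code from the project or this thread: it is an in-memory token with a single USER PIN (no SO role, as the thread agrees), objects carrying the PKCS #11 attributes CKA_PRIVATE, CKA_SENSITIVE and CKA_EXTRACTABLE, and return codes taken from the PKCS #11 specification. The sample objects, the PIN "1234" and the XOR stand-in for a real key-wrapping mechanism are constructed for illustration.

```python
from itertools import cycle

# PKCS #11 return codes and user types used by the model (values per the spec).
CKR_OK = 0x000
CKR_ATTRIBUTE_SENSITIVE = 0x011
CKR_KEY_UNEXTRACTABLE = 0x06A
CKR_OBJECT_HANDLE_INVALID = 0x082
CKR_PIN_INCORRECT = 0x0A0
CKR_USER_TYPE_INVALID = 0x102
CKU_SO, CKU_USER = 0, 1

# Constructed sample contents of one token "database file" (handle -> attributes).
SAMPLE_OBJECTS = {
    1: {"CKA_LABEL": "zsk-private", "CKA_PRIVATE": True,
        "CKA_SENSITIVE": True, "CKA_EXTRACTABLE": False,
        "CKA_VALUE": b"constructed-private-key-bytes"},
    2: {"CKA_LABEL": "backup-secret", "CKA_PRIVATE": True,
        "CKA_SENSITIVE": False, "CKA_EXTRACTABLE": True,
        "CKA_VALUE": b"constructed-secret-key-bytes!"},
    3: {"CKA_LABEL": "zsk-public", "CKA_PRIVATE": False,
        "CKA_SENSITIVE": False, "CKA_EXTRACTABLE": True,
        "CKA_VALUE": b"constructed-public-key-bytes"},
}


class SoftToken:
    """Minimal token model: the PKCS #11 front door enforces the USER login
    and per-object attributes; the database behind it enforces nothing."""

    def __init__(self, user_pin, objects):
        self.user_pin = user_pin
        self.db = {h: dict(attrs) for h, attrs in objects.items()}
        self.logged_in = False

    def login(self, user_type, pin):
        if user_type != CKU_USER:          # only one role exists: the USER
            return CKR_USER_TYPE_INVALID
        if pin != self.user_pin:
            return CKR_PIN_INCORRECT
        self.logged_in = True
        return CKR_OK

    def _visible(self, handle):
        # Private objects are not visible to a session that has not logged in.
        obj = self.db.get(handle)
        if obj is None or (obj["CKA_PRIVATE"] and not self.logged_in):
            return None
        return obj

    def get_attribute_value(self, handle, attr):
        obj = self._visible(handle)
        if obj is None:
            return CKR_OBJECT_HANDLE_INVALID, None
        if attr == "CKA_VALUE" and obj["CKA_SENSITIVE"]:
            return CKR_ATTRIBUTE_SENSITIVE, None   # plaintext never leaves
        return CKR_OK, obj.get(attr)

    def wrap_key(self, wrapping_secret, handle):
        obj = self._visible(handle)
        if obj is None:
            return CKR_OBJECT_HANDLE_INVALID, None
        if not obj["CKA_EXTRACTABLE"]:
            return CKR_KEY_UNEXTRACTABLE, None
        # Stand-in for a real wrapping mechanism (constructed, not PKCS #11).
        wrapped = bytes(a ^ b for a, b in zip(obj["CKA_VALUE"], cycle(wrapping_secret)))
        return CKR_OK, wrapped


def unwrap(wrapping_secret, wrapped):
    """Inverse of the XOR stand-in above, for checking a wrapped export."""
    return bytes(a ^ b for a, b in zip(wrapped, cycle(wrapping_secret)))


def dump_database(token):
    """What a utility that opens the token database directly would see:
    every CKA_VALUE, with no PIN and no attribute checks applied."""
    return {h: obj["CKA_VALUE"] for h, obj in token.db.items()}


def export_attempts(pin):
    """Walk the PKCS #11 front door with the given PIN; return the result
    code of each step so the checks can be compared against dump_database."""
    tok = SoftToken(user_pin="1234", objects=SAMPLE_OBJECTS)
    out = {}
    out["public_before_login"] = tok.get_attribute_value(3, "CKA_VALUE")[0]
    out["private_before_login"] = tok.get_attribute_value(1, "CKA_VALUE")[0]
    out["so_login"] = tok.login(CKU_SO, pin)
    out["user_login"] = tok.login(CKU_USER, pin)
    out["sensitive_read"] = tok.get_attribute_value(1, "CKA_VALUE")[0]
    out["plain_read"] = tok.get_attribute_value(2, "CKA_VALUE")[0]
    out["wrap_unextractable"] = tok.wrap_key(b"kek", 1)[0]
    out["wrap_extractable"] = tok.wrap_key(b"kek", 2)[0]
    return out


if __name__ == "__main__":
    for step, rc in export_attempts("1234").items():
        print(f"{step:24s} -> 0x{rc:03X}")
    print("direct database dump exposes", len(dump_database(
        SoftToken("1234", SAMPLE_OBJECTS))), "key values without any check")
```

The contrast is the whole point: through the PKCS #11 path a sensitive key's value is never returned, an unextractable key cannot be wrapped out, and nothing private is reachable without the USER PIN; a database-level export in the softhsm utility would have to reimplement those rules itself or it silently removes them.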