[Opendnssec-develop] Creating tokens for SoftHSM

Roy Arends roy at nominet.org.uk
Wed Feb 11 23:25:21 UTC 2009

Rick van Rein wrote on 02/11/2009 10:42:30 PM:

> Hi,
> > sure, but it would sure be nice if the softhsm utility could export/ 
> > import keys directly into the database, yes?
> It sounds like a waste of time to me, as PKCS #11 and relating tools can 
do it.
> Also it sounds like a way to get things done that oughtn't be doable.

I'm ambivalent about this. I'd leave this one to Rickard. Note that many 
HSM providers, though PKCS11 compatible, also allow for proprietary 
methods to import keys. My point is that I agree with the notion that this 
can be done using PKCS#11, though that the assertion that this is a way to 
get things done that should not be doable is false.
> > when you change the config file, you plug/unplug. you cannot do this 
> > after the softhsm has initialized itself (i.e. opened the database).
> OK.  Removing a token from a slot usually indicates doing so while the
> PKCS #11 library is operational.  I suppose what you are saying is that
> the SoftHSM, which runs as a library to implement PKCS #11, cannot
> actually plug/unplug tokens into/from slots.

Jakob is saying, when you want to emulate plug/unplug, change the config 

> As said before, this (un)plugging behaviour would only be useful when
> mimicing a USB-token or smart card; an HSM would not have this 
> Note that tokens are so low-cost (EUR 50 range) that simulating them is
> not really necessary.

I want to make a general statement, addressed to the group, not 
particularly to the discussion at hand.

I want to iterate that the need for a software emulated HSM is to 
provision for OpenDNSSEC, since that uses the pkcs11 API. There is no 
requirement from our OpenDNSSEC project on softHSM to be fully compatible 
with all the functionality that a HSM (be it smartcards, usb sticks, 
appliances, PCIe cards or what not) might possibly provide. Furthermore, 
we have the resources to test OpenDNSSEC with a plethora of HSM's. This 
restricts OpenDNSSEC to only use a minimal set of necessary calls to still 
be pkcs11 compliant (i.e. not violate the specification). These calls need 
to be implemented in SoftHSM.


Roy Arends
Sr. Researcher
Nominet UK

More information about the Opendnssec-develop mailing list