[Opendnssec-develop] True Random Number Generator
John Dickinson
jad at jadickinson.co.uk
Mon Jan 12 16:49:30 UTC 2009
On 8 Jan 2009, at 13:41, Rickard Bondesson wrote:
>
>> I agree this should only be done if it is a question of
>> supporting the correct attributes or something simple. Adding
>> certs or symmetric keys is too much. I did try getting the
>> opensc engine to talk to softHSM and it kept complaining
>> about things (they seemed minor) but I didn't note down what
>> they were - I will try again and post a summary.
>
> Ohh. Bug reports are always nice :)
Well, I really like softHSM - it is so easy to use, and I really like
the fact that it sort of creates users every time you use a different
PIN. So simple :)
How about a debug mode where softHSM logs all the pkcs11 calls to a
file (maybe something simple like if you link to a version of the lib
called libsofthsm-DEBUG.so)? (I am thinking of the debug mode of an AEP
Keyper, where it logs if you access it via a host name of HSML instead
of HSM.)
These are my notes on trying to use it with a pkcs11 engine from opensc:
#latest softHSM from svn on ubuntu
#install Botan
cd softHSM
./configure --prefix=/opt/softHSM
make
make install
cd libp11-0.2.4
./configure
make
sudo make install
cd engine_pkcs11-0.1.5
./configure
make
sudo make install
# clean up
cd
rm -rf .softHSM/
# Access the softHSM
pkcs11-tool --module=/opt/softHSM/lib/libsofthsm.so -L
Available slots:
Slot 1 SoftHSM
token label: SoftHSM
token manuf: SoftHSM
token model: SoftHSM
token flags: rng, login required, PIN initialized, token initialized
serial num : 1
# Create a key
pkcs11-tool --module=/opt/softHSM/lib/libsofthsm.so -k --key-type rsa:1024 -l -p 12345678
Key pair generated:
Private Key Object; RSA
label: 090109122259177677
ID: 303930313039313232323539313737363737
Usage: decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
label: 090109122259177677
ID: 303930313039313232323539313737363737
Usage: encrypt, verify, wrap
# List objects
pkcs11-tool --module=/opt/softHSM/lib/libsofthsm.so -O -l -p 12345678
Public Key Object; RSA 1024 bits
label: 090109122259177677
ID: 303930313039313232323539313737363737
Usage: encrypt, verify, wrap
Private Key Object; RSA
label: 090109122259177677
ID: 303930313039313232323539313737363737
Usage: decrypt, sign, unwrap
# Test with openssl speed
# Create an openssl conf file /etc/ssl/openssl.cnf that looks like this:
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
MODULE_PATH = /opt/softHSM/lib/libsofthsm.so
PIN = 12345678
init = 0
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
#end /etc/ssl/openssl.cnf
#then try running it
jad at test1:~$ openssl speed -engine pkcs11
unable to load module /opt/softHSM/lib/libsofthsm.so
can't use that engine
14170:error:80001007:Vendor defined:PKCS11_CTX_load:Invalid arguments:p11_load.c:74:
14170:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed:eng_table.c:161:
As you can see, the problem seems to be with the opensc libp11. Line 74
appears to be checking for errors resulting from calling C_Initialize.
I tried commenting out line 74 to force it to ignore the error, and it
continues but comes up with a similar error later.
John
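A small probe that calls the module directly, with neither libp11 nor the OpenSSL engine in between, to see whether it is dlopen, C_GetFunctionList or C_Initialize that actually fails. This is an added example, not code from the thread or from softHSM; it assumes a Linux build of the module (naturally aligned PKCS#11 structures) and defaults to the /opt/softHSM/lib/libsofthsm.so path used in the notes above.

```python
"""Probe a PKCS#11 module directly, bypassing libp11 and the OpenSSL engine."""
import ctypes
import sys

CK_RV = ctypes.c_ulong
# PKCS#11 return codes that matter when a module is being initialised
CKR_NAMES = {0x00: "CKR_OK", 0x05: "CKR_GENERAL_ERROR", 0x06: "CKR_FUNCTION_FAILED",
             0x07: "CKR_ARGUMENTS_BAD", 0x190: "CKR_CRYPTOKI_NOT_INITIALIZED",
             0x191: "CKR_CRYPTOKI_ALREADY_INITIALIZED"}


class CK_FUNCTION_LIST(ctypes.Structure):
    # Only the leading members are declared; the spec fixes their order, and
    # natural alignment is assumed (Unix pkcs11.h, no struct packing)
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte),
                ("C_Initialize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
                ("C_Finalize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p))]


def probe_pkcs11_module(path):
    """Report how far a module gets: dlopen, C_GetFunctionList, then C_Initialize."""
    result = {"path": path, "stage": "dlopen", "ok": False, "detail": ""}
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:
        result["detail"] = str(exc)  # missing file or unresolved dependency (e.g. Botan)
        return result
    result["stage"] = "C_GetFunctionList"
    if not hasattr(lib, "C_GetFunctionList"):
        result["detail"] = "symbol not exported; not a PKCS#11 module"
        return result
    get_list = lib.C_GetFunctionList
    get_list.restype = CK_RV
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    fl = ctypes.POINTER(CK_FUNCTION_LIST)()
    rv = get_list(ctypes.byref(fl))
    if rv != 0 or not fl:
        result["detail"] = CKR_NAMES.get(rv, hex(rv))
        return result
    result["stage"] = "C_Initialize"
    rv = fl.contents.C_Initialize(None)  # NULL init args, the simplest call
    result["detail"] = "%s (Cryptoki v%d.%d)" % (CKR_NAMES.get(rv, hex(rv)),
                                                 fl.contents.major, fl.contents.minor)
    result["ok"] = rv in (0x00, 0x191)
    if result["ok"]:
        fl.contents.C_Finalize(None)
    return result


if __name__ == "__main__":
    r = probe_pkcs11_module(sys.argv[1] if len(sys.argv) > 1 else "/opt/softHSM/lib/libsofthsm.so")
    print("%s: %s at %s -> %s" % (r["path"], "ok" if r["ok"] else "FAILED", r["stage"], r["detail"]))
```

If the probe reports CKR_OK, the module itself is fine and the fault lies in the engine or libp11 layer; a failure at the dlopen stage usually names the shared library that could not be resolved.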