[Opendnssec-develop] HSM test program -> develop against SoftHSM?

Rickard Bondesson rickard.bondesson at iis.se
Wed May 6 06:30:09 UTC 2009

Hash: SHA256

> I am working on the HSM testing program, and wondering how to 
> test the test program, other than sticking to the PKCS #11 
> specification as tightly as possible.

I think that you should write the code as you think that PKCS#11 should work according to the API. The question is whether you should write a test program that allows some minor problems in some corner cases that won't do any bad, or tightly according to the API?

> One approach would be to absolutely ignore the SoftHSM and 
> test on another device.  But whichever way I turn it, it will 
> always be a test against something concrete, not against a 
> generic thing like the spec, which it would ideally be.

You have to test the real things (SCA6000, AEP Keyper, SoftHSM, ...) since RSA Labs do not have a soft implementation or otherwise we would not need SoftHSM.

> I am now thinking that I could test against the SoftHSM, and "wrestle"
> with Rickard over who is right/wrong when differences pop up. 
>  Since the HSM Test code was written in total ignorance of 
> the SoftHSM code, and since I will continue to discuss with 
> Rickard instead of his code, we would actually end up testing 
> to see if the specs are properly implemented on either end.

That is a good idea. Because I am trying to write a HSM according to the API and you are trying to test according to the API. Then we can have a common view. A potential problem might be that the other vendors might have another view, thus breaking the tests. But we can always discuss what might be the problem behind the failure.

> If either of you (or the Cc'd list) sees a formal problem 
> with such testing against the SoftHSM then please speak now 
> or otherwise I shall proceed.


// Rickard
Version: 9.8.3 (Build 4028)
Charset: utf-8


More information about the Opendnssec-develop mailing list