[Opendnssec-develop] HSM test program -> develop against SoftHSM?
rickard.bondesson at iis.se
Wed May 6 06:30:09 UTC 2009
> I am working on the HSM testing program, and wondering how to
> test the test program, other than sticking to the PKCS #11
> specification as tightly as possible.
I think that you should write the code as you think that PKCS#11 should work according to the API. The question is whether you should write a test program that allows some minor problems in some corner cases that won't do any harm, or tightly according to the API?
> One approach would be to absolutely ignore the SoftHSM and
> test on another device. But whichever way I turn it, it will
> always be a test against something concrete, not against a
> generic thing like the spec, which it would ideally be.
You have to test the real things (SCA6000, AEP Keyper, SoftHSM, ...) since RSA Labs do not have a soft implementation or otherwise we would not need SoftHSM.
> I am now thinking that I could test against the SoftHSM, and "wrestle"
> with Rickard over who is right/wrong when differences pop up.
> Since the HSM Test code was written in total ignorance of
> the SoftHSM code, and since I will continue to discuss with
> Rickard instead of his code, we would actually end up testing
> to see if the specs are properly implemented on either end.
That is a good idea. Because I am trying to write an HSM according to the API and you are trying to test according to the API. Then we can have a common view. A potential problem might be that the other vendors might have another view, thus breaking the tests. But we can always discuss what might be the problem behind the failure.
> If either of you (or the Cc'd list) sees a formal problem
> with such testing against the SoftHSM then please speak now
> or otherwise I shall proceed.