[Opendnssec-user] SoftHSM question

Bud P. Bruegger bud at ancitel.it
Tue Jun 8 10:39:10 UTC 2010


Hello everyone,

I'm playing around with SoftHSM and would like to ask some (hopefully
not overly stupid) questions:

I'm trying to generate a keypair and export it as follows:

   softhsm --init-token --slot 4 --label "token4" --so-pin 12345678 --pin 1234

    > The token has been initialized.   

   pkcs11-tool --module /usr/local/lib/libsofthsm.so --slot 4 -l -p 1234 -k --id A1B2 --key-type rsa:1024

    > Private Key Object; RSA 
    >   label:      
    >   ID:         a1b2
    >   Usage:      decrypt, sign, unwrap
    > Public Key Object; RSA 1024 bits
    >   label:      
    >   ID:         a1b2
    >   Usage:      encrypt, verify, wrap
   
   softhsm --export kPair4B2.p8 --slot 4 --id A1B2 --pin 1234

    > The key pair has been written to kPair4B2.p8

Now this all looks good, but when I look at the file kPair4B2.p8, it contains
only a private key.

Also, if I check with 

    pkcs11-tool --module /usr/local/lib/libsofthsm.so --slot 4 -l -p 1234 -O

I only see the private key:

    > Private Key Object; RSA 
    >   label:      
    >   ID:         a1b2
    >   Usage:      decrypt, sign, unwrap

Any idea what I'm doing wrong?

Another question is whether anyone has tried to use SoftHSM from Mozilla Firefox. Is it possible to store a certificate on SoftHSM (I verified that C_CreateObject is there), and are there any issues with non-standard pkcs11 behavior by NSS that you know of?

many thanks in advance!

-b


