[Opendnssec-user] SoftHSM question
Rickard Bellgrim
rickard.bellgrim at iis.se
Tue Jun 8 10:56:39 UTC 2010
> pkcs11-tool --module /usr/local/lib/libsofthsm.so --slot 4 -l -p 1234
> -k --id A1B2 --key-type rsa:1024
>
>> Private Key Object; RSA
>> label:
>> ID: a1b2
>> Usage: decrypt, sign, unwrap
>> Public Key Object; RSA 1024 bits
>> label:
>> ID: a1b2
>> Usage: encrypt, verify, wrap
pkcs11-tool sets the public key to a session object, which means that it is removed when the tool closes the session.
> Now this all looks good, but when I look at the file kPair4B2.p8, it contains
> only a private key.
When I export the key pair, I only look in the private key object, because it contains both the private and public key. And when you save the PKCS#8 file, you only save the private key. It contains both the private and public key.
> Also, if I check with
>
> pkcs11-tool --module /usr/local/lib/libsofthsm.so --slot 4 -l -p 1234 -O
>
> I only see the private key:
>
>> Private Key Object; RSA
>> label:
>> ID: a1b2
>> Usage: decrypt, sign, unwrap
>
> Any idea what I'm doing wrong?
This is because pkcs11-tool only saves the private key and not the public key.
> Another question is whether anyone has tried to use SoftHSM from Mozilla Firefox? Is it possible to store a certificate on SoftHSM (I verified that C_CreateObject is there) and are there any issues with non-standard pkcs11 behavior by NSS that you know of?
There is a patch in our ticket system for certificate support. Version 2.0 after this summer will have support for certificates.
// Rickard