[Opendnssec-user] Network enabled SoftHSM
Casper Gielen
c.gielen at uvt.nl
Tue Apr 12 11:54:37 UTC 2011
Hello,
I'm constructing a network enabled version of SoftHSM. Although it's
not yet complete, I think it is time to share my work with the world.
I post this now because I'm looking for feedback on the general design
and I hope that other users will be able to help me develop this into
a complete solution.
If anybody knows of any other way of doing PKCS11/(soft)HSM over the
network I would be interested to know about it.
Design
My HSM consists of three parts: softhsm, pkcs11-proxy and stunnel
softHSM is the backend which handles most of the work.
pkcs11-proxy speaks pkcs11 over the network.
stunnel is a general-purpose ssl-wrapper to make the entire thing secure
against network-sniffing.
Schema
ods-signer -> libpkcs11-proxy.so -> stunnel-client ->
<the network> ->
stunnel-server -> pkcs11-proxy-daemon -> libsofthsm.so
Status
The system works, but is not stable. Small scale tests work fine, but it
crashes during longer runs. I'm not sure which part should be blamed but
I'm confident that it can be fixed.
I'm willing to share my configs if anybody is interested, just ask.
--
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
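An added example of how the two stunnel ends of the schema above could be wired; this is not Casper's configuration (which he offers to share on request) and assumes the HSM host is called hsm.example.org, that pkcs11-proxy-daemon listens on loopback port 2345, that stunnel-server listens on port 2346, and that pkcs11-proxy is pointed at its socket through the PKCS11_PROXY_SOCKET / PKCS11_DAEMON_SOCKET environment variables.

```ini
; === Signer host: /etc/stunnel/pkcs11-client.conf ===
; ods-signer loads libpkcs11-proxy.so, which is pointed at the local
; stunnel listener, e.g.  PKCS11_PROXY_SOCKET="tcp://127.0.0.1:2345"
; (variable name as documented by pkcs11-proxy; treated as an assumption here).
client = yes
cert   = /etc/stunnel/signer.pem      ; client certificate, so the HSM host
key    = /etc/stunnel/signer.key      ; can tell which signer is connecting
CAfile = /etc/stunnel/hsm-ca.pem      ; CA that issued the HSM host's cert
verify = 2                            ; require and verify the server cert

[pkcs11]
accept  = 127.0.0.1:2345              ; plain PKCS#11 from libpkcs11-proxy.so
connect = hsm.example.org:2346        ; TLS to the HSM host (hostname assumed)

; === HSM host: /etc/stunnel/pkcs11-server.conf ===
; pkcs11-proxy-daemon is started bound to loopback only, e.g.
;   PKCS11_DAEMON_SOCKET="tcp://127.0.0.1:2345" pkcs11-daemon /usr/lib/softhsm/libsofthsm.so
; (library path assumed), so the only network-reachable entry point
; is the TLS listener below.
cert   = /etc/stunnel/hsm.pem
key    = /etc/stunnel/hsm.key
CAfile = /etc/stunnel/signer-ca.pem   ; CA that issued the signer's client cert
verify = 2                            ; reject peers without a valid client cert

[pkcs11]
accept  = 2346                        ; TLS from stunnel-client
connect = 127.0.0.1:2345              ; to pkcs11-proxy-daemon on loopback
```

With verify = 2 on both ends the TLS hop protects against impersonation and tampering as well as sniffing; without client certificates, anyone who can reach port 2346 can send PKCS#11 calls to the token.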