[Opendnssec-user] Network enabled SoftHSM

Casper Gielen c.gielen at uvt.nl
Tue Apr 12 13:51:32 UTC 2011


On 12-04-11 14:55, Rickard Bellgrim wrote:
> Hi Casper
> 
> On 12 apr 2011, at 13.54, Casper Gielen wrote:
> 
>> I post this now because I'm looking for feedback on the general design
>> and I hope that other users will be able to help me develop this into
>> a complete solution.
>> If anybody knows of any other way of doing PKCS11/(soft)HSM over the
>> network I would be interested to know about it.
> 
> This sounds really interesting. Great that you are doing this work. 
> Your design is similar to what we have been discussing about.
> Are you going to release your work somewhere?

Good to hear that others have been thinking along the same lines.
I will certainly document my solution. Everything you need is already
in my previous post, but I will write a more extensive manual when/if
I get it to be stable.

Here is a slightly more elaborate example. The pkcs11-proxy package
is not in any public repositories as far as I know; the source can be found
at http://floss.commonit.com/pkcs11-proxy.html .


server1$ sudo aptitude install softhsm libsofthsm pkcs11-daemon stunnel

Most important part from /etc/stunnel/stunnel.conf:
[pkcs11]
# listen on port 2345/ssl and forward it to localhost:2344
# (server mode also needs a cert = line, assumed to be in the global section)
accept  = 2345
connect = localhost:2344

server1$ softhsm --init-token --slot 0 --label MyHSM
server1$ sudo /etc/init.d/stunnel start
# the daemon speaks cleartext PKCS#11, so bind it to loopback only and let
# stunnel be the only way to reach it from another host
server1$ PKCS11_DAEMON_SOCKET="tcp://127.0.0.1:2344" pkcs11-daemon /usr/lib/libsofthsm.so

server2$ sudo aptitude install pkcs11-proxy stunnel opendnssec

Most important part from /etc/stunnel/stunnel.conf:
[pkcs11]
# listen on localhost:2344 and forward it securely to server1:2345
# client = yes is required on this side; stunnel defaults to server mode
client  = yes
accept  = localhost:2344
connect = server1:2345

Most important part from /etc/opendnssec/conf.xml:
<Repository name="MyHSM">
        <Module>/opt/commonit/usr/lib/libpkcs11-proxy.so</Module>
        <TokenLabel>MyHSM</TokenLabel>
</Repository>

server2$ sudo /etc/init.d/stunnel start
server2$ PKCS11_PROXY_SOCKET="tcp://127.0.0.1:2344" ods-hsmspeed -r MyHSM -i 1000 -t 8
Opening HSM Library...
Generating temporary key...
Temporary key created: d3d66a8c68e1cdbe1263487a54f1a2e6
Signing 1000 RRsets with RSA/SHA1 using 8 threads...
Signer thread #0 started...
Signer thread #1 started...
Signer thread #4 started...
Signer thread #2 started...
Signer thread #3 started...
Signer thread #7 started...
Signer thread #6 started...
Signer thread #5 started...
Signer thread #5 done.
Signer thread #7 done.
Signer thread #1 done.
Signer thread #0 done.
Signer thread #4 done.
Signer thread #3 done.
Signer thread #2 done.
Signer thread #6 done.
Signing done.
8 threads, 1000 signatures per thread, 2619.31 sig/s (RSA 1024 bits)
Deleting temporary key...

Hope this helps (the example above has not been tested, it is reconstructed
from my logs & memory, both are imperfect).
-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
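An added example, written for this page and not taken from Casper's post or from the stunnel, pkcs11-proxy or OpenDNSSEC projects. It covers what the stunnel fragments above leave implicit: stunnel's `verify` option defaults to 0 and `client` to no, so a tunnel configured with only `accept` and `connect` encrypts the PKCS#11 traffic but authenticates neither end. Anyone on the path between server2 and server1 can then sit in the middle and read every PKCS#11 call, including the PIN passed to C_Login, and anyone who can reach server1:2345 can open a session with the daemon. The script writes a constructed, mutually authenticated configuration pair for the two hosts (certificate and CA paths are placeholders, and 127.0.0.1 is used in place of localhost) and audits a service section the way stunnel resolves it, with the global lines as defaults and the section's own lines overriding them.

```shell
#!/bin/sh
# Added example, not from the original post or the stunnel/pkcs11-proxy
# projects. Assumptions: stunnel's `verify` defaults to 0 and `client` to no;
# every certificate/CA path below is a placeholder for a constructed setup.

# Print the effective key = value lines for one [section]: the global lines
# (before the first section header) come first, then the section's own lines,
# which is how stunnel applies global defaults and per-service overrides.
stunnel_section() {
    awk -v want="$2" '
        BEGIN { take = 1 }
        /^[ \t]*\[/ { take = ($0 ~ ("^[ \t]*\\[" want "\\][ \t]*$")); next }
        take && !/^[ \t]*[#;]/ && /=/ { print }
    ' "$1"
}

# Value of one option in a section; the last occurrence wins.
stunnel_opt() {
    stunnel_section "$1" "$2" | awk -F= -v key="$3" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }
    '
}

# Audit one service section. role is "client" (pkcs11-proxy side) or
# "server" (pkcs11-daemon side). Returns 0 only if the peer is authenticated.
audit_stunnel_service() {
    conf=$1; sec=$2; role=$3; rc=0
    verify=$(stunnel_opt "$conf" "$sec" verify)
    # verify unset or 0: the peer certificate is not checked, so an attacker
    # between the hosts sees every PKCS#11 call, including the PIN in C_Login.
    if [ "${verify:-0}" -lt 2 ]; then
        echo "[$sec] verify=${verify:-unset}: peer certificate not verified" >&2; rc=1
    fi
    if [ -z "$(stunnel_opt "$conf" "$sec" CAfile)" ]; then
        echo "[$sec] CAfile missing: nothing to verify the peer against" >&2; rc=1
    fi
    if [ -z "$(stunnel_opt "$conf" "$sec" cert)" ]; then
        echo "[$sec] cert missing: this side cannot prove who it is" >&2; rc=1
    fi
    if [ "$role" = client ] && [ "$(stunnel_opt "$conf" "$sec" client)" != yes ]; then
        echo "[$sec] client = yes missing: stunnel would listen in server mode" >&2; rc=1
    fi
    return $rc
}

# Constructed config pair for the two hosts: mutual TLS under a private CA
# that signs nothing but these two certificates. Paths are placeholders.
write_hardened_confs() {
    cat > "$1/server1.conf" <<'EOF'
; server1: pkcs11-daemon host. Present our cert, require one signed by our CA.
cert   = /etc/stunnel/server1.pem
key    = /etc/stunnel/server1.key
CAfile = /etc/stunnel/pkcs11-ca.pem
verify = 2

[pkcs11]
accept  = 2345
connect = 127.0.0.1:2344
EOF
    cat > "$1/server2.conf" <<'EOF'
; server2: pkcs11-proxy/OpenDNSSEC host. Client mode, same CA, own cert.
client = yes
cert   = /etc/stunnel/server2.pem
key    = /etc/stunnel/server2.key
CAfile = /etc/stunnel/pkcs11-ca.pem
verify = 2

[pkcs11]
accept  = 127.0.0.1:2344
connect = server1:2345
EOF
}

# The bare server2 fragment as a reference point: encrypts, authenticates nobody.
write_weak_conf() {
    cat > "$1/weak.conf" <<'EOF'
[pkcs11]
accept  = localhost:2344
connect = server1:2345
EOF
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    write_hardened_confs "$d"; write_weak_conf "$d"
    audit_stunnel_service "$d/weak.conf" pkcs11 client || echo "weak.conf: FAIL (expected)"
    audit_stunnel_service "$d/server2.conf" pkcs11 client && echo "server2.conf: OK"
    rm -rf "$d"
fi
```

Run it as `sh audit-stunnel.sh demo` to see both verdicts, or source it and call `audit_stunnel_service /etc/stunnel/stunnel.conf pkcs11 client` on server2 and `... pkcs11 server` on server1. `verify = 2` accepts any certificate the CA in `CAfile` has signed, so the CA must be private to this deployment; if it cannot be, stunnel's level 3 checks the peer's certificate itself against the local store and is the stricter choice. The audit reads only stunnel's own file and says nothing about the PIN, which still travels through the tunnel to server1 and is only as safe as that host.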