[Opendnssec-user] SoftHSM devel list?

Petr Spacek pspacek at redhat.com
Tue Jun 24 10:49:46 UTC 2014


I'm looking for the right place to discuss SoftHSM development, SoftHSM 
feature/patch submission guidelines etc.

Should I use opendnssec-user for this purpose?

Is pull request on Github the preferred way to submit patches?

Is it okay to send output from Coverity static analyzer here or to 
issues.opendnssec.org? Sometimes it points to security problems in the code 
and I would like to know what is your policy about this.

I have ran the scan on source from current HEAD of develop branch (fd5bdfd).

Also, I would like to add support for CKM_RSA_PKCS and CKM_RSA_PKCS_OAEP key 
wrapping mechanisms and I'm looking for guidance on this.

The current implementation of SoftHSM::C_WrapKey() assumes that symmetric-key 
is used as wrapping key, which will not be true anymore when CKM_RSA_PKCS is 

To me it seems that the code would be easier to read, extend, and maintain if 
C_WrapKey is split to few smaller functions. Would it be okay to somehow split 
current big C_WrapKey? Do you see any security implications of doing so?

For example, first auxiliary function SoftHSM::WrapPreCheck() function could 
do all the algorithm-independent checks like haveRead(), CKA_EXTRACTABLE, 

Then we could have AsymWrap and SymWrap functions (similarly to C_EncryptInit 
-> AsymEncryptInit, SymEncryptInit chain).

I can prepare patch if you are okay with the proposed approach.

My next question is what is the right approach to add wrapKey support for RSA.

Class OSSLRSA doesn't have wrapKey/unwrapKey functions but if I understand it 
correctly, in CKM_RSA_PKCS and CKM_RSA_PKCS_OAEP cases there are no 
differences between encrypt() and wrapKey().

Should I simply call AsymmetricAlgorithm->encrypt() for CKM_RSA_PKCS and 
CKM_RSA_PKCS_OAEP implementation?

I'm not cryptographer so any advice on this is more than welcome :-)

Thank you very much.

Petr Spacek  @  Red Hat

More information about the Opendnssec-user mailing list