[Opendnssec-user] Re: Distributed backend for SoftHSMv2

Petr Spacek pspacek at redhat.com
Thu Mar 6 15:15:18 UTC 2014


On 6.3.2014 15:04, Francis Dupont wrote:
> Jerry Lundström writes:
>>
>> I'm separating the SoftHSMv2 into a new thread.
>
> => the SoftHSMv2 backend is abstract and simple, in particular
> only a few datatypes are used. It needs a documentation update
> to cover recent changes but IMHO it is easy to plug another storage
> backend to SoftHSMv2 (easier than to plug another crypto backend).
>
>>> Imagine that the data store is in fact a remote database. You want to
>> be able to use the keys stored in the token even if the connection to
>> the backend database is down.
>
> => if your database API supports it why not?
>
>> That should be handled by the backend code then, if it needs to cache
>> locally etc.
>
> => even if you cache locally you need to know if the state change
> (for example to handle new keys). So it can't be solved on the
> SoftHSMv2 side (but can be on the storage side).
>
>>> Anyway, we are going to investigate if SoftHSMv2 can work on top of
>> our existing database code or not. I'm not saying 'no', I'm just saying
>> that it is not that easy as it may seem.
>
> => the so called database SoftHSMv2 backend uses a dedicated API,
> but from my experience with similar projects, it should not be hard
> to code a backend for another database API.
>
>> I understand that, you're basically trying to make a network distributed
>> HSM and we have seen big companies take their time to make it really
>> work.
>
> => if it can be reduced to a distributed existing database I can't see
> why it couldn't be done. BTW there are some physical HSMs using
> remote (i.e., not on the physical device) distributed (i.e., not in
> a single place) storage of its PKCS#11 objects.

Definitely. We want to contribute the code to SoftHSMv2 instead of reinventing 
the wheel, I'm sorry if it wasn't clear.

We are going to look into the backend API and environmental requirements so you 
can expect a bunch of questions :-)


What we are trying to achieve:

We want to integrate SoftHSMv2 in a way which separates key material from the 
process using the PKCS#11 interface (naturally this applies only if euid != root).

The first idea is:
- Write a thin library with a PKCS#11 interface which serializes a request from 
the application and sends it via a socket to a daemon (running under another user - 
separation happens here)
- The daemon will unpack the request and call SoftHSMv2 library (with 
necessary configuration etc.)
- <network_backend and crypto magic happens now inside SoftHSMv2>
- The response will be serialized and sent back from the daemon to the caller

And of course, this whole machinery has to serve multiple applications from 
multiple users simultaneously.

-- 
Petr^2 Spacek
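The four-step design above (thin client library, serialized request over a socket, daemon that owns the keys and calls the crypto library, serialized reply), as an added illustration that is not code from this thread, from SoftHSMv2 or from the Red Hat project. It is a toy: the key store is a plain dict, an HMAC-SHA256 stands in for the PKCS#11 signing call, the length-prefixed JSON wire format and all key names are assumptions, and the daemon runs as a thread in the same process so the example can run on its own. The point it shows is the separation boundary: the client only ever receives operation results, and any request that would hand key bytes back over the socket is refused.

```python
"""Added example: privilege-separated 'HSM daemon' behind a UNIX-domain socket.
Constructed for illustration; not SoftHSMv2 code."""
import hashlib, hmac, json, os, socket, struct, tempfile, threading, time

# Constructed key store.  In the real design this lives behind SoftHSMv2's
# storage backend inside the daemon's user; the client process never sees it.
KEYSTORE = {"zsk-2014": b"\x01" * 32, "ksk-2014": b"\x02" * 32}

def _send(sock, obj):
    payload = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(payload)) + payload)  # 4-byte length prefix

def _recvall(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None  # peer closed
        buf += chunk
    return buf

def _recv(sock):
    hdr = _recvall(sock, 4)
    if hdr is None:
        return None
    (n,) = struct.unpack("!I", hdr)
    body = _recvall(sock, n)
    return None if body is None else json.loads(body.decode())

def handle_request(req):
    """Unpack one request and perform it.  This is the step where the daemon
    would call into the SoftHSMv2 library; only results leave this function."""
    op = req.get("op")
    if op == "list_keys":
        return {"ok": True, "keys": sorted(KEYSTORE)}
    if op == "sign":
        key = KEYSTORE.get(req.get("key"))
        if key is None:
            return {"ok": False, "error": "no such key"}
        data = bytes.fromhex(req.get("data", ""))
        return {"ok": True, "sig": hmac.new(key, data, hashlib.sha256).hexdigest()}
    # Anything that would return secret key bytes (export, reading the key
    # value) is refused: keeping keys on this side of the socket is the goal.
    return {"ok": False, "error": "unsupported op"}

def _session(conn):
    with conn:
        while True:
            req = _recv(conn)
            if req is None:
                break
            _send(conn, handle_request(req))

def serve(path, stop):
    """Accept loop: one thread per connection so several applications from
    several users can be served simultaneously."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(8)
    srv.settimeout(0.2)  # wake up periodically to notice the stop flag
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        threading.Thread(target=_session, args=(conn,), daemon=True).start()
    srv.close()

class Client:
    """Stand-in for the thin PKCS#11 library: serializes a call, ships it to
    the daemon, and returns the unpacked reply."""
    def __init__(self, path):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(path)
    def call(self, **req):
        _send(self.sock, req)
        return _recv(self.sock)
    def close(self):
        self.sock.close()

def demo():
    """Start the daemon, run three client calls, return (keys, sig, export_ok)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "hsm.sock")
    stop = threading.Event()
    t = threading.Thread(target=serve, args=(path, stop), daemon=True)
    t.start()
    while not os.path.exists(path):
        time.sleep(0.01)  # wait for bind()
    c = Client(path)
    keys = c.call(op="list_keys")["keys"]
    sig = c.call(op="sign", key="zsk-2014", data=b"example.".hex())["sig"]
    denied = c.call(op="export", key="zsk-2014")
    c.close(); stop.set(); t.join()
    os.unlink(path); os.rmdir(d)
    return keys, sig, denied["ok"]

if __name__ == "__main__":
    print(demo())
```

On Linux the daemon can additionally read `SO_PEERCRED` on each accepted connection to learn the caller's uid and apply per-user policy, which is what makes the "running under another user" split meaningful; a real implementation would also put the key store behind SoftHSMv2's storage backend rather than a dict.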