[Opendnssec-user] Re: Distributed backend for SoftHSMv2
Francis Dupont
fdupont at isc.org
Thu Mar 6 15:44:55 UTC 2014
Petr Spacek writes:
> Definitely. We want to contribute the code to SoftHSMv2 instead
> of reinventing the wheel, I'm sorry if it wasn't clear.
=> as you can see from my E-mail address I am not at all a member of
the SoftHSMv2 team but I contributed a lot the code so this could
be more than possible.
> What we are trying to achieve:
>
> We want to integrate SoftHSMv2 in a way which separates key material
> from the process using PKCS#11 interface (naturally this applies
> only if euid != root) .
>
> The first idea is:
>
> - Write a thin library with PKCS#11 interface which serializes a
> request from application and sends it via socket a daemon (running
> under other user - separation happens here)
=> IMHO it is better to cut at the crypto library entry.
BTW many PKCS#11 providers are designed this way, for instance
hash operations are performed locally but private keys and anything
which involves them are handled by the (remote) hardware.
Another point: the pk11 open source code has a PKCS#11 spy,
i.e., something which offers a PKCS#11 server on one side
and a PKCS#11 client on the other.
> - The daemon will unpack the request and call SoftHSMv2 library
> (with necessary configuration etc.)
> - <network_backend and crypto magic happens now inside SoftHSMv2>
> - The response will be serialized and sent back from the daemon to
> the caller
=> so you add a RPC layer to PKCS#11. The way PKCS#11 handles variable
sized returned values will be a (trackable) problem.
> And of course, this whole machinery has to serve multiple applications from
> multiple users simultaneously.
=> IMHO you'll have to run multiple SoftHSMv2 processes. BTW storage
backends are supposed to handle reasonable concurrent accesses.
Regards
Francis Dupont <fdupont at isc.org>
More information about the Opendnssec-user
mailing list