[Opendnssec-user] Information about SoftHSM v2 - signing operation

Elizabeta elizabeta.fourneret at gmail.com
Tue Apr 14 13:21:09 UTC 2015

Hi Roland,

I have a set of CPPUNIT tests for PKCS#11 that I'm using to discover SoftHSM, based on the SoftHSM v2 test configuration. 
For key generation, I'm using the generateKey function (see SignVerifyTests.cpp in the SoftHSM v2 test folder).

However, the outcome of my tests, even if the CKA_PRIVATE attribute is CK_TRUE, is that I'm managing to sign without authentication.


Le 14 avr. 2015 à 13:54, Roland van Rijswijk - Deij <Roland.vanRijswijk at surfnet.nl> a écrit :

> Hi Elizabeta,
> Elizabeta wrote:
>> I'm new to opendnsec. I've tried to use SoftHSM v2 and I was able to sign a message without logging in.
>> Is that fine for SoftHSM ? since in the PKCS#11 specification it is written that some tokens may not require any type of authentication to make the usage of its cryptographic functions.
> To answer your question we'll need a little bit more context. When you
> say sign, do you mean that you have (created) a program that used
> SoftHSM v2 as a PKCS #11 library? And if so, how did you create the keys
> that you were using to sign? If the private key was created with the
> CKA_PRIVATE attribute set to CK_FALSE, then you can create signatures
> without logging in on the token.
> Cheers,
> Roland
> -- 
> -- Roland M. van Rijswijk - Deij
> -- SURFnet bv
> -- w: http://www.surf.nl/en/about-surf/subsidiaries/surfnet
> -- e: roland.vanrijswijk at surfnet.nl

More information about the Opendnssec-user mailing list