Comments (10)
In PKCS#11 there is no concept of deleting a token, so we need a tool specific to SoftHSM.
All tokens are located in the directory given in the configuration file. The slot numbers are assigned according to the order in which the token directories are loaded from disc. The name of the token directory is a 16-byte random UUID.
When initializing a new token, its slot number will always be N+1, where N is the number of existing tokens. But once the new token has been initialized and you reload the library, there is a high probability that it will be assigned a new slot number (because of the random directory name).
To avoid any confusion, e.g. people scripting `softhsm2-util --init-token --slot X` and `softhsm2-util --delete-token --slot X`, we should use the token label or token serial as the identifier.
We should also ask the user to verify the action (`--force` to ignore the question) and that the user logs in as the SO.
Or we could just document the manual procedure of removing the correct token. `--show-slots` will display the token serial, which is the second half of the token's directory name.
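The serial-to-directory relation described in the comment above, as an added Go example (not code from the SoftHSM project): it derives the serial from a token directory name and locates the single directory for a given serial. It takes the directory listing as a string slice (the names from os.ReadDir in practice) so it runs offline; the "second half" rule is assumed here to mean the last 16 hex digits of the UUID with hyphens removed.

```go
package main

import (
	"errors"
	"strings"
)

// tokenSerial derives the serial that `softhsm2-util --show-slots` prints from a token
// directory name. Assumption, following the comment above: the directory name is a
// random UUID and the serial is its second half, the last 16 hex digits sans hyphens.
func tokenSerial(dirName string) (string, error) {
	hex := strings.ReplaceAll(dirName, "-", "")
	if len(hex) != 32 || strings.Trim(hex, "0123456789abcdefABCDEF") != "" {
		return "", errors.New("not a 16-byte UUID directory name: " + dirName)
	}
	return hex[16:], nil
}

// dirForSerial picks the single token directory carrying serial out of a listing of the
// configured token directory (pass the names from os.ReadDir). It refuses to guess when
// no entry or more than one entry matches, which is the check a manual removal needs.
func dirForSerial(entries []string, serial string) (string, error) {
	var hits []string
	for _, e := range entries {
		s, err := tokenSerial(e)
		if err != nil {
			continue // not a token directory (lock files and the like): skip it
		}
		if strings.EqualFold(s, serial) {
			hits = append(hits, e)
		}
	}
	switch len(hits) {
	case 0:
		return "", errors.New("no token directory with serial " + serial)
	case 1:
		return hits[0], nil
	}
	return "", errors.New("serial " + serial + " matches several directories")
}
```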
I agree that slot numbers would be a bad reference for the actual tokens. Being able to delete with the token label or serial would be sufficient. It may also be good to remove the requirement to specify a slot number for initialization (i.e., softhsm2-util --init-token --slot 0), and simply initialize the next free token.
Question: Is this somewhere stated in the documentation?
- Are slot numbers stable?
- Should they be stable?
- Labels are not forced to be unique, and I see problems incoming if it were forced
- So how do I guarantee a stable identification of my keys over the lifetime of my store?
- Will the serial number be guaranteed to be stable?
Currently we're in the process of evaluating SoftHSM2 for DNSSEC with PowerDNS, and what makes it quite difficult is the fact that the slot number (which is also used to identify the slot) can possibly change when we add new slots.
Keys, and other objects on a token, are identified by an identifier (CKA_ID) and an optional label (CKA_LABEL). Tokens are identified by their label as well as their serial number. There is no real guarantee for uniqueness among any of these identifiers. However, tokens created by SoftHSM have certain properties.
As long as we warn the user about potential conflicts, I don't see a problem deleting by any currently unique property. If there is only one token with label X and the administrator wants to delete X, we're good. If there are two tokens with label X, the administrator should be notified that more qualifiers are needed to uniquely identify the target.
To add to what Jakob has already said: none of the identifiers in PKCS #11 are guaranteed to be or supposed to be unique. This is also the reason why all calls in PKCS #11 have the following semantic:
Call #1: supply NULL array and CK_ULONG_PTR pointing to a CK_ULONG, PKCS #11 library returns the number of items
Call #2: supply suitable size array on call
This is also the case for e.g. C_GetSlotList.
Also: slots are not what you actually connect to, you connect to a token in a slot. This semantic stems from the fact that PKCS #11 can also be used for e.g. smart cards. If a machine has multiple smart card readers then these are the slots, whereas an actual smart card inserted into them is the token you actually (want to) talk to.
Summarising: Rickard, Nikos and Jakob are right, we should refer to the token by token label or serial number. Also: AFAIK the way SoftHSM v2 generates token serials means that these are virtually guaranteed to be unique.
Jakob Schlyter wrote:
> [Jakob's comment above, quoted in full]
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surf.nl/en/about-surf/subsidiaries/surfnet
Fixed in #214
The fact that there is no API exposed to delete a token and the fact that token labels need not be unique make deleting and re-initializing a slot/token very hard unless one uses softhsm-util. Are there any workarounds to delete the token, short of invoking a shell command to run softhsm-util from within our application?
In our application we are trying to use SoftHSM as our primary keystore to save PKI certs and private and public keys. Multiple applications will be using this SoftHSM keystore hosted on our infrastructure, and each app initializes its own application-specific token. So I need a way to create multiple tokens using the API. The other use case we need to support is re-init token: when running unit tests, we want to destroy the previous token and re-init it for a fresh run of the tests. We are currently using the https://github.com/miekg/pkcs11 PKCS#11 Go library to interface with SoftHSM. The problem I'm facing is that for initToken there is no option in the API to choose --free like we use in softhsm-util. The softhsm2-util --init-token --slot 0 --label xyz will only work if it's the first slot in the HSM. Once there is a slot present, slot 0 is no longer accepted as a staging slot. I want to be able to create tokens via the API. We did implement logic to find a token, which returns 0 or CKR_INVALID_SLOT_ID if the token is not present, which is good, but at that point I don't have a way to create a token in a new slot. Using --slot 0 will not work if there is already one token present, and for initToken I haven't found an option to use --free as a part of the API call.
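Added Go example, not from the softhsmv2 project or from the poster, covering the two points raised in this thread: finding the uninitialized slot that `--free` would pick (the API route the question above asks for) and resolving a token by label and/or serial with the ambiguity check Jakob describes instead of using a slot number. It works on an inventory slice that is assumed to be filled from miekg/pkcs11's GetSlotList and GetTokenInfo, so it runs without a PKCS#11 library present.

```go
package main

import (
	"errors"
	"strings"
)

// CKF_TOKEN_INITIALIZED from pkcs11t.h (pkcs11.CKF_TOKEN_INITIALIZED in miekg/pkcs11).
const ckfTokenInitialized = 0x00000400
// slotToken is one slot-inventory entry. Assumption: the caller fills it from miekg/pkcs11's
// p.GetSlotList(false) and p.GetTokenInfo(slot), copying Label, SerialNumber and Flags.
type slotToken struct {
	Slot, Flags   uint
	Label, Serial string
}
var (
	errNoFreeSlot = errors.New("no uninitialized slot available")
	errNotFound   = errors.New("no token matches")
	errAmbiguous  = errors.New("several tokens match; qualify with the serial")
)

// findFreeSlot is the API counterpart of `softhsm2-util --init-token --free`: SoftHSM2
// exposes a slot whose token lacks CKF_TOKEN_INITIALIZED; pass that ID to p.InitToken.
func findFreeSlot(inv []slotToken) (uint, error) {
	for _, t := range inv {
		if t.Flags&ckfTokenInitialized == 0 {
			return t.Slot, nil
		}
	}
	return 0, errNoFreeSlot
}
// findTokenSlot resolves an initialized token by label and/or serial instead of by slot
// number, which can change on reload. Labels need not be unique, so >1 hit is refused.
func findTokenSlot(inv []slotToken, label, serial string) (uint, error) {
	var hits []uint
	for _, t := range inv {
		if t.Flags&ckfTokenInitialized != 0 && // the empty slot is never a target
			(label == "" || strings.TrimSpace(t.Label) == label) &&
			(serial == "" || strings.TrimSpace(t.Serial) == serial) {
			hits = append(hits, t.Slot)
		}
	}
	switch len(hits) {
	case 0:
		return 0, errNotFound
	case 1:
		return hits[0], nil
	}
	return 0, errAmbiguous
}
```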