HSM/OpenCryptoki

OpenDNSSEC > HSM > OpenCryptoki

*  http://sourceforge.net/projects/opencryptoki

Notes on using the soft token

Full instructions are in the documentation provided in the tarball.

PKCS#11-based applications can use the key store by loading (or linking against) the PKCS11_API.so module. For example, the OpenSC pkcs11-tool can be used to access the key store like this:

pkcs11-tool --module=/opt/cryptoki/lib/pkcs11/PKCS11_API.so  -p jadjad -L
Available slots:
Slot 0           Linux 2.6.18-53.1.21.el5 Linux (Soft)
  token label:   jadtest
  token manuf:   IBM Corp.
  token model:   IBM SoftTok
  token flags:   rng, login required, PIN initialized, token initialized, other flags=0x800040
  serial num  :  123

pkcs11-tool --module=/opt/cryptoki/lib/pkcs11/PKCS11_API.so  -p jadjad -O
Private Key Object; RSA
  label:      jad1024
  Usage:      decrypt, sign, unwrap
Private Key Object; RSA
  label:      jadkey1024
  Usage:      decrypt, sign, unwrap

pkcs11-tool --module=/opt/cryptoki/lib/pkcs11/PKCS11_API.so  -p jadjad -M
Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keypairgen
  DES-KEY-GEN, other flags=0x8000
  DES3-KEY-GEN, other flags=0x8000
  RSA-PKCS, sign, verify, wrap, unwrap, encrypt, decrypt, other flags=0x25000
  RSA-X-509, sign, verify, wrap, unwrap, encrypt, decrypt, other flags=0x25000
  MD5-RSA-PKCS, sign, verify
  SHA1-RSA-PKCS, sign, verify
  DH-PKCS-DERIVE, other flags=0x80000
  DH-PKCS-KEY-PAIR-GEN, keypairgen
  DES-ECB, wrap, unwrap, encrypt, decrypt, other flags=0x20000
  DES-CBC, wrap, unwrap, encrypt, decrypt, other flags=0x20000
  DES-CBC-PAD, wrap, unwrap, encrypt, decrypt, other flags=0x20000
  DES3-ECB, wrap, unwrap, encrypt, decrypt, other flags=0x20000
  DES3-CBC, wrap, unwrap, encrypt, decrypt, other flags=0x20000
  DES3-CBC-PAD, wrap, unwrap, encrypt, decrypt, other flags=0x20000
  SHA-1, digest
  SHA-1-HMAC, sign, verify
  SHA-1-HMAC-GENERAL, sign, verify
  SHA256, digest
  mechtype-593, sign, verify
  mechtype-594, sign, verify
  MD5, digest
  MD5-HMAC, sign, verify
  MD5-HMAC-GENERAL, sign, verify
  SSL3-PRE-MASTER-KEY-GEN, other flags=0x8000
  SSL3-MASTER-KEY-DERIVE, other flags=0x80000
  SSL3-KEY-AND-MAC-DERIVE, other flags=0x80000
  SSL3-MD5-MAC, sign, verify
  SSL3-SHA1-MAC, sign, verify
  AES-KEY-GEN
  AES-ECB, wrap, unwrap, encrypt, decrypt, other flags=0x20000
  AES-CBC, wrap, unwrap, encrypt, decrypt, other flags=0x20000
  AES-MAC, sign, verify
  AES-MAC-GENERAL, sign, verify
  AES-CBC-PAD, wrap, unwrap, encrypt, decrypt, other flags=0x20000
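The mechanism listing above is what an operator needs to read before trusting a token with zone signing, and the unnamed entries need decoding: older pkcs11-tool builds print "mechtype-N" for mechanisms they cannot name, and 593 (0x251) and 594 (0x252) are CKM_SHA256_HMAC and CKM_SHA256_HMAC_GENERAL in the PKCS#11 v2.20 header. The Python below is an added example, not part of this page or of OpenCryptoki: it parses `pkcs11-tool -M` output, resolves those numbers, sorts mechanisms into broken/legacy/ok (a policy chosen for this example, not one the page prescribes), and reports whether RSASHA256 signatures can be made natively or only by hashing in software and passing a DigestInfo to plain RSA-PKCS. The sample input is an excerpt of the listing above; `SAMPLE_OUTPUT`, `parse_mechanisms`, `classify`, `inventory` and `rsasha256_signing` are this example's own names. One caveat on the sessions above: all three commands pass the user PIN with -p on the command line, where it is visible in process listings and shell history; pkcs11-tool's -l/--login option prompts for the PIN when none is supplied.

```python
"""Inventory the mechanisms a PKCS#11 token advertises (pkcs11-tool -M output).

Added example: parses the text printed by `pkcs11-tool -M`, resolves unnamed
"mechtype-N" entries, classifies each mechanism and reports how RSASHA256
(DNSSEC algorithm 8) signatures could be produced on the token.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# CKM_* values from the PKCS#11 v2.20 header.  Older pkcs11-tool builds print
# "mechtype-<decimal>" for mechanisms they cannot name; 593 (0x251) and 594
# (0x252) in the listing above are CKM_SHA256_HMAC and CKM_SHA256_HMAC_GENERAL.
MECHTYPE_NAMES = {
    0x040: "SHA256-RSA-PKCS",        # CKM_SHA256_RSA_PKCS
    0x043: "SHA256-RSA-PKCS-PSS",    # CKM_SHA256_RSA_PKCS_PSS
    0x250: "SHA256",                 # CKM_SHA256
    0x251: "SHA256-HMAC",            # CKM_SHA256_HMAC
    0x252: "SHA256-HMAC-GENERAL",    # CKM_SHA256_HMAC_GENERAL
}

# Constructed sample: an excerpt of the soft-token listing shown above.
SAMPLE_OUTPUT = """\
Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keypairgen
  DES-KEY-GEN, other flags=0x8000
  RSA-PKCS, sign, verify, wrap, unwrap, encrypt, decrypt, other flags=0x25000
  RSA-X-509, sign, verify, wrap, unwrap, encrypt, decrypt, other flags=0x25000
  MD5-RSA-PKCS, sign, verify
  SHA1-RSA-PKCS, sign, verify
  DES-ECB, wrap, unwrap, encrypt, decrypt, other flags=0x20000
  DES3-CBC-PAD, wrap, unwrap, encrypt, decrypt, other flags=0x20000
  SHA256, digest
  mechtype-593, sign, verify
  mechtype-594, sign, verify
  SSL3-MD5-MAC, sign, verify
  AES-KEY-GEN
  AES-CBC-PAD, wrap, unwrap, encrypt, decrypt, other flags=0x20000
"""


class Mechanism(NamedTuple):
    name: str
    ops: frozenset            # operations pkcs11-tool labelled: sign, wrap, ...
    other_flags: int          # raw value of "other flags=0x..." (0 if absent)


def parse_mechanisms(text: str) -> List[Mechanism]:
    """Turn `pkcs11-tool -M` output into Mechanism records, in listing order."""
    mechs = []
    for line in text.splitlines():
        if not line.startswith(" "):
            continue                      # header line or blank, not a mechanism
        fields = [f.strip() for f in line.split(",")]
        name, ops, other = fields[0], set(), 0
        for field in fields[1:]:
            if field.startswith("other flags="):
                other = int(field.split("=", 1)[1], 16)
            elif field:
                ops.add(field)
        unnamed = re.fullmatch(r"mechtype-(\d+)", name)
        if unnamed:
            name = MECHTYPE_NAMES.get(int(unnamed.group(1)), name)
        mechs.append(Mechanism(name, frozenset(ops), other))
    return mechs


def classify(mech: Mechanism) -> str:
    """'broken' for single DES, MD5 and the SSLv3 KDF/MAC mechanisms;
    'legacy' for 3DES, ECB mode, raw RSA (X-509) and SHA-1 RSA signatures;
    'ok' otherwise.  This is the example's own policy, not the page's."""
    n = mech.name
    if n.startswith("DES-") or "MD5" in n or n.startswith("SSL3-"):
        return "broken"
    if n.startswith("DES3-") or n.endswith("-ECB") or n in ("RSA-X-509", "SHA1-RSA-PKCS"):
        return "legacy"
    return "ok"


def inventory(mechs: List[Mechanism]) -> Dict[str, List[str]]:
    """Group mechanism names by classification, preserving listing order."""
    groups: Dict[str, List[str]] = {"broken": [], "legacy": [], "ok": []}
    for m in mechs:
        groups[classify(m)].append(m.name)
    return groups


def rsasha256_signing(mechs: List[Mechanism]) -> Optional[str]:
    """How RSASHA256 signatures could be made: 'native' if the token hashes and
    signs in one mechanism, 'raw' if the caller must hash in software and hand
    a PKCS#1 DigestInfo to RSA-PKCS, None if neither path is available."""
    can_sign = {m.name for m in mechs if "sign" in m.ops}
    if "SHA256-RSA-PKCS" in can_sign:
        return "native"
    if "RSA-PKCS" in can_sign:
        return "raw"
    return None


if __name__ == "__main__":
    found = parse_mechanisms(SAMPLE_OUTPUT)
    for category, names in inventory(found).items():
        print(f"{category:7s}: {', '.join(names)}")
    print("RSASHA256 signing:", rsasha256_signing(found))
```

Run against the full listing above the result is the same as for the excerpt: no SHA256-RSA-PKCS mechanism is advertised, so RSASHA256 on this soft token means hashing in software and using RSA-PKCS, while the DES, MD5 and SSL3 entries are inventory to avoid rather than capability to rely on.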