The requirements for the SoftHSM are based on the HSM requirements.

1. General

• Must be a library that can be linked with other software.
• Must implement the PKCS#11 interface v2.20, specified by RSA Labratories.
• Must be licensed under a BSD license.
• Must use a cryptographic library that is licensed under BSD.
• The user must be able to specify the number of tokens to use and its corresponding slots.
• Should keep a log of important events.

2. Algorithms

• Must handle RSA, SHA1, and SHA256.
• Should handle RIPEMD160, SHA384, and SHA512.

3. Key management

• Must be able to protect the keys by using a PIN via the PKCS#11 interface.
• Must be possible to do backup of the keys.
• Must be able to manage 1000 1024-bit RSA key pairs.

4. Key generation

• Must be able to generate RSA keys of length 1024 and 2048 bits.
• Should be able to generate RSA keys of length greater than 512 bits, but limited to maximum 4096.
• The user must be able to specify the exponent when generating the RSA keys.

5. Sessions

• Must handle at least 2048 concurrent sessions.

6. Functions

• Must be able to create a hash with a given algorithm.
• Must be able to sign with a given algorithm.
• Should be able to verify with a given algorithm.

7. Support program: softhsm

• Must be able to initialize a token with SO PIN, user PIN, and label.
• Must be able to show which tokens that are available.
• Must be able to import/export RSA keys in PKCS#8 format.
• Must handle both encrypted and unencrypted PKCS#8 files.

8. Support program: softhsm-keyconv

• Must be able to convert from BIND .private format to PKCS#8.
• Must be able to convert from PKCS#8 format to BIND .private and .key format.
• Must handle both encrypted and unencrypted PKCS#8 files.
• Must support the algorithms: RSAMD5, DSA, RSASHA1, DSA-NSEC3-SHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512