pkcs11-tool: allow using SW tokens #2113
Conversation
|
I can think of a reason. pkcs11 is for accessing hardware devices that provide the real security. The hardware provides additional physical security. pkcs11 Base v2.40 Introduction: If you wanted to submit a PR with a parameter to ignored the CKF_HW flag that would be more acceptable. |
|
I agree that hardware provides additional security. But should pkcs11-tool care? (In particular, should I see these options:
Let me know what's best and I'll change it accordingly! |
|
I would vote for "Remove CKF_HW when a flag is specified" I would like to hear from others and what is the name of the option. |
|
I am OK with either one of these:
I do not see value in |
|
I vote for:
|
|
prefering a HW slot is what the tool should do. you may implement the commandline switch for SW tokens as suggested above. |
|
I am fine with either. The pkcs11-tool is just a tool to do some operations on pkcs11 library, whatever it provides. Indeed it would be good if it would prefer hw variants of the operations (not sure if it is possible/common to have the same mechanism in HW and not in HW in the same pkcs11 library). In any case, I consider pkcs11-tool as a testing tool rather than something that should be used for any production critical operations. We already have quite a lot configuration switches (which is good for testing various libraries, cards), but sometimes pain for testing pkcs11-tool itself and using. |
conradoplg
force-pushed
the
allow-testing-sw-token
branch
from
30c849a
to
2c0f605
Compare
|
I've updated the PR with |
|
Note that each mechanism can be reported with either CKF_HW or not, you can't have both, so it's not possible to pick up a software implementation instead of a hardware implementation. |
I wanted to test SoftHSM with
pkcs11-tool --testand had to removeCKF_HWfrom the mechanism filter, which is what this PR does.I can't think of a reason for only allowing HW mechanisms, but let me know if I'm missing something.