New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pkcs11-tool: allow using SW tokens #2113
Conversation
I can think of a reason. pkcs11 is for accessing hardware devices that provide the real security. The hardware provides additional physical security. pkcs11 Base v2.40 Introduction: If you wanted to submit a PR with a parameter to ignored the CKF_HW flag that would be more acceptable. |
I agree that hardware provides additional security. But should pkcs11-tool care? (In particular, should I see these options:
Let me know what's best and I'll change it accordingly! |
I would vote for "Remove CKF_HW when a flag is specified" I would like to hear from others and what is the name of the option. |
I am OK with either one of these:
I do not see value in |
I vote for:
|
prefering a HW slot is what the tool should do. you may implement the commandline switch for SW tokens as suggested above. |
I am fine with either. The pkcs11-tool is just a tool to do some operations on pkcs11 library, whatever it provides. Indeed it would be good if it would prefer hw variants of the operations (not sure if it is possible/common to have the same mechanism in HW and not in HW in the same pkcs11 library). In any case, I consider pkcs11-tool as a testing tool rather than something that should be used for any production critical operations. We already have quite a lot configuration switches (which is good for testing various libraries, cards), but sometimes pain for testing pkcs11-tool itself and using. |
30c849a
to
2c0f605
Compare
I've updated the PR with |
Note that each mechanism can be reported with either CKF_HW or not, you can't have both, so it's not possible to pick up a software implementation instead of a hardware implementation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contribution and clarification. Looks good to me.
I wanted to test SoftHSM with
pkcs11-tool --test
and had to removeCKF_HW
from the mechanism filter, which is what this PR does.I can't think of a reason for only allowing HW mechanisms, but let me know if I'm missing something.