Skip to content
SoftHSM version 2
Branch: develop
Clone or download
halderen Merge pull request #456 from Jakuje/allowed_mechanisms
Fix allowed mechanisms set directly to the objects
Latest commit e32ed84 Apr 30, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
aes_wrap_key_with_pad use OpenSSL EVP interface for AES key wrapping Oct 6, 2014
m4 Update doc and fix detection of EDDSA Jan 30, 2019
modules CMake: do not install static libsofthsm2 with ENABLE_STATIC=OFF Dec 11, 2018
src Merge pull request #456 from Jakuje/allowed_mechanisms Apr 30, 2019
testing Issue #351: Upgrade Travis CI with Botan 2.5.0 Apr 2, 2018
win32 Provide a new configuration option to allow enabling and disabling va… Mar 8, 2019
.appveyor.yml Issue #323: Fix Windows build Sep 20, 2017
.gitignore Provide a new configuration option to allow enabling and disabling va… Mar 8, 2019
.travis.yml Issue #230: Install p11-kit for the travis build Sep 30, 2016
CMAKE-NOTES.md Issue #362: Add CMAKE-NOTES.md May 30, 2018
CMakeLists.txt CMake: restore support for CMake 3.5 Dec 12, 2018
FIPS-NOTES.md Rebase OpenSSL FIPS stuff (todo: static, win32 and redhat) Nov 25, 2014
LICENSE remove $Id$ May 28, 2013
Makefile.am Issue #362: Add CMAKE-NOTES.md May 30, 2018
NEWS Adjust NEWS Jan 30, 2019
OSX-NOTES.md Issue #348: Document that OSX needs pkg-config to detect cppunit. Dec 15, 2017
README.md Move text in README Jan 30, 2019
WIN32-NOTES.md Merge pull request #402 from halderen/develop Jul 5, 2018
autogen.sh autogen failure on undefined macro AC_MSG_ERROR Mar 5, 2019
config.h.in.cmake Issue #362: Build with different crypto backend Apr 30, 2018
configure.ac Provide a new configuration option to allow enabling and disabling va… Mar 8, 2019
prepdist.sh Fix prepdist script, needs locally compiled Botan for full support. Feb 10, 2014
softhsm2.module.in Issue #230: Move configuration to an M4 script and update documentation Sep 30, 2016

README.md

SoftHSM version 2

SoftHSM is part of the OpenDNSSEC project. Read more at www.opendnssec.org.

Travis Build Status AppVeyor Build Status

Introduction

OpenDNSSEC handles and stores its cryptographic keys via the PKCS#11 interface. This interface specifies how to communicate with cryptographic devices such as HSM:s (Hardware Security Modules) and smart cards. The purpose of these devices is, among others, to generate cryptographic keys and sign information without revealing private-key material to the outside world. They are often designed to perform well on these specific tasks compared to ordinary processes in a normal computer.

A potential problem with the use of the PKCS#11 interface is that it might limit the wide spread use of OpenDNSSEC, since a potential user might not be willing to invest in a new hardware device. To counter this effect, OpenDNSSEC is providing a software implementation of a generic cryptographic device with a PKCS#11 interface, the SoftHSM. SoftHSM is designed to meet the requirements of OpenDNSSEC, but can also work together with other cryptographic products because of the PKCS#11 interface.

Developers

Dependencies

SoftHSM depends on a cryptographic library, Botan or OpenSSL. Minimum required versions:

  • Botan 1.10.0
  • OpenSSL 1.0.0

If you are using Botan, make sure that it has support for GNU MP (--with-gnump). This will improve the performance when doing public key operations.

The GNU Autotools (Autoconf, Automake, Libtool) are also required for building the software. It is also recommended to install pkg-config so that the configure script can find the installed software.

There is a migration tool for converting token databases from SoftHSMv1 into the new type of tokens. If this tool is built (--with-migrate), then SQLite3 is required (>= 3.4.2).

SQLite3 is also required if building with the database object store (--with-objectstore-backend-db).

To install SoftHSM as a PKCS#11 module on the system, please install libp11-kit-dev.

The unit tests requires CppUnit.

Installation

Building from the repository

If the code is downloaded directly from the code repository, you have to prepare the configuration scripts before continuing.

  1. You need to install automake, autoconf, libtool, libtool-ltdl-devel (RHEL/CentOS), pkg-config.
  2. Run the command 'sh autogen.sh'

Configure

Configure the installation/compilation scripts:

./configure

Options:

--disable-non-paged-memory
			Disable non-paged memory for secure storage
			(default enabled)
--enable-ecc		Enable support for ECC (default detect)
--enable-gost		Enable support for GOST (default detect)
--enable-eddsa		Enable support for EDDSA (default detect)
--disable-visibility	Disable hidden visibilty link mode [enabled]
--with-crypto-backend	Select crypto backend (openssl|botan)
--with-openssl=PATH	Specify prefix of path of OpenSSL
--with-botan=PATH	Specify prefix of path of Botan
--with-migrate		Build the migration tool. Used when migrating
			a SoftHSM v1 token database. Requires SQLite3
--with-objectstore-backend-db
			Build with database object store (SQLite3)
--with-sqlite3=PATH	Specify prefix of path of SQLite3
--disable-p11-kit	Disable p11-kit integration (default enabled)
--with-p11-kit=PATH	Specify install path of the p11-kit module, will
			override path given by pkg-config

For more options:

./configure --help

Compile

Compile the source code using the following command:

make

Unit tests

Running the unit tests requires CppUnit.

make check

Install Library

Install the library using the follow command:

sudo make install

Configure

The default location of the config file is /etc/softhsm2.conf. This location can be change by setting the environment variable.

export SOFTHSM2_CONF=/home/user/config.file

Details on the configuration can be found in "man softhsm2.conf".

Create the token directory you defined in your config file:

  mkdir <token_dir>

Initialize Tokens

Use either softhsm2-util or the PKCS#11 interface. The SO PIN can e.g. be used to re-initialize the token and the user PIN is handed out to the application so it can interact with the token.

  softhsm2-util --init-token --slot 0 --label "My token 1"

Type in SO PIN and user PIN. Once a token has been initialized, more slots will be added automatically with a new uninitialized token.

Initialized tokens will be reassigned to another slot (based on the token serial number). It is recommended to find and interact with the token by searching for the token label or serial number in the slot list / token info.

Link

Link to this library and use the PKCS#11 interface.

Backup

All of the tokens and their objects are stored in the location given by softhsm2.conf. Backup can thus be done as a regular file copy.

Log information

Log information is sent to syslog or the Windows event log and the log level is set in the configuration file. Each log event is prepended with the source file name and line number.

You can’t perform that action at this time.