add section explaining how to build with SoftHSM

2025-08-30 05:57:52 +00:00 · 2012-01-16 22:50:12 +00:00 · 2012-01-16 22:50:12 +00:00 · 122d2cf43d
commit 122d2cf43d
parent 4ff6e99c3c
1 changed files with 72 additions and 22 deletions
--- a/doc/arm/pkcs11.xml
+++ b/doc/arm/pkcs11.xml
@ -17,7 +17,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- $Id: pkcs11.xml,v 1.6 2012/01/16 19:09:01 each Exp $ -->
+<!-- $Id: pkcs11.xml,v 1.7 2012/01/16 22:50:12 each Exp $ -->

 <sect1 id="pkcs11">
  <title>PKCS #11 (Cryptoki) support</title>
@ -159,6 +159,45 @@ $ <userinput>./Configure solaris64-x86_64-cc \
      <para>After configuring, run 
      <command>make</command> and 
      <command>make test</command>.</para>
+    </sect3>
+    <sect3>
+      <!-- Example 3 -->
+      <title>Building OpenSSL for SoftHSM</title>
+      <para>SoftHSM is a software library provided by the OpenDNSSEC
+      project (http://www.opendnssec.org) which provides a PKCS#11
+      interface to a virtual HSM, implemented in the form of encrypted
+      data on the local filesystem.  It uses the Botan library for
+      encryption and SQLite3 for data storage.  Though less secure
+      than a true HSM, it can provide more secure key storage than
+      traditional key files, and can allow you to experiment with
+      PKCS#11 when an HSM is not available.</para>
+      <para>The SoftHSM cryptographic store must be installed and
+      initialized before using it with OpenSSL, and the SOFTHSM_CONF
+      environment variable must always point to the SoftHSM configuration
+      file:</para>
+      <screen>
+$ <userinput> cd softhsm-1.3.0 </userinput>
+$ <userinput> configure --prefix=/opt/pkcs11/usr </userinput>
+$ <userinput> make </userinput>
+$ <userinput> make install </userinput>
+$ <userinput> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </userinput>
+$ <userinput> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </userinput>
+$ <userinput> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </userinput>
+</screen>
+      <para>SoftHSM can perform all cryptographic operations, but
+      since it only uses your system CPU, there is no need to use it
+      for anything but signing.  Therefore, we choose the 'sign-only'
+      flavor when building OpenSSL.</para>
+      <screen>
+$ <userinput>cd openssl-0.9.8s</userinput>
+$ <userinput>./Configure linux-x86_64 -pthread \
+            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+            --pk11-flavor=sign-only \
+            --prefix=/opt/pkcs11/usr</userinput>
+</screen>
+      <para>After configuring, run "<command>make</command>"
+      and "<command>make test</command>".</para>
+    </sect3>
    <para>Once you have built OpenSSL, run
    "<command>apps/openssl engine pkcs11</command>" to confirm
    that PKCS #11 support was compiled in correctly. The output
@ -180,15 +219,14 @@ $ <userinput>./Configure solaris64-x86_64-cc \
    "<command>make install</command>" which will install the
    modified OpenSSL suite to 
    <filename>/opt/pkcs11/usr</filename>.</para>
-    </sect3>
  </sect2>
  <sect2>
    <title>Building BIND 9 with PKCS#11</title>
    <para>When building BIND 9, the location of the custom-built
    OpenSSL library must be specified via configure.</para>
    <sect3>
-      <!-- Example 3 -->
-      <title>Configuring BIND 9 for Linux</title>
+      <!-- Example 4 -->
+      <title>Configuring BIND 9 for Linux with the AEP Keyper</title>
      <para>To link with the PKCS #11 provider, threads must be
      enabled in the BIND 9 build.</para>
      <para>The PKCS #11 library for the AEP Keyper is currently
@ -203,8 +241,8 @@ $ <userinput>./configure CC="gcc -m32" --enable-threads \
 </screen>
    </sect3>
    <sect3>
-      <!-- Example 4 -->
-      <title>Configuring BIND 9 for Solaris</title>
+      <!-- Example 5 -->
+      <title>Configuring BIND 9 for Solaris with the SCA 6000</title>
      <para>To link with the PKCS #11 provider, threads must be
      enabled in the BIND 9 build.</para>
      <screen>
@ -220,10 +258,22 @@ $ <userinput>./configure CC="cc -xarch=amd64" --enable-threads \
      same as the --prefix argument to the OpenSSL
      Configure).</para>
    </sect3>
+    <sect3>
+      <!-- Example 6 -->
+      <title>Configuring BIND 9 for SoftHSM</title>
+      <screen>
+$ <userinput>cd ../bind9</userinput>
+$ <userinput>./configure --enable-threads \
+           --with-openssl=/opt/pkcs11/usr \
+           --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</userinput>
+</screen>
+    </sect3>
    <para>After configuring, run
    "<command>make</command>",
    "<command>make test</command>" and
    "<command>make install</command>".</para>
+    <para>(Note: If "make test" fails in the "pkcs11" system test, you may
+    have forgotten to set the SOFTHSM_CONF environment variable.)</para>
  </sect2>
  <sect2>
    <title>PKCS #11 Tools</title>