
I'm working on a task involving SoftHSM. I have built a Java application as a server, so I configure the connection in a softhsm.cfg file:

library = F:\SoftHSM2\lib\softhsm2-x64.dll
slot = 767671965
attributes(generate, *, *) = {
     CKA_TOKEN = true
}
attributes(generate, CKO_CERTIFICATE, *) = {
     CKA_PRIVATE = false
}
attributes(generate, CKO_PUBLIC_KEY, *) = {
     CKA_PRIVATE = false
}

Then I use the SunPKCS11 provider to connect from my client to the SoftHSM server:

// Register the SunPKCS11 provider built from the config file above
SunPKCS11 provider = new SunPKCS11(Constant.CONFIG_NAME);
if (Security.getProvider(Constant.PROVIDER_NAME) != null) {
    Security.removeProvider(Constant.PROVIDER_NAME);
}
Security.addProvider(provider);
log.info("Name of provider :{}", provider.getName());

// Load the key store (logs in to the token with the PIN)
char[] pin = bean.getPin().toCharArray();
KeyStore ks = KeyStore.getInstance(Constant.KEYSTORE_TYPE, provider);
ks.load(null, pin);

KeyPair keyPair = generateKeyPair();
PrivateKey privateKey = keyPair.getPrivate();

// Store the private key with its certificate chain under the client's alias
X509Certificate[] chain = generateV3Certificate(keyPair);
ks.setKeyEntry(bean.getAliasName(), privateKey, bean.getPin().toCharArray(), chain);

I put keys into the keystore and retrieve them to do cryptographic operations.

All of the above only connects one client to the server. But now I want 3 or more clients connecting to the SoftHSM server, and I want each client to possess a different PIN for doing cryptographic operations. How can I do this?

1 Answer

Yes, it is possible.

Just create two configs, and use different names; otherwise it will always use the same first one.

pkcs11.slot1.conf
    name = Slot1
    library = /usr/local/lib/softhsm/libsofthsm2.so
    slot=225432144


pkcs11.slot2.conf
    name = Slot2
    library = /usr/local/lib/softhsm/libsofthsm2.so
    slot=1288498471

In Java you could do something like this to load the different slot configs:

// providerId selects which slot config this client uses (e.g. "1" or "2");
// each config must carry a distinct 'name', or both clients end up on the same provider
Provider providerPKCS11 = Security.getProvider("SunPKCS11");
if (providerId != null && providerId.equals("1")) {
    providerPKCS11 = providerPKCS11.configure("pkcs11.slot1.conf");
} else {
    providerPKCS11 = providerPKCS11.configure("pkcs11.slot2.conf");
}
Security.addProvider(providerPKCS11);

KeyStore ks = KeyStore.getInstance("PKCS11", providerPKCS11);
...
Manuel Pardo
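The pattern the answer describes, carried through for three clients, as an added example that is not code from the question or the answer above. It assumes Java 9 or later (`Provider.configure` does not exist on the Java 8 `new SunPKCS11(String)` constructor the question uses), writes one SunPKCS11 config per slot to a temporary file, and opens each slot's token as its own `KeyStore` with that client's own PIN. The library path, the slot ids (the two from the answer plus one more) and the PINs are placeholders; the real ones come from `softhsm2-util --show-slots` and from however each token was initialised.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;

public class MultiSlotPkcs11 {

    /** One client's token: distinct provider name, slot id and user PIN (placeholders). */
    static final class ClientToken {
        final String name;
        final long slotId;
        final char[] pin;

        ClientToken(String name, long slotId, String pin) {
            this.name = name;
            this.slotId = slotId;
            this.pin = pin.toCharArray();
        }
    }

    /**
     * Writes a SunPKCS11 config for one slot. 'name' must differ per slot: the provider is
     * registered as "SunPKCS11-<name>", and Security.addProvider silently ignores a second
     * provider with an already registered name, which is the "always uses the first one" trap.
     */
    static Path writeConfig(ClientToken t, String library) throws IOException {
        String cfg = String.join("\n",
                "name = " + t.name,
                "library = " + library,
                "slot = " + t.slotId,
                "");
        Path p = Files.createTempFile("pkcs11-" + t.name + "-", ".conf");
        Files.write(p, cfg.getBytes(StandardCharsets.UTF_8));
        return p;
    }

    /** Opens the token in the configured slot as a KeyStore, logging in with that slot's PIN. */
    static KeyStore openToken(Path config, char[] pin) throws Exception {
        Provider base = Security.getProvider("SunPKCS11");
        Provider slotProvider = base.configure(config.toString());   // Java 9+
        if (Security.getProvider(slotProvider.getName()) == null) {
            Security.addProvider(slotProvider);
        }
        KeyStore ks = KeyStore.getInstance("PKCS11", slotProvider);
        ks.load(null, pin);   // C_Login on this slot only; other slots are untouched
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String library = "/usr/local/lib/softhsm/libsofthsm2.so";   // placeholder path
        ClientToken[] clients = {
                new ClientToken("Slot1", 225432144L, "1234"),     // placeholder PINs
                new ClientToken("Slot2", 1288498471L, "5678"),
                new ClientToken("Slot3", 1L, "0000"),             // placeholder slot id
        };
        for (ClientToken t : clients) {
            Path cfg = writeConfig(t, library);
            try {
                KeyStore ks = openToken(cfg, t.pin);
                System.out.printf("%s: logged in, %d entries, provider %s%n",
                        t.name, ks.size(), ks.getProvider().getName());
            } catch (IOException e) {
                // A wrong PIN surfaces here (IOException wrapping a LoginException) and
                // affects only this client's slot; the other clients' tokens stay usable.
                System.out.printf("%s: login failed: %s%n", t.name, e.getMessage());
            } finally {
                Arrays.fill(t.pin, '\0');   // don't keep the PIN in memory longer than needed
            }
        }
    }
}
```

Each `KeyStore` here is bound to exactly one provider and therefore one slot, so a client that knows only its own PIN can never open another client's token through this code path. SoftHSM reassigns slot ids when a token is re-initialised; SunPKCS11 also accepts `slotListIndex` in place of `slot`, which is the more stable choice when the set of tokens is fixed.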