Hello, looking around I noticed that NetBSD and Debian had a few (somewhat different) fixes for the softhsm tool creating some sensitive files with overly broad permissions.
This has been handled upstream in SOFTHSM-101: https://issues.opendnssec.org/browse/SOFTHSM-101 It was merged to the development branch in git commit e853dc5b34d00a09e3e114cb4914b06c01c72b1c. I have exported the diff using the following URL: https://github.com/opendnssec/SoftHSMv1/commit/e853dc5b34d00a09e3e114cb4914b06c01c72b1c.diff After removing the part modifying NEWS I applied the diff using patch(1): === # patch -p1 -i e853dc5b34d00a09e3e114cb4914b06c01c72b1c.diff === I have verified that this makes the files created by softhsm --export as well has softhsm-keyconv have 0600 permissions. See below for diff against the port which also adds REVISION=0 to the Makefile. -- Patrik Lundin
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/softhsm/Makefile,v
retrieving revision 1.2
diff -u -p -u -r1.2 Makefile
--- Makefile 21 Sep 2015 09:36:33 -0000 1.2
+++ Makefile 21 Sep 2015 12:38:30 -0000
@@ -8,6 +8,8 @@ COMMENT= software PKCS\#11 cryptographic
 DISTNAME= softhsm-1.3.7
+REVISION= 0
+
 CATEGORIES= security
 HOMEPAGE= http://www.opendnssec.org/softhsm/
Index: patches/patch-src_bin_softhsm-keyconv_cpp
===================================================================
RCS file: patches/patch-src_bin_softhsm-keyconv_cpp
diff -N patches/patch-src_bin_softhsm-keyconv_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_bin_softhsm-keyconv_cpp 21 Sep 2015 12:38:30 -0000
@@ -0,0 +1,100 @@
+$OpenBSD$
+--- src/bin/softhsm-keyconv.cpp.orig Wed May 28 07:59:14 2014
++++ src/bin/softhsm-keyconv.cpp Mon Sep 21 14:25:56 2015
+@@ -48,6 +48,10 @@
+ #include <iostream>
+ #include <fstream>
+ #include <stdint.h>
++#include <fcntl.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <errno.h>
+ 
+ void usage() {
+ printf("Converting between BIND .private-key format and PKCS#8 key file format.\n");
+@@ -391,6 +395,15 @@ int to_pkcs8(char *in_path, char *out_path, char *file
+ return 1;
+ }
+ 
++ // Create and set file permissions if the file does not exist.
++ int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);
++ if (fd == -1) {
++ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++ out_path, errno);
++ return 1;
++ }
++ close(fd);
++
+ // Save the the key to the disk
+ switch(algorithm) {
+ case DNS_KEYALG_ERROR:
+@@ -735,8 +748,16 @@ int save_rsa_bind(char *name, int ttl, Botan::Private_
+ snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm, key_tag);
+ snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm, key_tag);
+ 
+- // Create the private key file
++ // Create and set file permissions if the file does not exist.
++ int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
++ if (fd == -1) {
++ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++ priv_out, errno);
++ return 1;
++ }
++ close(fd);
+ 
++ // Create the private key file
+ file_pointer = fopen(priv_out, "w");
+ if (!file_pointer) {
+ fprintf(stderr, "Error: Could not open output file %.100s for writing.\n", priv_out);
+@@ -786,8 +807,16 @@ int save_rsa_bind(char *name, int ttl, Botan::Private_
+ 
+ printf("The private key has been written to %s\n", priv_out);
+ 
+- // Create the public key file
++ // Create and set file permissions if the file does not exist.
++ fd = open(pub_out, O_CREAT, S_IRUSR | S_IWUSR);
++ if (fd == -1) {
++ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++ pub_out, errno);
++ return 1;
++ }
++ close(fd);
+ 
++ // Create the public key file
+ file_pointer = fopen(pub_out, "w");
+ if (!file_pointer) {
+ fprintf(stderr, "Error: Could not open output file %.100s for writing.\n", pub_out);
+@@ -836,6 +865,15 @@ int save_dsa_bind(char *name, int ttl, Botan::Private_
+ snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm, key_tag);
+ snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm, key_tag);
+ 
++ // Create and set file permissions if the file does not exist.
++ int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
++ if (fd == -1) {
++ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++ priv_out, errno);
++ return 1;
++ }
++ close(fd);
++
+ file_pointer = fopen(priv_out, "w");
+ if (!file_pointer) {
+ fprintf(stderr, "Error: Could not open output file %.100s for writing.\n", priv_out);
+@@ -873,8 +911,16 @@ int save_dsa_bind(char *name, int ttl, Botan::Private_
+ 
+ printf("The private key has been written to %s\n", priv_out);
+ 
+- // Create the public key file
++ // Create and set file permissions if the file does not exist.
++ fd = open(pub_out, O_CREAT, S_IRUSR | S_IWUSR);
++ if (fd == -1) {
++ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++ pub_out, errno);
++ return 1;
++ }
++ close(fd);
+ 
++ // Create the public key file
+ file_pointer = fopen(pub_out, "w");
+ if (!file_pointer) {
+ fprintf(stderr, "Error: Could not open output file %.100s for writing.\n", pub_out);
Index: patches/patch-src_bin_softhsm_cpp
===================================================================
RCS file: patches/patch-src_bin_softhsm_cpp
diff -N patches/patch-src_bin_softhsm_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_bin_softhsm_cpp 21 Sep 2015 12:38:30 -0000
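Review bot: In save_rsa_bind and save_dsa_bind (and in to_pkcs8 earlier in this hunk) the new `open(..., O_CREAT, S_IRUSR | S_IWUSR)` descriptor is closed again before `fopen(priv_out, "w")` reopens the path by name, so the 0600 mode only ever applies to a file that did not exist yet, and between `close(fd)` and `fopen` nothing ties the path to the file that was just created. Keeping the descriptor closes both gaps: `int fd = open(priv_out, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);` followed by `file_pointer = fdopen(fd, "w");` in place of the `close(fd)`/`fopen` pair, plus `fchmod(fd, S_IRUSR | S_IWUSR);` if a pre-existing, more permissive .private or PKCS#8 file should also be tightened when it is overwritten. The same open/close/reopen pattern is applied to the public-key file in both functions, where 0600 may be stricter than readers of the .key file expect, and to writeKeyToDisk in patch-src_bin_softhsm_cpp. The added includes do not bring in <unistd.h>, which declares close(); presumably softhsm-keyconv.cpp already includes it, but that is worth confirming on the build. Every enclosing function here starts before and continues past its hunk.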
@@ -0,0 +1,71 @@
+$OpenBSD$
+--- src/bin/softhsm.cpp.orig Wed May 28 07:59:22 2014
++++ src/bin/softhsm.cpp Mon Sep 21 14:25:56 2015
+@@ -46,6 +46,10 @@
+ #include <iostream>
+ #include <fstream>
+ #include <sched.h>
++#include <fcntl.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <errno.h>
+ 
+ #ifdef HAVE_DLOPEN
+ #include <dlfcn.h>
+@@ -1005,6 +1009,15 @@ int removeSessionObjs(char *dbPath) {
+ CK_BBOOL ckFalse = CK_FALSE;
+ int retVal = 0;
+ 
++ // Create and set file permissions if the DB does not exist.
++ int fd = open(dbPath, O_CREAT, S_IRUSR | S_IWUSR);
++ if(fd == -1) {
++ fprintf(stderr, "Could not open the token database. errno=%i. "
++ "Probably wrong privileges: %s", errno, dbPath);
++ return 1;
++ }
++ close(fd);
++
+ if(sqlite3_open(dbPath, &db) != 0) {
+ fprintf(stderr, "ERROR: Could not connect to database.\n");
+ return 1;
+@@ -1278,6 +1291,15 @@ CK_RV writeKeyToDisk(char *filePath, char *filePIN, Bo
+ return CKR_GENERAL_ERROR;
+ }
+ 
++ // Create and set file permissions if the file does not exist.
++ int fd = open(filePath, O_CREAT, S_IRUSR | S_IWUSR);
++ if (fd == -1) {
++ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++ filePath, errno);
++ return CKR_GENERAL_ERROR;
++ }
++ close(fd);
++
+ std::ofstream privFile(filePath);
+ 
+ if(!privFile) {
+@@ -1468,6 +1490,15 @@ Botan::Private_Key* getPrivKey(char *dbPath, CK_OBJECT
+ sqlite3_stmt *select_sql = NULL;
+ Botan::Private_Key *privKey = NULL;
+ 
++ // Create and set file permissions if the DB does not exist.
++ int fd = open(dbPath, O_CREAT, S_IRUSR | S_IWUSR);
++ if(fd == -1) {
++ fprintf(stderr, "Could not open the token database. errno=%i. "
++ "Probably wrong privileges: %s", errno, dbPath);
++ return NULL;
++ }
++ close(fd);
++
+ if(sqlite3_open(dbPath, &db) == 0 && sqlite3_prepare_v2(db, select_str, -1, &select_sql, NULL) == 0) {
+ if(getObjectClass(select_sql, oHandle) == CKO_PRIVATE_KEY && getKeyType(select_sql, oHandle) == CKK_RSA) {
+ Botan::BigInt bigN = getBigIntAttribute(select_sql, oHandle, CKA_MODULUS);
+@@ -1477,7 +1508,7 @@ Botan::Private_Key* getPrivKey(char *dbPath, CK_OBJECT
+ Botan::BigInt bigQ = getBigIntAttribute(select_sql, oHandle, CKA_PRIME_2);
+ 
+ Botan::AutoSeeded_RNG *rng = new Botan::AutoSeeded_RNG();
+-
++
+ try {
+ privKey = new Botan::RSA_PrivateKey(*rng, bigP, bigQ, bigE, bigD, bigN);
+ }