[Opendnssec-develop] SoftHSM back-end database
Rickard Bondesson
Rickard.Bondesson at iis.se
Mon Dec 15 08:39:13 UTC 2008
Hi
I changed the database design to be more general. One table for object IDs and corresponding hashed PIN. The other table is a general table for the attributes (object ID, type, value (blob), length). I am using SQLite3.
The downside is that the attributes for the private keys are unencrypted, thus viewable for anyone with access to the database.
// Rickard
>
> - What database are you going to use?
>
> - I assume that attributes like CKA_MODULUS, etc. will be
> derived from the X509_public_key field? The same goes for the
> private key
>
> - The CKA_ID value should not be stored as a string; it is
> defined as a byte array, so storing it as a string in a
> database could cause trouble (unless you store it Base64 encoded)
>
> - How are you going to encrypt the PKCS #8?
>
> - Are you really going to limit the possible values of a
> field such as CKA_CLASS?
>
> - I've never seen CKA_WRAP_WITH_TRUSTED being used. So you
> could make that one gray...
>
> - I would propose that you add a general "other attributes"
> blob, in which you can store - for instance in DER encoding -
> any attributes for which you have not created any fields; in
> this way you don't limit the types of attributes that can be
> stored without having to create fields for all possible attributes.
>
> Hope this helps.
>
> Cheers,
>
> Roland.
>
> --
> -- Roland M. van Rijswijk
> -- SURFnet Middleware Services
> -- t: +31-30-2305388
> -- e: roland.vanrijswijk at surfnet.nl
>
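A worked sketch of the two-table layout described in the message above, added here as an illustration and not SoftHSM's own code: attribute values (including CKA_ID, which is a byte array) go into a BLOB column rather than a string column, and the Objects table holds only a salted hash of the PIN. Table and column names, the salt length, and the sample CKA_ID bytes are assumptions made for the example.

```python
import hashlib, hmac, os, sqlite3

# Constructed schema following the design in the mail: one table of object
# IDs with the hashed PIN, one generic attribute table (id, type, value, length).
SCHEMA = """
CREATE TABLE Objects (
    objectID INTEGER PRIMARY KEY,
    pin      BLOB NOT NULL       -- salt || SHA-256(salt || PIN), never the PIN itself
);
CREATE TABLE Attributes (
    objectID INTEGER NOT NULL REFERENCES Objects(objectID),
    type     INTEGER NOT NULL,   -- CKA_* attribute type constant
    value    BLOB    NOT NULL,   -- raw bytes: CKA_ID is a byte array, not TEXT
    length   INTEGER NOT NULL
);
"""
CKA_CLASS, CKA_ID, CKO_PRIVATE_KEY = 0x00000000, 0x00000102, 3  # PKCS #11 constants
SALT_LEN = 16  # assumption for this example

def hash_pin(pin: bytes, salt: bytes = None) -> bytes:
    """Return salt || SHA-256(salt || PIN); a fresh random salt if none given."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + hashlib.sha256(salt + pin).digest()

def check_pin(stored: bytes, pin: bytes) -> bool:
    """Constant-time comparison of a candidate PIN against the stored salted hash."""
    return hmac.compare_digest(stored, hash_pin(pin, stored[:SALT_LEN]))

def create_object(conn, pin: bytes, attrs: dict) -> int:
    """Insert an object with its hashed PIN and one Attributes row per CKA_* value."""
    obj = conn.execute("INSERT INTO Objects (pin) VALUES (?)", (hash_pin(pin),)).lastrowid
    conn.executemany("INSERT INTO Attributes VALUES (?, ?, ?, ?)",
                     [(obj, t, v, len(v)) for t, v in attrs.items()])
    return obj

def get_attribute(conn, obj: int, attr_type: int) -> bytes:
    row = conn.execute("SELECT value FROM Attributes WHERE objectID=? AND type=?",
                       (obj, attr_type)).fetchone()
    return bytes(row[0])

def demo() -> bool:
    """Round-trip a CKA_ID containing NUL and non-UTF-8 bytes, then verify the PIN."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    cka_id = bytes([0x00, 0xFF, 0x10, 0x00])  # constructed value; would break a TEXT column
    obj = create_object(conn, b"1234", {CKA_CLASS: CKO_PRIVATE_KEY.to_bytes(4, "little"),
                                        CKA_ID: cka_id})
    stored = conn.execute("SELECT pin FROM Objects WHERE objectID=?", (obj,)).fetchone()[0]
    return (get_attribute(conn, obj, CKA_ID) == cka_id
            and check_pin(stored, b"1234") and not check_pin(stored, b"0000"))
```

Note that, exactly as the message says, the private-key attribute values in `Attributes` are stored in the clear; the hashed PIN protects only the login check, not the stored key material.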