[Opendnssec-develop] SoftHSM back-end database
Rickard.Bondesson at iis.se
Mon Dec 15 09:39:13 CET 2008
I changed the database design to be more general. One table for object IDs and the corresponding hashed PIN. The other table is a general table for the attributes (object id, type, value (blob), length). I am using SQLite3.
The downside is that the attributes for the private keys are unencrypted, thus viewable by anyone with access to the database.
> - What database are you going to use?
> - I assume that attributes like CKA_MODULUS, etc. will be
> derived from the X509_public_key field? The same goes for the
> private key
> - The CKA_ID value should not be stored as a string; it is
> defined as a byte array, so storing it as a string in a
> database could cause trouble (unless you store it Base64 encoded)
> - How are you going to encrypt the PKCS #8?
> - Are you really going to limit the possible values of a
> field such as CKA_CLASS?
> - I've never seen CKA_WRAP_WITH_TRUSTED being used. So you
> could make that one gray...
> - I would propose that you add a general "other attributes"
> blob, in which you can store - for instance in DER encoding -
> any attributes for which you have not created any fields; in
> this way you don't limit the types of attributes that can be
> stored without having to create fields for all possible attributes.
> Hope this helps.
> -- Roland M. van Rijswijk
> -- SURFnet Middleware Services
> -- t: +31-30-2305388
> -- e: roland.vanrijswijk at surfnet.nl
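A worked version of the two-table layout described above, added here as an example; it is not SoftHSM's code and not anything from the thread. The table and column names, the salted SHA-256 PIN hash, and the key bytes are assumptions made for illustration only. It stores CKA_ID as a raw BLOB (Roland's point about byte arrays vs. strings, with as_c_string showing what a NUL-terminated binding would lose), and it makes the stated downside concrete: get_attribute hands back CKA_PRIVATE_EXPONENT to anyone who can open the file, with no PIN check in the path.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Dict, List, Optional

# PKCS#11 attribute type and object class constants (values from the PKCS#11 v2.20 spec).
CKA_CLASS = 0x0000
CKA_LABEL = 0x0003
CKA_ID = 0x0102
CKA_MODULUS = 0x0120
CKA_PUBLIC_EXPONENT = 0x0122
CKA_PRIVATE_EXPONENT = 0x0123
CKO_PUBLIC_KEY = 0x0002
CKO_PRIVATE_KEY = 0x0003

# Table and column names are assumptions for this example, not SoftHSM's actual schema.
SCHEMA = """
CREATE TABLE Objects (
    objectID INTEGER PRIMARY KEY AUTOINCREMENT,
    pin      BLOB NOT NULL              -- salt || SHA-256(salt || PIN)
);
CREATE TABLE Attributes (
    objectID INTEGER NOT NULL REFERENCES Objects(objectID),
    type     INTEGER NOT NULL,          -- CKA_* attribute type
    value    BLOB,                      -- raw attribute bytes, never a text string
    length   INTEGER NOT NULL,          -- byte length of value
    PRIMARY KEY (objectID, type)
);
"""

SALT_LEN = 8


def hash_pin(pin: bytes, salt: bytes) -> bytes:
    """Salted PIN hash as stored in Objects.pin; the salt is kept in front of the digest."""
    return salt + hashlib.sha256(salt + pin).digest()


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_object(conn: sqlite3.Connection, pin: bytes, attrs: Dict[int, bytes]) -> int:
    """Create an object protected by `pin` and store every attribute as a BLOB plus its length."""
    salt = os.urandom(SALT_LEN)
    cur = conn.execute("INSERT INTO Objects (pin) VALUES (?)", (hash_pin(pin, salt),))
    object_id = cur.lastrowid
    for attr_type, value in attrs.items():
        conn.execute(
            "INSERT INTO Attributes (objectID, type, value, length) VALUES (?, ?, ?, ?)",
            (object_id, attr_type, value, len(value)),
        )
    conn.commit()
    return object_id


def check_pin(conn: sqlite3.Connection, object_id: int, pin: bytes) -> bool:
    row = conn.execute("SELECT pin FROM Objects WHERE objectID = ?", (object_id,)).fetchone()
    if row is None:
        return False
    stored = bytes(row[0])
    return hmac.compare_digest(stored, hash_pin(pin, stored[:SALT_LEN]))


def get_attribute(conn: sqlite3.Connection, object_id: int, attr_type: int) -> Optional[bytes]:
    """Read one attribute. Nothing here asks for the PIN: with file access to the database,
    the private-key attributes are exactly as readable as the public ones."""
    row = conn.execute(
        "SELECT value, length FROM Attributes WHERE objectID = ? AND type = ?",
        (object_id, attr_type),
    ).fetchone()
    if row is None:
        return None
    value = bytes(row[0])
    if len(value) != row[1]:
        raise ValueError("stored length does not match blob")
    return value


def find_by_id(conn: sqlite3.Connection, cka_id: bytes) -> List[int]:
    """Look up objects by CKA_ID, comparing raw bytes so NUL and non-UTF-8 bytes match exactly."""
    rows = conn.execute(
        "SELECT objectID FROM Attributes WHERE type = ? AND value = ?", (CKA_ID, cka_id)
    ).fetchall()
    return [r[0] for r in rows]


def as_c_string(value: bytes) -> bytes:
    """What a CKA_ID becomes if bound as text with a strlen()-derived length: cut at the first NUL."""
    return value.split(b"\x00", 1)[0]


if __name__ == "__main__":
    db = open_db()
    key_id = b"\x00\x01\xff"  # constructed CKA_ID with a leading NUL and a non-UTF-8 byte
    oid = add_object(db, b"1234", {
        CKA_CLASS: CKO_PRIVATE_KEY.to_bytes(4, "little"),
        CKA_ID: key_id,
        CKA_MODULUS: bytes.fromhex("00c0ffee"),            # constructed, not a real key
        CKA_PRIVATE_EXPONENT: bytes.fromhex("00deadbeef"),  # constructed, not a real key
    })
    print("PIN ok:", check_pin(db, oid, b"1234"))
    print("found by raw CKA_ID:", find_by_id(db, key_id) == [oid])
    print("CKA_ID if stored as a C string:", as_c_string(key_id))
    print("private exponent read without PIN:", get_attribute(db, oid, CKA_PRIVATE_EXPONENT).hex())
```

The length column is redundant with the BLOB's own size but is cheap insurance against a truncated write; get_attribute refuses to return a value whose length disagrees with it. Whether Attributes.value for sensitive types should be encrypted under a PIN-derived key (the open question in the thread) is left as it is here: this example reproduces the layout as described, unencrypted.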