[Opendnssec-develop] SoftHSM back-end database

Rickard Bondesson Rickard.Bondesson at iis.se
Mon Dec 15 08:39:13 UTC 2008


Hi

I changed the database design to be more general. One table for object IDs and the corresponding hashed PIN. The other table is a general table for the attributes (object id, type, value (blob), length). I am using SQLite3.

The downside is that the attributes for the private keys are unencrypted, thus viewable by anyone with access to the database.

// Rickard

> 
> - What database are you going to use?
> 
> - I assume that attributes like CKA_MODULUS, etc. will be 
> derived from the X509_public_key field? The same goes for the 
> private key
> 
> - The CKA_ID value should not be stored as a string; it is 
> defined as a byte array, so storing it as a string in a 
> database could cause trouble (unless you store it Base64 encoded)
> 
> - How are you going to encrypt the PKCS #8?
> 
> - Are you really going to limit the possible values of a 
> field such as CKA_CLASS?
> 
> - I've never seen CKA_WRAP_WITH_TRUSTED being used. So you 
> could make that one gray...
> 
> - I would propose that you add a general "other attributes" 
> blob, in which you can store - for instance in DER encoding - 
> any attributes for which you have not created any fields; in 
> this way you don't limit the types of attributes that can be 
> stored without having to create fields for all possible attributes.
> 
> Hope this helps.
> 
> Cheers,
> 
> Roland.
> 
> --
> -- Roland M. van Rijswijk
> -- SURFnet Middleware Services
> -- t: +31-30-2305388
> -- e: roland.vanrijswijk at surfnet.nl
> 
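
A minimal sketch of the two-table layout described in the message above, added here as an illustration; it is not SoftHSM's schema or code. Table and column names, the SHA-256 PIN hash and the sample values are assumptions. It shows a CKA_ID with embedded NUL and non-UTF-8 bytes matched as raw bytes in a BLOB column, and that a stored private-key attribute is returned to any reader of the database without the PIN.

```python
import hashlib
import sqlite3

# PKCS #11 attribute type codes, as defined in the PKCS #11 specification.
CKA_ID = 0x102
CKA_PRIVATE_EXPONENT = 0x123

# Table and column names are assumptions; the post gives only the layout.
SCHEMA = """
CREATE TABLE objects (
    object_id  INTEGER PRIMARY KEY,
    hashed_pin TEXT NOT NULL
);
CREATE TABLE attributes (
    object_id INTEGER NOT NULL REFERENCES objects(object_id),
    type      INTEGER NOT NULL,
    value     BLOB,
    length    INTEGER NOT NULL,
    PRIMARY KEY (object_id, type)
);
"""

def open_store():
    """Create an in-memory SQLite3 database with the two tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def add_object(db, pin, attrs):
    """Insert one object and its attributes; returns the new object id."""
    digest = hashlib.sha256(pin.encode()).hexdigest()  # hash choice is an assumption
    oid = db.execute("INSERT INTO objects (hashed_pin) VALUES (?)", (digest,)).lastrowid
    db.executemany(
        "INSERT INTO attributes VALUES (?, ?, ?, ?)",
        [(oid, attr_type, value, len(value)) for attr_type, value in attrs.items()],
    )
    return oid

def find_by_id(db, cka_id):
    """Look up objects by CKA_ID, compared byte for byte (no text encoding)."""
    rows = db.execute(
        "SELECT object_id FROM attributes WHERE type = ? AND value = ?", (CKA_ID, cka_id)
    )
    return [row[0] for row in rows]

def read_attribute(db, oid, attr_type):
    """Read an attribute value the way any holder of the database file can."""
    row = db.execute(
        "SELECT value FROM attributes WHERE object_id = ? AND type = ?", (oid, attr_type)
    ).fetchone()
    return bytes(row[0]) if row else None
```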


