[Opendnssec-develop] Refactoring of libhsm

Rickard Bellgrim rickard at opendnssec.org
Fri Aug 5 14:40:42 UTC 2011


Hi

We had one task where we wanted to refactor libhsm. The main issues
were lost connections and listing keys.

Lost connections
-------------------------
Some HSMs will close down a session if it has not been used for some
time. The idea was to redesign libhsm to handle this. Most of the
actions in libhsm have something to do with a session, so it would be a
lot of work to be able to restore the session. I think it would be more
suitable for the application to handle this, like the Enforcer does:
to reload libhsm or make sure to close down the connections if
they are not going to be used.

Listing keys
-----------------
The problem was that it takes a long time to list keys when using both
private and public keys.

Public and private keys are stored as separate objects in PKCS#11, but
we bundle them with the same ID. There is, however, no way of searching
for key pairs in PKCS#11, so we have to first find all private keys,
extract the ID and then find the corresponding public key using that
ID. This is also the way it is done in libhsm. There is thus nothing
we can change in libhsm to make it faster.

Private vs. Public keys
---------------------------------
RSA keys also have the public key material in the private key. We can
thus save space by not storing the public key and save some
performance because we do not need to search for the public key.
PKCS#11 does not guarantee that the public key material is available
in the private key, but all HSMs we have been in contact with do so.
OpenDNSSEC utilizes this by adding an option to the repository list.

This does not, however, work for DSA and GOST. If you want to extract
the public key material, then you need the public key object: public
value Y from DSA and the curve point P(X, Y) for GOST.

There are two options here.

1. Detect what algorithm the key object belongs to. Will probably
   degrade the performance somewhat.
2. Recommend that users disable the option <SkipPublicKey> if they
   plan to run DSA or GOST.

What do you think?

// Rickard
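
Added example, not part of the original post and not libhsm code: a small in-memory model of option 1, reading the key type of each private key and searching for the public key object only when the private key cannot supply the public material. The token contents and the helper names (find_objects, public_material, list_keys) are constructed for illustration; only the PKCS#11 attribute names and constant values are real.

```python
# In-memory stand-in for a token; no real PKCS#11 calls are made.
# Constant values are the PKCS#11 ones; objects and helper names are constructed.
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY = 0x2, 0x3
CKK_RSA, CKK_DSA, CKK_GOSTR3410 = 0x0, 0x1, 0x30

TOKEN = [
    # RSA pair: the private object also carries modulus and public exponent.
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x01", "CKA_KEY_TYPE": CKK_RSA,
     "CKA_MODULUS": 3233, "CKA_PUBLIC_EXPONENT": 17},
    {"CKA_CLASS": CKO_PUBLIC_KEY, "CKA_ID": b"\x01", "CKA_KEY_TYPE": CKK_RSA,
     "CKA_MODULUS": 3233, "CKA_PUBLIC_EXPONENT": 17},
    # DSA pair: public value Y exists only as CKA_VALUE of the public object.
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x02", "CKA_KEY_TYPE": CKK_DSA},
    {"CKA_CLASS": CKO_PUBLIC_KEY, "CKA_ID": b"\x02", "CKA_KEY_TYPE": CKK_DSA,
     "CKA_VALUE": 1234},
    # GOST private key whose public object was never stored.
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x03", "CKA_KEY_TYPE": CKK_GOSTR3410},
]

def find_objects(token, template, stats):
    """Model one attribute-template search and count it as a token round trip."""
    stats["searches"] += 1
    return [o for o in token if all(o.get(k) == v for k, v in template.items())]

def public_material(token, priv, stats):
    """Choose where the public material comes from based on the key type."""
    rsa = priv["CKA_KEY_TYPE"] == CKK_RSA
    if rsa and {"CKA_MODULUS", "CKA_PUBLIC_EXPONENT"} <= priv.keys():
        return priv["CKA_MODULUS"], priv["CKA_PUBLIC_EXPONENT"]  # no extra search
    pubs = find_objects(token, {"CKA_CLASS": CKO_PUBLIC_KEY, "CKA_ID": priv["CKA_ID"]}, stats)
    if not pubs:
        return None  # public material unavailable for this key
    pub = pubs[0]
    return (pub["CKA_MODULUS"], pub["CKA_PUBLIC_EXPONENT"]) if rsa else pub["CKA_VALUE"]

def list_keys(token):
    """Return ({CKA_ID: public material or None}, number of searches performed)."""
    stats = {"searches": 0}
    privs = find_objects(token, {"CKA_CLASS": CKO_PRIVATE_KEY}, stats)
    return {p["CKA_ID"]: public_material(token, p, stats) for p in privs}, stats["searches"]

if __name__ == "__main__":
    keys, searches = list_keys(TOKEN)
    for key_id, material in keys.items():
        print(key_id.hex(), material if material is not None else "MISSING public key")
    print("searches:", searches)
```

In this model the RSA key costs no extra search, while the DSA and GOST keys each cost one, and the GOST key stored without its public object is reported as missing instead of being silently accepted.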


