[Opendnssec-develop] Refactoring of libhsm
Rickard Bellgrim
rickard at opendnssec.org
Mon Aug 15 08:04:05 UTC 2011
>>> Private vs. Public keys
>>> ---------------------------------
>>>
>>> There are two options here.
>>> 1. Detect what algorithm the key object belongs to. Will probably
>>> degrade the performance somewhat.
>>> 2. Recommend that user to disable the option<SkipPublicKey> if they
>>> plan to run DAS or GOST.
>>>
>>> What do you think?
>>
>> I think option 1 unless the performance hit is really significant... Option
>> 2 sounds like requiring users to know in advance how the system might be
>> used in the future.
>
> I can see if there is a simple solution.
The key algorithm is not known in the libhsm key structure. It is
looked up by calling hsm_get_key_algorithm(). Should we add a call to
it hsm_key_new_privkey_object_handle() and store it in the key
structure? The only downside is that it is called for each key pair
when listing keys in the HSM, but that is an operation that the user
does and not OpenDNSSEC. Thus not affecting the signing performance.
The RSA public key was removed to save space and that we did not need
to search for public key with a matching CKA_ID. This would however
introduce a call where we fetch an attribute. The search for CKA_ID is
however more expensive than getting an attribute.
// Rickard
More information about the Opendnssec-develop
mailing list