From 291a2e0b6a37ffcc3325388c5fdad63d8f185130 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Mon, 22 Jun 2015 20:18:27 -0400
Subject: Convert from Cryptlib to libhal. Compiles, not yet tested otherwise.
---
 schema.sql | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 51 insertions(+), 2 deletions(-)
(limited to 'schema.sql')
diff --git a/schema.sql b/schema.sql
index 82d9482..0ff5562 100644
--- a/schema.sql
+++ b/schema.sql
@@ -51,6 +51,55 @@ PRAGMA foreign_keys = ON;
+-- Values we have to store somewhere and for which we have no better
+-- place. This is a table with exactly one row (enforced by the CHECK
+-- clause on the primary index). All columns must either allow NULL
+-- or provide default values.
+
+CREATE TABLE IF NOT EXISTS global (
+ global_id INTEGER PRIMARY KEY NOT NULL DEFAULT 1 CHECK (global_id = 1),
+
+ -- Key-encryption-key (KEK)
+ --
+ -- The KEK **really** should be somewhere else, like in RAM
+ -- protected by tamper detection circuitry, but we don't have
+ -- that yet. Not obvious that a separate file would be more
+ -- secure, so keep it here until we do have a better place.
+
+ kek BLOB CHECK (kek IS NULL OR (typeof(kek) = "blob" AND length(kek) IN (16, 32))),
+
+ -- PBKDF2-based PIN storage and check values.
+ --
+ -- "so_pin" and "user_pin" are PBKDF2 output, so only
+ -- moderately sensitive.
+ --
+ -- Not obvious that PKCS #11 ever really allows "so_pin" to be
+ -- unset, so it may want a NOT NULL constraint, but in that
+ -- case we'll need to provide a default value, which doesn't
+ -- seem like much of an improvement. "so_pin" probably
+ -- requires out-of-band initialization. "user-pin" is allowed
+ -- to be unset, there's an error code specifically for that
+ -- situation.
+ --
+ -- Numeric minima for PBKDF2 iterations, length of PIN, and
+ -- length of PBKDF2 salt are somewhat arbitrary, and will
+ -- probably change over time (which is why they are minima).
+ -- Feel free to suggest better minima.
+
+ pbkdf2_iterations INTEGER NOT NULL DEFAULT 100000,
+ so_pin BLOB,
+ user_pin BLOB,
+ so_pin_salt, BLOB,
+ user_pin_salt BLOB,
+ CHECK ((pbkdf2_iterations >= 100000) AND
+ (so_pin IS NULL OR (typeof(so_pin) = "blob" AND length(so_pin) >= 32)) AND
+ (user_pin IS NULL OR (typeof(user_pin) = "blob" AND length(user_pin) >= 32)) AND
+ (so_pin_salt IS NULL OR (typeof(so_pin_salt) = "blob" AND length(so_pin_salt) >= 16)) AND
+ (user_pin_salt IS NULL OR (typeof(user_pin_salt) = "blob" AND length(user_pin_salt) >= 16)))
+);
+
+INSERT OR IGNORE INTO global DEFAULT VALUES;
+
 CREATE TEMPORARY TABLE IF NOT EXISTS session (
 session_id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
 session_handle INTEGER NOT NULL UNIQUE
@@ -75,7 +124,7 @@ CREATE TEMPORARY TABLE IF NOT EXISTS object (
 CREATE TEMPORARY TABLE IF NOT EXISTS session_object (
 session_object_id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
- keyid TEXT UNIQUE,
+ private_key BLOB UNIQUE,
 object_id INTEGER NOT NULL UNIQUE REFERENCES object ON DELETE CASCADE ON UPDATE CASCADE
@@ -92,7 +141,7 @@ CREATE TEMPORARY TABLE IF NOT EXISTS session_attribute (
 CREATE TABLE IF NOT EXISTS token_object (
 token_object_id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
- keyid TEXT UNIQUE
+ private_key BLOB UNIQUE
 );
 CREATE TABLE IF NOT EXISTS token_attribute (
-- cgit v1.2.3
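Review bot: `so_pin_salt, BLOB,` in the new `global` table has a stray comma between the column name and its type; SQLite will most likely accept this as two untyped columns, `so_pin_salt` and one literally named `BLOB`, so the CREATE TABLE succeeds but the salt column has no BLOB affinity and the table silently carries a bogus extra column. It should read `so_pin_salt BLOB,` to match `user_pin_salt BLOB,` on the next line. The CHECK clauses also compare `typeof(...)` against double-quoted `"blob"`, which SQLite parses as an identifier and only treats as a string through its legacy fallback when no column of that name exists; `'blob'` is the unambiguous spelling, and the same applies to the `kek` CHECK earlier in the hunk. A short comment on `kek` saying why only 16- and 32-byte lengths are accepted would also help, since the `IN (16, 32)` list otherwise reads as if 24 were forgotten.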
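Review bot: The new `private_key BLOB UNIQUE` column in `session_object` (and the same column in `token_object` in the following hunk, which is a persistent table) replaces `keyid TEXT UNIQUE` without saying what the blob contains, so a reader cannot tell whether it is wrapped under `kek` from the new `global` table or stored in the clear. A one-line column comment stating which, in the style of the comments on `global`, would document the contract; for `token_object` in particular it is the difference between storing key handles and storing secrets on disk. Since `UNIQUE` compares the stored bytes, the comment could also say whether uniqueness is expected to hold for the stored form.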