[Cryptech-Commits] [sw/pkcs11] 05/05: Remove SQLite3 from build, no longer needed.

git at cryptech.is git at cryptech.is
Tue Nov 22 05:27:40 UTC 2016


This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch ksng
in repository sw/pkcs11.

commit 543fc948aaf35f31ef5100a3897bf15cf5fa0d0d
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Tue Nov 22 00:22:48 2016 -0500

    Remove SQLite3 from build, no longer needed.
---
 .gitignore                 |   4 --
 Makefile                   |  34 ++-----------
 README.md                  |  40 ---------------
 schema.sql                 | 119 ---------------------------------------------
 scripts/convert-schema.sed |  62 -----------------------
 sqlite3/Makefile           |   8 ---
 unit_tests.py              |  24 ---------
 7 files changed, 3 insertions(+), 288 deletions(-)

diff --git a/.gitignore b/.gitignore
index f901fb1..a258b72 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,7 +29,3 @@ libhal/utils/cores
 libhal/utils/eim_peek_poke
 libtfm/tfm.h
 p11util
-schema.h
-sqlite3/build
-sqlite3/sqlite3
-sqlite3/sqlite3.h
diff --git a/Makefile b/Makefile
index 9d72087..86a8c57 100644
--- a/Makefile
+++ b/Makefile
@@ -44,10 +44,6 @@ LIBHAL_BLD	?= ${PKCS11_DIR}/libhal
 LIBTFM_SRC	?= ${CRYPTECH_ROOT}/sw/thirdparty/libtfm
 LIBTFM_BLD	?= ${PKCS11_DIR}/libtfm
 
-SQLITE3_SRC	?= ${CRYPTECH_ROOT}/sw/thirdparty/sqlite3
-SQLITE3_BLD	?= ${PKCS11_DIR}/sqlite3
-
-
 # Whether to enable threading.  Main reason for being able to turn it
 # off is that gdb on the Novena (sometimes) goes bananas when
 # threading is enabled.
@@ -65,10 +61,6 @@ ENABLE_DEBUGGING ?= no
 
 ENABLE_FOOTNOTE_WARNINGS ?= yes
 
-# Whether to build and use our own copy of the sqlite3 library.
-
-ENABLE_OWN_SQLITE_LIBRARY ?= $(if $(wildcard ${CRYPTECH_ROOT}/sw/thirdparty/sqlite3),yes,no)
-
 # Target platform for shared library.  Every platform has its own
 # kinks, as does GNU libtool, so we just suck it up and do the
 # necessary kinks for the platforms we support.  Yuck.
@@ -118,13 +110,6 @@ ifeq "${ENABLE_DEBUGGING}" "yes"
   CFLAGS += -DDEBUG_HAL=1 -DDEBUG_PKCS11=1
 endif
 
-ifeq "${ENABLE_OWN_SQLITE_LIBRARY}" "yes"
-  CFLAGS  += -I${SQLITE3_BLD}
-  SOFLAGS += ${SQLITE3_BLD}/libsqlite3.a
-else
-  SOFLAGS += -lsqlite3
-endif
-
 ifndef OBJCOPY
   OBJCOPY := objcopy
 endif
@@ -132,12 +117,9 @@ endif
 all: ${SONAME} p11util py11/attribute_map.py
 
 clean:
-	rm -rf *.o ${SONAME}* p11util schema.h attributes.h py11/*.pyc
+	rm -rf *.o ${SONAME}* p11util attributes.h py11/*.pyc
 	${MAKE} -C libtfm  $@
 	${MAKE} -C libhal  $@
-ifeq "${ENABLE_OWN_SQLITE_LIBRARY}" "yes"
-	${MAKE} -C sqlite3 $@
-endif
 
 distclean: clean
 	rm -f TAGS
@@ -150,25 +132,15 @@ ${LIBTFM_BLD}/libtfm.a: .FORCE
 ${LIBHAL_BLD}/libhal.a: .FORCE ${LIBTFM_BLD}/libtfm.a
 	${MAKE} -C libhal ${LIBHAL_TARGET}
 
-${SQLITE3_BLD}/libsqlite3.a: .FORCE
-	${MAKE} -C sqlite3
-
-schema.h: schema.sql scripts/convert-schema.sed Makefile
-	sed -f scripts/convert-schema.sed <schema.sql >schema.h
-
 attributes.h: attributes.yaml scripts/build-attributes Makefile
 	python scripts/build-attributes attributes.yaml attributes.h
 
 py11/attribute_map.py: attributes.yaml scripts/build-py11-attributes Makefile
 	python scripts/build-py11-attributes attributes.yaml py11/attribute_map.py
 
-pkcs11.o: pkcs11.c schema.h attributes.h ${LIBS}
+pkcs11.o: pkcs11.c attributes.h ${LIBS}
 	${CC} ${CFLAGS} -c $<
 
-ifeq "${ENABLE_OWN_SQLITE_LIBRARY}" "yes"
-  pkcs11.o: ${SQLITE3_BLD}/libsqlite3.a
-endif
-
 ifeq "${UNAME}" "Darwin"
 
   ${SONAME}: pkcs11.o ${LIBS}
@@ -183,7 +155,7 @@ else
 
 endif
 
-p11util.o: p11util.c schema.h
+p11util.o: p11util.c
 	${CC} ${CFLAGS} -c $<
 
 p11util: p11util.o ${LIBS}
diff --git a/README.md b/README.md
index 7f7972c..7cee87d 100644
--- a/README.md
+++ b/README.md
@@ -38,9 +38,6 @@ extensible.
 The underlying cryptographic support comes from the [Cryptech][]
 `libhal` package.
 
-The object store is currently implemented using [SQLite3][], which may
-also need to change (more on this below).
-
 Testing to date has been done using the `bin/pkcs11/` tools from the
 BIND9 distribution, the `hsmcheck` and `ods-hsmutil` tools from the
 OpenDNSSEC distribution, the `hsmbully` diagnostic tool, and a
@@ -56,42 +53,6 @@ signatures, and passes some fairly basic tests.  More testing would be
 a really good idea.
 
 
-## Open issue: SQLite3 ##
-
-The choice to use use of [SQLite3][] as the PKCS #11 object store was
-made with full knowledge that we might need to change it later.  That
-said, we made the initial choice with several factors in mind:
-
-* Relative ease of development (it's all just SQL schemas and queries);
-
-* Relative ease of data normalization (foreign key constraints,
-  etcetera) and debugging (command line tool available for arbitrary
-  direct queries against stored data);
-
-* Licensing (SQLite3 is explictly public domain);
-
-* Support for embedded systems; and
-
-* Surprisingly small object code size (everything I found that was
-  significantly smaller had license issues, eg, gdbm).
-
-Overall, this has worked relatively well, but it's not necessarily
-what we want in the long run, if only because it fails the minimum
-complexity test.
-
-The current implementation keeps much of the SQL data in an in-memory
-database: only "token objects" are stored in on disk.  This matches
-the required PKCS #11 semantics, and using the same mechanism to
-handle both session objects and token objects simplifies the code
-considerably, but it does mean that much of the SQL code is really
-just dealing with a weird encoding of in-memory data structures.
-
-At this point the schema may be stable enough that it would make sense
-to consider reimplementing without SQL.  It's not urgent as long as
-we're just doing proof-of-concept work, but is something we should
-consider seriously before deciding that this is ready for "production"
-status.
-
 ## Copyright status ##
 
 The [PKCS11][] header files are "derived from the RSA Security Inc.
@@ -102,6 +63,5 @@ Code written for the [Cryptech][] project is under the usual Cryptech
 BSD-style license.
 
 [PKCS11]:    http://www.cryptsoft.com/pkcs11doc/STANDARD/       "PKCS #11"
-[SQLite3]:   https://www.sqlite.org/                            "SQLite3"
 [DNSPython]: http://www.dnspython.org/                          "DNSPython"
 [Cryptech]:  https://cryptech.is/                               "Cryptech"
diff --git a/schema.sql b/schema.sql
deleted file mode 100644
index c79b3c0..0000000
--- a/schema.sql
+++ /dev/null
@@ -1,119 +0,0 @@
--- SQLite3 schema for Cryptech PKCS #11 implementation.
---
--- Author: Rob Austein
--- Copyright (c) 2015-2016, NORDUnet A/S
--- All rights reserved.
---
--- Redistribution and use in source and binary forms, with or without
--- modification, are permitted provided that the following conditions are
--- met:
--- - Redistributions of source code must retain the above copyright notice,
---   this list of conditions and the following disclaimer.
---
--- - Redistributions in binary form must reproduce the above copyright
---   notice, this list of conditions and the following disclaimer in the
---   documentation and/or other materials provided with the distribution.
---
--- - Neither the name of the NORDUnet nor the names of its contributors may
---   be used to endorse or promote products derived from this software
---   without specific prior written permission.
---
--- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
--- IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
--- TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
--- PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
--- HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
--- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
--- TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
--- PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
--- LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
--- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
--- SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
--- Notes:
---
--- The CHECK constraints in the attribute tables are checking
--- CKA_TOKEN, to make sure we don't accidently file token objects in
--- the session table or vice versa.
---
--- temp.object.token_object_id is a foreign-key reference to
--- main.token_object.id, but we can't use a real foreign key reference
--- because they're in different databases.  If we're careful about how
--- we do our joins, this is harmless, but may lead to some clutter if
--- a long running session has handles on token objects which some
--- other process deletes from the database.  If this happens and we
--- care for some reason, we can clean up such clutter with something
--- like:
---
---     WITH
---         known AS (SELECT token_object_id FROM token_object)
---     DELETE FROM object
---     WHERE  token_object_id IS NOT NULL
---     AND    token_object_id NOT IN known;
-
-PRAGMA foreign_keys = ON;
-
-CREATE TEMPORARY TABLE IF NOT EXISTS session (
-        session_id              INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
-        session_handle          INTEGER NOT NULL UNIQUE
-                                CHECK (session_handle > 0 AND session_handle <= 0xFFFFFFFF)
-);
-
-CREATE TEMPORARY TABLE IF NOT EXISTS object (
-        object_id               INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
-        object_handle           INTEGER NOT NULL UNIQUE
-                                CHECK (object_handle > 0 AND object_handle <= 0xFFFFFFFF),
-        session_id              INTEGER REFERENCES session
-                                ON DELETE CASCADE ON UPDATE CASCADE
-                                DEFERRABLE INITIALLY DEFERRED,
-        token_object_id         INTEGER,
-        session_object_id       INTEGER REFERENCES session_object
-                                ON DELETE CASCADE ON UPDATE CASCADE
-                                DEFERRABLE INITIALLY DEFERRED,
-        CHECK                   (token_object_id IS NULL OR (session_id IS NULL AND session_object_id IS NULL)),
-        UNIQUE                  (token_object_id),
-        UNIQUE                  (session_id, session_object_id)
-);
-
-CREATE TEMPORARY TABLE IF NOT EXISTS session_object (
-        session_object_id       INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
-        hal_pkey_uuid           BLOB,
-        object_id               INTEGER NOT NULL UNIQUE
-                                REFERENCES object
-                                ON DELETE CASCADE ON UPDATE CASCADE
-);
-
-CREATE TEMPORARY TABLE IF NOT EXISTS session_attribute (
-        type                    INTEGER NOT NULL,
-        session_object_id       INTEGER NOT NULL REFERENCES session_object
-                                ON DELETE CASCADE ON UPDATE CASCADE,
-        value                   BLOB NOT NULL,
-        UNIQUE                  (type, session_object_id),
-        CHECK                   (type <> 1 OR value = X'00')
-);
-
-CREATE TABLE IF NOT EXISTS token_object (
-        token_object_id         INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
-        hal_pkey_uuid           BLOB
-);
-
-CREATE TABLE IF NOT EXISTS token_attribute (
-        type                    INTEGER NOT NULL,
-        token_object_id         INTEGER NOT NULL REFERENCES token_object
-                                ON DELETE CASCADE ON UPDATE CASCADE,
-        value                   BLOB NOT NULL,
-        UNIQUE                  (type, token_object_id),
-        CHECK                   (type <> 1 OR value <> X'00')
-);
-
--- http://sqlite.org/foreignkeys.html says we might want these.
-
-CREATE INDEX IF NOT EXISTS temp.object__session                         ON object(session_id);
-CREATE INDEX IF NOT EXISTS temp.object__session_object                  ON object(session_object_id);
-CREATE INDEX IF NOT EXISTS temp.session_object__object                  ON session_object(object_id);
-CREATE INDEX IF NOT EXISTS temp.session_attribute__session_object       ON session_attribute(session_object_id);
-CREATE INDEX IF NOT EXISTS token_attribute__token_object                ON token_attribute(token_object_id);
-
--- Local variables:
--- indent-tabs-mode: nil
--- End:
diff --git a/scripts/convert-schema.sed b/scripts/convert-schema.sed
deleted file mode 100644
index 3362ce5..0000000
--- a/scripts/convert-schema.sed
+++ /dev/null
@@ -1,62 +0,0 @@
-# Generate schema.h from schema.sql.
-#
-# If this script gets any more complicated, it should probably be
-# recoded in Python and have done.
-#
-# Author: Rob Austein
-# Copyright (c) 2015, NORDUnet A/S
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# - Redistributions of source code must retain the above copyright notice,
-#   this list of conditions and the following disclaimer.
-#
-# - Redistributions in binary form must reproduce the above copyright
-#   notice, this list of conditions and the following disclaimer in the
-#   documentation and/or other materials provided with the distribution.
-#
-# - Neither the name of the NORDUnet nor the names of its contributors may
-#   be used to endorse or promote products derived from this software
-#   without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
-# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
-# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
-# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-
-# Add header.  Note that both newlines and leading spaces need to be
-# quoted with backslashes, be careful....
-1i\
- /*\
-\ * Automatically generated from schema.sql, edit that file instead of this one.\
-\ */\
-\
-
-# Debugging hack: ordinarily we keep all the per-session stuff in the
-# "temp" database, but debugging is easier when we let it all go to
-# disk.  Uncomment these lines to remove all the "TEMPORARY" and
-# "temp." qualifiers.
-#s/ TEMPORARY / /g
-#s/ temp[.]/ /g
-
-# Delete comment lines, trailing whitespace, and blank lines.
-/^[ 	]*--/d
-s/[ 	]*$//
-/^$/d
-
-# Quote backslashes and doublequotes, if any.
-s/\\/\\\\/g
-s/"/\\"/g
-
-# Quote each line of text.
-s/^.*$/" &" "\\n"/
diff --git a/sqlite3/Makefile b/sqlite3/Makefile
deleted file mode 100644
index ed0d982..0000000
--- a/sqlite3/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-ifndef CRYPTECH_ROOT
-  CRYPTECH_ROOT := $(abspath ../../..)
-endif
-
-REPO    = ${CRYPTECH_ROOT}/sw/thirdparty/sqlite3
-TARBALL = ${REPO}/$(notdir ${URL})
-
-include ${REPO}/Makefile
diff --git a/unit_tests.py b/unit_tests.py
index 02863c8..f9bff67 100644
--- a/unit_tests.py
+++ b/unit_tests.py
@@ -50,8 +50,6 @@ def parse_arguments(argv = ()):
     parser.add_argument("--slot",       default = 0, type = int,                        help = "slot number")
     parser.add_argument("--libpkcs11",  default = libpkcs11_default,                    help = "PKCS #11 library")
     parser.add_argument("--all-tests",  action = "store_true",                          help = "enable tests usually skipped")
-    parser.add_argument("--sql-file",   default = "unit_tests.db",                      help = "SQLite3 database")
-    parser.add_argument("--ks-client",  default = "unit_tests.ks-client",               help = "client keystore (ks_mmap only)")
     parser.add_argument("--only-test",  default = [], nargs = "+",                      help = "only run tests named here")
     return parser.parse_args(argv)
 
@@ -59,36 +57,14 @@ args = parse_arguments()
 p11  = None
 
 def setUpModule():
-    from os import unlink, environ
-    from os.path import abspath, isfile
     global p11
 
-    def new_file(fn):
-        fn = abspath(fn)
-        if isfile(fn):
-            unlink(fn)
-        return fn
-
-    environ["PKCS11_DATABASE"]   = new_file(args.sql_file)
-    environ["CRYPTECH_KEYSTORE"] = new_file(args.ks_client)
-
     log("Loading PKCS #11 library {}".format(args.libpkcs11))
     p11 = PKCS11(args.libpkcs11)
 
     log("Setup complete")
 
 
-def tearDownModule():
-    from os import unlink
-    from os.path import isfile
-
-    if isfile(args.sql_file):
-        unlink(args.sql_file)
-
-    if isfile(args.ks_client):
-        unlink(args.ks_client)
-
-
 # Subclass a few bits of unittest to add timing reports for individual tests.
 
 class TestCase(unittest.TestCase):



More information about the Commits mailing list