From: Mimi Zohar <zohar@linux.ibm.com>
To: Vitaly Chikunov <vt@altlinux.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: Re: [PATCH v3] ima-evm-utils: Convert sign v2 from RSA to EVP_PKEY API
Date: Tue, 28 May 2019 19:31:02 -0400 [thread overview]
Message-ID: <1559086262.4139.75.camel@linux.ibm.com> (raw)
In-Reply-To: <20190528224657.r6muelxxhjdgcyji@altlinux.org>
On Wed, 2019-05-29 at 01:46 +0300, Vitaly Chikunov wrote:
> Mimi,
>
> On Tue, May 28, 2019 at 02:57:13PM -0400, Mimi Zohar wrote:
> > On Sat, 2019-03-23 at 05:56 +0300, Vitaly Chikunov wrote:
> > > Convert sign_v2 and related to using EVP_PKEY API instead of RSA API.
> > > This enables more signatures to work out of the box.
> > >
> > > Remove RSA_ASN1_templates[] as it does not needed anymore. OpenSSL sign
> > > is doing proper PKCS1 padding automatically (tested to be compatible
> > > with previous version, except for MD4). This also fixes bug with MD4
> > > which produced wrong signature because of absence of the appropriate
> > > RSA_ASN1_template.
> >
> > Is there any way of breaking this patch up to simplify review?
>
> Hm. The main change is to replace key type from RSA with more abstract
> EVP_PKEY. All other changes are a consequence of it.
Yes, I understand.
>
> And because keys are now EVP_PKEY the templates are removed too, now
> that we are not dealing with keys on the too low level anymore.
There's no reason that removing RSA_ASN1_templates[] needs to be in
the same patch as the pkey change, nor does the MAX_SIGNATURE_SIZE
changes in sign_evm().
>
> I already tried to leave RSA handling as is for v1 signatures, because
> they are RSA specific anyway.
>
> Also, I tried to leave most (external) API the same, except
> calc_keyid_v2 which now gets EVP_PKEY instead of RSA. Internally,
> find_keyid now returns EVP_PKEY too.
>
> read_pub_key now extracts RSA from EVP_PKEY from read_pub_pkey.
Right. So why couldn't the first patch define read_pub_pkey(), but
only call it from read_pub_key(). Then subsequent patches could call
read_pub_pkey() directly.
Mimi
>
> And calc_keyid_v2 now works internally slightly differently (and
> generally) to handle all possible key types.
>
> Also, I run some tests with ASan.
> Thanks,
next prev parent reply other threads:[~2019-05-28 23:31 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-23 2:56 [PATCH v3] ima-evm-utils: Convert sign v2 from RSA to EVP_PKEY API Vitaly Chikunov
2019-05-28 18:57 ` Mimi Zohar
2019-05-28 22:46 ` Vitaly Chikunov
2019-05-28 23:31 ` Mimi Zohar [this message]
2019-06-12 14:30 ` Mimi Zohar
2019-06-12 14:46 ` Vitaly Chikunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1559086262.4139.75.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=vt@altlinux.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.