From: Mimi Zohar <zohar@linux.ibm.com>
To: Vitaly Chikunov <vt@altlinux.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: Re: [PATCH v3] ima-evm-utils: Convert sign v2 from RSA to EVP_PKEY API
Date: Tue, 28 May 2019 19:31:02 -0400 [thread overview]
Message-ID: <1559086262.4139.75.camel@linux.ibm.com> (raw)
In-Reply-To: <20190528224657.r6muelxxhjdgcyji@altlinux.org>
On Wed, 2019-05-29 at 01:46 +0300, Vitaly Chikunov wrote:
> Mimi,
>
> On Tue, May 28, 2019 at 02:57:13PM -0400, Mimi Zohar wrote:
> > On Sat, 2019-03-23 at 05:56 +0300, Vitaly Chikunov wrote:
> > > Convert sign_v2 and related to using EVP_PKEY API instead of RSA API.
> > > This enables more signatures to work out of the box.
> > >
> > > Remove RSA_ASN1_templates[] as it does not needed anymore. OpenSSL sign
> > > is doing proper PKCS1 padding automatically (tested to be compatible
> > > with previous version, except for MD4). This also fixes bug with MD4
> > > which produced wrong signature because of absence of the appropriate
> > > RSA_ASN1_template.
> >
> > Is there any way of breaking this patch up to simplify review?
>
> Hm. The main change is to replace key type from RSA with more abstract
> EVP_PKEY. All other changes are a consequence of it.
Yes, I understand.
>
> And because keys are now EVP_PKEY the templates are removed too, now
> that we are not dealing with keys on the too low level anymore.
There's no reason that removing RSA_ASN1_templates[] needs to be in
the same patch as the pkey change, nor does the MAX_SIGNATURE_SIZE
changes in sign_evm().
>
> I already tried to leave RSA handling as is for v1 signatures, because
> they are RSA specific anyway.
>
> Also, I tried to leave most (external) API the same, except
> calc_keyid_v2 which now gets EVP_PKEY instead of RSA. Internally,
> find_keyid now returns EVP_PKEY too.
>
> read_pub_key now extracts RSA from EVP_PKEY from read_pub_pkey.
Right. So why couldn't the first patch define read_pub_pkey(), but
only call it from read_pub_key(). Then subsequent patches could call
read_pub_pkey() directly.
Mimi
>
> And calc_keyid_v2 now works internally slightly differently (and
> generally) to handle all possible key types.
>
> Also, I run some tests with ASan.
> Thanks,
next prev parent reply other threads:[~2019-05-28 23:31 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-23 2:56 [PATCH v3] ima-evm-utils: Convert sign v2 from RSA to EVP_PKEY API Vitaly Chikunov
2019-05-28 18:57 ` Mimi Zohar
2019-05-28 22:46 ` Vitaly Chikunov
2019-05-28 23:31 ` Mimi Zohar [this message]
2019-06-12 14:30 ` Mimi Zohar
2019-06-12 14:46 ` Vitaly Chikunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1559086262.4139.75.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=vt@altlinux.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).