Re: [PATCH RFC PKCS7 asn1c 0/2] asn1c version of PKCS#7 parser

[Yauheni Kaliuta <yauheni.kaliuta@redhat.com>]

Hi, Michal!

>>>>> On Tue, 22 Jan 2019 23:07:03 +0100, Michal Suchánek  wrote:

 > On Tue, 22 Jan 2019 12:43:45 -0800
 > Lucas De Marchi <lucas.de.marchi@gmail.com> wrote:

 >> On Tue, Jan 22, 2019 at 12:03 PM Michal Suchánek <msuchanek@suse.de>
 >> wrote:
 >> >
 >> > On Tue, 22 Jan 2019 22:01:04 +0200
 >> > Yauheni Kaliuta <yauheni.kaliuta@redhat.com> wrote:
 >> >  
 >> > > Hi!
 >> > >
 >> > > Looks like OpenSUSE took the RFC patch.
 >> > >
 >> > > The diverging doesn't sound nice, frankly speaking.  
 >> >
 >> > Is there an upstream solution?
 >> >
 >> > The diverging is caused by lack of support upstream.  
 >> 
 >> Mea culpa for not deciding with which implementation to go for the
 >> next release. We actually have 3 possible implementations: one with
 >> openssl, one with gnutls and
 >> this one lifting the implementation from the kernel to be used in
 >> userspace.

 > This is not really about lifting the kernel implementation. It is more
 > about using a parser generator to generate code that parses the
 > signature. asn1c is specialized on asn1 encoded data such as the PKCS#7
 > signature.

 >> 
 >> It would be good to know from downstream their preference to weigh in
 >> the decision.

 > I think with the size of initrd currently in openSUSE nobody will
 > notice a crypto library or two added. For other distributions 0.5M size
 > increase in ramdisk may be more noticeable.

 >  15M /boot/initrd-4.19.4-1-default
 > 1.7M /usr/lib64/libgnutls.so.30.22.0
 > 437K /usr/lib64/libssl.so.1.1

 > Between gnutls and openssl my impression is that openssl is
 > more likely to be included with other tools anyway in more
 > featureful ramdisks (ie.  kdump over ssh or live system over
 > https will need SSL). openssl is is also smaller of the two.

Fine. I've resent the openssl version. If you know anybody,
security related, for review, I would appriciate for it.

-- 
WBR,
Yauheni Kaliuta