All of lore.kernel.org
 help / color / mirror / Atom feed
From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-integrity@vger.kernel.org
Subject: Re: [PATCH v7 3/3] ima-evm-utils: Read keyid from the cert appended to the key file
Date: Tue, 6 Jul 2021 00:15:45 +0300	[thread overview]
Message-ID: <20210705211545.s2hzroeulcw7bfbm@altlinux.org> (raw)
In-Reply-To: <f304a136df93bd74e06a68737f9512e003e329ab.camel@linux.ibm.com>

Mimi,

On Mon, Jul 05, 2021 at 04:04:52PM -0400, Mimi Zohar wrote:
> On Thu, 2021-07-01 at 04:13 +0300, Vitaly Chikunov wrote:
> > 
> > +/**
> > + * read_keyid_from_key() - Read 32-bit keyid from the key file
> > + * @keyid_be:   Pointer to 32-bit value in network order (BE, unaligned).
> > + * @keyfile:    PEM file with private key with optionally appended x509 cert.
> > + * Return:      0 on success and keyid_be is written;
> > + *              -1 on error, logged error message, and keyid_be isn't written.
> > + */
> > +static int read_keyid_from_key(uint32_t *keyid_be, const char *keyfile)
> 
> (With  the new option "--keyid-from-cert" is this patch really still
> needed?)

Yes. Key+cert is a nice option and should be handy for users. Key is
stored together with the cert which will verify them. Otherwise key
format doesn't store keyid which is error prone.

> The function name is a bit off.  Both imaevm_read_keyid() and this
> function are getting the keyid from a cert.  There's also quite a bit
> of code duplication between them.  Refactoring the code might help. 
> For example, perhaps imaevm_read_keyid() could be a wrapper for
> read_keyid_from_cert().

They have important difference too. Thus, its hard to refactor them
into nested function that looked good and simple. This is third attempt.
And it's like solving a unsolvable puzzle.

imaevm_read_keyid() reads from cert-only file where cert could be PEM or
DER encoded. It's failure if there is no cert, because user intended to
read a cert.

imaevm_read_keyid() reads from private key optionally combined with a
cert (both are PEM-only). It's not failure if there is no cert.

We want to save "duplicated" call to PEM_read_X509() but really it
causes more convoluted internal logic.

I tried to de-duplicate them as much as possible while remaining
understandability.

> Otherwise renaming this function to read_keyid_from_keyfile(),
> read_appended_keyid() or read_appended_keyid_from_cert(), which is
> really wordy, would be better.

Ok. read_keyid_from_keyfile looks good.

> 
> thanks,
> 
> Mimi

  reply	other threads:[~2021-07-05 21:15 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-01  1:13 [PATCH v7 0/3] ima-evm-utils: Add --keyid option Vitaly Chikunov
2021-07-01  1:13 ` [PATCH v7 1/3] ima-evm-utils: Allow manual setting keyid for signing Vitaly Chikunov
2021-07-01  1:13 ` [PATCH v7 2/3] ima-evm-utils: Allow manual setting keyid from a cert file Vitaly Chikunov
2021-07-05 19:59   ` Mimi Zohar
2021-07-05 20:50     ` Vitaly Chikunov
2021-07-01  1:13 ` [PATCH v7 3/3] ima-evm-utils: Read keyid from the cert appended to the key file Vitaly Chikunov
2021-07-05 20:04   ` Mimi Zohar
2021-07-05 21:15     ` Vitaly Chikunov [this message]
2021-07-06 16:23 ` [PATCH v7 0/3] ima-evm-utils: Add --keyid option Mimi Zohar
2021-07-06 21:13   ` Vitaly Chikunov
2021-07-08 15:37     ` Mimi Zohar
2021-07-08 15:46       ` Vitaly Chikunov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210705211545.s2hzroeulcw7bfbm@altlinux.org \
    --to=vt@altlinux.org \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=zohar@linux.ibm.com \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.