From: Vitaly Chikunov <email@example.com> To: Mimi Zohar <firstname.lastname@example.org> Cc: Mimi Zohar <email@example.com>, Dmitry Kasatkin <firstname.lastname@example.org>, email@example.com, "Dmitry V. Levin" <firstname.lastname@example.org> Subject: Re: [PATCH v6 1/3] ima-evm-utils: Allow manual setting keyid for signing Date: Thu, 1 Jul 2021 00:10:48 +0300 [thread overview] Message-ID: <email@example.com> (raw) In-Reply-To: <firstname.lastname@example.org> Mimi, On Wed, Jun 30, 2021 at 04:47:53PM -0400, Mimi Zohar wrote: > On Wed, 2021-06-30 at 22:44 +0300, Vitaly Chikunov wrote: > > On Wed, Jun 30, 2021 at 12:39:02PM -0400, Mimi Zohar wrote: > > > On Tue, 2021-06-29 at 04:32 +0300, Vitaly Chikunov wrote: > > > > On Mon, Jun 28, 2021 at 04:50:42PM -0400, Mimi Zohar wrote: > > > > > > > > > > Thank you for the detailed explanation. > > > > > > > > > > On Sat, 2021-06-26 at 03:42 +0300, Vitaly Chikunov wrote: > > > > > > > > > > > > Requiring the optarg value to be prefixed with "0x" would > > > > > > > simplify the strlen test. > > > > > > > (The subsequent patch wouldn't need a contrived prefix.) > > > > > > > > > > > > (I do not understand this remark at the moment.) > > > > > > > > > > > > Base 16 will let user pass keyid just as a string, copy-pasting from > > > > > > somewhere else. > > > > > > > > > > strtoul() supports prefixing the ascii-hex string with "0x". To > > > > > differentiate between a keyid and pathname, why not require the keyid > > > > > be prefixed with "0x", as opposed to requiring the pathname to be > > > > > prefixed with '@', like "--keyid @/path/to/cert.pem". > > > > > > > > I wanted to avoid (filename vs keyid) ambiguity of the argument to > > > > `--keyid' - if user have file named "0x00112233" they would have hard > > > > time passing it to `--keyid'. But, it's impossible to have keyid string > > > > starting with "@". So, "@" perfectly distinguish type of `--keyid' > > > > argument but "0x" isn't. > > > > > > > > Also, in some software (zip, rar) "@" is common prefix meaning value > > > > should be taken from the specified file. But, yes, "@" is not common > > > > in Unix environments. Do you want me to create separate option like > > > > `--keyid-from-file'? > > > > > > It's highly unlikely that both the filename and pathname would be > > > prefixed with "0x". Defining a new option might be a good idea. > > > Possibly naming it --extract-cert-keyid, ---cert-keyid, or --keyid- > > > from-cert. > > > > It's not unlikely, because people may want to keep cert files named or > > symlinked by keyid. (For example, local cert database keep cert files > > symlinked like `f30dd6ad.0'.) > > > > I will add an option, most understandable, perhaps, is `--keyid-from-cert'. > > > > Also, I will remove base 16 from --keyid argument. > > I must be missing something. "openssl x509", "keyctl show > %keyring:<keyring name>", and "getfattr -m security.ima -e hex --dump" > all display the skid in hex. Why would anyone provide the skid as > something other than in hex? Ah, I thought you want '0x' prefix mandatory. Will not remove base 16 then. Also, /proc/keys shows keyid without '0x' prefix. Thanks, > > thanks, > > Mimi >
next prev parent reply other threads:[~2021-06-30 21:11 UTC|newest] Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-05-11 11:56 [PATCH v6 0/3] ima-evm-utils: Add --keyid option Vitaly Chikunov 2021-05-11 11:56 ` [PATCH v6 1/3] ima-evm-utils: Allow manual setting keyid for signing Vitaly Chikunov 2021-06-25 12:21 ` Mimi Zohar 2021-06-26 0:42 ` Vitaly Chikunov 2021-06-28 20:50 ` Mimi Zohar 2021-06-29 1:32 ` Vitaly Chikunov 2021-06-30 16:39 ` Mimi Zohar 2021-06-30 19:44 ` Vitaly Chikunov 2021-06-30 20:47 ` Mimi Zohar 2021-06-30 21:10 ` Vitaly Chikunov [this message] 2021-06-30 21:32 ` Mimi Zohar 2021-05-11 11:56 ` [PATCH v6 2/3] ima-evm-utils: Allow manual setting keyid from a cert file Vitaly Chikunov 2021-06-25 12:22 ` Mimi Zohar 2021-06-26 0:27 ` Vitaly Chikunov 2021-06-30 16:39 ` Mimi Zohar 2021-05-11 11:56 ` [PATCH v6 3/3] ima-evm-utils: Read keyid from the cert appended to the key file Vitaly Chikunov 2021-06-25 12:22 ` Mimi Zohar 2021-06-26 0:21 ` Vitaly Chikunov 2021-06-30 17:38 ` Mimi Zohar 2021-06-30 19:10 ` Vitaly Chikunov 2021-06-30 19:26 ` Vitaly Chikunov
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --subject='Re: [PATCH v6 1/3] ima-evm-utils: Allow manual setting keyid for signing' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).