[PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops
David Howells
dhowells at redhat.com
Tue Sep 18 17:18:37 UTC 2018
Denis Kenzior <denkenz at gmail.com> wrote:
> > Yes. It shouldn't be much code, either. You still have to check for X.509
> > DER since the kernel currently supports that.
>
> For reasons of backward compatibility, correct? The kernel also has
> mscode.asn1 which we would need to support as well. Since we can't break
> compatibility then perhaps this doesn't buy us a whole lot in the end.
Don't worry about mscode - that's not an asymmetric key parser. That's only
ever used directly from verify_pefile_signature().
Currently, we have to retain support for DER-encoded X.509.
But there's no reason we can't have a PEM parser that decodes the PEM and
selects X.509, PKCS#8 or TPM based on the ascii header in that. PKCS#8 and
TPM don't need to take DER directly.
David
More information about the Linux-security-module-archive
mailing list