Message-ID: <8830.1456486934@warthog.procyon.org.uk>
Date: Fri, 26 Feb 2016 11:42:14 +0000
From: David Howells <dhowells@...hat.com>
To: Andrew Zaborowski <balrogg@...glemail.com>
Cc: dhowells@...hat.com, Tadeusz Struk <tadeusz.struk@...el.com>,
keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
zohar@...ux.vnet.ibm.com, linux-kernel@...r.kernel.org,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>
Subject: Re: [PATCH 4/8] akcipher: Move the RSA DER encoding to the crypto layer
Andrew Zaborowski <balrogg@...glemail.com> wrote:
> Without overhauling akcipher you could modify pkcs1pad so that sign
> takes the hash as input, adds the DER struct in front of it to build
> the signature, and the verify operation could at most check that the
> DER string matches the hash type and return the hash. But I think
> RFC2437 suggests that you rather compare the signatures, not the
> hashes.
Whilst that is true about what RFC2437 shows, I wonder how strict it wants to
be about that rather than it just being a convenient way of describing the
algorithm.
The advantage of doing it the way the RFC suggests is that you get to use the
EMSA-PKCS1-V1_5-ENCODE operation twice, thereby saving code and only having
one place for bugs to occur instead of two - but you can argue this either
way.
That said, I would be okay with it returning just the message hash with the
padding stripped off, providing the padding is validated in the crypto layer,
if that's necessary.
David
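The two verification strategies contrasted above, as an added illustration that is not part of this thread or of the kernel's pkcs1pad code: `verify_by_reencoding` follows RFC 2437 and runs EMSA-PKCS1-v1_5-ENCODE a second time to compare whole encoded messages, while `strip_padding` is the alternative of validating the padding and returning the bare hash. The example assumes Python, a SHA-1/SHA-256 hash set, and the standard DER DigestInfo prefixes for those algorithms; all function names are illustrative.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefixes (AlgorithmIdentifier plus OCTET STRING
# header); the raw digest bytes follow the prefix to form T.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_pkcs1_v15_encode(hash_name: str, digest: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5-ENCODE (RFC 2437 s9.2.1) applied to a precomputed
    digest: EM = 0x00 || 0x01 || PS || 0x00 || T, with PS >= 8 bytes of 0xFF."""
    t = DIGEST_INFO_PREFIX[hash_name] + digest
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t

def verify_by_reencoding(hash_name: str, digest: bytes, em: bytes) -> bool:
    """RFC-style verify: re-encode the expected digest and compare the whole
    encoded message, so one encoder serves both sign and verify."""
    try:
        expected = emsa_pkcs1_v15_encode(hash_name, digest, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(expected, em)

def strip_padding(em: bytes):
    """Alternative verify: validate header, PS, separator and DigestInfo
    strictly, then return (hash_name, digest). Every byte of EM must be
    accounted for; nothing is skipped or tolerated."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)          # -1 if no separator at all
    if sep < 10:                       # fewer than 8 bytes of PS
        raise ValueError("padding string too short or missing separator")
    if em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("non-0xFF byte inside padding string")
    t = em[sep + 1:]
    for name, prefix in DIGEST_INFO_PREFIX.items():
        dlen = hashlib.new(name).digest_size
        if t[:len(prefix)] == prefix and len(t) == len(prefix) + dlen:
            return name, t[len(prefix):]
    raise ValueError("unrecognised or malformed DigestInfo")
```

The length check in `strip_padding` is what "validated in the crypto layer" has to mean in practice: a DigestInfo that matches but leaves unconsumed bytes is rejected, not merely ignored.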