David Woodhouse <[email protected]> wrote:

> Why not just take multiple certs in PEM form in a single file, rather
> than automatically including *.x509 in DER form? Wouldn't that be a
> whole lot easier? 

No, for the following reasons:

 (1) Unless we want the kernel to be able to handle PEM form, they have to be
     converted to DER form for inclusion in system_certificates.S.

 (2) We would have to combine the automatically generated signing cert with
     the added certs, though, admittedly, this could be done in
     system_certificates.S.

 (3) We've already told people they must drop DER certs into the source tree
     and distribution kernel packages are already doing this, so we have to
     make sure they get this right.

You could make it so that the make process picks up .pem files and converts
them to DER-encoded .x509 files.  You can cat a bunch of DER certs together
and the kernel will break them apart when it parses the single buffer that
contains all the certs.

We could even make the kernel handle PEM.  It shouldn't be very much overhead
since it's just a wrapping/encoding of the DER, right?

So it's by no means impossible, but it's not easier.

David
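
The splitting step described above (several DER certs concatenated into one buffer and broken apart at parse time), as an added example that is not part of the original message and is not the kernel's code: each X.509 certificate is a DER SEQUENCE with a definite length, so the boundaries can be found from the tag and length bytes alone. The names `der_span`, `der_seq_total_len` and `split_der_certs` and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct der_span { size_t off, len; };   /* one cert: offset and total size */

/* Total size (header + content) of the definite-length SEQUENCE at buf,
 * or 0 if the bytes are not such an element or it overruns avail. */
static size_t der_seq_total_len(const uint8_t *buf, size_t avail)
{
    size_t hdr = 2, content = 0;
    if (avail < 2 || buf[0] != 0x30)        /* 0x30 = SEQUENCE tag */
        return 0;
    if (buf[1] < 0x80) {                    /* short form length */
        content = buf[1];
    } else {                                /* long form: n length bytes */
        size_t n = buf[1] & 0x7f;
        if (n == 0 || n > 4 || avail < 2 + n)   /* n == 0 is indefinite */
            return 0;
        for (size_t i = 0; i < n; i++)
            content = (content << 8) | buf[2 + i];
        hdr += n;
    }
    return content > avail - hdr ? 0 : hdr + content;
}

/* Returns the number of certs found, or -1 if the buffer holds anything
 * that is not a complete element (or more than max elements). */
int split_der_certs(const uint8_t *buf, size_t len, struct der_span *out, int max)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        size_t total = der_seq_total_len(buf + off, len - off);
        if (total == 0 || count == max)
            return -1;
        out[count++] = (struct der_span){ off, total };
        off += total;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: two tiny SEQUENCEs standing in for certificates. */
    static const uint8_t two[] = { 0x30,0x03,0x02,0x01,0x05, 0x30,0x02,0x05,0x00 };
    struct der_span s[4];
    int n = split_der_certs(two, sizeof(two), s, 4);
    printf("%d elements, second at offset %zu\n", n, n == 2 ? s[1].off : 0);
}
```

A buffer that still contains PEM text, or whose last certificate is truncated, is rejected as a whole rather than partially accepted.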