Hello Viktor,

On Wednesday, May 6, 2015, Viktor Dukhovni <[email protected]> wrote:

> On Wed, May 06, 2015 at 08:33:37PM +0300, Dmitry Belyavsky wrote:
>
> > > > I would like to suggest a small patch providing the necessary check for
> > > > RSA_METHOD_FLAG_NO_CHECK here.
> > >
> > > I am not convinced this change is correct. The function would then
> > > not do what it is supposed to do. The flag suppresses implicit
> > > checks only, but suppressing explicit checks seems unexpected.
> > >
> >
> > Well, but what is the correct way to provide, for example, HSM key if we
> > have to check match without access to a private key?
>
> Well, one might argue that the checking function should support
> performing the check via engines. Or that explicit checks should
> not be called when you don't want to check. Perhaps openssl(1)
> should have a command-line option to suppress the explicit check.
>
> I'd still be surprised if calling the explicit check did nothing.
> However, I might not know enough of the history/intent. Perhaps
> someone will comment...

https://www.mail-archive.com/[email protected]/msg04370.html - a very old thread concerning using smartcards with OpenSSL.

http://code.google.com/p/chromium/issues/detail?id=395279 - the solution selected in BoringSSL.

--
SY, Dmitry Belyavsky
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
