In message <1479894913.8937.58.ca...@infradead.org> on Wed, 23 Nov 2016 09:55:13 +0000, David Woodhouse <dw...@infradead.org> said:
dwmw2> On Wed, 2016-11-23 at 09:56 +0100, Richard Levitte wrote: dwmw2> > dwmw2> > dwmw2> > dwmw2> So maybe it's just "content types" that we have handlers for, each with dwmw2> > dwmw2> an optional PEM tag for matching, *and* an optional match function dwmw2> > dwmw2> which is given the parsed ASN.1 and checks if it's a match. dwmw2> > dwmw2> > I'm not sure what you mean with a match function... but going off on dwmw2> > a limb, how about a reference to an OpenSSL style ASN1 description? dwmw2> > So basically, for an imaginary TSS KEY BLOB (one that actually would dwmw2> > use that TssBlob definition we talked about earlier), these three dwmw2> > items would be specified: dwmw2> > dwmw2> > "TSS KEY BLOB", dwmw2> > ASN1_ITEM_rptr(TSS_BLOB), /* TSS_BLOB ASN1 stuff defined in engine */ dwmw2> > handler /* Essentially a d2i function */ dwmw2> > dwmw2> > Or did you mean that the matching would also involve checking the dwmw2> > contents of the OCTET_STRING that TSS KEY BLOBs currently are, to see dwmw2> > if they correspond to your structures? If that's what you mean, my dwmw2> > gut feeling tells me - and I haven't had my morning coffee yet - we're dwmw2> > now moving into a territory where I fully expect dragons... not to dwmw2> > mention the worries Rich expressed. dwmw2> dwmw2> Oh $DEITY no, not looking in the contents of the OCTET_STRING. dwmw2> Basically I'm thinking of doing precisely what d2i_AutoPrivateKey() dwmw2> already does, just with expanded coverage and slightly less hard-coded dwmw2> stuff. <snip> dwmw2> Doing it like that would prevent any implementations (like the one in dwmw2> the TPM engine) from being *tempted* to go prodding around in the dwmw2> contents of OCTET STRINGs. Which is probably a feature :) Right... But then, embedding everything in an OCTET STRING isn't exactly a novel idea either. How do we discern a DER encoded TSS KEY BLOB from whatever else that had the same "novel" idea? An OCTET STRING is an OCTET STRING is an OCTET STRING... See the dragons hovering over there? ;-) Cheers, Richard -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
