On Wed, 2016-11-23 at 10:53 +0000, David Woodhouse wrote:
> On Wed, 2016-11-23 at 11:47 +0100, Richard Levitte wrote:
> >
> > Right...
> >
> > But then, embedding everything in an OCTET STRING isn't exactly a
> > novel idea either. How do we discern a DER encoded TSS KEY BLOB
> > from whatever else that had the same "novel" idea? An OCTET STRING
> > is an OCTET STRING is an OCTET STRING... See the dragons hovering
> > over there? ;-)
>
> We don't. Crap like that is auto-detected in PEM form only. And yes,
> it *really* should have used the TssBlob structure, not just the
> OCTET STRING.
Well, not that I'm advocating doing this, but for TPM keys we actually can. The binary content is recognisable even if it just contains a TPM_KEY12 structure. The first two bytes are a fixed tag, the second two must be zero and then we have a set of flags and length fields with fairly restricted value ranges. The encrypted private key, authority and hashes are at the end, so there's an effective and quite long header at the beginning. For an RSA2048 key, the structure will always be 559 bytes long as well.

However, to get back to the plan: you want an additional "do I recognise this PEM" file callback instead of a "try this bio" one. I can code that up and see what it looks like.

James
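A recogniser of the kind James describes, added here as an example; it is not code from this thread or from OpenSSL. It walks a TPM_KEY12 blob field by field using the TPM 1.2 Structures layout, checks the fixed tag (TPM_TAG_KEY12 = 0x0028, a value taken from the TPM 1.2 specification rather than from the thread), the zero fill word, and the restricted ranges of the usage, flag, scheme and length fields, and requires the length fields to consume the blob exactly. The sample blob is constructed, with zero placeholders where a real TPM would put the modulus and the encrypted private part, and the helper that computes the expected length for an RSA key with default exponent and no PCR binding comes out at 559 bytes for RSA2048, matching the figure in the post.

```python
"""Recognise a binary TPM 1.2 TPM_KEY12 blob by walking its header.

Added example for the openssl-dev thread; not code from the thread or from
OpenSSL. Field layout and constants follow the TPM 1.2 Structures spec
(an assumption as far as the thread itself is concerned).
"""
import struct

TPM_TAG_KEY12 = 0x0028                      # fixed tag in the first two bytes
TPM_ALG_RSA = 0x00000001                    # algorithmID of the RSA key parms
KEY_USAGE_RANGE = range(0x0010, 0x0017)     # TPM_KEY_SIGNING .. TPM_KEY_MIGRATE
KEY_FLAGS_MASK = 0x0000001F                 # only five TPM_KEY_FLAGS bits are defined
AUTH_DATA_USAGE_VALUES = {0x00, 0x01, 0x03} # never / always / privUseOnly
RSA_PARMS_LEN = 12                          # keyLength + numPrimes + exponentSize


class NotATpmKey12(ValueError):
    """Raised when the bytes do not look like a TPM_KEY12."""


def parse_tpm_key12(blob):
    """Return the header fields of a TPM_KEY12, or raise NotATpmKey12.

    Every fixed value and length field is range-checked and the length
    fields must consume the blob exactly, so a successful parse is a
    reasonably strong signal that the bytes really are a TPM key blob.
    """
    off = 0

    def take(fmt):
        nonlocal off
        size = struct.calcsize(fmt)
        if off + size > len(blob):
            raise NotATpmKey12("truncated at offset %d" % off)
        vals = struct.unpack_from(fmt, blob, off)
        off += size
        return vals if len(vals) > 1 else vals[0]

    tag, fill, key_usage = take(">HHH")
    if tag != TPM_TAG_KEY12 or fill != 0:
        raise NotATpmKey12("tag/fill %04x/%04x" % (tag, fill))
    if key_usage not in KEY_USAGE_RANGE:
        raise NotATpmKey12("keyUsage %04x" % key_usage)
    key_flags, auth_data_usage = take(">IB")
    if key_flags & ~KEY_FLAGS_MASK:
        raise NotATpmKey12("keyFlags %08x" % key_flags)
    if auth_data_usage not in AUTH_DATA_USAGE_VALUES:
        raise NotATpmKey12("authDataUsage %02x" % auth_data_usage)
    # TPM_KEY_PARMS followed by TPM_RSA_KEY_PARMS
    alg_id, enc_scheme, sig_scheme, parm_size = take(">IHHI")
    if alg_id != TPM_ALG_RSA or not 1 <= enc_scheme <= 3 or not 1 <= sig_scheme <= 4:
        raise NotATpmKey12("algorithm parms")
    key_bits, num_primes, exponent_size = take(">III")
    if key_bits not in (512, 1024, 2048) or num_primes != 2:
        raise NotATpmKey12("RSA parms")
    if parm_size != RSA_PARMS_LEN + exponent_size or exponent_size > 256:
        raise NotATpmKey12("parmSize/exponentSize")
    off += exponent_size          # exponent bytes; absent for the default 65537
    pcr_info_size = take(">I")
    if pcr_info_size > 512:       # sanity bound; a TPM_PCR_INFO_LONG is far smaller
        raise NotATpmKey12("PCRInfoSize")
    off += pcr_info_size
    pub_len = take(">I")          # TPM_STORE_PUBKEY: modulus must match keyLength
    if pub_len != key_bits // 8:
        raise NotATpmKey12("pubKey length")
    off += pub_len
    enc_len = take(">I")          # encData must run exactly to the end of the blob
    if off + enc_len != len(blob):
        raise NotATpmKey12("encDataSize does not match blob length")
    return {"key_usage": key_usage, "key_flags": key_flags, "key_bits": key_bits,
            "pcr_info_size": pcr_info_size, "enc_data_size": enc_len}


def is_tpm_key12(blob):
    """Boolean form of the recogniser, shaped like a 'do I recognise this?' hook."""
    try:
        parse_tpm_key12(blob)
        return True
    except NotATpmKey12:
        return False


def expected_rsa_key12_length(bits):
    """Blob length for default exponent, no PCR binding and a private part the
    size of the modulus: header 11 + KEY_PARMS 12 + RSA parms + PCR 4 + two
    length-prefixed modulus-sized fields. 559 for RSA2048."""
    n = bits // 8
    return 11 + 12 + RSA_PARMS_LEN + 4 + (4 + n) + (4 + n)


def build_sample_key12(bits=2048):
    """Constructed sample blob; zeros stand in for the modulus and the
    TPM-encrypted private part."""
    n = bits // 8
    header = struct.pack(">HHHIB", TPM_TAG_KEY12, 0,
                         0x0010,       # TPM_KEY_SIGNING
                         0x00000002,   # migratable flag
                         0x01)         # TPM_AUTH_ALWAYS
    parms = struct.pack(">IHHI", TPM_ALG_RSA,
                        0x0003,        # TPM_ES_RSAESOAEP_SHA1_MGF1
                        0x0002,        # TPM_SS_RSASSAPKCS1v15_SHA1
                        RSA_PARMS_LEN)
    rsa_parms = struct.pack(">III", bits, 2, 0)   # 2 primes, default exponent
    pcr_info = struct.pack(">I", 0)               # no PCR binding
    pubkey = struct.pack(">I", n) + b"\x00" * n
    enc_data = struct.pack(">I", n) + b"\x00" * n
    return header + parms + rsa_parms + pcr_info + pubkey + enc_data
```

The exact-length requirement at the end is what makes this usable as a sniffer rather than a parser: a DER SEQUENCE, a PKCS#8 blob or a random file with a plausible first word will fail one of the range checks or leave bytes over, while a genuine blob is consumed precisely.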
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev