On 05/01/2015 09:21 AM, David Howells wrote:
>> + .verify = RSA_verify_signature,
>> + .capabilities = PKEY_CAN_VERIFY,
>
> Can we keep .verify_signature as the name of the first. The second is
> redundant given the function pointers.

I'm thinking that .verify will be more generic. If in the future we would like to implement something that verifies not a signature, but for instance whether a number is a prime, then we can register a "prime" alg that implements verify and returns true if a number is a prime.

> Given that X.509 certs can hang around for a very long time, having a tfm in
> the cert is probably a bad idea as it may pin resources such as crypto h/w.
>
>> - ctx->cert->pub->pkey_algo = PKEY_ALGO_RSA;
>> -
>
> I think you need this rather than the above. You should only get the tfm when
> you actually need it.

That's a good point.
Thank you David for all your comments. I'll rework my patches and send v2 soon.
I'll also try to integrate it with your sign-file as you suggested.

Thanks
T