Am Sonntag, 2. August 2015, 21:16:47 schrieb Marcel Holtmann: Hi Marcel, >Hi Tadeusz, > >I have been working with the AF_ALG patches for akcipher lately and I find >the RSA set key function way too limited. Especially the fact that it uses a >format that I can not find a single reference / standard for worries me. > >RsaKey ::= SEQUENCE { > n INTEGER ({ rsa_get_n }), > e INTEGER ({ rsa_get_e }), > d INTEGER ({ rsa_get_d }) >} Note, the kernel uses BER encoding. > >So where is this format coming from? I can find the RSA Public Key format >which is a sequence of n and e. If you have a DER encoded RSA public key, >then you can use it to encrypt and verify. So that is okay. > >However if you have a standard Public Key that OpenSSL would create by >default, then things do not work since that is actually a more complicated >DER encoded format. However in the end, I would expect that we could also >load such a key here. The RSA set key function should auto detect it and >extract the right information if it is marked as rsaEncryption type. Do you propose to add a DER parser to the kernel? I feel that the BER parser is complex enough. If somebody has a DER key, user space should have the code to convert it to BER. > >My biggest concern however is that this does not reassemble the RSA Private >Key at all. That key format is a sequence of 9 integers starting with a >version. So logically I would expect that I can just set a RSA Private Key >and then utilize the encrypt and decrypt features of the RSA cipher. Why do you think this is not possible? testmgr.h seems to exactly do that. > >When it comes to exposing RSA via AF_ALG and akcipher, I really want standard >format for the set key operation. Asking userspace to construct this Linux >kernel only key format is not helpful. You want to be able to just load the >RSA Private Key in DER format and be done with it. I am all for it. BER is a standard, is it not? Yes, I have not yet seen a converter for DER to BER (and I have not searched for one either). But I feel DER should be left to user space. > >Any ideas on how we can fix this to allow a sensible userspace API? I actually planned to add a BER encoder to my libkcapi. I feel that should be right place to provide that code, including a potential DER to BER converter. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html