Mimi, On Mon, Jun 17, 2019 at 09:34:46AM -0400, Mimi Zohar wrote: > On Fri, 2019-06-14 at 04:54 +0300, Vitaly Chikunov wrote: > > Convert sign_v2 and related to using more generic EVP_PKEY API instead > > of RSA API. This enables more signatures to work out of the box. > > Please elaborate on "enables more signatures to work out of the box", > perhaps with example(s). Yes, message is split between next commit where it's mentioned that MD4 got fixed. I will also mention EC-RDSA. Basically, anything that OpenSSL supports will work. > I like simple stories, where everything is laid out. Think of a patch > set as a simple story, not a mystery, explaining how you go from point > A to point B. Each patch in the series explains the next step. > > The changes in cmd_import() are nice, straight forward, and easy to > read. Other than the "calc_keyid_v2()" change from passing an RSA key > to pkey key" dependency, this could be a separate patch. > Please see if you could further break this patch up to simplify review. I thought about splitting as much as possible, but didn't not find what to split more. - If we add read_pub_pkey into cmd_import then we can not use old calc_keyid_v2 (which wants RSA). - If we add new calc_keyid_v2 into cmd_import it would require calling read_pub_pkey (and have sign_hash_v2 updated too). - We can not put cmd_import change before 'rsa to pkey' change, because calc_keyid_v2 is also used in new sign_hash_v2. - We can not put cmd_import change after 'rsa to pkey' change, because cmd_import will fail for v2 signatures (which should use PKEY). So I don't see how this is splittable. Thanks,
