On 4/27/21 6:26 PM, Vitaly Chikunov wrote:
> Stefan,
>
> On Tue, Apr 27, 2021 at 03:31:32PM -0400, Stefan Berger wrote:
>> Since the new API call is not used by evmctl, implement a test program
>> 'create_ima_signature' to use it. Extend _evmctl_sign to also create
>> IMA v2 signatures with RSA keys using this test program and compare the
>> results.
>>
>> Evmctl's signature creation path is unmodified at this point, so the tests
>> ensure that the existing sign_hash_v2 and the new sign_hash_v2_pkey create
>> identical (RSA) signatures.
>>
>> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
>> ---
>> tests/Makefile.am | 6 ++
>> tests/create_ima_signature.c | 111 +++++++++++++++++++++++++++++++++++
>
> Why not add this to evmctl?
evmctl has 3 callers to the 'competing' function sign_hash(), all of
which of course let the code path under sign_hash() read the key from
the file (and access the keypassword via a global variable :(( ). I
didn't want to pull up the reading of the key into evmctl, which we
would have to do in case we wanted to call this new function. Also then
the question is which callers to replace? All of them, or which ones?