Stefan,

On Wed, May 05, 2021 at 04:15:02AM +0300, Vitaly Chikunov wrote:
> On Tue, May 04, 2021 at 09:04:44PM -0400, Stefan Berger wrote:
> > On 5/4/21 6:27 PM, Vitaly Chikunov wrote:
> > > On Tue, May 04, 2021 at 09:38:06AM -0400, Stefan Berger wrote:
> > > > On 5/4/21 12:33 AM, Vitaly Chikunov wrote:
> > > > I suppose if there's an
> > > > appended X509 in the private key file as well then only one function should
> > > > be necessary to extract the x509 cert from the files. That function should
> > > > be able to handle PEM and DER format at the same time. Have you tried
> > > > extracting the x509 cert from the private key file using that other function
> > > > in 2/3 yet?
> > > Excuse me, I don't understand what you are talking about in this note.
> > > 2/3 does not read private keys. Where and why should there be one function?
> > > And what other function?
> >
> > It should be possible to combine your functions extract_keyid (2/3) and
> > read_keyid (3/3) into a single function that can handle PEM files containing
> > X509 certs as well as DER files. It's two times very similar code and the
> > function that can handle DER and PEM should be able to handle PEM files with
> > private keys + X509 certs.
>
> I see. There should be a very generic function that can read fd, FILE,
> bio, and memory region, and also can parse DER, PEM, and combined PEMs.

Implemented in [PATCH v3 2/3], but now there are some problems.

ima_read_keyid() is called with different intentions from evmctl and
from libimaevm. The call from evmctl is an explicit user intention (to
read a cert) and should produce error messages for failures. The call
from calc_keyid_v2() is best effort (and can be thought of as a side
effect) and should be as quiet as possible. Also, in the second case it
shall not try to load a DER certificate.

Vitaly
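As an added example (not code from ima-evm-utils or from this thread), here is a Python sketch of the single generic reader discussed above: it accepts raw DER, a PEM certificate, or a combined PEM holding a private key plus certificate, and it separates the two calling intentions with a strict flag (an explicit user request logs and raises on failure; the best-effort side-effect call stays quiet and returns nothing) together with an allow_der switch so the best-effort path never tries to load a DER certificate. The function names, the strict/allow_der/log parameters and the certificate bytes are all constructed here; the bytes are a placeholder DER SEQUENCE, not a real X.509 certificate.

```python
"""Added example (not ima-evm-utils code): one reader for DER, PEM and
combined PEM inputs, with an explicit vs best-effort calling mode."""
import base64
import binascii
import re
from typing import Callable, List, Optional

# Matches every CERTIFICATE block; PRIVATE KEY or other blocks in a combined
# PEM file are simply skipped.
_PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


class CertReadError(Exception):
    """Raised only in strict (explicit user intention) mode."""


def looks_like_der_sequence(buf: bytes) -> bool:
    """Cheap sanity check: outer tag is SEQUENCE (0x30) and the encoded
    length accounts for exactly the rest of the buffer."""
    if len(buf) < 2 or buf[0] != 0x30:
        return False
    first = buf[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: n length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            return False
        length = int.from_bytes(buf[2:2 + n], "big")
        header = 2 + n
    return header + length == len(buf)


def read_certs(data: bytes, *, allow_der: bool = True, strict: bool = False,
               log: Optional[Callable[[str], None]] = None) -> List[bytes]:
    """Return the DER encoding of every certificate found in `data`.
    strict=True : failures are logged and raise CertReadError (evmctl-style).
    strict=False: failures return [] quietly (best-effort side effect).
    allow_der=False: never interpret raw bytes as a DER certificate."""
    def fail(msg: str) -> List[bytes]:
        if log is not None:
            log(msg)
        if strict:
            raise CertReadError(msg)
        return []

    certs: List[bytes] = []
    for m in _PEM_CERT_RE.finditer(data):
        body = b"".join(m.group(1).split())      # drop newlines/whitespace
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            return fail("malformed base64 in CERTIFICATE block")
        if not looks_like_der_sequence(der):
            return fail("CERTIFICATE block does not decode to a DER SEQUENCE")
        certs.append(der)
    if certs:
        return certs
    if b"-----BEGIN " in data:
        # PEM input (e.g. a private key only) with no certificate block.
        return fail("PEM input contains no CERTIFICATE block")
    if allow_der and looks_like_der_sequence(data):
        return [data]
    return fail("input is neither PEM nor a DER SEQUENCE")


# Constructed stand-in for a certificate body: a DER SEQUENCE holding one
# INTEGER.  It is NOT a real X.509 certificate, just enough to exercise the
# format detection above.
FAKE_CERT_DER = bytes.fromhex("3003020105")


def _pem_block(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in a PEM block with the given label (constructed)."""
    b64 = base64.encodebytes(der)             # wrapped lines, trailing newline
    return (b"-----BEGIN " + label.encode() + b"-----\n" + b64
            + b"-----END " + label.encode() + b"-----\n")


KEY_ONLY_PEM = _pem_block("PRIVATE KEY", b"\x30\x00")   # constructed, not a key
COMBINED_PEM = KEY_ONLY_PEM + _pem_block("CERTIFICATE", FAKE_CERT_DER)

if __name__ == "__main__":
    # Explicit intention: messages and errors are wanted.
    print(read_certs(COMBINED_PEM, strict=True, log=print))
    # Best-effort side effect: no DER fallback, no messages, just [].
    print(read_certs(KEY_ONLY_PEM, allow_der=False))
```

Reading from a memory region is enough to cover the fd, FILE and BIO cases, since each caller can slurp its source into bytes first; in the real tool the parsing itself would be delegated to OpenSSL (d2i_X509 for DER, PEM_read_bio_X509 for PEM), and the two flags are what keep the evmctl and calc_keyid_v2() behaviours apart.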