On Tue, 2022-08-30 at 08:12 -0400, Stefan Berger wrote: > > @@ -747,6 +756,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen, > > */ > > int key2bin(RSA *key, unsigned char *pub) > > { > > +#if CONFIG_SIGV1 > > int len, b, offset = 0; > > struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub; > > const BIGNUM *n, *e; > > @@ -781,10 +791,14 @@ int key2bin(RSA *key, unsigned char *pub) > > offset += len; > > > > return offset; > > +#else > > + return 77; /* SKIP */ > > +#endif > > } > > This function has no callers if CONFIG_SIGV1 is not set and otherwise > it's useless also if someone was a user of the library only. I would > consider ifdef'ing the whole function... Agreed. key2bin() and calc_keyid_v1() are now fully commented out in the next version, as well as cmd_convert() and read_pub_key() as you suggested. > > > > > void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len) > > { > > +#if CONFIG_SIGV1 > > uint8_t sha1[SHA_DIGEST_LENGTH]; > > uint64_t id; > > > > @@ -799,6 +813,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len > > > > if (imaevm_params.verbose > LOG_INFO) > > log_info("keyid-v1: %s\n", str); > > +#endif > > } -- thanks, Mimi
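Review bot: In the second hunk the `#else` branch of key2bin() returns `77`, which a caller cannot tell apart from a 77-byte result, because the enabled path returns `offset` as a length. A library user built without CONFIG_SIGV1 would then read a `pub` buffer that was never written. If a stub is kept at all, it should fail out of band, for example `return -1; /* signature v1 support not compiled in */`, assuming callers treat a negative length as an error. The calc_keyid_v1() hunks have the same shape: with the body compiled out, the function returns without storing anything through `keyid` or `str`, which appear to be its outputs, so a remaining caller would log or compare indeterminate bytes as a key id. Both function bodies run partly outside the quoted hunks, so the other return paths cannot be checked from here.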