Re: [PATCH 00/22] KEYS: Support TPM-wrapped key and crypto ops
From: David Howells
Date: Tue Sep 18 2018 - 13:18:43 EST
Denis Kenzior <denkenz@xxxxxxxxx> wrote:
> > Yes. It shouldn't be much code, either. You still have to check for X.509
> > DER since the kernel currently supports that.
>
> For reasons of backward compatibility, correct? The kernel also has
> mscode.asn1 which we would need to support as well. Since we can't break
> compatibility then perhaps this doesn't buy us a whole lot in the end.
Don't worry about mscode - that's not an asymmetric key parser. That's only
ever used directly from verify_pefile_signature().
Currently, we have to retain support for DER-encoded X.509.
But there's no reason we can't have a PEM parser that decodes the PEM and
selects X.509, PKCS#8 or TPM based on the ascii header in that. PKCS#8 and
TPM don't need to take DER directly.
David