[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

Salz, Rich rsalz at akamai.com
Tue Nov 22 18:03:31 UTC 2016


> > It does this by trying to interpret the blob against known ASN.1
> > definitions, and will only succeed when there's a complete match.  I'm
> > not terribly worried...

I am.  With locales and UTF8, the old simple days of text/binary are probably long gone.  And if any ASN.1 definition has extensibility in it, then we have to be concerned about things being wrapped, something like prefix attacks, and so on.  
 
> And even if you were, you should be *more* worried about making
> *applications* do it for themselves :)

I cannot control what an application does, and I am not responsible for any other application's reputation.  I do have a strongly vested stake in OpenSSL's. 

It is already possible to write a utility library that tries everything in turn, and returns an enumeration that says "seems to be an X509 certificate" etc.  And then another routine that takes that enumeration and the blob and calls the right decoder.  I would be okay with that, even if it were part of OpenSSL.  I am opposed to guessing and parsing in one step, and would -1 any PR for that, forcing a team discussion.
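The two-step split described in the paragraph above, as an added example that is not part of the original message and not OpenSSL code: `classify` tries each known type in turn and only reports an enumeration value, while `decode` parses strictly as the type the caller names. The function names, the `Kind` enumeration and the simplified field shapes are assumptions made for illustration, and the sample blobs are constructed.

```python
# Added sketch: every name is hypothetical, none of this is OpenSSL API.
from contextlib import suppress
from enum import Enum

Kind = Enum("Kind", "UNKNOWN X509_CERT PKCS8_KEY RSA_PRIVATE_KEY")
SHAPES = {  # tags of each type's mandatory top-level fields (simplified)
    Kind.X509_CERT: [0x30, 0x30, 0x03],  # tbsCertificate, sigAlg, signature
    Kind.PKCS8_KEY: [0x02, 0x30, 0x04],  # version, algorithm, privateKey
    Kind.RSA_PRIVATE_KEY: [0x02] * 9,    # version, n, e, d, p, q, dP, dQ, qInv
}
SAMPLE_CERT = bytes.fromhex("3007 3000 3000 030100")   # constructed, empty fields
SAMPLE_PKCS8 = bytes.fromhex("3007 020100 3000 0400")  # constructed, empty fields

def tlv(buf, off=0):  # one definite-length DER TLV -> (tag, value, next_offset)
    if len(buf) - off < 2:
        raise ValueError("truncated header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length >= 0x80:  # long form: low 7 bits count the length bytes
        nb = length & 0x7F
        if not 0 < nb <= 4 or len(buf) - off < nb:
            raise ValueError("indefinite, oversized or truncated length")
        length, off = int.from_bytes(buf[off:off + nb], "big"), off + nb
    if len(buf) - off < length:
        raise ValueError("truncated value")
    return tag, buf[off:off + length], off + length

def decode(kind, blob):  # step 2: strict decoder for the named type, no fallback
    tag, body, end = tlv(blob)
    if tag != 0x30 or end != len(blob):  # trailing bytes are refused
        raise ValueError("need one SEQUENCE spanning the whole blob")
    fields, off = [], 0
    while off < len(body):
        ftag, value, off = tlv(body, off)
        fields.append((ftag, value))
    if [t for t, _ in fields] != SHAPES.get(kind):
        raise ValueError(f"blob is not a {kind.name}")
    return fields

def classify(blob):  # step 1: try each type in turn, report the match only
    for kind in SHAPES:
        with suppress(ValueError):
            decode(kind, blob)
            return kind
    return Kind.UNKNOWN

def load_private_key(blob):  # caller policy sits between the two steps
    kind = classify(blob)
    if kind not in (Kind.PKCS8_KEY, Kind.RSA_PRIVATE_KEY):
        raise ValueError(f"refusing {kind.name}: expected a private key")
    return kind, decode(kind, blob)
```

Because the guess is returned to the caller before anything is decoded, `load_private_key(SAMPLE_CERT)` fails on policy rather than handing back an object of an unexpected type.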


