[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl
Salz, Rich
rsalz at akamai.com
Wed Nov 23 14:41:14 UTC 2016
> Essentially, you're suggesting that we split out the matching part of the d2i
> functions and put that to good use. Or do you have some other idea, along
> the lines if magic?
NO. I am suggesting add one new routine that tries varies "convert to native" and returns which conversion worked. And then another new routine that takes that return value and calls that conversion routine directly. The cost of doing this is one extra d2i. By the application. And that first routine should ideally return a bitmask of all functions that succeeded so that handling ambiguities are built-in to the API.
> rsalz> Security libraries *should not guess.*
>
> Isn't telling the application "we think it's a FOO" guessing? What's the
> application going to do, go "naaaah, methinks it's a BAR" and try to decode
> the blob as that (and most probably fail) rather than FOO?
It might. Or it might throw up its hands and give up. Or it might check to see if the file is ambiguous and do something. The point is, it is not openssl that is doing that.
More information about the openssl-dev
mailing list