ECC-step3: extra import/export (ASN.1 related) #187
```c
case LTC_ASN1_BOOLEAN:
    z = inlen;
    if ((err = der_decode_boolean(in + x, z, ((int *)data))) != CRYPT_OK) {
        if (!ordered || list[i].optional) { continue; }
```
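Review bot: the failure branch after der_decode_boolean() takes `continue` for every non-CRYPT_OK result whenever `!ordered` or `list[i].optional` holds, so a BOOLEAN that is present but malformed is silently skipped rather than reported. Consider distinguishing "item absent" (skip and leave it unused) from "item present but corrupt" (propagate `err`), otherwise callers cannot tell a missing optional item from damaged input.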
was this a bug before or this one now?
Well, I am not sure.
Looking at the code, I believe that the missing `if (!ordered) { continue; }` was a bug.
```c
        goto LBL_ERR;
    }
    y = 0; z = 0;
    if ((err = der_length_sequence_ex(list, inlen, &y, &z)) != CRYPT_OK) return CRYPT_INVALID_ARG;
```
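Review bot: on the der_length_sequence_ex() failure path the return value is captured in `err` but the function then returns the constant `CRYPT_INVALID_ARG`, so the caller loses the actual error code (and the assignment to `err` is dead). Returning `err` here would propagate the real cause.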
👍 I like this change!
Can I extract this single change as a separate "small fix" PR?
sure!
```c
case LTC_ASN1_CONTEXT_SPECIFIC:
case LTC_ASN1_EOL:
case LTC_ASN1_TELETEX_STRING:
default:
```
fixed
IIUC this implements context-specific tag encoding differently than in the flexi decoder (it's stored in

Regarding context-specific tag encoding: I am in no way an expert at ASN.1; when I created the patch back in 2014 the only goal was to be able to load/save EC keys, which I somehow managed. But some parts are rather hacks/workarounds. If you want some testing keys, go to https://github.com/DCIT/perl-CryptX/tree/master/t/data and take any of the ECC related
```c
        tmptag[4] = (unsigned char)(z&255);
        y = 5;
    }
    memmove(out + x + y, out + x, z);
```
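Review bot: the memmove() shifts `z` payload bytes forward by the freshly computed tag length `y` (up to 5 bytes), so the write extends to `out + x + y + z`; nothing in the visible lines checks that this still fits the caller's output length, so make sure `outlen` is validated against `x + y + z` before the move. Using the XMEMMOVE() wrapper, as suggested above, also keeps it consistent with the rest of the code base.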
XMEMMOVE()?
As of the comment on the
I'm also no expert at ASN.1 but I'll have a look when I have the time. Would it probably make sense to split this PR up into two parts? One with the changes for
```c
        break;
    }

    /* some items may be optional during import */
```
is this one correct? this looks fishy to me as the used field is only used when decoding but der_length_sequence_ex() is used when encoding
The der_length_sequence (which calls der_length_sequence_ex) is called during decoding - see der_decode_sequence_ex.c.
Possible theory: it seems that during decode operation I use optional to indicate that it is ok if the item is missing and used to indicate whether it was really decoded.
Yeah sure, I missed that. Sorry.
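To make the `optional` (input: the item may be absent) versus `used` (output: the item was really decoded) distinction from the discussion above concrete, here is an added, self-contained model of a SEQUENCE walker; it is not libtomcrypt's decoder, the `item_t`/`decode_sequence` names are invented, and it assumes short-form DER lengths only.

```c
#include <stddef.h>
enum { TAG_BOOLEAN = 0x01, TAG_INTEGER = 0x02, TAG_OCTET = 0x04, TAG_SEQ = 0x30 };
typedef struct {
    unsigned char tag;        /* expected tag of this item */
    int optional;             /* input: may be absent (like ltc_asn1_list.optional) */
    int used;                 /* output: was actually decoded (like ltc_asn1_list.used) */
    const unsigned char *val; /* output: item content */
    size_t len;               /* output: content length */
} item_t;
/* Walk a DER SEQUENCE (short-form lengths only, an assumption for brevity) against
 * `list` in order. 0 = ok, -1 = malformed input, -2 = mandatory item missing. */
int decode_sequence(const unsigned char *in, size_t inlen, item_t *list, size_t n)
{
    size_t x = 2, i;
    if (inlen < 2 || in[0] != TAG_SEQ || in[1] > 0x7f || in[1] != inlen - 2) return -1;
    for (i = 0; i < n; i++) list[i].used = 0;   /* nothing decoded yet */
    for (i = 0; i < n; i++) {
        if (x == inlen) {                        /* input exhausted */
            if (!list[i].optional) return -2;
            continue;                            /* absent optional item: used stays 0 */
        }
        if (x + 2 > inlen || in[x + 1] > 0x7f || x + 2 + in[x + 1] > inlen) return -1;
        if (in[x] != list[i].tag) {              /* tag mismatch: only allowed if optional */
            if (!list[i].optional) return -2;
            continue;                            /* keep x: retry this element as next item */
        }
        list[i].val = in + x + 2;
        list[i].len = in[x + 1];
        list[i].used = 1;
        x += 2 + in[x + 1];
    }
    return x == inlen ? 0 : -1;                  /* trailing bytes are an error */
}
/* Constructed sample inputs (not from the PR): INTEGER 5, optional BOOLEAN, OCTET STRING "ab". */
static const unsigned char seq_no_bool[]   = {0x30,0x07, 0x02,0x01,0x05, 0x04,0x02,'a','b'};
static const unsigned char seq_with_bool[] = {0x30,0x0a, 0x02,0x01,0x05, 0x01,0x01,0xff, 0x04,0x02,'a','b'};
static const unsigned char seq_no_octet[]  = {0x30,0x03, 0x02,0x01,0x05};
/* Decode against {INTEGER, BOOLEAN OPTIONAL, OCTET STRING}; returns a bitmask of which
 * items ended up with used == 1 (bit i = list[i].used), or the negative error code. */
int which_items_used(const unsigned char *in, size_t inlen)
{
    item_t list[3] = { {TAG_INTEGER, 0, 0, 0, 0}, {TAG_BOOLEAN, 1, 0, 0, 0}, {TAG_OCTET, 0, 0, 0, 0} };
    int err = decode_sequence(in, inlen, list, 3), mask = 0;
    size_t i;
    if (err != 0) return err;
    for (i = 0; i < 3; i++) if (list[i].used) mask |= 1 << i;
    return mask;
}
```

The point of the three inputs is that an absent optional BOOLEAN leaves its `used` flag clear while decoding still succeeds, whereas an absent mandatory OCTET STRING is an error.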
Now rebased on top of
@sjaeckel we should rebase this one onto a develop I have created a branch

IIUC that's only 1 commit which is left and I've already rebased locally, so go ahead

Don't you have some pkcs8 changes/improvements locally? I have not done any coding in this PR/branch since you have asked me whether you can work on pkcs8. Therefore I think it would be better if you

yeah, but nothing ready for publishing yet as I didn't really have the time ...
OK, now rebased. Is it worth splitting this PR into:
?
@sjaeckel could you please review: ecc_export_openssl + ecc_import_openssl + ecc_import_x509?
src/pk/ecc/ecc_import_openssl.c
```c
len_xy = sizeof(bin_xy);
len_oid = 16;
err = x509_decode_subject_public_key_info(in, inlen, PKA_EC, bin_xy, &len_xy,
```
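Review bot: `len_oid = 16;` is a bare magic number for the capacity of the OID buffer passed to x509_decode_subject_public_key_info(), while `len_xy` on the line above is correctly derived with `sizeof(bin_xy)`; derive `len_oid` from the OID array the same way so the two cannot drift apart when the buffer size changes.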
What do you think about factoring-out those tries in their own functions?
_ecc_import_x509_with_oid()
_ecc_import_x509_with_curve()
ecc_import_subject_public_key_info() /* private API which calls the two above */
ecc_import_private_with_oid() /* private API */
ecc_import_private_with_curve() /* private API */
This would also allow to call ecc_import_subject_public_key_info() from ecc_import_x509() instead of this multi-purpose import function.
Frankly, it looks like too much work for more or less no gain. As it will not be part of the public API we can change it any time later.
My doubts here are more about whether ecc_export_openssl or ecc_export_<something_else> (and the same for ecc_import_openssl) would be better. Or generally whether the new API is fine as changing/renaming it later will be a pain.
As you can see from the code the available options for saving/loading an ecc key are pretty wide. For ecc_import_openssl I have chosen the approach "load whatever DER the openssl is able to save" therefore the name and therefore a single, maybe slightly overloaded, import function.
> Frankly, it looks like too much work for more or less no gain
I think 30 minutes for a bit more readability is well invested.
Why I really did it was that I didn't like the fact that it would've been possible to import a private-key from a SubjectPublicKeyInfo.
👍 Looks good. Thank you.
... into several smaller functions
This PR was extracted from #65
I have written this code in 2014 (just an excuse in case it starts to seem that I am not completely sure what these changes are good for).
The main reason for this patch was ASN.1 support for importing/exporting EC keys which are stored in ASN.1 structures using esoteric stuff like context specific tags and optional items in ASN.1 sequences.
You will notice at first sight the ugly duplication in the API that I have introduced (to keep backwards compatibility of the "non *_ex" functions):
and