Menu
▾
▴
Re: [Linux-ima-devel] Query about ditital signature format (v1 and v2)
|
From: Dmitry K. <dmi...@gm...> - 2013-05-31 09:44:43
|
Hello Vivek, On Thu, May 30, 2013 at 6:44 PM, Vivek Goyal <vg...@re...> wrote: > Hi Dmitry, > > I was going through the evmutils code and have few questions. Would be > great if you could help me out here. > > I noticed that both for v1 and v2 of digital signauture we store the > length of signature. > > For v1 we seem to be storing bit length (and not byte length) while > for V2 we seem to be storing byte length. Comment says that it is to > make it compatible with gnupg. > > For v1: > > /* we add bit length of the signature to make it gnupg compatible > * */ > blen = (uint16_t *) (sig + sizeof(*hdr)); > *blen = __cpu_to_be16(len << 3); > > > For v2: > > /* we add bit length of the signature to make it gnupg compatible > * */ > hdr->sig_size = __cpu_to_be16(len); > > > Few queries. > > - Is it intentional that for V2 we store the length in bytes and not bits. > > - Is there any documentation which explains gnupg signature format and it > requirements for storing length of signature. > Using bits was a very old legacy decision based on some very old code from digsig project or so. There is a function in the mpilib which reads bits... In fact it has nothing to do with gpg... > - Storing sizse in bits with-in 2 bytes means that signature can not exceed > the size of 32 bytes. I am not sure if that's good enough or not. > When measuring in bytes, 2 bytes it can hold up 64k. When measuring in nits, 2 bytes can 64k >> 3 - up to 8k. Right? Signature is under 1k now... > - What does gnupg compatible mean here? Can I take this sigunature and > pass as detached signature to gnupg utils and they can verify this > signature against a given file? It means nothing.. just ignore that comment. it is not possible.. signature header format is different... BUT RSA signature itself is a usual signature (RSA sign). What do you want to achieve? > > Thanks > Vivek |
