Keys (was Re: Successful LDAP signing test)

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Sat, 20 Feb 2010 00:47:53 -0800 (PST)

So in thinking about this a little more, here's my current favourite
approach.

Right now private keys can only be accepted as PEM format. libcrypto
takes care of the decoding and stripping away of newlines and the
begin/end junk; we just pass it the data the user provided.

Instead, let's say we start accepting either PEM format or base64-encoded
DER format. We auto-select based on whether or not the first five bytes
are "-----" (present => PEM, absent => encoded DER). The former case is
what we have now; in the latter case, we would take care of base64
decoding the input (inside dkim_sign() prior to calling into libcrypto) so
the user doesn't have to worry about preserving or encoding newlines
because they get ignored during the base64 decoding anyway. That would
mean any of these will work:

- PEM (libcrypto handles it)
- base64-encoded DER all on one line
- base64-encoded DER with newlines (which is PEM without the begin/end)

Is this palatable for LDAP admins? Can we get one of those forms without
too much pain on their part?

The only thing we can't take is the raw (binary) DER key. We could do
that too, but it would require an API change to dkim_sign() to accept a
new length parameter for the secret key, which right now is determined
just by calling strlen() on the parameter passed in. In that case we may
as well also add a "format" parameter. This is a major release so if we
want to tinker with the API, now's the time.

What do people think?
Received on Sat Feb 20 2010 - 08:48:15 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:32:52 PST