[Opendnssec-develop] hsm-toolkit questions

Rick van Rein rick at openfortress.nl
Wed Mar 11 14:19:03 UTC 2009


John,

> +  /* Hash the modulus bits */
> +  SHA1_Update(&sha1ctx, &keysize, sizeof (keysize));
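
Review bot: hashing `&keysize` for `sizeof (keysize)` bytes feeds the integer's in-memory representation to SHA1_Update, so the resulting fingerprint depends on the host's byte order and on the width of keysize's type; the same key fingerprinted on a little-endian i386 and a big-endian PowerPC host (or on ILP32 versus LP64 if keysize is a long or size_t) yields different digests. Suggest serialising keysize into a fixed-width, fixed-endian buffer first, e.g. `unsigned char kbuf[4]` filled with the big-endian bytes of keysize via shifts, then `SHA1_Update(&sha1ctx, kbuf, sizeof kbuf);`. The comment `/* Hash the modulus bits */` also reads as if the modulus itself were hashed at this point, while the call only hashes its bit length; rewording it to say the key size is hashed would avoid confusion.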

Not seeing the keysize in this patch, I'm assuming it is a value
of platform-independent endianness?  We don't want to get into
trouble when moving the signing service from an i386 Mac to a
PowerPC Mac, so to speak.  Also, the sizeof (keysize) is the
same for all platforms, I hope?

Actually, this same reasoning also applies to strengthen my
previous remark about hashing XML representations of keys.
Lacking a canonical form for XML (even if the name is coined
for something that approaches it) we cannot assume that the
"canonical" form of any XML document yields the same hash.

> +  for (j = 0; j < SHA_DIGEST_LENGTH; j++) {
> +    printf("%02x", md[j]);
> +  }
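
Review bot: `printf("%02x", md[j])` only prints two digits per byte if `md` is declared `unsigned char[SHA_DIGEST_LENGTH]`, the type SHA1_Final writes into; with plain `char` on a platform where char is signed, bytes of 0x80 and above are sign-extended to int and print as `ffffff80` rather than `80`, giving fingerprints of varying length. The declaration is outside this hunk, so please confirm it or cast explicitly: `printf("%02x", (unsigned char) md[j]);`. The loop also emits no trailing newline; if the output is meant for a human rather than for concatenation into something else, add `putchar('\n');` after the loop.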

I also agree that hex is more practical for us developers, and
don't mind a few bytes being wasted on it.  Not even if the
context in which it is stored is as scarce in memory as a token.

Cheers,
 -Rick
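
The endianness and sizeof concern raised above, as an added example that is not part of the original message or of the hsm-toolkit code. It is written in Python with hashlib as a stand-in for the patch's OpenSSL SHA1_Update calls so that it runs stand-alone; the sample modulus and keysize are constructed values, not a real key, and the host names in compare_hosts are hypothetical labels for the byte order and integer width being modelled.

```python
import hashlib
import struct

# Constructed sample input (not a real key): a 2048-bit "modulus" made of filler
# bytes, paired with its bit length as the keysize value the patch hashes.
SAMPLE_KEYSIZE = 2048
SAMPLE_MODULUS = bytes((i * 7 + 3) & 0xFF for i in range(256))  # 256 bytes = 2048 bits


def fingerprint_as_patched(keysize: int, modulus: bytes, byteorder: str, width: int = 4) -> str:
    """Model of SHA1_Update(&sha1ctx, &keysize, sizeof (keysize)): the raw in-memory
    bytes of the integer are hashed, so the digest depends on the host byte order
    ('little' or 'big') and on sizeof(keysize) (width: 4 or 8 bytes)."""
    fmt = {("little", 4): "<I", ("big", 4): ">I",
           ("little", 8): "<Q", ("big", 8): ">Q"}[(byteorder, width)]
    h = hashlib.sha1()
    h.update(struct.pack(fmt, keysize))  # exactly the bytes &keysize points at on that host
    h.update(modulus)
    return h.hexdigest()


def fingerprint_canonical(keysize: int, modulus: bytes) -> str:
    """Platform-independent variant: keysize is serialised as a fixed 4-byte big-endian
    field before hashing, whatever the host's int width or endianness, followed by the
    modulus bytes. The hex string matches what the patch's %02x loop prints."""
    if not 0 <= keysize < 2 ** 32:
        raise ValueError("keysize does not fit the 4-byte length field")
    if len(modulus) * 8 < keysize:
        raise ValueError("modulus shorter than declared keysize")
    h = hashlib.sha1()
    h.update(keysize.to_bytes(4, "big"))
    h.update(modulus)
    return "".join(f"{b:02x}" for b in h.digest())  # same output as the printf loop


def compare_hosts(keysize: int = SAMPLE_KEYSIZE, modulus: bytes = SAMPLE_MODULUS) -> dict:
    """Fingerprint one key the way four hypothetical hosts would under the raw-memory
    scheme, plus the canonical scheme; only the canonical value is host-independent."""
    return {
        "i386_4byte": fingerprint_as_patched(keysize, modulus, "little", 4),
        "ppc_4byte": fingerprint_as_patched(keysize, modulus, "big", 4),
        "x86_64_8byte_long": fingerprint_as_patched(keysize, modulus, "little", 8),
        "ppc64_8byte_long": fingerprint_as_patched(keysize, modulus, "big", 8),
        "canonical": fingerprint_canonical(keysize, modulus),
    }


if __name__ == "__main__":
    for host, fp in compare_hosts().items():
        print(f"{host:>18}: {fp}")
```

Running it shows four different digests for the same key under the raw-memory scheme and one stable value from the canonical scheme; the canonical digest happens to coincide with the big-endian 4-byte host only because big-endian 4-byte is the encoding chosen for the length field, which is the point: the encoding must be fixed by the format, not inherited from whichever machine ran the tool.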


