git.baikalelectronics.ru Git - kernel.git/commit

author	David Howells <dhowells@redhat.com>
	Tue, 16 Sep 2014 16:36:15 +0000 (17:36 +0100)
committer	David Howells <dhowells@redhat.com>
	Tue, 16 Sep 2014 16:36:15 +0000 (17:36 +0100)
commit	45710593e2d8737c88ccdc9863706c4f48fe7f8e
tree	478af8309836992b40385a1aff6d8eae537d44c4	tree \| snapshot
parent	cece4ad9cf7ecc784ad88647bcc1b8cc1ac9a0d5	commit \| diff

PKCS#7: Better handling of unsupported crypto

Provide better handling of unsupported crypto when verifying a PKCS#7 message.
If we can't bridge the gap between a pair of X.509 certs or between a signed
info block and an X.509 cert because it involves some crypto we don't support,
that's not necessarily the end of the world as there may be other ways points
at which we can intersect with a ring of trusted keys.

Instead, only produce ENOPKG immediately if all the signed info blocks in a
PKCS#7 message require unsupported crypto to bridge to the first X.509 cert.
Otherwise, we defer the generation of ENOPKG until we get ENOKEY during trust
validation.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>

crypto/asymmetric_keys/pkcs7_parser.h		diff \| blob \| history
crypto/asymmetric_keys/pkcs7_trust.c		diff \| blob \| history
crypto/asymmetric_keys/pkcs7_verify.c		diff \| blob \| history
crypto/asymmetric_keys/x509_parser.h		diff \| blob \| history
crypto/asymmetric_keys/x509_public_key.c		diff \| blob \| history