diff options
| author | David Howells <dhowells@redhat.com> | 2016-04-06 11:14:24 -0400 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2016-04-06 11:14:24 -0400 |
| commit | bda850cd214e90b1be0cc25bc48c4f6ac53eb543 (patch) | |
| tree | acb936239ac766592c557295aec265ec9a2d04fb /certs | |
| parent | e68503bd6836ba765dc8e0ee77ea675fedc07e41 (diff) | |
PKCS#7: Make trust determination dependent on contents of trust keyring
Make the determination of the trustworthiness of a key dependent on whether
a key that can verify it is present in the supplied ring of trusted keys
rather than whether or not the verifying key has KEY_FLAG_TRUSTED set.
verify_pkcs7_signature() will return -ENOKEY if the PKCS#7 message trust
chain cannot be verified.
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'certs')
| -rw-r--r-- | certs/system_keyring.c | 13 |
1 files changed, 4 insertions, 9 deletions
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index a83bffedc0aa..dc18869ff680 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c | |||
| @@ -121,7 +121,6 @@ late_initcall(load_system_certificate_list); | |||
| 121 | int verify_pkcs7_signature(const void *data, size_t len, | 121 | int verify_pkcs7_signature(const void *data, size_t len, |
| 122 | const void *raw_pkcs7, size_t pkcs7_len, | 122 | const void *raw_pkcs7, size_t pkcs7_len, |
| 123 | struct key *trusted_keys, | 123 | struct key *trusted_keys, |
| 124 | int untrusted_error, | ||
| 125 | enum key_being_used_for usage, | 124 | enum key_being_used_for usage, |
| 126 | int (*view_content)(void *ctx, | 125 | int (*view_content)(void *ctx, |
| 127 | const void *data, size_t len, | 126 | const void *data, size_t len, |
| @@ -129,7 +128,6 @@ int verify_pkcs7_signature(const void *data, size_t len, | |||
| 129 | void *ctx) | 128 | void *ctx) |
| 130 | { | 129 | { |
| 131 | struct pkcs7_message *pkcs7; | 130 | struct pkcs7_message *pkcs7; |
| 132 | bool trusted; | ||
| 133 | int ret; | 131 | int ret; |
| 134 | 132 | ||
| 135 | pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len); | 133 | pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len); |
| @@ -149,13 +147,10 @@ int verify_pkcs7_signature(const void *data, size_t len, | |||
| 149 | 147 | ||
| 150 | if (!trusted_keys) | 148 | if (!trusted_keys) |
| 151 | trusted_keys = system_trusted_keyring; | 149 | trusted_keys = system_trusted_keyring; |
| 152 | ret = pkcs7_validate_trust(pkcs7, trusted_keys, &trusted); | 150 | ret = pkcs7_validate_trust(pkcs7, trusted_keys); |
| 153 | if (ret < 0) | 151 | if (ret < 0) { |
| 154 | goto error; | 152 | if (ret == -ENOKEY) |
| 155 | 153 | pr_err("PKCS#7 signature not signed with a trusted key\n"); | |
| 156 | if (!trusted && untrusted_error) { | ||
| 157 | pr_err("PKCS#7 signature not signed with a trusted key\n"); | ||
| 158 | ret = untrusted_error; | ||
| 159 | goto error; | 154 | goto error; |
| 160 | } | 155 | } |
| 161 | 156 | ||