11 files changed, 296 insertions, 140 deletions

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 71f337aefa39..4ae5734fb473 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -1402,6 +1402,9 @@ config CRYPTO_USER_API_SKCIPHER
           This option enables the user-spaces interface for symmetric
           key cipher algorithms.
 
+config CRYPTO_HASH_INFO
+        bool
+
 source "drivers/crypto/Kconfig"
 source crypto/asymmetric_keys/Kconfig
 
diff --git a/crypto/Makefile b/crypto/Makefile
index 80019ba8da3a..b3a7e807e08b 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -104,3 +104,4 @@ obj-$(CONFIG_CRYPTO_USER_API_SKCIPHER) += algif_skcipher.o
 obj-$(CONFIG_XOR_BLOCKS) += xor.o
 obj-$(CONFIG_ASYNC_CORE) += async_tx/
 obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys/
+obj-$(CONFIG_CRYPTO_HASH_INFO) += hash_info.o
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index 6d2c2ea12559..03a6eb95ab50 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -12,6 +12,8 @@ if ASYMMETRIC_KEY_TYPE
 config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
         tristate "Asymmetric public-key crypto algorithm subtype"
         select MPILIB
+        select PUBLIC_KEY_ALGO_RSA
+        select CRYPTO_HASH_INFO
         help
           This option provides support for asymmetric public key type handling.
           If signature generation and/or verification are to be used,
@@ -20,8 +22,8 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
 
 config PUBLIC_KEY_ALGO_RSA
         tristate "RSA public-key algorithm"
-        depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
         select MPILIB_EXTRA
+        select MPILIB
         help
           This option enables support for the RSA algorithm (PKCS#1, RFC3447).
 
diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
index cf807654d221..b77eb5304788 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -209,6 +209,7 @@ struct key_type key_type_asymmetric = {
         .match          = asymmetric_key_match,
         .destroy        = asymmetric_key_destroy,
         .describe       = asymmetric_key_describe,
+        .def_lookup_type = KEYRING_SEARCH_LOOKUP_ITERATE,
 };
 EXPORT_SYMBOL_GPL(key_type_asymmetric);
 
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index cb2e29180a87..97eb001960b9 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -22,29 +22,25 @@
 
 MODULE_LICENSE("GPL");
 
-const char *const pkey_algo[PKEY_ALGO__LAST] = {
+const char *const pkey_algo_name[PKEY_ALGO__LAST] = {
         [PKEY_ALGO_DSA]         = "DSA",
         [PKEY_ALGO_RSA]         = "RSA",
 };
-EXPORT_SYMBOL_GPL(pkey_algo);
+EXPORT_SYMBOL_GPL(pkey_algo_name);
 
-const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
-        [PKEY_HASH_MD4]         = "md4",
-        [PKEY_HASH_MD5]         = "md5",
-        [PKEY_HASH_SHA1]        = "sha1",
-        [PKEY_HASH_RIPE_MD_160] = "rmd160",
-        [PKEY_HASH_SHA256]      = "sha256",
-        [PKEY_HASH_SHA384]      = "sha384",
-        [PKEY_HASH_SHA512]      = "sha512",
-        [PKEY_HASH_SHA224]      = "sha224",
+const struct public_key_algorithm *pkey_algo[PKEY_ALGO__LAST] = {
+#if defined(CONFIG_PUBLIC_KEY_ALGO_RSA) || \
+        defined(CONFIG_PUBLIC_KEY_ALGO_RSA_MODULE)
+        [PKEY_ALGO_RSA]         = &RSA_public_key_algorithm,
+#endif
 };
-EXPORT_SYMBOL_GPL(pkey_hash_algo);
+EXPORT_SYMBOL_GPL(pkey_algo);
 
-const char *const pkey_id_type[PKEY_ID_TYPE__LAST] = {
+const char *const pkey_id_type_name[PKEY_ID_TYPE__LAST] = {
         [PKEY_ID_PGP]           = "PGP",
         [PKEY_ID_X509]          = "X509",
 };
-EXPORT_SYMBOL_GPL(pkey_id_type);
+EXPORT_SYMBOL_GPL(pkey_id_type_name);
 
 /*
  * Provide a part of a description of the key for /proc/keys.
@@ -56,7 +52,7 @@ static void public_key_describe(const struct key *asymmetric_key,
 
         if (key)
                 seq_printf(m, "%s.%s",
-                           pkey_id_type[key->id_type], key->algo->name);
+                           pkey_id_type_name[key->id_type], key->algo->name);
 }
 
 /*
@@ -78,21 +74,45 @@ EXPORT_SYMBOL_GPL(public_key_destroy);
 /*
  * Verify a signature using a public key.
  */
-static int public_key_verify_signature(const struct key *key,
-                                       const struct public_key_signature *sig)
+int public_key_verify_signature(const struct public_key *pk,
+                                const struct public_key_signature *sig)
 {
-        const struct public_key *pk = key->payload.data;
+        const struct public_key_algorithm *algo;
+
+        BUG_ON(!pk);
+        BUG_ON(!pk->mpi[0]);
+        BUG_ON(!pk->mpi[1]);
+        BUG_ON(!sig);
+        BUG_ON(!sig->digest);
+        BUG_ON(!sig->mpi[0]);
+
+        algo = pk->algo;
+        if (!algo) {
+                if (pk->pkey_algo >= PKEY_ALGO__LAST)
+                        return -ENOPKG;
+                algo = pkey_algo[pk->pkey_algo];
+                if (!algo)
+                        return -ENOPKG;
+        }
 
-        if (!pk->algo->verify_signature)
+        if (!algo->verify_signature)
                 return -ENOTSUPP;
 
-        if (sig->nr_mpi != pk->algo->n_sig_mpi) {
+        if (sig->nr_mpi != algo->n_sig_mpi) {
                 pr_debug("Signature has %u MPI not %u\n",
-                         sig->nr_mpi, pk->algo->n_sig_mpi);
+                         sig->nr_mpi, algo->n_sig_mpi);
                 return -EINVAL;
         }
 
-        return pk->algo->verify_signature(pk, sig);
+        return algo->verify_signature(pk, sig);
+}
+EXPORT_SYMBOL_GPL(public_key_verify_signature);
+
+static int public_key_verify_signature_2(const struct key *key,
+                                         const struct public_key_signature *sig)
+{
+        const struct public_key *pk = key->payload.data;
+        return public_key_verify_signature(pk, sig);
 }
 
 /*
@@ -103,6 +123,6 @@ struct asymmetric_key_subtype public_key_subtype = {
         .name                   = "public_key",
         .describe               = public_key_describe,
         .destroy                = public_key_destroy,
-        .verify_signature       = public_key_verify_signature,
+        .verify_signature       = public_key_verify_signature_2,
 };
 EXPORT_SYMBOL_GPL(public_key_subtype);
diff --git a/crypto/asymmetric_keys/public_key.h b/crypto/asymmetric_keys/public_key.h
index 5e5e35626899..5c37a22a0637 100644
--- a/crypto/asymmetric_keys/public_key.h
+++ b/crypto/asymmetric_keys/public_key.h
@@ -28,3 +28,9 @@ struct public_key_algorithm {
 };
 
 extern const struct public_key_algorithm RSA_public_key_algorithm;
+
+/*
+ * public_key.c
+ */
+extern int public_key_verify_signature(const struct public_key *pk,
+                                       const struct public_key_signature *sig);
diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c
index 4a6a0696f8a3..90a17f59ba28 100644
--- a/crypto/asymmetric_keys/rsa.c
+++ b/crypto/asymmetric_keys/rsa.c
@@ -73,13 +73,13 @@ static const struct {
         size_t size;
 } RSA_ASN1_templates[PKEY_HASH__LAST] = {
 #define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) }
-        [PKEY_HASH_MD5]         = _(MD5),
-        [PKEY_HASH_SHA1]        = _(SHA1),
-        [PKEY_HASH_RIPE_MD_160] = _(RIPE_MD_160),
-        [PKEY_HASH_SHA256]      = _(SHA256),
-        [PKEY_HASH_SHA384]      = _(SHA384),
-        [PKEY_HASH_SHA512]      = _(SHA512),
-        [PKEY_HASH_SHA224]      = _(SHA224),
+        [HASH_ALGO_MD5]         = _(MD5),
+        [HASH_ALGO_SHA1]        = _(SHA1),
+        [HASH_ALGO_RIPE_MD_160] = _(RIPE_MD_160),
+        [HASH_ALGO_SHA256]      = _(SHA256),
+        [HASH_ALGO_SHA384]      = _(SHA384),
+        [HASH_ALGO_SHA512]      = _(SHA512),
+        [HASH_ALGO_SHA224]      = _(SHA224),
 #undef _
 };
 
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index facbf26bc6bb..29893162497c 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -47,6 +47,8 @@ void x509_free_certificate(struct x509_certificate *cert)
                 kfree(cert->subject);
                 kfree(cert->fingerprint);
                 kfree(cert->authority);
+                kfree(cert->sig.digest);
+                mpi_free(cert->sig.rsa.s);
                 kfree(cert);
         }
 }
@@ -152,33 +154,33 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
                 return -ENOPKG; /* Unsupported combination */
 
         case OID_md4WithRSAEncryption:
-                ctx->cert->sig_hash_algo = PKEY_HASH_MD5;
-                ctx->cert->sig_pkey_algo = PKEY_ALGO_RSA;
+                ctx->cert->sig.pkey_hash_algo = HASH_ALGO_MD5;
+                ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA;
                 break;
 
         case OID_sha1WithRSAEncryption:
-                ctx->cert->sig_hash_algo = PKEY_HASH_SHA1;
-                ctx->cert->sig_pkey_algo = PKEY_ALGO_RSA;
+                ctx->cert->sig.pkey_hash_algo = HASH_ALGO_SHA1;
+                ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA;
                 break;
 
         case OID_sha256WithRSAEncryption:
-                ctx->cert->sig_hash_algo = PKEY_HASH_SHA256;
-                ctx->cert->sig_pkey_algo = PKEY_ALGO_RSA;
+                ctx->cert->sig.pkey_hash_algo = HASH_ALGO_SHA256;
+                ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA;
                 break;
 
         case OID_sha384WithRSAEncryption:
-                ctx->cert->sig_hash_algo = PKEY_HASH_SHA384;
-                ctx->cert->sig_pkey_algo = PKEY_ALGO_RSA;
+                ctx->cert->sig.pkey_hash_algo = HASH_ALGO_SHA384;
+                ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA;
                 break;
 
         case OID_sha512WithRSAEncryption:
-                ctx->cert->sig_hash_algo = PKEY_HASH_SHA512;
-                ctx->cert->sig_pkey_algo = PKEY_ALGO_RSA;
+                ctx->cert->sig.pkey_hash_algo = HASH_ALGO_SHA512;
+                ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA;
                 break;
 
         case OID_sha224WithRSAEncryption:
-                ctx->cert->sig_hash_algo = PKEY_HASH_SHA224;
-                ctx->cert->sig_pkey_algo = PKEY_ALGO_RSA;
+                ctx->cert->sig.pkey_hash_algo = HASH_ALGO_SHA224;
+                ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA;
                 break;
         }
 
@@ -203,8 +205,8 @@ int x509_note_signature(void *context, size_t hdrlen,
                 return -EINVAL;
         }
 
-        ctx->cert->sig = value;
-        ctx->cert->sig_size = vlen;
+        ctx->cert->raw_sig = value;
+        ctx->cert->raw_sig_size = vlen;
         return 0;
 }
 
@@ -343,8 +345,9 @@ int x509_extract_key_data(void *context, size_t hdrlen,
         if (ctx->last_oid != OID_rsaEncryption)
                 return -ENOPKG;
 
-        /* There seems to be an extraneous 0 byte on the front of the data */
-        ctx->cert->pkey_algo = PKEY_ALGO_RSA;
+        ctx->cert->pub->pkey_algo = PKEY_ALGO_RSA;
+
+        /* Discard the BIT STRING metadata */
         ctx->key = value + 1;
         ctx->key_size = vlen - 1;
         return 0;
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index f86dc5fcc4ad..87d9cc26f630 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -9,6 +9,7 @@
  * 2 of the Licence, or (at your option) any later version.
  */
 
+#include <linux/time.h>
 #include <crypto/public_key.h>
 
 struct x509_certificate {
@@ -20,13 +21,11 @@ struct x509_certificate {
         char            *authority;             /* Authority key fingerprint as hex */
         struct tm       valid_from;
         struct tm       valid_to;
-        enum pkey_algo  pkey_algo : 8;          /* Public key algorithm */
-        enum pkey_algo  sig_pkey_algo : 8;      /* Signature public key algorithm */
-        enum pkey_hash_algo sig_hash_algo : 8;  /* Signature hash algorithm */
         const void      *tbs;                   /* Signed data */
-        size_t          tbs_size;               /* Size of signed data */
-        const void      *sig;                   /* Signature data */
-        size_t          sig_size;               /* Size of sigature */
+        unsigned        tbs_size;               /* Size of signed data */
+        unsigned        raw_sig_size;           /* Size of sigature */
+        const void      *raw_sig;               /* Signature data */
+        struct public_key_signature sig;        /* Signature parameters */
 };
 
 /*
@@ -34,3 +33,10 @@ struct x509_certificate {
  */
 extern void x509_free_certificate(struct x509_certificate *cert);
 extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen);
+
+/*
+ * x509_public_key.c
+ */
+extern int x509_get_sig_params(struct x509_certificate *cert);
+extern int x509_check_signature(const struct public_key *pub,
+                                struct x509_certificate *cert);
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 06007f0e880c..f83300b6e8c1 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -18,85 +18,162 @@
 #include <linux/asn1_decoder.h>
 #include <keys/asymmetric-subtype.h>
 #include <keys/asymmetric-parser.h>
+#include <keys/system_keyring.h>
 #include <crypto/hash.h>
 #include "asymmetric_keys.h"
 #include "public_key.h"
 #include "x509_parser.h"
 
-static const
-struct public_key_algorithm *x509_public_key_algorithms[PKEY_ALGO__LAST] = {
-        [PKEY_ALGO_DSA]         = NULL,
-#if defined(CONFIG_PUBLIC_KEY_ALGO_RSA) || \
-        defined(CONFIG_PUBLIC_KEY_ALGO_RSA_MODULE)
-        [PKEY_ALGO_RSA]         = &RSA_public_key_algorithm,
-#endif
-};
+/*
+ * Find a key in the given keyring by issuer and authority.
+ */
+static struct key *x509_request_asymmetric_key(
+        struct key *keyring,
+        const char *signer, size_t signer_len,
+        const char *authority, size_t auth_len)
+{
+        key_ref_t key;
+        char *id;
+
+        /* Construct an identifier. */
+        id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL);
+        if (!id)
+                return ERR_PTR(-ENOMEM);
+
+        memcpy(id, signer, signer_len);
+        id[signer_len + 0] = ':';
+        id[signer_len + 1] = ' ';
+        memcpy(id + signer_len + 2, authority, auth_len);
+        id[signer_len + 2 + auth_len] = 0;
+
+        pr_debug("Look up: \"%s\"\n", id);
+
+        key = keyring_search(make_key_ref(keyring, 1),
+                             &key_type_asymmetric, id);
+        if (IS_ERR(key))
+                pr_debug("Request for module key '%s' err %ld\n",
+                         id, PTR_ERR(key));
+        kfree(id);
+
+        if (IS_ERR(key)) {
+                switch (PTR_ERR(key)) {
+                        /* Hide some search errors */
+                case -EACCES:
+                case -ENOTDIR:
+                case -EAGAIN:
+                        return ERR_PTR(-ENOKEY);
+                default:
+                        return ERR_CAST(key);
+                }
+        }
+
+        pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key)));
+        return key_ref_to_ptr(key);
+}
 
 /*
- * Check the signature on a certificate using the provided public key
+ * Set up the signature parameters in an X.509 certificate.  This involves
+ * digesting the signed data and extracting the signature.
  */
-static int x509_check_signature(const struct public_key *pub,
-                                const struct x509_certificate *cert)
+int x509_get_sig_params(struct x509_certificate *cert)
 {
-        struct public_key_signature *sig;
         struct crypto_shash *tfm;
         struct shash_desc *desc;
         size_t digest_size, desc_size;
+        void *digest;
         int ret;
 
         pr_devel("==>%s()\n", __func__);
-        
+
+        if (cert->sig.rsa.s)
+                return 0;
+
+        cert->sig.rsa.s = mpi_read_raw_data(cert->raw_sig, cert->raw_sig_size);
+        if (!cert->sig.rsa.s)
+                return -ENOMEM;
+        cert->sig.nr_mpi = 1;
+
         /* Allocate the hashing algorithm we're going to need and find out how
          * big the hash operational data will be.
          */
-        tfm = crypto_alloc_shash(pkey_hash_algo[cert->sig_hash_algo], 0, 0);
+        tfm = crypto_alloc_shash(hash_algo_name[cert->sig.pkey_hash_algo], 0, 0);
         if (IS_ERR(tfm))
                 return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
 
         desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
         digest_size = crypto_shash_digestsize(tfm);
 
-        /* We allocate the hash operational data storage on the end of our
-         * context data.
+        /* We allocate the hash operational data storage on the end of the
+         * digest storage space.
          */
         ret = -ENOMEM;
-        sig = kzalloc(sizeof(*sig) + desc_size + digest_size, GFP_KERNEL);
-        if (!sig)
-                goto error_no_sig;
+        digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
+        if (!digest)
+                goto error;
 
-        sig->pkey_hash_algo     = cert->sig_hash_algo;
-        sig->digest             = (u8 *)sig + sizeof(*sig) + desc_size;
-        sig->digest_size        = digest_size;
+        cert->sig.digest = digest;
+        cert->sig.digest_size = digest_size;
 
-        desc = (void *)sig + sizeof(*sig);
-        desc->tfm       = tfm;
-        desc->flags     = CRYPTO_TFM_REQ_MAY_SLEEP;
+        desc = digest + digest_size;
+        desc->tfm = tfm;
+        desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
 
         ret = crypto_shash_init(desc);
         if (ret < 0)
                 goto error;
+        might_sleep();
+        ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, digest);
+error:
+        crypto_free_shash(tfm);
+        pr_devel("<==%s() = %d\n", __func__, ret);
+        return ret;
+}
+EXPORT_SYMBOL_GPL(x509_get_sig_params);
 
-        ret = -ENOMEM;
-        sig->rsa.s = mpi_read_raw_data(cert->sig, cert->sig_size);
-        if (!sig->rsa.s)
-                goto error;
+/*
+ * Check the signature on a certificate using the provided public key
+ */
+int x509_check_signature(const struct public_key *pub,
+                         struct x509_certificate *cert)
+{
+        int ret;
 
-        ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, sig->digest);
-        if (ret < 0)
-                goto error_mpi;
+        pr_devel("==>%s()\n", __func__);
 
-        ret = pub->algo->verify_signature(pub, sig);
+        ret = x509_get_sig_params(cert);
+        if (ret < 0)
+                return ret;
 
+        ret = public_key_verify_signature(pub, &cert->sig);
         pr_debug("Cert Verification: %d\n", ret);
+        return ret;
+}
+EXPORT_SYMBOL_GPL(x509_check_signature);
 
-error_mpi:
-        mpi_free(sig->rsa.s);
-error:
-        kfree(sig);
-error_no_sig:
-        crypto_free_shash(tfm);
+/*
+ * Check the new certificate against the ones in the trust keyring.  If one of
+ * those is the signing key and validates the new certificate, then mark the
+ * new certificate as being trusted.
+ *
+ * Return 0 if the new certificate was successfully validated, 1 if we couldn't
+ * find a matching parent certificate in the trusted list and an error if there
+ * is a matching certificate but the signature check fails.
+ */
+static int x509_validate_trust(struct x509_certificate *cert,
+                               struct key *trust_keyring)
+{
+        const struct public_key *pk;
+        struct key *key;
+        int ret = 1;
 
-        pr_devel("<==%s() = %d\n", __func__, ret);
+        key = x509_request_asymmetric_key(trust_keyring,
+                                          cert->issuer, strlen(cert->issuer),
+                                          cert->authority,
+                                          strlen(cert->authority));
+        if (!IS_ERR(key))  {
+                pk = key->payload.data;
+                ret = x509_check_signature(pk, cert);
+        }
         return ret;
 }
 
@@ -106,7 +183,6 @@ error_no_sig:
 static int x509_key_preparse(struct key_preparsed_payload *prep)
 {
         struct x509_certificate *cert;
-        struct tm now;
         size_t srlen, sulen;
         char *desc = NULL;
         int ret;
@@ -117,7 +193,18 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
 
         pr_devel("Cert Issuer: %s\n", cert->issuer);
         pr_devel("Cert Subject: %s\n", cert->subject);
-        pr_devel("Cert Key Algo: %s\n", pkey_algo[cert->pkey_algo]);
+
+        if (cert->pub->pkey_algo >= PKEY_ALGO__LAST ||
+            cert->sig.pkey_algo >= PKEY_ALGO__LAST ||
+            cert->sig.pkey_hash_algo >= PKEY_HASH__LAST ||
+            !pkey_algo[cert->pub->pkey_algo] ||
+            !pkey_algo[cert->sig.pkey_algo] ||
+            !hash_algo_name[cert->sig.pkey_hash_algo]) {
+                ret = -ENOPKG;
+                goto error_free_cert;
+        }
+
+        pr_devel("Cert Key Algo: %s\n", pkey_algo_name[cert->pub->pkey_algo]);
         pr_devel("Cert Valid From: %04ld-%02d-%02d %02d:%02d:%02d\n",
                  cert->valid_from.tm_year + 1900, cert->valid_from.tm_mon + 1,
                  cert->valid_from.tm_mday, cert->valid_from.tm_hour,
@@ -127,61 +214,29 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
                  cert->valid_to.tm_mday, cert->valid_to.tm_hour,
                  cert->valid_to.tm_min,  cert->valid_to.tm_sec);
         pr_devel("Cert Signature: %s + %s\n",
-                 pkey_algo[cert->sig_pkey_algo],
-                 pkey_hash_algo[cert->sig_hash_algo]);
+                 pkey_algo_name[cert->sig.pkey_algo],
+                 hash_algo_name[cert->sig.pkey_hash_algo]);
 
-        if (!cert->fingerprint || !cert->authority) {
-                pr_warn("Cert for '%s' must have SubjKeyId and AuthKeyId extensions\n",
+        if (!cert->fingerprint) {
+                pr_warn("Cert for '%s' must have a SubjKeyId extension\n",
                         cert->subject);
                 ret = -EKEYREJECTED;
                 goto error_free_cert;
         }
 
-        time_to_tm(CURRENT_TIME.tv_sec, 0, &now);
-        pr_devel("Now: %04ld-%02d-%02d %02d:%02d:%02d\n",
-                 now.tm_year + 1900, now.tm_mon + 1, now.tm_mday,
-                 now.tm_hour, now.tm_min,  now.tm_sec);
-        if (now.tm_year < cert->valid_from.tm_year ||
-            (now.tm_year == cert->valid_from.tm_year &&
-             (now.tm_mon < cert->valid_from.tm_mon ||
-              (now.tm_mon == cert->valid_from.tm_mon &&
-               (now.tm_mday < cert->valid_from.tm_mday ||
-                (now.tm_mday == cert->valid_from.tm_mday &&
-                 (now.tm_hour < cert->valid_from.tm_hour ||
-                  (now.tm_hour == cert->valid_from.tm_hour &&
-                   (now.tm_min < cert->valid_from.tm_min ||
-                    (now.tm_min == cert->valid_from.tm_min &&
-                     (now.tm_sec < cert->valid_from.tm_sec
-                      ))))))))))) {
-                pr_warn("Cert %s is not yet valid\n", cert->fingerprint);
-                ret = -EKEYREJECTED;
-                goto error_free_cert;
-        }
-        if (now.tm_year > cert->valid_to.tm_year ||
-            (now.tm_year == cert->valid_to.tm_year &&
-             (now.tm_mon > cert->valid_to.tm_mon ||
-              (now.tm_mon == cert->valid_to.tm_mon &&
-               (now.tm_mday > cert->valid_to.tm_mday ||
-                (now.tm_mday == cert->valid_to.tm_mday &&
-                 (now.tm_hour > cert->valid_to.tm_hour ||
-                  (now.tm_hour == cert->valid_to.tm_hour &&
-                   (now.tm_min > cert->valid_to.tm_min ||
-                    (now.tm_min == cert->valid_to.tm_min &&
-                     (now.tm_sec > cert->valid_to.tm_sec
-                      ))))))))))) {
-                pr_warn("Cert %s has expired\n", cert->fingerprint);
-                ret = -EKEYEXPIRED;
-                goto error_free_cert;
-        }
-
-        cert->pub->algo = x509_public_key_algorithms[cert->pkey_algo];
+        cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
         cert->pub->id_type = PKEY_ID_X509;
 
-        /* Check the signature on the key */
-        if (strcmp(cert->fingerprint, cert->authority) == 0) {
-                ret = x509_check_signature(cert->pub, cert);
+        /* Check the signature on the key if it appears to be self-signed */
+        if (!cert->authority ||
+            strcmp(cert->fingerprint, cert->authority) == 0) {
+                ret = x509_check_signature(cert->pub, cert); /* self-signed */
                 if (ret < 0)
                         goto error_free_cert;
+        } else {
+                ret = x509_validate_trust(cert, system_trusted_keyring);
+                if (!ret)
+                        prep->trusted = 1;
         }
 
         /* Propose a description */
@@ -237,3 +292,6 @@ static void __exit x509_key_exit(void)
 
 module_init(x509_key_init);
 module_exit(x509_key_exit);
+
+MODULE_DESCRIPTION("X.509 certificate parser");
+MODULE_LICENSE("GPL");
diff --git a/crypto/hash_info.c b/crypto/hash_info.c
new file mode 100644
index 000000000000..3e7ff46f26e8
--- /dev/null
+++ b/crypto/hash_info.c
@@ -0,0 +1,56 @@
+/*
+ * Hash Info: Hash algorithms information
+ *
+ * Copyright (c) 2013 Dmitry Kasatkin <d.kasatkin@samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ */
+
+#include <linux/export.h>
+#include <crypto/hash_info.h>
+
+const char *const hash_algo_name[HASH_ALGO__LAST] = {
+        [HASH_ALGO_MD4]         = "md4",
+        [HASH_ALGO_MD5]         = "md5",
+        [HASH_ALGO_SHA1]        = "sha1",
+        [HASH_ALGO_RIPE_MD_160] = "rmd160",
+        [HASH_ALGO_SHA256]      = "sha256",
+        [HASH_ALGO_SHA384]      = "sha384",
+        [HASH_ALGO_SHA512]      = "sha512",
+        [HASH_ALGO_SHA224]      = "sha224",
+        [HASH_ALGO_RIPE_MD_128] = "rmd128",
+        [HASH_ALGO_RIPE_MD_256] = "rmd256",
+        [HASH_ALGO_RIPE_MD_320] = "rmd320",
+        [HASH_ALGO_WP_256]      = "wp256",
+        [HASH_ALGO_WP_384]      = "wp384",
+        [HASH_ALGO_WP_512]      = "wp512",
+        [HASH_ALGO_TGR_128]     = "tgr128",
+        [HASH_ALGO_TGR_160]     = "tgr160",
+        [HASH_ALGO_TGR_192]     = "tgr192",
+};
+EXPORT_SYMBOL_GPL(hash_algo_name);
+
+const int hash_digest_size[HASH_ALGO__LAST] = {
+        [HASH_ALGO_MD4]         = MD5_DIGEST_SIZE,
+        [HASH_ALGO_MD5]         = MD5_DIGEST_SIZE,
+        [HASH_ALGO_SHA1]        = SHA1_DIGEST_SIZE,
+        [HASH_ALGO_RIPE_MD_160] = RMD160_DIGEST_SIZE,
+        [HASH_ALGO_SHA256]      = SHA256_DIGEST_SIZE,
+        [HASH_ALGO_SHA384]      = SHA384_DIGEST_SIZE,
+        [HASH_ALGO_SHA512]      = SHA512_DIGEST_SIZE,
+        [HASH_ALGO_SHA224]      = SHA224_DIGEST_SIZE,
+        [HASH_ALGO_RIPE_MD_128] = RMD128_DIGEST_SIZE,
+        [HASH_ALGO_RIPE_MD_256] = RMD256_DIGEST_SIZE,
+        [HASH_ALGO_RIPE_MD_320] = RMD320_DIGEST_SIZE,
+        [HASH_ALGO_WP_256]      = WP256_DIGEST_SIZE,
+        [HASH_ALGO_WP_384]      = WP384_DIGEST_SIZE,
+        [HASH_ALGO_WP_512]      = WP512_DIGEST_SIZE,
+        [HASH_ALGO_TGR_128]     = TGR128_DIGEST_SIZE,
+        [HASH_ALGO_TGR_160]     = TGR160_DIGEST_SIZE,
+        [HASH_ALGO_TGR_192]     = TGR192_DIGEST_SIZE,
+};
+EXPORT_SYMBOL_GPL(hash_digest_size);