| author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2026-05-07 12:13:55 -0700 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2026-05-13 14:36:30 -0400 |
| commit | 188cfb7ec81c8d9b19087984ac5e0fc42edf1087 (patch) | |
| tree | 23d3f424285466435d7858aec3d518156faa1687 | |
| parent | f71ece9712b7712df98871eea9aeb60e49ca5239 (diff) | |
| download | linux-next-history-188cfb7ec81c.tar.gz | |
crypto: pkcs7: add flag for validated trust on a signed info block
Allow consumers of struct pkcs7_message to tell if any of the sinfo
fields has passed a trust validation. Note that this does not happen
in parsing, pkcs7_validate_trust() must be explicitly called or called
via validate_pkcs7_trust(). Since the way to get this trusted pkcs7
object is via verify_pkcs7_message_sig, export that so modules can use
it.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | certs/system_keyring.c | 1 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/pkcs7_parser.h | 1 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/pkcs7_trust.c | 1 |
3 files changed, 3 insertions, 0 deletions
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index e0761436ec7f4..9bda49295bd02 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -380,6 +380,7 @@ error:
 	pr_devel("<==%s() = %d\n", __func__, ret);
 	return ret;
 }
+EXPORT_SYMBOL(verify_pkcs7_message_sig);
 
 /**
  * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
diff --git a/crypto/asymmetric_keys/pkcs7_parser.h b/crypto/asymmetric_keys/pkcs7_parser.h
index 6ef9f335bb17f..203062a33def6 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.h
+++ b/crypto/asymmetric_keys/pkcs7_parser.h
@@ -20,6 +20,7 @@ struct pkcs7_signed_info {
 	unsigned index;
 	bool unsupported_crypto;	/* T if not usable due to missing crypto */
 	bool blacklisted;
+	bool verified;		/* T if this signer has validated trust */
 
 	/* Message digest - the digest of the Content Data (or NULL) */
 	const void *msgdigest;
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c
index 9a87c34ed1733..78ebfb6373b61 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -127,6 +127,7 @@ verified:
 		for (p = sinfo->signer; p != x509; p = p->signer)
 			p->verified = true;
 	}
+	sinfo->verified = true;
 	kleave(" = 0");
 	return 0;
 }
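Review bot: The new export `EXPORT_SYMBOL(verify_pkcs7_message_sig);` does not match the export of its neighbour verify_pkcs7_signature(), whose kerneldoc header starts at the end of this hunk and which, if I recall certs/system_keyring.c correctly, uses EXPORT_SYMBOL_GPL(); the two exports in one file should agree, so consider `EXPORT_SYMBOL_GPL(verify_pkcs7_message_sig);` unless non-GPL module consumers are deliberately intended. Widening the callers to modules also means the function's kerneldoc (outside this hunk) should state who holds the reference on the trusted keyring and who owns the pkcs7 message across the call, since a module caller can no longer be audited in-tree. The function being exported ends at the `}` in this hunk; its body lies outside it.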
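Review bot: The comment on the new field, `/* T if this signer has validated trust */`, does not say when the flag is set or that it is sticky: per the commit message it is set only by pkcs7_validate_trust() (the `sinfo->verified = true;` line in the pkcs7_trust.c hunk), never by the parser, and nothing visible in either hunk ever clears it, so a consumer that validates the same message against a second, different keyring would still see `verified` left over from the first call. Suggested wording: `bool verified;  /* T if pkcs7_validate_trust() accepted this signer; set, never cleared */`. The same caveat applies at the set site in pkcs7_trust.c, where a one-line comment noting that the flag persists for the lifetime of the message would help future readers; that function's body begins outside the hunk. Both points are inferred from the visible lines and the description rather than from the full files.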
