xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

PKCS#7: Better handling of unsupported crypto

Browse Source 
Provide better handling of unsupported crypto when verifying a PKCS#7 message.
If we can't bridge the gap between a pair of X.509 certs or between a signed
info block and an X.509 cert because it involves some crypto we don't support,
that's not necessarily the end of the world as there may be other ways points
at which we can intersect with a ring of trusted keys.

Instead, only produce ENOPKG immediately if all the signed info blocks in a
PKCS#7 message require unsupported crypto to bridge to the first X.509 cert.
Otherwise, we defer the generation of ENOPKG until we get ENOKEY during trust
validation.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
This commit is contained in:
David Howells
2014-09-16 17:36:15 +01:00
parent 46963b774d
commit 4155942000
5 changed files with 74 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
crypto/asymmetric_keys/x509_parser.h
View File

@@ -38,6 +38,7 @@ struct x509_certificate {
bool seen; /* Infinite recursion prevention */
bool verified;
bool trusted;
bool unsupported_crypto; /* T if can't be verified due to missing crypto */
};
/*