summaryrefslogtreecommitdiff
path: root/crypto/asymmetric_keys/pkcs7_parser.h
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2014-09-16 20:36:15 +0400
committerDavid Howells <dhowells@redhat.com>2014-09-16 20:36:15 +0400
commit41559420003cfe99522257dded7793192c77b4e9 (patch)
tree478af8309836992b40385a1aff6d8eae537d44c4 /crypto/asymmetric_keys/pkcs7_parser.h
parent46963b774d441c833afc1535f6d84b3df2a94204 (diff)
downloadlinux-41559420003cfe99522257dded7793192c77b4e9.tar.xz
PKCS#7: Better handling of unsupported crypto
Provide better handling of unsupported crypto when verifying a PKCS#7 message. If we can't bridge the gap between a pair of X.509 certs or between a signed info block and an X.509 cert because it involves some crypto we don't support, that's not necessarily the end of the world as there may be other ways points at which we can intersect with a ring of trusted keys. Instead, only produce ENOPKG immediately if all the signed info blocks in a PKCS#7 message require unsupported crypto to bridge to the first X.509 cert. Otherwise, we defer the generation of ENOPKG until we get ENOKEY during trust validation. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Vivek Goyal <vgoyal@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys/pkcs7_parser.h')
-rw-r--r--crypto/asymmetric_keys/pkcs7_parser.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/pkcs7_parser.h b/crypto/asymmetric_keys/pkcs7_parser.h
index 91949f92bc72..efc7dc9b8f9c 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.h
+++ b/crypto/asymmetric_keys/pkcs7_parser.h
@@ -23,6 +23,7 @@ struct pkcs7_signed_info {
struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
unsigned index;
bool trusted;
+ bool unsupported_crypto; /* T if not usable due to missing crypto */
/* Message digest - the digest of the Content Data (or NULL) */
const void *msgdigest;