Validate the PKCS#7 trust chain against the contents of the system keyring.
Signed-off-by: David Howells <dhowells@redhat.com>
tristate "PE binary-wrapped key parser"
depends on X509_CERTIFICATE_PARSER
depends on PKCS7_MESSAGE_PARSER
+ depends on SYSTEM_TRUSTED_KEYRING
help
This option provides support for parsing signed PE binaries that
contain an X.509 certificate in an internal section.
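Review bot: the help text in this hunk still describes only the parsing of the embedded X.509 certificate and says nothing about the new `depends on SYSTEM_TRUSTED_KEYRING` line or that the PKCS#7 chain is now checked against the system trusted keyring; consider extending the help text with something like `The PKCS#7 signature chain is validated against the system trusted keyring.` so that whoever configures the kernel sees why this option now pulls in SYSTEM_TRUSTED_KEYRING.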
#include <linux/asn1.h>
#include <keys/asymmetric-subtype.h>
#include <keys/asymmetric-parser.h>
+#include <keys/system_keyring.h>
#include <crypto/hash.h>
#include "asymmetric_keys.h"
#include "public_key.h"
if (ret < 0)
goto error;
+ ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &prep->trusted);
+ if (ret < 0)
+ goto error;
+
ret = -ENOANO; // Not yet complete
error:
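Review bot: the new `pkcs7_validate_trust()` call treats every negative return as a fatal parse failure (`if (ret < 0) goto error;`), so a well-formed PE binary whose chain simply does not terminate in a key held in `system_trusted_keyring` would be rejected outright rather than being loaded with `prep->trusted` left false; if that is the intended policy, the commit message should say so, and if not, the no-trusted-key case needs to be told apart from a genuine parse error before jumping to `error`. Also, the unchanged `ret = -ENOANO; // Not yet complete` that follows overwrites `ret`, so the trust result is computed here but not yet consumed by this patch; a one-line comment saying that the outcome is only recorded in `prep->trusted` for now would help the next reader, and since this block is being touched anyway, the `//` comment should become a `/* ... */` comment to match kernel style.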