From: David Howells Date: Fri, 18 Jan 2013 13:58:35 +0000 (+0000) Subject: PEFILE: Validate PKCS#7 trust chain X-Git-Tag: next-20130218~61^2~1 X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=60b75c4ed9ec2fc148b3387883426258cab3efad;p=karo-tx-linux.git PEFILE: Validate PKCS#7 trust chain Validate the PKCS#7 trust chain against the contents of the system keyring. Signed-off-by: David Howells --- diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index 2e7315c27900..2777916e7160 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig @@ -48,6 +48,7 @@ config PE_FILE_PARSER tristate "PE binary-wrapped key parser" depends on X509_CERTIFICATE_PARSER depends on PKCS7_MESSAGE_PARSER + depends on SYSTEM_TRUSTED_KEYRING help This option provides support for parsing signed PE binaries that contain an X.509 certificate in an internal section. diff --git a/crypto/asymmetric_keys/pefile_parser.c b/crypto/asymmetric_keys/pefile_parser.c index dfdb85e180ca..edad948b18b4 100644 --- a/crypto/asymmetric_keys/pefile_parser.c +++ b/crypto/asymmetric_keys/pefile_parser.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include "asymmetric_keys.h" #include "public_key.h" @@ -435,6 +436,10 @@ static int pefile_key_preparse(struct key_preparsed_payload *prep) if (ret < 0) goto error; + ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &prep->trusted); + if (ret < 0) + goto error; + ret = -ENOANO; // Not yet complete error:
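Review bot: the new `depends on SYSTEM_TRUSTED_KEYRING` line in the Kconfig hunk is the right fix for the direct use of the `system_trusted_keyring` symbol later in this series, but the help text below it still only says the parser handles "signed PE binaries that contain an X.509 certificate"; consider extending that help text to state that the embedded PKCS#7 signature chain is now validated against the system trusted keyring, since that is the behavioural change a user enabling this option should know about.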
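Review bot: in the pefile_key_preparse() hunk only the negative return of pkcs7_validate_trust() is checked before the function falls through to `ret = -ENOANO;`. If pkcs7_validate_trust() can return 0 while leaving `prep->trusted` false (reporting an untrusted chain through the out-parameter rather than an error code), nothing in this hunk distinguishes that case from a fully trusted chain, so an explicit rejection such as `if (!prep->trusted) { ret = -ENOKEY; goto error; }` (or a comment stating that an untrusted chain always yields a negative return) would make the intended policy clear. Minor style point on the same hunk: the placeholder `// Not yet complete` uses a C++-style comment; kernel code should use `/* Not yet complete */`.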