From: David Howells Date: Tue, 16 Sep 2014 16:38:07 +0000 (+0100) Subject: Merge tag 'keys-pkcs7-20140916' into keys-next X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=d3e4f41973753a7768a5728be53c7d9a3fdf86cb;p=linux-beck.git Merge tag 'keys-pkcs7-20140916' into keys-next Changes for next to improve the matching of asymmetric keys and to improve the handling of PKCS#7 certificates: (1) Provide a method to preparse the data supplied for matching a key. This permits they key type to extract out the bits it needs for matching once only. Further, the type of search (direct lookup or iterative) can be set and the function used to actually check the match can be set by preparse rather than being hard coded for the type. (2) Improves asymmetric keys identification. Keys derived from X.509 certs now get labelled with IDs derived from their issuer and certificate number (required to match PKCS#7) and from their SKID and subject (required to match X.509). IDs are now binary and match criterion preparsing is provided so that criteria can be turned into binary blobs to make matching faster. (3) Improves PKCS#7 message handling to permit PKCS#7 messages without X.509 cert lists to be matched to trusted keys, thereby allowing minimally sized PKCS#7 certs to be used. (4) Improves PKCS#7 message handling to better handle certificate chains that are broken due to unsupported crypto that can otherwise by used to intersect a trust keyring. These must go on top of the PKCS#7 parser cleanup fixes. Signed-off-by: David Howells --- d3e4f41973753a7768a5728be53c7d9a3fdf86cb