From: James Bottomley Add new validate_pkcs7_trust() function which can operate on the system keyrings and is simply some of the innards of verify_pkcs7_message_sig(). Signed-off-by: James Bottomley --- certs/system_keyring.c | 76 +++++++++++++++++++++--------------- include/linux/verification.h | 2 + 2 files changed, 47 insertions(+), 31 deletions(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index e0761436ec7f..dcbefc2d3f6d 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -298,42 +298,19 @@ late_initcall(load_system_certificate_list); #ifdef CONFIG_SYSTEM_DATA_VERIFICATION /** - * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data. - * @data: The data to be verified (NULL if expecting internal data). - * @len: Size of @data. + * validate_pkcs7_trust - add trust markers based on keyring * @pkcs7: The PKCS#7 message that is the signature. * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only, * (void *)1UL for all trusted keys). - * @usage: The use to which the key is being put. - * @view_content: Callback to gain access to content. - * @ctx: Context for callback. */ -int verify_pkcs7_message_sig(const void *data, size_t len, - struct pkcs7_message *pkcs7, - struct key *trusted_keys, - enum key_being_used_for usage, - int (*view_content)(void *ctx, - const void *data, size_t len, - size_t asn1hdrlen), - void *ctx) +int validate_pkcs7_trust(struct pkcs7_message *pkcs7, struct key *trusted_keys) { int ret; - /* The data should be detached - so we need to supply it. */ - if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) { - pr_err("PKCS#7 signature with non-detached data\n"); - ret = -EBADMSG; - goto error; - } - - ret = pkcs7_verify(pkcs7, usage); - if (ret < 0) - goto error; - ret = is_key_on_revocation_list(pkcs7); if (ret != -ENOKEY) { pr_devel("PKCS#7 key is on revocation list\n"); - goto error; + return ret; } if (!trusted_keys) { @@ -351,18 +328,55 @@ int verify_pkcs7_message_sig(const void *data, size_t len, trusted_keys = NULL; #endif if (!trusted_keys) { - ret = -ENOKEY; pr_devel("PKCS#7 platform keyring is not available\n"); - goto error; + return -ENOKEY; } } ret = pkcs7_validate_trust(pkcs7, trusted_keys); - if (ret < 0) { - if (ret == -ENOKEY) - pr_devel("PKCS#7 signature not signed with a trusted key\n"); + if (ret == -ENOKEY) + pr_devel("PKCS#7 signature not signed with a trusted key\n"); + + return ret; +} +EXPORT_SYMBOL_GPL(validate_pkcs7_trust); + +/** + * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data. + * @data: The data to be verified (NULL if expecting internal data). + * @len: Size of @data. + * @pkcs7: The PKCS#7 message that is the signature. + * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only, + * (void *)1UL for all trusted keys). + * @usage: The use to which the key is being put. + * @view_content: Callback to gain access to content. + * @ctx: Context for callback. + */ +int verify_pkcs7_message_sig(const void *data, size_t len, + struct pkcs7_message *pkcs7, + struct key *trusted_keys, + enum key_being_used_for usage, + int (*view_content)(void *ctx, + const void *data, size_t len, + size_t asn1hdrlen), + void *ctx) +{ + int ret; + + /* The data should be detached - so we need to supply it. */ + if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) { + pr_err("PKCS#7 signature with non-detached data\n"); + ret = -EBADMSG; goto error; } + ret = pkcs7_verify(pkcs7, usage); + if (ret < 0) + goto error; + + ret = validate_pkcs7_trust(pkcs7, trusted_keys); + if (ret < 0) + goto error; + if (view_content) { size_t asn1hdrlen; diff --git a/include/linux/verification.h b/include/linux/verification.h index dec7f2beabfd..57f1460d36f1 100644 --- a/include/linux/verification.h +++ b/include/linux/verification.h @@ -44,6 +44,8 @@ enum key_being_used_for { struct key; struct pkcs7_message; +extern int validate_pkcs7_trust(struct pkcs7_message *pkcs7, + struct key *trusted_keys); extern int verify_pkcs7_signature(const void *data, size_t len, const void *raw_pkcs7, size_t pkcs7_len, struct key *trusted_keys, -- 2.52.0