kernel_optimize_test/crypto/asymmetric_keys
Mat Martineau acddc72015 KEYS: Fix for erroneous trust of incorrectly signed X.509 certs
Arbitrary X.509 certificates without authority key identifiers (AKIs)
can be added to "trusted" keyrings, including IMA or EVM certs loaded
from the filesystem. Signature verification is currently bypassed for
certs without AKIs.

Trusted keys were recently refactored, and this bug is not present in
4.6.

restrict_link_by_signature should return -ENOKEY (no matching parent
certificate found) if the certificate being evaluated has no AKIs,
instead of bypassing signature checks and returning 0 (new certificate
accepted).

Reported-by: Petko Manolov <petkan@mip-labs.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2016-07-18 12:19:47 +10:00
..
.gitignore
asymmetric_keys.h
asymmetric_type.c
Kconfig
Makefile
mscode_parser.c pefile: Fix the failure of calculation for digest 2016-07-18 12:19:46 +10:00
mscode.asn1
pkcs7_key_type.c
pkcs7_parser.c
pkcs7_parser.h
pkcs7_trust.c
pkcs7_verify.c PKCS#7: Fix panic when referring to the empty AKID when DEBUG defined 2016-07-18 12:19:44 +10:00
pkcs7.asn1
public_key.c
restrict.c KEYS: Fix for erroneous trust of incorrectly signed X.509 certs 2016-07-18 12:19:47 +10:00
signature.c
verify_pefile.c
verify_pefile.h
x509_akid.asn1
x509_cert_parser.c
x509_parser.h
x509_public_key.c
x509.asn1