
Commit 4ebdb76

PKCS#7: Allow detached data to be supplied for signature checking purposes
It is possible for a PKCS#7 message to have detached data. However, to verify the signatures on a PKCS#7 message, we have to be able to digest the data. Provide a function to supply that data. An error is given if the PKCS#7 message included embedded data.

This is used in a subsequent patch to supply the data to module signing where the signature is in the form of a PKCS#7 message with detached data, whereby the detached data is the module content that is signed.

Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Vivek Goyal <vgoyal@redhat.com>
1 parent 4573b64 commit 4ebdb76

2 files changed: +28 -0 lines changed


crypto/asymmetric_keys/pkcs7_verify.c

Lines changed: 25 additions & 0 deletions
@@ -382,3 +382,28 @@ int pkcs7_verify(struct pkcs7_message *pkcs7)
382382
return enopkg;
383383
}
384384
EXPORT_SYMBOL_GPL(pkcs7_verify);
385+
386+
/**
387+
* pkcs7_supply_detached_data - Supply the data needed to verify a PKCS#7 message
388+
* @pkcs7: The PKCS#7 message
389+
* @data: The data to be verified
390+
* @datalen: The amount of data
391+
*
392+
* Supply the detached data needed to verify a PKCS#7 message. Note that no
393+
* attempt to retain/pin the data is made. That is left to the caller. The
394+
* data will not be modified by pkcs7_verify() and will not be freed when the
395+
* PKCS#7 message is freed.
396+
*
397+
* Returns -EINVAL if data is already supplied in the message, 0 otherwise.
398+
*/
399+
int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
400+
const void *data, size_t datalen)
401+
{
402+
if (pkcs7->data) {
403+
pr_debug("Data already supplied\n");
404+
return -EINVAL;
405+
}
406+
pkcs7->data = data;
407+
pkcs7->data_len = datalen;
408+
return 0;
409+
}
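Review bot: pkcs7_supply_detached_data() rejects a message that already carries data but never validates the arguments it stores: a NULL `data` or a zero `datalen` passes the `if (pkcs7->data)` test and is saved into the message, so pkcs7_verify() will later attempt to digest it (the commit message says verification must digest the data). Suggest rejecting those up front, e.g. `if (!data || !datalen) return -EINVAL;`, ahead of the "already supplied" check. Also, unlike pkcs7_verify() directly above, the new function carries no EXPORT_SYMBOL_GPL(); that is fine if the only caller is built-in module signing, as the message implies, but it is worth saying so, or adding the export if modular callers are expected.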

include/crypto/pkcs7.h

Lines changed: 3 additions & 0 deletions
@@ -34,3 +34,6 @@ extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
3434
* pkcs7_verify.c
3535
*/
3636
extern int pkcs7_verify(struct pkcs7_message *pkcs7);
37+
38+
extern int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
39+
const void *data, size_t datalen);
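Review bot: the prototype matches the definition in pkcs7_verify.c and sits under the `pkcs7_verify.c` grouping comment, which is the right place; what is missing at the declaration is any hint to callers that the buffer is borrowed, not copied. Since the kerneldoc in pkcs7_verify.c states that no attempt is made to retain or pin the data and that it is not freed with the message, a one-line comment here noting that `data` must remain valid and unmodified until pkcs7_verify() returns would stop a header-only reader from freeing it too early.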
