[RFC 04/11] crypto: pkcs7: add flag for validated trust on a signed info block

Blaise Boscaccy posted 11 patches 5 days, 14 hours ago
[RFC 04/11] crypto: pkcs7: add flag for validated trust on a signed info block
Posted by Blaise Boscaccy 5 days, 14 hours ago
From: James Bottomley <James.Bottomley@HansenPartnership.com>

Allow consumers of struct pkcs7_message to tell if any of the sinfo
fields has passed a trust validation.  Note that this does not happen
in parsing; pkcs7_validate_trust() must be explicitly called or called
via validate_pkcs7_trust().

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
 crypto/asymmetric_keys/pkcs7_parser.h | 1 +
 crypto/asymmetric_keys/pkcs7_trust.c  | 1 +
 2 files changed, 2 insertions(+)

diff --git a/crypto/asymmetric_keys/pkcs7_parser.h b/crypto/asymmetric_keys/pkcs7_parser.h
index e17f7ce4fb434..344340cfa6c13 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.h
+++ b/crypto/asymmetric_keys/pkcs7_parser.h
@@ -20,6 +20,7 @@ struct pkcs7_signed_info {
 	unsigned	index;
 	bool		unsupported_crypto;	/* T if not usable due to missing crypto */
 	bool		blacklisted;
+	bool		verified; /* T if this signer has validated trust */
 
 	/* Message digest - the digest of the Content Data (or NULL) */
 	const void	*msgdigest;
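Review bot: The comment on the new `verified` member does not say when the flag is meaningful. The commit message states that it is not set during parsing and only after pkcs7_validate_trust() has been called, so a reader of the header alone cannot distinguish false meaning "failed trust validation" from false meaning "trust validation never ran". Suggest putting that in the comment, for example "T if this signer passed pkcs7_validate_trust(); not set by the parser". As a style point, the comment follows the member after a single space, while the `unsupported_crypto` comment two lines above is tab-separated.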
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c
index 9a87c34ed1733..78ebfb6373b61 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -127,6 +127,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
 		for (p = sinfo->signer; p != x509; p = p->signer)
 			p->verified = true;
 	}
+	sinfo->verified = true;
 	kleave(" = 0");
 	return 0;
 }
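Review bot: `sinfo->verified = true;` is assigned just before `return 0`, and nothing in this patch ever clears it. If trust validation can run more than once on the same pkcs7_message, a true left by an earlier call stays visible to consumers even when a later call fails; either reset the flag at the start of validation or document that it is sticky. Separately, the commit message describes consumers telling whether any sinfo passed, but the diffstat adds only the member and this assignment, so every consumer has to inspect each struct pkcs7_signed_info itself using a header that lives under crypto/asymmetric_keys/; a small accessor would keep that check in one place.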
-- 
2.52.0
Re: [RFC 04/11] crypto: pkcs7: add flag for validated trust on a signed info block
Posted by David Howells 4 days, 6 hours ago
Note that there are two other potentially conflicting sets of changes to the
PKCS#7 code that will need to be coordinated: ML-DSA support and RSASSA-PSS
support.  The former wants to do the hashing itself, the latter requires
signature parameters.

David
Re: [RFC 04/11] crypto: pkcs7: add flag for validated trust on a signed info block
Posted by James Bottomley 3 days, 10 hours ago
On Fri, 2025-12-12 at 09:45 +0000, David Howells wrote:
> Note that there are two other potentially conflicting sets of changes
> to the PKCS#7 code that will need to be coordinated: ML-DSA support
> and RSASSA-PSS support.  The former wants to do the hashing itself,
> the latter requires signature parameters.

I don't think there'll be a conflict.  The only change this makes is
to add an API that exposes the attributes.  It shouldn't have any
effect on the way signatures are currently verified.

From the use case patches it looks like we could simply get the struct
pkcs7 verified by calling verify_pkcs7_message_sig() as long as the
symbol is exported.  Initially I didn't think they'd have access to the
content to reverify, so I added the extra patches to break out the
validate_pkcs7_trust() calls, but I don't think they're necessary now.

Regards,

James