• David Howells's avatar
    PKCS#7: Better handling of unsupported crypto · 41559420
    David Howells authored
    Provide better handling of unsupported crypto when verifying a PKCS#7 message.
    If we can't bridge the gap between a pair of X.509 certs or between a signed
    info block and an X.509 cert because it involves some crypto we don't support,
    that's not necessarily the end of the world as there may be other ways points
    at which we can intersect with a ring of trusted keys.
    
    Instead, only produce ENOPKG immediately if all the signed info blocks in a
    PKCS#7 message require unsupported crypto to bridge to the first X.509 cert.
    Otherwise, we defer the generation of ENOPKG until we get ENOKEY during trust
    validation.
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
    41559420
x509_parser.h 2 KB