From 60b75c4ed9ec2fc148b3387883426258cab3efad Mon Sep 17 00:00:00 2001
From: David Howells
Date: Fri, 18 Jan 2013 13:58:35 +0000
Subject: [PATCH 26/28] PEFILE: Validate PKCS#7 trust chain

Validate the PKCS#7 trust chain against the contents of the system keyring.

Signed-off-by: David Howells
---
 arch/x86/Kconfig | 1 +
 arch/x86/kernel/pefile_parser.c | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
Index: linux-2.6/arch/x86/Kconfig
===================================================================
--- linux-2.6.orig/arch/x86/Kconfig 2014-06-17 09:14:17.502972983 -0400
+++ linux-2.6/arch/x86/Kconfig 2014-06-17 09:15:37.029977668 -0400
@@ -1577,6 +1577,7 @@ config SIGNED_PE_FILE_PARSER
 bool "Signed PE/COFF binary parser"
 select X509_CERTIFICATE_PARSER
 select PKCS7_MESSAGE_PARSER
+ select SYSTEM_TRUSTED_KEYRING
 help
 This option provides support for parsing signed PE binaries.
Index: linux-2.6/arch/x86/kernel/pefile_parser.c
===================================================================
--- linux-2.6.orig/arch/x86/kernel/pefile_parser.c 2014-06-17 09:15:13.852976303 -0400
+++ linux-2.6/arch/x86/kernel/pefile_parser.c 2014-06-17 09:15:37.029977668 -0400
@@ -18,6 +18,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include "pefile_parser.h"
@@ -374,6 +375,7 @@ int pefile_parse_verify_sig(const void *
 void *pkcs7;
 struct pefile_context ctx;
 int ret;
+ bool trusted;
 kenter("");
@@ -408,8 +410,7 @@ int pefile_parse_verify_sig(const void *
 if (ret < 0)
 goto error;
- ret = -ENOANO; // Not yet complete
-
+ ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
 error:
 pkcs7_free_message(ctx.pkcs7);
 return ret;
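Review bot: The `trusted` flag that pkcs7_validate_trust() fills in on the new line is never read, so if that helper reports an untrusted chain through its out-parameter rather than a negative return (its contract is not visible on this page), pefile_parse_verify_sig() hands back 0 for a signature whose chain does not intersect system_trusted_keyring. The return value is the only thing the caller gets, since `ret` is the last assignment before the `error:` cleanup. Suggest folding the flag into the result right after the call: `if (ret == 0 && !trusted) ret = -EKEYREJECTED;`. pefile_parse_verify_sig() begins outside the hunk, and the earlier `@@ -374` hunk declares `bool trusted;` without an initializer, which is harmless only as long as it is never read before that call succeeds.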