[RFC 04/11] crypto: pkcs7: add flag for validated trust on a signed info block
James Bottomley
James.Bottomley at HansenPartnership.com
Sat Dec 13 05:50:13 UTC 2025
On Fri, 2025-12-12 at 09:45 +0000, David Howells wrote:
> Note that there are two other potentially conflicting sets of changes
> to the PKCS#7 code that will need to be coordinated: ML-DSA support
> and RSASSA-PSS support. The former wants to do the hashing itself,
> the latter requires signature parameters.
I don't think there'll be a conflict. The only changes this makes is
to add an API that exposes the attributes. It shouldn't have any
effect on the way signatures are currently verified.
>From the use case patches it looks like we could simply get the struct
pkcs7 verified by calling verify_pkcs7_message_sig() as long as the
symbol is exported; Initially I didn't think they'd have access to the
content to reverify, so I added the extra patches to break out the
validate_pkcs7_trust() calls, but I don't think they're necessary now.
Regards,
James
More information about the Linux-security-module-archive
mailing list