On Fri, Sep 25, 2015 at 7:24 AM, David Howells <[email protected]> wrote: > Here's my patch with the changes squashed into it for reference. > > David > --- > commit 81852354cf81402ae69fda4d67138accab2702d5 > Author: David Howells <[email protected]> > Date: Thu Sep 24 14:06:02 2015 +0100 > > MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old > > The sign-file.c program actually uses CMS rather than PKCS#7 to sign a > file > since that allows the target X.509 certificate to be specified by > subjectKeyId rather than by issuer + serialNumber. > > However, older versions of the OpenSSL crypto library (such as may be > found > in CentOS 5.11) don't support CMS. Assume everything prior to > OpenSSL-1.0.0 doesn't support CMS and switch to using PKCS#7 in that case. > > Further, the pre-1.0.0 OpenSSL only supports PKCS#7 signing with SHA1, so > give an error from the sign-file script if the caller requests anything > other than SHA1. > > The compiler gives the following error with an OpenSSL crypto library > that's too old: > > HOSTCC scripts/sign-file > scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or > directory > #include <openssl/cms.h> > > Reported-by: Vinson Lee <[email protected]> > Signed-off-by: David Howells <[email protected]> > Acked-by: David Woodhouse <[email protected]> >
This squashed patch also builds for me on CentOS 5.11. Linux 4.2-rc2 plus this patch booted up without issue and it appears this feature is available. $ dmesg | grep -i 'x.*509' [ 1.888412] Asymmetric key parser 'x509' registered [ 3.485152] Loading compiled-in X.509 certificates [ 3.490659] Loaded X.509 cert 'Build time autogenerated kernel key: ea8ef2f666280e4d429a8ff8a2056069bbb55979' Vinson -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
