David Howells <dhowe...@redhat.com> wrote:

> If a certificate is self-signed, don't bother checking the validity of the
> signature.  The cert cannot be checked by validation against the next one
> in the chain as this is the root of the chain.  Trust for this certificate
> can only be determined by whether we obtained it from a trusted location
> (ie. it was built into the kernel at compile time).
>
> This also fixes a bug whereby certificates were being assumed to be
> self-signed if they had neither AKID nor SKID, the symptoms of which show
> up as an attempt to load a certificate failing with -ERANGE or -EBADMSG.
> This is produced from the RSA module when the result of calculating "m =
> s^e mod n" is checked.

Oops - I forgot to change the patch description.

David