pkcs7: fix check for self-signed certificate
pkcs7_validate_trust_one() used 'x509->next == x509' to identify a self-signed certificate. That's wrong; ->next is simply the link in the linked list of certificates in the PKCS#7 message. It should be checking ->signer instead. Fix it. Fortunately this didn't actually matter because when we re-visited 'x509' on the next iteration via 'x509->signer', it was already seen and not verified, so we returned -ENOKEY anyway. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: James Morris <james.l.morris@oracle.com>
This commit is contained in:
parent
8ecb506d34
commit
7204eb8590
|
@ -69,7 +69,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
|
|||
/* Self-signed certificates form roots of their own, and if we
|
||||
* don't know them, then we can't accept them.
|
||||
*/
|
||||
if (x509->next == x509) {
|
||||
if (x509->signer == x509) {
|
||||
kleave(" = -ENOKEY [unknown self-signed]");
|
||||
return -ENOKEY;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue