certs: Reference revocation list for all keyrings

[thirdparty/linux.git] / certs / system_keyring.c

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 33841c91f12cc88d12080b39636d539e57b1014f..9de610bf1f4b2854e38b8482e16113d0008295f9 100644 (file)
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -330,6 +330,12 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
        if (ret < 0)
                goto error;
 
+       ret = is_key_on_revocation_list(pkcs7);
+       if (ret != -ENOKEY) {
+               pr_devel("PKCS#7 key is on revocation list\n");
+               goto error;
+       }
+
        if (!trusted_keys) {
                trusted_keys = builtin_trusted_keys;
        } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
@@ -349,12 +355,6 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
                        pr_devel("PKCS#7 platform keyring is not available\n");
                        goto error;
                }
-
-               ret = is_key_on_revocation_list(pkcs7);
-               if (ret != -ENOKEY) {
-                       pr_devel("PKCS#7 platform key is on revocation list\n");
-                       goto error;
-               }
        }
        ret = pkcs7_validate_trust(pkcs7, trusted_keys);
        if (ret < 0) {