git.ipfire.org Git - thirdparty/kmod.git/commit

author	Stefan Strogin <steils@gentoo.org>
	Sun, 19 May 2019 00:42:01 +0000 (03:42 +0300)
committer	Lucas De Marchi <lucas.demarchi@intel.com>
	Tue, 28 May 2019 22:22:18 +0000 (15:22 -0700)
commit	628677e066198d8658d7edd5511a5bb27cd229f5
tree	312d7109691faeb2df3bb818a6924fb6d0fbda49	tree \| snapshot
parent	ea3e508f61251b16567f888042f6c4c60b48a4e0	commit \| diff

libkmod-signature: use PKCS#7 instead of CMS

Linux uses either PKCS #7 or CMS for signing modules (see
scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL,
so PKCS #7 is used on systems with these libcrypto providers.

CMS and PKCS #7 formats are very similar. CMS is newer but is as much as
possible backward compatible with PKCS #7 [1]. PKCS #7 is supported in
the latest OpenSSL as well as CMS. The fields used for signing kernel
modules are supported both in PKCS #7 and CMS.

For now modinfo uses CMS with no alternative requiring OpenSSL 1.1.0 or
newer.

Use PKCS #7 for parsing module signature information, so that modinfo
could be used both with OpenSSL and LibreSSL.

[1] https://tools.ietf.org/html/rfc5652#section-1.1

Changes v1->v2:
- Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both
with OpenSSL and LibreSSL.

Signed-off-by: Stefan Strogin <steils@gentoo.org>