On 16.06.20 07:26, AKASHI Takahiro wrote:
> In this commit, efi_signature_verify(with_sigdb) will be re-implemented
> using pkcs7_verify_one() in order to support certificates chain, where
> the signer's certificate will be signed by an intermediate CA (certificate
> authority) and the latter's certificate will also be signed by another CA
> and so on.
>
> What we need to do here is to search for certificates in a signature,
> build up a chain of certificates and verify one by one. pkcs7_verify_one()
> handles most of these steps except the last one.
>
> pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
> which can be either a self-signed one or one that should be signed by one
> of certificates in "db". Re-worked efi_signature_verify() will take care
> of this step.
>
> Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org>
Sounds reasonable. Acked-by: Heinrich Schuchardt <xypron.g...@gmx.de>
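The chain walk and the final db check that the quoted commit message describes, as an added example that is not part of this thread or of U-Boot: it uses Go's crypto/x509 with constructed certificates in place of pkcs7_verify_one(), and mkCert, walkChain, verifyAgainstDB and Scenario are names chosen here. It accepts a self-signed terminal certificate only when that certificate is itself present in db, which is the conservative reading of the last step.

```go
package main
import ("crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"; "fmt"; "math/big"; "time")
// mkCert issues a constructed certificate for cn signed by (parent, pkey); parent == nil means self-signed.
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: fixed, known-good inputs
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: ca, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// walkChain stands in for pkcs7_verify_one(): from the signer, hop to whichever embedded certificate verifies the current one; returns the last certificate reached (nil if the embedded certificates loop).
func walkChain(cur *x509.Certificate, embedded []*x509.Certificate) *x509.Certificate {
	for range embedded { // each hop consumes one embedded certificate, which bounds the walk
		next := cur
		for _, c := range embedded {
			if c != cur && cur.CheckSignatureFrom(c) == nil {
				next = c
			}
		}
		if next == cur {
			return cur // self-signed, or its issuer is not embedded: the caller must consult db
		}
		cur = next
	}
	return nil
}
// verifyAgainstDB is the step efi_signature_verify() keeps for itself: the returned certificate must be signed by a db entry or, if self-signed, be a db entry itself.
func verifyAgainstDB(last *x509.Certificate, db []*x509.Certificate) bool {
	for _, t := range db {
		if last != nil && (last.Equal(t) || last.CheckSignatureFrom(t) == nil) {
			return true
		}
	}
	return false
}
// Scenario builds root -> intermediate -> signer, embeds only signer and intermediate in the signature, and reports acceptance with the root in db versus an unrelated self-signed CA in db.
func Scenario() (withRoot, withStranger bool) {
	root, rootKey := mkCert("Root CA", true, nil, nil)
	inter, interKey := mkCert("Intermediate CA", true, root, rootKey)
	signer, _ := mkCert("Image signer", false, inter, interKey)
	stranger, _ := mkCert("Unrelated CA", true, nil, nil)
	last := walkChain(signer, []*x509.Certificate{signer, inter})
	return verifyAgainstDB(last, []*x509.Certificate{root}), verifyAgainstDB(last, []*x509.Certificate{stranger})
}
func main() { fmt.Println(Scenario()) }
```

With the root absent from the signature the walk stops at the intermediate, so the outcome depends entirely on what db vouches for.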