From: Roberto Sassu <roberto.sa...@huawei.com>

Retry asymmetric key search in restrict_link_by_signature() to support the
case of partial IDs, provided by PGP signatures (only the last 8 bytes).

Although RFC 9580 supports the signature subpacket type 33, which contains
the full issuer fingerprint, we cannot rely on existing signatures to
support it.

Signed-off-by: Roberto Sassu <roberto.sa...@huawei.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
 crypto/asymmetric_keys/restrict.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/crypto/asymmetric_keys/restrict.c 
b/crypto/asymmetric_keys/restrict.c
index afcd4d101ac5..dd3d4b3405f7 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -97,8 +97,14 @@ int restrict_link_by_signature(struct key *dest_keyring,
        key = find_asymmetric_key(trust_keyring,
                                  sig->auth_ids[0], sig->auth_ids[1],
                                  sig->auth_ids[2], false);
-       if (IS_ERR(key))
-               return -ENOKEY;
+       if (IS_ERR(key)) {
+               /* Retry with a partial ID. */
+               key = find_asymmetric_key(trust_keyring,
+                                         sig->auth_ids[0], sig->auth_ids[1],
+                                         sig->auth_ids[2], true);
+               if (IS_ERR(key))
+                       return -ENOKEY;
+       }
 
        if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
                ret = -ENOKEY;
-- 
2.34.1


Reply via email to