| author | David Howells <dhowells@redhat.com> | 2015-09-25 16:31:46 +0100 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2015-09-25 16:31:46 +0100 |
| commit | 283e8ba2dfde54f8f27d7d0f459a07de79a39d55 | |
| tree | 0e4057e7b3e082a9b93d04ba7b1e9ca2f23ef034 /fs/hugetlbfs | |
| parent | e7c87bef7de2417b219d4dbfe8d33a0098a8df54 | |
MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old

The sign-file.c program actually uses CMS rather than PKCS#7 to sign a file
since that allows the target X.509 certificate to be specified by
subjectKeyId rather than by issuer + serialNumber.

However, older versions of the OpenSSL crypto library (such as may be found
in CentOS 5.11) don't support CMS. Assume everything prior to
OpenSSL-1.0.0 doesn't support CMS and switch to using PKCS#7 in that case.

Further, the pre-1.0.0 OpenSSL only supports PKCS#7 signing with SHA1, so
give an error from the sign-file script if the caller requests anything
other than SHA1.

The compiler gives the following error with an OpenSSL crypto library
that's too old:

    HOSTCC scripts/sign-file
    scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
    #include <openssl/cms.h>

Reported-by: Vinson Lee <vlee@twopensource.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Diffstat (limited to 'fs/hugetlbfs')
0 files changed, 0 insertions, 0 deletions
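
The commit message contrasts identifying the signer's certificate by subjectKeyId (CMS) with identifying it by issuer + serialNumber. As an added example (not code from sign-file.c or the kernel tree), this C code reads the first two fields of a DER-encoded SignerInfo and reports which form it carries, following RFC 5652: version 1 goes with issuerAndSerialNumber, version 3 with the `[0]` subjectKeyIdentifier. The names `der_header` and `signer_id_kind` are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

enum sid_kind { SID_ERROR = -1, SID_ISSUER_SERIAL = 1, SID_SUBJECT_KEY_ID = 3 };

/* Parse one DER tag/length at *pos within size bytes; leave *pos at the content. */
static int der_header(const uint8_t *b, size_t size, size_t *pos, uint8_t *tag, size_t *len)
{
    size_t p = *pos, n;
    if (p > size || size - p < 2)
        return -1;
    *tag = b[p++];
    *len = b[p++];
    if (*len & 0x80) {                  /* long form: next n bytes hold the length */
        n = *len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > size - p)
            return -1;
        for (*len = 0; n; n--)
            *len = (*len << 8) | b[p++];
    }
    if (*len > size - p)                /* content must fit inside the buffer */
        return -1;
    *pos = p;
    return 0;
}

/* Hypothetical helper: how does this SignerInfo name the signing certificate?
 * The enum values equal the SignerInfo version RFC 5652 requires for each form. */
enum sid_kind signer_id_kind(const uint8_t *si, size_t size)
{
    size_t pos = 0, len, end;
    uint8_t tag, version;
    if (der_header(si, size, &pos, &tag, &len) || tag != 0x30)
        return SID_ERROR;               /* SignerInfo is a SEQUENCE */
    end = pos + len;
    if (der_header(si, end, &pos, &tag, &len) || tag != 0x02 || len != 1)
        return SID_ERROR;               /* version INTEGER, one byte */
    version = si[pos++];
    if (der_header(si, end, &pos, &tag, &len))
        return SID_ERROR;
    /* 0x30: issuerAndSerialNumber SEQUENCE; 0x80: [0] IMPLICIT subjectKeyIdentifier */
    return (tag == 0x30 && version == 1) ? SID_ISSUER_SERIAL :
           (tag == 0x80 && version == 3) ? SID_SUBJECT_KEY_ID : SID_ERROR;
}

/* Constructed samples, truncated after the sid field (empty issuer Name, serial 42). */
const uint8_t sample_issuer_serial[] = { 0x30,0x0a, 0x02,0x01,0x01, 0x30,0x05, 0x30,0x00, 0x02,0x01,0x2a };
const uint8_t sample_subject_key_id[] = { 0x30,0x09, 0x02,0x01,0x03, 0x80,0x04, 0xde,0xad,0xbe,0xef };

int main(void) { return signer_id_kind(sample_subject_key_id, sizeof sample_subject_key_id) != SID_SUBJECT_KEY_ID; }
```

A signature that reports `SID_ISSUER_SERIAL` is what the PKCS#7 fallback path can produce, since PKCS#7 SignerInfo has only the issuerAndSerialNumber form.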