Added by commit 436529562df2748fd9918f578205b22cf8ced277
Author: David Howells <dhowells@xxxxxxxxxx>
Date: Mon Apr 3 16:07:25 2017 +0100

X.509: Allow X.509 certs to be blacklisted

Ironically it duplicates a UEFI bug we've been struggling with for a while in the pkcs11 handlers: namely if you have a blacklist based on certificate hashes, an interface which only takes a hash cannot definitively tell you if the certificate is on the blacklist or not because the hash the cert is blacklisted by may be a different algorithm from the hash you feed into is_hash_blacklisted(). This means that the only safe way to use the interface is to construct every possible hash of the cert and feed them one at a time into is_hash_blacklisted(). This makes it an almost unusable API.

I suggest you deprecate this interface immediately and introduce an is_cert_blacklisted() one which takes a pointer to the TBS data. Then the implementation can loop over the blacklists, see the hash type and construct the hash of the TBS data for comparison (caching the hashes for efficiency). That way you'll be assured of a definitive answer and an easy API.

It might be reasonable to cc linux-efi on future kernel keyring stuff, because some of the other issues may have also come up in the UEFI keyrings.

James
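As an added illustration of the point made above (example code, not from the kernel or from this thread), here is a Python model of the two interfaces: the hash-only check misses a cert that was blacklisted under a different digest algorithm, while a TBS-based check hashes the TBS data with each blacklist entry's own algorithm and caches per algorithm. The TBS bytes, the blacklist entries and the candidate-algorithm list are constructed sample values.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a DER-encoded TBSCertificate (not a real cert).
TBS_DATA = b"constructed TBSCertificate bytes for the example"

# Constructed blacklist: (digest algorithm, hex digest of the TBS data).
# Entries may use different algorithms; our sample cert is listed by SHA-512 only.
BLACKLIST: List[Tuple[str, str]] = [
    ("sha256", hashlib.sha256(b"some other certificate").hexdigest()),
    ("sha512", hashlib.sha512(TBS_DATA).hexdigest()),
]

# Algorithms a caller might have to try when only a hash-based API exists.
CANDIDATE_ALGOS = ["sha1", "sha224", "sha256", "sha384", "sha512"]


def digest(algo: str, tbs: bytes) -> str:
    """Hex digest of the TBS data under the named algorithm."""
    return hashlib.new(algo, tbs).hexdigest()


def is_hash_blacklisted(hash_hex: str) -> bool:
    """Hash-only interface: matches only if the caller used the same algorithm
    as the blacklist entry, so a 'False' here is not a definitive answer."""
    return any(entry_hash == hash_hex for _, entry_hash in BLACKLIST)


def check_via_hash_api(tbs: bytes) -> int:
    """The workaround described above: feed every candidate hash in, one at a
    time.  Returns how many hash computations it took (0 means not found)."""
    for n, algo in enumerate(CANDIDATE_ALGOS, start=1):
        if is_hash_blacklisted(digest(algo, tbs)):
            return n
    return 0


def is_cert_blacklisted(tbs: bytes, cache: Optional[Dict[str, str]] = None) -> bool:
    """Suggested interface: walk the blacklist, read each entry's algorithm,
    hash the TBS data with that algorithm (cached) and compare."""
    if cache is None:
        cache = {}
    for algo, entry_hash in BLACKLIST:
        if algo not in cache:
            cache[algo] = digest(algo, tbs)
        if cache[algo] == entry_hash:
            return True
    return False
```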