certs: Introduce search_trusted_key()

hulk inclusion
category: feature
feature: IMA Digest Lists extension
bugzilla: 46797

-------------------------------------------------

Introduce search_trusted_key() to extend the key search to the primary or
secondary built-in keyrings.
Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: NTianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: NJason Yan <yanaijie@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>

certs/system_keyring.c

@@ -326,6 +326,28 @@ int verify_pkcs7_signature(const void *data, size_t len,
 }
 EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
 
+struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type,
+			       char *name)
+{
+	key_ref_t kref;
+
+	if (!trusted_keys) {
+		trusted_keys = builtin_trusted_keys;
+	} else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+		trusted_keys = secondary_trusted_keys;
+#else
+		trusted_keys = builtin_trusted_keys;
+#endif
+	}
+	kref = keyring_search(make_key_ref(trusted_keys, 1), type, name, true);
+	if (IS_ERR(kref))
+		return ERR_CAST(kref);
+
+	return key_ref_to_ptr(kref);
+}
+EXPORT_SYMBOL_GPL(search_trusted_key);
+
 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
 
 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING

include/linux/verification.h

@@ -8,6 +8,8 @@
 #ifndef _LINUX_VERIFICATION_H
 #define _LINUX_VERIFICATION_H
 
+#include <linux/key.h>
+
 /*
  * Indicate that both builtin trusted keys and secondary trusted keys
  * should be used.
@@ -58,5 +60,8 @@ extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
 				   enum key_being_used_for usage);
 #endif
 
+struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type,
+			       char *name);
+
 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
 #endif /* _LINUX_VERIFY_PEFILE_H */