On 10/21/2016 03:52 PM, Mat Martineau wrote:

Verifying certificate chains was a little awkward using the
L_KEYRING_TRUSTED_ASYM keyring type, which required verifying the
signature and then separately adding the verified certificate to the

With L_KEYRING_TRUSTED_ASYM_CHAIN, the destination keyring is also
searched for signing keys.

One use model is to have two keyrings:

1. trust_keyring: contains long-lived root and intermediate CA certs.
2. verify_keyring: an L_KEYRING_TRUSTED_ASYM_CHAIN keyring that
   is created with "trust_keyring" referenced for

In order to validate new certificates, they are added to verify_keyring
in series, starting with certs that are signed by those in
trust_keyring. Once an intermediate CA cert is added to verify_keyring,
certs signed by that intermediate CA can also be added to verify_keyring.

ell/key.c | 22 ++++++++++++++++------
ell/key.h | 3 ++-
2 files changed, 18 insertions(+), 7 deletions(-)

All four applied, thanks.