Commit 76adb2fb authored by Eric Snowberg's avatar Eric Snowberg Committed by Jarkko Sakkinen

KEYS: CA link restriction



Add a new link restriction.  Restrict the addition of keys to a keyring
based on whether the key being added is a CA.

Signed-off-by: default avatarEric Snowberg <eric.snowberg@oracle.com>
Reviewed-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
Tested-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
parent 56767128
+38 −0
@@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring,
	return ret;
}

/**
 * restrict_link_by_ca - Restrict additions to a ring of CA keys
 * @dest_keyring: Keyring being linked to.
 * @type: The type of key being added.
 * @payload: The payload of the new key.
 * @trust_keyring: Unused.
 *
 * Check if the new certificate is a CA. If it is a CA, then mark the new
 * certificate as being ok to link.
 *
 * Returns 0 if the new certificate was accepted, -ENOKEY if the
 * certificate is not a CA. -ENOPKG if the signature uses unsupported
 * crypto, or some other error if there is a matching certificate but
 * the signature check cannot be performed.
 */
int restrict_link_by_ca(struct key *dest_keyring,
			const struct key_type *type,
			const union key_payload *payload,
			struct key *trust_keyring)
{
	const struct public_key *pkey;

	if (type != &key_type_asymmetric)
		return -EOPNOTSUPP;

	pkey = payload->data[asym_crypto];
	if (!pkey)
		return -ENOPKG;
	if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags))
		return -ENOKEY;
	if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags))
		return -ENOKEY;
	if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags))
		return -ENOKEY;

	return 0;
}

static bool match_either_id(const struct asymmetric_key_id **pair,
			    const struct asymmetric_key_id *single)
{
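Review bot: The return-value paragraph of the kernel-doc for restrict_link_by_ca describes a signature check that the function never performs: -ENOPKG is returned only when payload->data[asym_crypto] is NULL, and there is no signature verification path in the body at all, so "some other error if ... the signature check cannot be performed" cannot happen. The paragraph looks carried over from restrict_link_by_signature above. I would replace it with `Returns 0 if the new certificate was accepted, -EOPNOTSUPP if the key type is not asymmetric, -ENOPKG if the payload carries no public key, and -ENOKEY if the certificate is not a CA with keyCertSign set and digitalSignature clear.` The description sentence "Check if the new certificate is a CA" should likewise state that acceptance is decided solely from the key_eflags parsed out of the certificate and that this restriction verifies no signature over the certificate, so a keyring that needs chain validation still has to combine it with a signature-based restriction.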
+15 −0
@@ -75,6 +75,21 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring,
						 const union key_payload *payload,
						 struct key *trusted);

#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE)
extern int restrict_link_by_ca(struct key *dest_keyring,
			       const struct key_type *type,
			       const union key_payload *payload,
			       struct key *trust_keyring);
#else
static inline int restrict_link_by_ca(struct key *dest_keyring,
				      const struct key_type *type,
				      const union key_payload *payload,
				      struct key *trust_keyring)
{
	return 0;
}
#endif

extern int query_asymmetric_key(const struct kernel_pkey_params *,
				struct kernel_pkey_query *);
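Review bot: The stub under `#else` returns 0, which tells the keyring code to accept the link, whereas the real restrict_link_by_ca rejects every non-asymmetric key with -EOPNOTSUPP; with CONFIG_ASYMMETRIC_KEY_TYPE unreachable, a keyring configured with this restriction would accept keys of any type. Unless a keyring using this restriction cannot exist in that configuration (which I cannot tell from this hunk), the stub should fail closed with `return -EOPNOTSUPP;`. Either way a one-line comment above the stub documenting the choice would help, e.g. `/* No asymmetric keys can exist here, so nothing qualifies as a CA: refuse all links. */`.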