sbverify: explicitly trust all certificates given in --cert arguments
In line with the verification process in firmware, update our verify callback to explicitly trust all certificates that we load to our cert store. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
This commit is contained in:
Jeremy Kerr
parent
c98692a71f
commit
050f003ce7
1 changed files with 18 additions and 0 deletions
|
|
@ -180,6 +180,16 @@ static int load_detached_signature_data(struct image *image,
|
||||||
return fileio_read_file(image, filename, buf, len);
|
return fileio_read_file(image, filename, buf, len);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
|
||||||
|
{
|
||||||
|
X509_OBJECT obj;
|
||||||
|
|
||||||
|
obj.type = X509_LU_X509;
|
||||||
|
obj.data.x509 = cert;
|
||||||
|
|
||||||
|
return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
|
||||||
|
}
|
||||||
|
|
||||||
static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
|
static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
|
||||||
{
|
{
|
||||||
int err = X509_STORE_CTX_get_error(ctx);
|
int err = X509_STORE_CTX_get_error(ctx);
|
||||||
|
|
@ -189,6 +199,14 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
|
||||||
&& ctx->cert->ex_xkusage == XKU_CODE_SIGN)
|
&& ctx->cert->ex_xkusage == XKU_CODE_SIGN)
|
||||||
status = 1;
|
status = 1;
|
||||||
|
|
||||||
|
/* all certs given with the --cert argument are trusted */
|
||||||
|
else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
|
||||||
|
err == X509_V_ERR_CERT_UNTRUSTED) {
|
||||||
|
|
||||||
|
if (cert_in_store(ctx->current_cert, ctx))
|
||||||
|
status = 1;
|
||||||
|
}
|
||||||
|
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue