vbatts/sbsigntools
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

sbverify: fix verification

Browse source 
no leaf is OK as is expired cert.

Signed-off-by: James Bottomley <JBottomley@Parallels.com>
This commit is contained in:
James Bottomley 2014-12-19 11:37:30 -08:00
parent 35e2e074e3
commit 6b493361c2
1 changed files with 6 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
src/sbverify.c
View file

@ -199,13 +199,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
&& ctx->cert->ex_xkusage == XKU_CODE_SIGN) && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
status = 1; status = 1;
/* all certs given with the --cert argument are trusted */
else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
err == X509_V_ERR_CERT_UNTRUSTED) { err == X509_V_ERR_CERT_UNTRUSTED ||
err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) {
/* all certs given with the --cert argument are trusted */
if (cert_in_store(ctx->current_cert, ctx)) if (cert_in_store(ctx->current_cert, ctx))
status = 1; status = 1;
} } else if (err == X509_V_ERR_CERT_HAS_EXPIRED)
/* UEFI explicitly allows expired certificates */
status = 1;
return status; return status;
} }