vbatts/sbsigntools
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

sbverify: add extra expiry errors to ignore

Browse source 
Original patch from: Steve Langasek <steve.langasek@canonical.com>

The ubuntu version of the signature expiry patch ignores serveral more errors,
so add them.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1234649.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
This commit is contained in:
James Bottomley 2016-01-27 11:42:53 -08:00
parent be1f3d8350
commit a03f9d4d7c
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/sbverify.c
View file

@ -189,7 +189,10 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
if (cert_in_store(ctx->current_cert, ctx))
status = 1;
} else if (err == X509_V_ERR_CERT_HAS_EXPIRED)
} else if (err == X509_V_ERR_CERT_HAS_EXPIRED ||
err == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD ||
err == X509_V_ERR_CERT_NOT_YET_VALID ||
err == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD)
/* UEFI explicitly allows expired certificates */
status = 1;