sbverify: fix verification with intermediate certificates

sbverify is currently failing if an intermediate certificate is added
on signing but the binary is verified with the signing certificate.
It fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

This is happening because the x509_STORE only contains the signing
certificate but the pkcs7 bundle in the binary contains the issuer
certificate as well.  Fix this by unconditionally approving any
locally missing certificates on verify.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
This commit is contained in:
James Bottomley 2020-06-05 18:29:07 -07:00
parent 7d6210e4b1
commit df27a417b9


@ -210,8 +210,7 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
== XKU_CODE_SIGN)
status = 1;
else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
err == X509_V_ERR_CERT_UNTRUSTED ||
else if (err == X509_V_ERR_CERT_UNTRUSTED ||
err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) {
/* all certs given with the --cert argument are trusted */
@ -221,6 +220,7 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
} else if (err == X509_V_ERR_CERT_HAS_EXPIRED ||
err == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD ||
err == X509_V_ERR_CERT_NOT_YET_VALID ||
err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
err == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD)
/* UEFI explicitly allows expired certificates */
status = 1;
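Review bot: Adding X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY to the branch ending this hunk makes that error accepted for every certificate in the chain, whereas the branch it was removed from in the first hunk is, per its own comment, limited to certs given with --cert; if that branch really checks membership in the --cert list, this widens what passes verification beyond the case described in the commit message. The narrower fix for a non-self-signed --cert anchor is to set X509_V_FLAG_PARTIAL_CHAIN on the store via X509_STORE_set_flags(), which lets OpenSSL treat the supplied cert as a trust anchor without the callback overriding the error. If the unconditional approval is kept, the comment `/* UEFI explicitly allows expired certificates */` no longer describes the added line; add `/* the --cert anchor may itself be an intermediate, so a missing local issuer is not fatal */` beside it. x509_verify_cb begins and ends outside this hunk.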