From df27a417b92ebdcf4161fd115fc61a204ff7c202 Mon Sep 17 00:00:00 2001
From: James Bottomley
Date: Fri, 5 Jun 2020 18:29:07 -0700
Subject: [PATCH] sbverify: fix verification with intermediate certificates

sbverify is currently failing if an intermediate certificate is added on signing but the binary is verified with the singing certificate. It fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This is happening because the x509_STORE only contains the signing certificate but the pkcs7 bundle in the binary contains the issuer certificate as well. Fix this by unconditionally approving any locally missing certificates on verify.

Signed-off-by: James Bottomley
---
 src/sbverify.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/sbverify.c b/src/sbverify.c
index 3920d91..4dddecc 100644
--- a/src/sbverify.c
+++ b/src/sbverify.c
@@ -210,8 +210,7 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
  == XKU_CODE_SIGN)
  status = 1;
 
- else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
- err == X509_V_ERR_CERT_UNTRUSTED ||
+ else if (err == X509_V_ERR_CERT_UNTRUSTED ||
  err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
  err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) {
  /* all certs given with the --cert argument are trusted */
@@ -221,6 +220,7 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
  } else if (err == X509_V_ERR_CERT_HAS_EXPIRED ||
  err == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD ||
  err == X509_V_ERR_CERT_NOT_YET_VALID ||
+ err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
  err == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD)
  /* UEFI explicitly allows expired certificates */
  status = 1;
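Review bot: Adding X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY to the `CERT_HAS_EXPIRED` branch makes the callback set `status = 1` for it unconditionally, whereas the `else if` it was removed from in the previous hunk opens a block whose comment says only `--cert` certificates are trusted, i.e. a further check that lies outside the hunk. As far as I can tell from OpenSSL's chain building, this same error is what a chain made entirely of certificates carried in the PKCS7 bundle produces when its top certificate is not self-signed, so a signer could ship a leaf plus a throwaway, non-self-signed "issuer" and have the binary verify against a `--cert` it was never signed with — worth confirming with a test before this lands. The intermediate-certificate case is better handled by enabling partial chains where the X509_STORE is built (outside this hunk), e.g. `X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);`, which lets OpenSSL 1.0.2+ accept a chain that reaches the `--cert` certificate itself without the callback waiving a missing issuer, after which both hunks can be dropped. x509_verify_cb begins before the first hunk and its `return` lies past this one.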