You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
94 lines
2.6 KiB
94 lines
2.6 KiB
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Peter Jones <pjones@redhat.com>
|
|
Date: Tue, 25 Apr 2017 17:00:46 -0400
|
|
Subject: [PATCH] more about the time
|
|
|
|
---
|
|
src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
|
|
1 file changed, 33 insertions(+), 26 deletions(-)
|
|
|
|
diff --git a/src/certdb.c b/src/certdb.c
|
|
index 673e074..1078a8a 100644
|
|
--- a/src/certdb.c
|
|
+++ b/src/certdb.c
|
|
@@ -345,14 +345,46 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
|
|
PRBool result;
|
|
SECStatus rv;
|
|
db_status status = NOT_FOUND;
|
|
+ PRTime atTime = PR_Now();
|
|
+ SECItem *eTime;
|
|
PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
|
|
- PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
|
|
+ PRTime notBefore, notAfter;
|
|
|
|
efi_guid_t efi_x509 = efi_guid_x509_cert;
|
|
|
|
if (memcmp(sigtype, &efi_x509, sizeof(efi_guid_t)) != 0)
|
|
return NOT_FOUND;
|
|
|
|
+ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
|
|
+ NULL, NULL);
|
|
+ if (!cinfo)
|
|
+ goto out;
|
|
+
|
|
+ notBefore = earlyNow;
|
|
+ notAfter = lateNow;
|
|
+ find_cert_times(cinfo, ¬Before, ¬After);
|
|
+ if (earlyNow < notBefore)
|
|
+ earlyNow = notBefore;
|
|
+ if (lateNow > notAfter)
|
|
+ lateNow = notAfter;
|
|
+
|
|
+ // atTime = determine_reasonable_time(cert);
|
|
+ eTime = SEC_PKCS7GetSigningTime(cinfo);
|
|
+ if (eTime != NULL) {
|
|
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
|
|
+ if (earlyNow < atTime)
|
|
+ earlyNow = atTime;
|
|
+ if (lateNow > atTime)
|
|
+ lateNow = atTime;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (lateNow < earlyNow)
|
|
+ printf("Signature has impossible time constraint: %ld <= %ld\n",
|
|
+ earlyNow / 1000000, lateNow / 1000000);
|
|
+ atTime = earlyNow / 2 + lateNow / 2;
|
|
+
|
|
+
|
|
cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
|
|
NULL, NULL);
|
|
if (!cinfo)
|
|
@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
|
|
PORT_ErrorToString(PORT_GetError()));
|
|
goto out;
|
|
}
|
|
- cert->timeOK = PR_TRUE;
|
|
-
|
|
- find_cert_times(cinfo, ¬Before, ¬After);
|
|
- if (earlyNow < notBefore)
|
|
- earlyNow = notBefore;
|
|
- if (lateNow > notAfter)
|
|
- lateNow = notAfter;
|
|
-
|
|
- SECItem *eTime;
|
|
- PRTime atTime;
|
|
- // atTime = determine_reasonable_time(cert);
|
|
- eTime = SEC_PKCS7GetSigningTime(cinfo);
|
|
- if (eTime != NULL) {
|
|
- if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
|
|
- if (earlyNow < atTime)
|
|
- earlyNow = atTime;
|
|
- if (lateNow > atTime)
|
|
- lateNow = atTime;
|
|
- }
|
|
- }
|
|
-
|
|
- if (lateNow < earlyNow)
|
|
- printf("Impossible time constraints: %ld <= %ld\n",
|
|
- earlyNow / 1000000, lateNow / 1000000);
|
|
- atTime = earlyNow / 2 + lateNow / 2;
|
|
|
|
/* Verify the signature */
|
|
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
|