2017-08-10 18:19:50 +00:00
|
|
|
From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001
|
|
|
|
From: Peter Jones <pjones@redhat.com>
|
|
|
|
Date: Tue, 25 Apr 2017 16:25:02 -0400
|
2017-08-15 15:14:22 +00:00
|
|
|
Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable
|
2017-08-10 18:19:50 +00:00
|
|
|
validation time.
|
|
|
|
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
---
|
|
|
|
src/certdb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
|
|
|
|
1 file changed, 66 insertions(+), 9 deletions(-)
|
|
|
|
|
|
|
|
diff --git a/src/certdb.c b/src/certdb.c
|
|
|
|
index b7c99bb..1a4baf1 100644
|
|
|
|
--- a/src/certdb.c
|
|
|
|
+++ b/src/certdb.c
|
|
|
|
@@ -250,12 +250,53 @@ check_db_hash(db_specifier which, pesigcheck_context *ctx)
|
|
|
|
return check_db(which, ctx, check_hash, NULL, 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
-static PRTime
|
|
|
|
-determine_reasonable_time(CERTCertificate *cert)
|
|
|
|
+static void
|
|
|
|
+find_cert_times(SEC_PKCS7ContentInfo *cinfo,
|
|
|
|
+ PRTime *notBefore, PRTime *notAfter)
|
|
|
|
{
|
|
|
|
- PRTime notBefore, notAfter;
|
|
|
|
- CERT_GetCertTimes(cert, ¬Before, ¬After);
|
|
|
|
- return notBefore;
|
|
|
|
+ CERTCertDBHandle *defaultdb, *certdb;
|
|
|
|
+ SEC_PKCS7SignedData *sdp;
|
|
|
|
+ CERTCertificate **certs = NULL;
|
|
|
|
+ SECItem **rawcerts;
|
|
|
|
+ int i, certcount;
|
|
|
|
+ SECStatus rv;
|
|
|
|
+
|
|
|
|
+ if (cinfo->contentTypeTag->offset != SEC_OID_PKCS7_SIGNED_DATA) {
|
|
|
|
+err:
|
|
|
|
+ *notBefore = 0;
|
|
|
|
+ *notAfter = 0x7fffffffffffffff;
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ sdp = cinfo->content.signedData;
|
|
|
|
+ rawcerts = sdp->rawCerts;
|
|
|
|
+
|
|
|
|
+ defaultdb = CERT_GetDefaultCertDB();
|
|
|
|
+
|
|
|
|
+ certdb = defaultdb;
|
|
|
|
+ if (certdb == NULL)
|
|
|
|
+ goto err;
|
|
|
|
+
|
|
|
|
+ certcount = 0;
|
|
|
|
+ if (rawcerts != NULL) {
|
|
|
|
+ for (; rawcerts[certcount] != NULL; certcount++)
|
|
|
|
+ ;
|
|
|
|
+ }
|
|
|
|
+ rv = CERT_ImportCerts(certdb, certUsageObjectSigner, certcount,
|
|
|
|
+ rawcerts, &certs, PR_FALSE, PR_FALSE, NULL);
|
|
|
|
+ if (rv != SECSuccess)
|
|
|
|
+ goto err;
|
|
|
|
+
|
|
|
|
+ for (i = 0; i < certcount; i++) {
|
|
|
|
+ PRTime nb = 0, na = 0x7fffffffffff;
|
|
|
|
+ CERT_GetCertTimes(certs[i], &nb, &na);
|
|
|
|
+ if (*notBefore < nb)
|
|
|
|
+ *notBefore = nb;
|
|
|
|
+ if (*notAfter > na)
|
|
|
|
+ *notAfter = na;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ CERT_DestroyCertArray(certs, certcount);
|
|
|
|
}
|
|
|
|
|
|
|
|
static db_status
|
|
|
|
@@ -271,6 +312,8 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
|
|
|
|
PRBool result;
|
|
|
|
SECStatus rv;
|
|
|
|
db_status status = NOT_FOUND;
|
|
|
|
+ PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
|
|
|
|
+ PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
|
|
|
|
|
|
|
|
efi_guid_t efi_x509 = efi_guid_x509_cert;
|
|
|
|
|
|
|
|
@@ -327,16 +370,30 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
|
|
|
|
}
|
|
|
|
cert->timeOK = PR_TRUE;
|
|
|
|
|
|
|
|
+ find_cert_times(cinfo, ¬Before, ¬After);
|
|
|
|
+ if (earlyNow < notBefore)
|
|
|
|
+ earlyNow = notBefore;
|
|
|
|
+ if (lateNow > notAfter)
|
|
|
|
+ lateNow = notAfter;
|
|
|
|
+
|
|
|
|
SECItem *eTime;
|
|
|
|
PRTime atTime;
|
|
|
|
// atTime = determine_reasonable_time(cert);
|
|
|
|
eTime = SEC_PKCS7GetSigningTime(cinfo);
|
|
|
|
if (eTime != NULL) {
|
|
|
|
- if (DER_DecodeTimeChoice (&atTime, eTime) != SECSuccess)
|
|
|
|
- atTime = determine_reasonable_time(cert);
|
|
|
|
- } else {
|
|
|
|
- atTime = determine_reasonable_time(cert);
|
|
|
|
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
|
|
|
|
+ if (earlyNow < atTime)
|
|
|
|
+ earlyNow = atTime;
|
|
|
|
+ if (lateNow > atTime)
|
|
|
|
+ lateNow = atTime;
|
|
|
|
+ }
|
|
|
|
}
|
|
|
|
+
|
|
|
|
+ if (lateNow < earlyNow)
|
|
|
|
+ printf("Impossible time constraints: %ld <= %ld\n",
|
|
|
|
+ earlyNow / 1000000, lateNow / 1000000);
|
|
|
|
+ atTime = earlyNow / 2 + lateNow / 2;
|
|
|
|
+
|
|
|
|
/* Verify the signature */
|
|
|
|
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
|
|
|
|
certUsageObjectSigner,
|
|
|
|
--
|
|
|
|
2.13.4
|
|
|
|
|