From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 17:00:46 -0400
Subject: [PATCH 19/29] more about the time
---
src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
1 file changed, 33 insertions(+), 26 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 673e074..1078a8a 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PRBool result;
SECStatus rv;
db_status status = NOT_FOUND;
+ PRTime atTime = PR_Now();
+ SECItem *eTime;
PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
- PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
+ PRTime notBefore, notAfter;
efi_guid_t efi_x509 = efi_guid_x509_cert;
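Review bot: The `PR_Now()` initializer added to `atTime` is a dead store on the path the next hunk adds: `atTime = earlyNow / 2 + lateNow / 2;` there is not under the `if`, so it always replaces the current time and verification never runs against the system clock. If the current time is meant as the fallback when the signature carries no signing time, that needs an explicit branch. Otherwise drop the initializer and say so in a comment, for example `/* atTime is derived from the cert validity window and the claimed signing time, not the system clock */`. check_cert's body begins and ends outside this hunk.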
@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
if (!cinfo)
goto out;
+ notBefore = earlyNow;
+ notAfter = lateNow;
+ find_cert_times(cinfo, ¬Before, ¬After);
+ if (earlyNow < notBefore)
+ earlyNow = notBefore;
+ if (lateNow > notAfter)
+ lateNow = notAfter;
+
+ // atTime = determine_reasonable_time(cert);
+ eTime = SEC_PKCS7GetSigningTime(cinfo);
+ if (eTime != NULL) {
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+ if (earlyNow < atTime)
+ earlyNow = atTime;
+ if (lateNow > atTime)
+ lateNow = atTime;
+ }
+ }
+
+ if (lateNow < earlyNow)
+ printf("Signature has impossible time constraint: %ld <= %ld\n",
+ earlyNow / 1000000, lateNow / 1000000);
+ atTime = earlyNow / 2 + lateNow / 2;
+
+
+ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL);
+ if (!cinfo)
+ goto out;
+
/* Generate the digest of contentInfo */
/* XXX support only sha256 for now */
digest = SECITEM_AllocItem(NULL, NULL, 32);
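Review bot: An impossible time window is only reported, not rejected: `if (lateNow < earlyNow)` guards just the `printf`, and `atTime = earlyNow / 2 + lateNow / 2;` then picks a time anyway, so a signature whose claimed signing time lies outside the certificate validity window still reaches verification. The signing time is taken from the PKCS#7 blob itself and is read here before the signature has been checked, so it should be treated as untrusted input; failing closed is safer, e.g. `if (lateNow < earlyNow) { printf(...); goto out; }`. Separately, the added `cinfo = SEC_PKCS7DecodeItem(pkcs7sig, ...)` overwrites a `cinfo` that already passed `if (!cinfo) goto out;` above, which appears to leak the first decode unless it is released elsewhere; either drop the second decode or call `SEC_PKCS7DestroyContentInfo(cinfo);` before it. check_cert's body continues outside the hunk.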
@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PORT_ErrorToString(PORT_GetError()));
goto out;
}
- cert->timeOK = PR_TRUE;
-
- find_cert_times(cinfo, ¬Before, ¬After);
- if (earlyNow < notBefore)
- earlyNow = notBefore;
- if (lateNow > notAfter)
- lateNow = notAfter;
-
- SECItem *eTime;
- PRTime atTime;
- // atTime = determine_reasonable_time(cert);
- eTime = SEC_PKCS7GetSigningTime(cinfo);
- if (eTime != NULL) {
- if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
- if (earlyNow < atTime)
- earlyNow = atTime;
- if (lateNow > atTime)
- lateNow = atTime;
- }
- }
-
- if (lateNow < earlyNow)
- printf("Impossible time constraints: %ld <= %ld\n",
- earlyNow / 1000000, lateNow / 1000000);
- atTime = earlyNow / 2 + lateNow / 2;
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
--
2.13.4