From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 25 Apr 2017 17:00:46 -0400 Subject: [PATCH 19/29] more about the time --- src/certdb.c | 59 +++++++++++++++++++++++++++++++++-------------------------- 1 file changed, 33 insertions(+), 26 deletions(-) diff --git a/src/certdb.c b/src/certdb.c index 673e074..1078a8a 100644 --- a/src/certdb.c +++ b/src/certdb.c @@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, PRBool result; SECStatus rv; db_status status = NOT_FOUND; + PRTime atTime = PR_Now(); + SECItem *eTime; PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff; - PRTime notBefore = 0, notAfter = 0x7fffffffffffffff; + PRTime notBefore, notAfter; efi_guid_t efi_x509 = efi_guid_x509_cert; @@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, if (!cinfo) goto out; + notBefore = earlyNow; + notAfter = lateNow; + find_cert_times(cinfo, ¬Before, ¬After); + if (earlyNow < notBefore) + earlyNow = notBefore; + if (lateNow > notAfter) + lateNow = notAfter; + + // atTime = determine_reasonable_time(cert); + eTime = SEC_PKCS7GetSigningTime(cinfo); + if (eTime != NULL) { + if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) { + if (earlyNow < atTime) + earlyNow = atTime; + if (lateNow > atTime) + lateNow = atTime; + } + } + + if (lateNow < earlyNow) + printf("Signature has impossible time constraint: %ld <= %ld\n", + earlyNow / 1000000, lateNow / 1000000); + atTime = earlyNow / 2 + lateNow / 2; + + + cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL, + NULL, NULL); + if (!cinfo) + goto out; + /* Generate the digest of contentInfo */ /* XXX support only sha256 for now */ digest = SECITEM_AllocItem(NULL, NULL, 32); @@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, PORT_ErrorToString(PORT_GetError())); goto out; } - cert->timeOK = PR_TRUE; - - find_cert_times(cinfo, ¬Before, ¬After); - if (earlyNow < notBefore) - earlyNow = notBefore; - if (lateNow > notAfter) - lateNow = notAfter; - - SECItem *eTime; - PRTime atTime; - // atTime = determine_reasonable_time(cert); - eTime = SEC_PKCS7GetSigningTime(cinfo); - if (eTime != NULL) { - if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) { - if (earlyNow < atTime) - earlyNow = atTime; - if (lateNow > atTime) - lateNow = atTime; - } - } - - if (lateNow < earlyNow) - printf("Impossible time constraints: %ld <= %ld\n", - earlyNow / 1000000, lateNow / 1000000); - atTime = earlyNow / 2 + lateNow / 2; /* Verify the signature */ result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo, -- 2.13.4