pesign/0019-more-about-the-time.patch

98 lines
2.7 KiB
Diff

From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 17:00:46 -0400
Subject: [PATCH 19/29] more about the time
---
src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
1 file changed, 33 insertions(+), 26 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 673e074..1078a8a 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PRBool result;
SECStatus rv;
db_status status = NOT_FOUND;
+ PRTime atTime = PR_Now();
+ SECItem *eTime;
PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
- PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
+ PRTime notBefore, notAfter;
efi_guid_t efi_x509 = efi_guid_x509_cert;
@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
if (!cinfo)
goto out;
+ notBefore = earlyNow;
+ notAfter = lateNow;
+ find_cert_times(cinfo, &notBefore, &notAfter);
+ if (earlyNow < notBefore)
+ earlyNow = notBefore;
+ if (lateNow > notAfter)
+ lateNow = notAfter;
+
+ // atTime = determine_reasonable_time(cert);
+ eTime = SEC_PKCS7GetSigningTime(cinfo);
+ if (eTime != NULL) {
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+ if (earlyNow < atTime)
+ earlyNow = atTime;
+ if (lateNow > atTime)
+ lateNow = atTime;
+ }
+ }
+
+ if (lateNow < earlyNow)
+ printf("Signature has impossible time constraint: %ld <= %ld\n",
+ earlyNow / 1000000, lateNow / 1000000);
+ atTime = earlyNow / 2 + lateNow / 2;
+
+
+ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL);
+ if (!cinfo)
+ goto out;
+
/* Generate the digest of contentInfo */
/* XXX support only sha256 for now */
digest = SECITEM_AllocItem(NULL, NULL, 32);
@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PORT_ErrorToString(PORT_GetError()));
goto out;
}
- cert->timeOK = PR_TRUE;
-
- find_cert_times(cinfo, &notBefore, &notAfter);
- if (earlyNow < notBefore)
- earlyNow = notBefore;
- if (lateNow > notAfter)
- lateNow = notAfter;
-
- SECItem *eTime;
- PRTime atTime;
- // atTime = determine_reasonable_time(cert);
- eTime = SEC_PKCS7GetSigningTime(cinfo);
- if (eTime != NULL) {
- if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
- if (earlyNow < atTime)
- earlyNow = atTime;
- if (lateNow > atTime)
- lateNow = atTime;
- }
- }
-
- if (lateNow < earlyNow)
- printf("Impossible time constraints: %ld <= %ld\n",
- earlyNow / 1000000, lateNow / 1000000);
- atTime = earlyNow / 2 + lateNow / 2;
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
--
2.13.4