author | James Bottomley <JBottomley@Parallels.com> | 2014-12-19 11:37:30 -0800 |
committer | James Bottomley <JBottomley@Parallels.com> | 2014-12-19 16:42:37 -0800 |
commit | 6b493361c28756e6e0167a972d06ab49ce24640f (patch) | |
tree | a5be9e5e86f6f5f71ebe3d58122f2a843251fa1b | |
parent | 35e2e074e362b949aa9c6ac1619312b8e2642080 (diff) | |
download | sbsigntools-6b493361c28756e6e0167a972d06ab49ce24640f.tar.gz |
sbverify: fix verification
No leaf is OK, as is an expired cert.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
-rw-r--r-- | src/sbverify.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/sbverify.c b/src/sbverify.c
index 2e3a75b..4c4b2c6 100644
--- a/src/sbverify.c
+++ b/src/sbverify.c
@@ -199,13 +199,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
 			&& ctx->cert->ex_xkusage == XKU_CODE_SIGN)
 		status = 1;
-	/* all certs given with the --cert argument are trusted */
 	else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
-			err == X509_V_ERR_CERT_UNTRUSTED) {
+			err == X509_V_ERR_CERT_UNTRUSTED ||
+			err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) {
+		/* all certs given with the --cert argument are trusted */
 		if (cert_in_store(ctx->current_cert, ctx))
 			status = 1;
-	}
+	} else if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+		/* UEFI explicitly allows expired certificates */
+		status = 1;
 	return status;
 }
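Review bot: The new `else if (err == X509_V_ERR_CERT_HAS_EXPIRED)` branch overrides a verification failure with an unbraced single statement and a comment wedged between the condition and that statement, which is the shape that later turns into a misplaced-brace bug; brace it as `} else if (err == X509_V_ERR_CERT_HAS_EXPIRED) {` with a closing `}` before `return status;`. Unlike the issuer-lookup cases just above, this override does not consult cert_in_store, so it applies to every certificate in the chain, not only those supplied with --cert; the comment should say so explicitly, e.g. `/* UEFI ignores validity periods: accept expiry for any cert in the chain, not just --cert ones */`. Nothing in the visible chain treats X509_V_ERR_CERT_NOT_YET_VALID the same way, so a certificate whose notBefore lies in the future is presumably still rejected; if that asymmetry is intended it is worth a sentence in the same comment. The opening of x509_verify_cb, including where `err` is obtained and the first branch of this if/else chain, lies outside the hunk.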