authorJames Bottomley <JBottomley@Parallels.com>2014-12-19 11:37:30 -0800
committerJames Bottomley <JBottomley@Parallels.com>2014-12-19 16:42:37 -0800
commit6b493361c28756e6e0167a972d06ab49ce24640f (patch)
treea5be9e5e86f6f5f71ebe3d58122f2a843251fa1b
parent35e2e074e362b949aa9c6ac1619312b8e2642080 (diff)
downloadsbsigntools-6b493361c28756e6e0167a972d06ab49ce24640f.tar.gz
sbverify: fix verification
No leaf is OK, as is an expired cert. Signed-off-by: James Bottomley <JBottomley@Parallels.com>
-rw-r--r--src/sbverify.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/sbverify.c b/src/sbverify.c
index 2e3a75b..4c4b2c6 100644
--- a/src/sbverify.c
+++ b/src/sbverify.c
@@ -199,13 +199,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
&& ctx->cert->ex_xkusage == XKU_CODE_SIGN)
status = 1;
- /* all certs given with the --cert argument are trusted */
else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
- err == X509_V_ERR_CERT_UNTRUSTED) {
+ err == X509_V_ERR_CERT_UNTRUSTED ||
+ err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) {
+ /* all certs given with the --cert argument are trusted */
if (cert_in_store(ctx->current_cert, ctx))
status = 1;
- }
+ } else if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+ /* UEFI explicitly allows expired certificates */
+ status = 1;
return status;
}
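Review bot: The new `else if (err == X509_V_ERR_CERT_HAS_EXPIRED)` branch carries a comment plus a single statement with no braces, while the branch directly above it is braced; `} else if (err == X509_V_ERR_CERT_HAS_EXPIRED) {` with a matching `}` before `return status;` keeps the two arms in the same shape and avoids the classic unbraced-else slip if a second statement is ever added. If the intent is to mirror UEFI disregarding the validity period rather than only its end, X509_V_ERR_CERT_NOT_YET_VALID is the symmetric case and is still rejected here — either handle it alongside or state in the comment that only expiry is tolerated. The comment would serve a later reader better as `/* UEFI ignores certificate expiry when checking Authenticode signatures; trust still comes from the --cert branch above */` — presumably accurate, since the trust decision stays with the cert_in_store() branch and this arm only tolerates the time check, but confirm against the spec wording before committing to it. The opening of x509_verify_cb and the first condition of the if-chain are outside the hunk.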