Heinrich,
On Fri, Jul 17, 2020 at 12:23:08PM +0200, Heinrich Schuchardt wrote:
On 17.07.20 09:16, AKASHI Takahiro wrote:
In this commit, efi_signature_verify(with_sigdb) will be re-implemented using pcks7_verify_one() in order to support certificates chain, where the signer's certificate will be signed by an intermediate CA (certificate authority) and the latter's certificate will also be signed by another CA and so on.
What we need to do here is to search for certificates in a signature, build up a chain of certificates and verify one by one. pkcs7_verify_one() handles most of these steps except the last one.
pkcs7_verify_one() returns, if succeeded, the last certificate to verify, which can be either a self-signed one or one that should be signed by one of certificates in "db". Re-worked efi_signature_verify() will take care of this step.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
With patches 1-6 applied to origin/master (fee68b98fe3890): make tests:
test/py/tests/test_efi_secboot/test_authvar.py FFFFF test/py/tests/test_efi_secboot/test_signed.py .F..FF test/py/tests/test_efi_secboot/test_unsigned.py ...
Even after rebasing the code to fee68b98fe3890, I have never seen any failures in those cases. (I use pytest directly instead of 'make tests' though.)
-Takahiro Akashi
Patches 1-5 pass the test.
Best regards
Heinrich