|
 |
6c691a |
commit 58f79c3d235290c4cecccc1d55cbcc2da8e988a6
|
|
|
6c691a |
Author: Richard Hughes <richard@hughsie.com>
|
|
|
6c691a |
Date: Thu Aug 1 09:45:25 2019 +0100
|
|
|
6c691a |
|
|
|
6c691a |
Relax the certificate time checks in the self tests for the legacy certificate
|
|
|
6c691a |
|
|
|
6c691a |
One test verifies a firmware with a signature from the old LVFS which was
|
|
|
6c691a |
hosted on secure-lvfs.rhcloud.com and used the original PKCS-7 key. This key
|
|
|
6c691a |
had a two year validity (expiring today, ohh the naivety...) rather than the
|
|
|
6c691a |
newer fwupd.org key which expires in the year 2058.
|
|
|
6c691a |
|
|
|
6c691a |
For this specific test only, disable the certificate time checks to fix CI.
|
|
|
6c691a |
|
|
|
6c691a |
Fixes https://github.com/hughsie/fwupd/issues/1264
|
|
|
6c691a |
|
|
|
6c691a |
diff --git a/src/fu-engine.c b/src/fu-engine.c
|
|
|
6c691a |
index ac102cfa..1a57b0af 100644
|
|
|
6c691a |
--- a/src/fu-engine.c
|
|
|
6c691a |
+++ b/src/fu-engine.c
|
|
|
6c691a |
@@ -1908,7 +1908,8 @@ fu_engine_get_existing_keyring_result (FuEngine *self,
|
|
|
6c691a |
blob_sig = fu_common_get_contents_bytes (fwupd_remote_get_filename_cache_sig (remote), error);
|
|
|
6c691a |
if (blob_sig == NULL)
|
|
|
6c691a |
return NULL;
|
|
|
6c691a |
- return fu_keyring_verify_data (kr, blob, blob_sig, error);
|
|
|
6c691a |
+ return fu_keyring_verify_data (kr, blob, blob_sig,
|
|
|
6c691a |
+ FU_KEYRING_VERIFY_FLAG_NONE, error);
|
|
|
6c691a |
}
|
|
|
6c691a |
|
|
|
6c691a |
/**
|
|
|
6c691a |
@@ -1991,7 +1992,9 @@ fu_engine_update_metadata (FuEngine *self, const gchar *remote_id,
|
|
|
6c691a |
pki_dir = g_build_filename (sysconfdir, "pki", "fwupd-metadata", NULL);
|
|
|
6c691a |
if (!fu_keyring_add_public_keys (kr, pki_dir, error))
|
|
|
6c691a |
return FALSE;
|
|
|
6c691a |
- kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, error);
|
|
|
6c691a |
+ kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig,
|
|
|
6c691a |
+ FU_KEYRING_VERIFY_FLAG_NONE,
|
|
|
6c691a |
+ error);
|
|
|
6c691a |
if (kr_result == NULL)
|
|
|
6c691a |
return FALSE;
|
|
|
6c691a |
|
|
|
6c691a |
diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c
|
|
|
6c691a |
index af0bfbe0..a51ab7a4 100644
|
|
|
6c691a |
--- a/src/fu-keyring-gpg.c
|
|
|
6c691a |
+++ b/src/fu-keyring-gpg.c
|
|
|
6c691a |
@@ -231,6 +231,7 @@ static FuKeyringResult *
|
|
|
6c691a |
fu_keyring_gpg_verify_data (FuKeyring *keyring,
|
|
|
6c691a |
GBytes *blob,
|
|
|
6c691a |
GBytes *blob_signature,
|
|
|
6c691a |
+ FuKeyringVerifyFlags flags,
|
|
|
6c691a |
GError **error)
|
|
|
6c691a |
{
|
|
|
6c691a |
FuKeyringGpg *self = FU_KEYRING_GPG (keyring);
|
|
|
6c691a |
diff --git a/src/fu-keyring-pkcs7.c b/src/fu-keyring-pkcs7.c
|
|
|
6c691a |
index d48dc5d0..dc310d37 100644
|
|
|
6c691a |
--- a/src/fu-keyring-pkcs7.c
|
|
|
6c691a |
+++ b/src/fu-keyring-pkcs7.c
|
|
|
6c691a |
@@ -182,6 +182,7 @@ static FuKeyringResult *
|
|
|
6c691a |
fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
|
|
|
6c691a |
GBytes *blob,
|
|
|
6c691a |
GBytes *blob_signature,
|
|
|
6c691a |
+ FuKeyringVerifyFlags flags,
|
|
|
6c691a |
GError **error)
|
|
|
6c691a |
{
|
|
|
6c691a |
FuKeyringPkcs7 *self = FU_KEYRING_PKCS7 (keyring);
|
|
|
6c691a |
@@ -231,6 +232,14 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
|
|
|
6c691a |
for (gint i = 0; i < count; i++) {
|
|
|
6c691a |
gnutls_pkcs7_signature_info_st info;
|
|
|
6c691a |
gint64 signing_time = 0;
|
|
|
6c691a |
+ gnutls_certificate_verify_flags verify_flags = 0;
|
|
|
6c691a |
+
|
|
|
6c691a |
+ /* use with care */
|
|
|
6c691a |
+ if (flags & FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS) {
|
|
|
6c691a |
+ g_debug ("WARNING: disabling time checks");
|
|
|
6c691a |
+ verify_flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
|
|
|
6c691a |
+ verify_flags |= GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS;
|
|
|
6c691a |
+ }
|
|
|
6c691a |
|
|
|
6c691a |
/* verify the data against the detached signature */
|
|
|
6c691a |
rc = gnutls_pkcs7_verify (pkcs7, self->tl,
|
|
|
6c691a |
@@ -238,7 +247,7 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
|
|
|
6c691a |
0, /* vdata_size */
|
|
|
6c691a |
i, /* index */
|
|
|
6c691a |
&datum, /* data */
|
|
|
6c691a |
- 0); /* flags */
|
|
|
6c691a |
+ verify_flags);
|
|
|
6c691a |
if (rc < 0) {
|
|
|
6c691a |
g_set_error (error,
|
|
|
6c691a |
FWUPD_ERROR,
|
|
|
6c691a |
diff --git a/src/fu-keyring-utils.c b/src/fu-keyring-utils.c
|
|
|
6c691a |
index 0c5a7f04..465b4a02 100644
|
|
|
6c691a |
--- a/src/fu-keyring-utils.c
|
|
|
6c691a |
+++ b/src/fu-keyring-utils.c
|
|
|
6c691a |
@@ -167,7 +167,9 @@ fu_keyring_get_release_trust_flags (AsRelease *release,
|
|
|
6c691a |
fu_keyring_get_name (kr));
|
|
|
6c691a |
return FALSE;
|
|
|
6c691a |
}
|
|
|
6c691a |
- kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, &error_local);
|
|
|
6c691a |
+ kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature,
|
|
|
6c691a |
+ FU_KEYRING_VERIFY_FLAG_NONE,
|
|
|
6c691a |
+ &error_local);
|
|
|
6c691a |
if (kr_result == NULL) {
|
|
|
6c691a |
g_warning ("untrusted as failed to verify from %s keyring: %s",
|
|
|
6c691a |
fu_keyring_get_name (kr),
|
|
|
6c691a |
diff --git a/src/fu-keyring.c b/src/fu-keyring.c
|
|
|
6c691a |
index d8a88e8c..9b582563 100644
|
|
|
6c691a |
--- a/src/fu-keyring.c
|
|
|
6c691a |
+++ b/src/fu-keyring.c
|
|
|
6c691a |
@@ -40,13 +40,14 @@ FuKeyringResult *
|
|
|
6c691a |
fu_keyring_verify_data (FuKeyring *keyring,
|
|
|
6c691a |
GBytes *blob,
|
|
|
6c691a |
GBytes *blob_signature,
|
|
|
6c691a |
+ FuKeyringVerifyFlags flags,
|
|
|
6c691a |
GError **error)
|
|
|
6c691a |
{
|
|
|
6c691a |
FuKeyringClass *klass = FU_KEYRING_GET_CLASS (keyring);
|
|
|
6c691a |
g_return_val_if_fail (FU_IS_KEYRING (keyring), NULL);
|
|
|
6c691a |
g_return_val_if_fail (blob != NULL, NULL);
|
|
|
6c691a |
g_return_val_if_fail (blob_signature != NULL, NULL);
|
|
|
6c691a |
- return klass->verify_data (keyring, blob, blob_signature, error);
|
|
|
6c691a |
+ return klass->verify_data (keyring, blob, blob_signature, flags, error);
|
|
|
6c691a |
}
|
|
|
6c691a |
|
|
|
6c691a |
const gchar *
|
|
|
6c691a |
diff --git a/src/fu-keyring.h b/src/fu-keyring.h
|
|
|
6c691a |
index 6e03694c..f097305d 100644
|
|
|
6c691a |
--- a/src/fu-keyring.h
|
|
|
6c691a |
+++ b/src/fu-keyring.h
|
|
|
6c691a |
@@ -17,6 +17,20 @@ G_BEGIN_DECLS
|
|
|
6c691a |
#define FU_TYPE_KEYRING (fu_keyring_get_type ())
|
|
|
6c691a |
G_DECLARE_DERIVABLE_TYPE (FuKeyring, fu_keyring, FU, KEYRING, GObject)
|
|
|
6c691a |
|
|
|
6c691a |
+/**
|
|
|
6c691a |
+ * FuKeyringVerifyFlags:
|
|
|
6c691a |
+ * @FU_KEYRING_VERIFY_FLAG_NONE: No flags set
|
|
|
6c691a |
+ * @FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS: Disable checking of validity periods
|
|
|
6c691a |
+ *
|
|
|
6c691a |
+ * The flags to use when interacting with a keyring
|
|
|
6c691a |
+ **/
|
|
|
6c691a |
+typedef enum {
|
|
|
6c691a |
+ FU_KEYRING_VERIFY_FLAG_NONE = 0,
|
|
|
6c691a |
+ FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS = 1 << 2,
|
|
|
6c691a |
+ /*< private >*/
|
|
|
6c691a |
+ FU_KEYRING_VERIFY_FLAG_LAST
|
|
|
6c691a |
+} FuKeyringVerifyFlags;
|
|
|
6c691a |
+
|
|
|
6c691a |
struct _FuKeyringClass
|
|
|
6c691a |
{
|
|
|
6c691a |
GObjectClass parent_class;
|
|
|
6c691a |
@@ -28,6 +42,7 @@ struct _FuKeyringClass
|
|
|
6c691a |
FuKeyringResult *(*verify_data) (FuKeyring *keyring,
|
|
|
6c691a |
GBytes *payload,
|
|
|
6c691a |
GBytes *payload_signature,
|
|
|
6c691a |
+ FuKeyringVerifyFlags flags,
|
|
|
6c691a |
GError **error);
|
|
|
6c691a |
};
|
|
|
6c691a |
|
|
|
6c691a |
@@ -39,6 +54,7 @@ gboolean fu_keyring_add_public_keys (FuKeyring *keyring,
|
|
|
6c691a |
FuKeyringResult *fu_keyring_verify_data (FuKeyring *keyring,
|
|
|
6c691a |
GBytes *blob,
|
|
|
6c691a |
GBytes *blob_signature,
|
|
|
6c691a |
+ FuKeyringVerifyFlags flags,
|
|
|
6c691a |
GError **error);
|
|
|
6c691a |
const gchar *fu_keyring_get_name (FuKeyring *self);
|
|
|
6c691a |
void fu_keyring_set_name (FuKeyring *self,
|
|
|
6c691a |
diff --git a/src/fu-self-test.c b/src/fu-self-test.c
|
|
|
6c691a |
index 4f359614..98fac714 100644
|
|
|
6c691a |
--- a/src/fu-self-test.c
|
|
|
6c691a |
+++ b/src/fu-self-test.c
|
|
|
6c691a |
@@ -1947,7 +1947,9 @@ fu_keyring_gpg_func (void)
|
|
|
6c691a |
g_assert_no_error (error);
|
|
|
6c691a |
g_assert_nonnull (blob_pass);
|
|
|
6c691a |
blob_sig = g_bytes_new_static (sig_gpgme, strlen (sig_gpgme));
|
|
|
6c691a |
- result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
|
|
|
6c691a |
+ result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
|
|
|
6c691a |
+ FU_KEYRING_VERIFY_FLAG_NONE,
|
|
|
6c691a |
+ &error);
|
|
|
6c691a |
g_assert_no_error (error);
|
|
|
6c691a |
g_assert_nonnull (result_pass);
|
|
|
6c691a |
g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), == , 1438072952);
|
|
|
6c691a |
@@ -1960,7 +1962,8 @@ fu_keyring_gpg_func (void)
|
|
|
6c691a |
blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
|
|
|
6c691a |
g_assert_no_error (error);
|
|
|
6c691a |
g_assert_nonnull (blob_fail);
|
|
|
6c691a |
- result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
|
|
|
6c691a |
+ result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
|
|
|
6c691a |
+ FU_KEYRING_VERIFY_FLAG_NONE, &error);
|
|
|
6c691a |
g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
|
|
|
6c691a |
g_assert_null (result_fail);
|
|
|
6c691a |
g_clear_error (&error);
|
|
|
6c691a |
@@ -2010,7 +2013,9 @@ fu_keyring_pkcs7_func (void)
|
|
|
6c691a |
blob_sig = fu_common_get_contents_bytes (sig_fn, &error);
|
|
|
6c691a |
g_assert_no_error (error);
|
|
|
6c691a |
g_assert_nonnull (blob_sig);
|
|
|
6c691a |
- result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
|
|
|
6c691a |
+ result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
|
|
|
6c691a |
+ FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS,
|
|
|
6c691a |
+ &error);
|
|
|
6c691a |
g_assert_no_error (error);
|
|
|
6c691a |
g_assert_nonnull (result_pass);
|
|
|
6c691a |
g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), >= , 1502871248);
|
|
|
6c691a |
@@ -2022,7 +2027,8 @@ fu_keyring_pkcs7_func (void)
|
|
|
6c691a |
blob_sig2 = fu_common_get_contents_bytes (sig_fn2, &error);
|
|
|
6c691a |
g_assert_no_error (error);
|
|
|
6c691a |
g_assert_nonnull (blob_sig2);
|
|
|
6c691a |
- result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2, &error);
|
|
|
6c691a |
+ result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2,
|
|
|
6c691a |
+ FU_KEYRING_VERIFY_FLAG_NONE, &error);
|
|
|
6c691a |
g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
|
|
|
6c691a |
g_assert_null (result_fail);
|
|
|
6c691a |
g_clear_error (&error);
|
|
|
6c691a |
@@ -2033,7 +2039,8 @@ fu_keyring_pkcs7_func (void)
|
|
|
6c691a |
blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
|
|
|
6c691a |
g_assert_no_error (error);
|
|
|
6c691a |
g_assert_nonnull (blob_fail);
|
|
|
6c691a |
- result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
|
|
|
6c691a |
+ result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
|
|
|
6c691a |
+ FU_KEYRING_VERIFY_FLAG_NONE, &error);
|
|
|
6c691a |
g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
|
|
|
6c691a |
g_assert_null (result_fail);
|
|
|
6c691a |
g_clear_error (&error);
|