Don't reject all binaries without a certificate database.

If a binary isn't signed, but its hash is enrolled in db, it won't have
a certificate database.  So in those cases, don't check it against
certificate databases in db/dbx/etc, but we don't need to reject it
outright.

Signed-off-by: Peter Jones <pjones@redhat.com>

shim.c

@@ -371,7 +371,7 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
 				 SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) ==
 				DATA_FOUND)
 		return EFI_ACCESS_DENIED;
-	if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
+	if (cert && check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
 					 sha256hash) == DATA_FOUND)
 		return EFI_ACCESS_DENIED;
 
@@ -381,7 +381,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
 	if (check_db_hash(L"dbx", secure_var, sha1hash, SHA1_DIGEST_SIZE,
 			  EFI_CERT_SHA1_GUID) == DATA_FOUND)
 		return EFI_ACCESS_DENIED;
-	if (check_db_cert(L"dbx", secure_var, cert, sha256hash) == DATA_FOUND)
+	if (cert && check_db_cert(L"dbx", secure_var, cert, sha256hash) ==
+				DATA_FOUND)
 		return EFI_ACCESS_DENIED;
 
 	return EFI_SUCCESS;
@@ -414,7 +415,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
 			update_verification_method(VERIFIED_BY_HASH);
 			return EFI_SUCCESS;
 		}
-		if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) {
+		if (cert && check_db_cert(L"db", secure_var, cert, sha256hash)
+					== DATA_FOUND) {
 			verification_method = VERIFIED_BY_CERT;
 			update_verification_method(VERIFIED_BY_CERT);
 			return EFI_SUCCESS;
@@ -427,7 +429,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
 		update_verification_method(VERIFIED_BY_HASH);
 		return EFI_SUCCESS;
 	}
-	if (check_db_cert(L"MokList", shim_var, cert, sha256hash) == DATA_FOUND) {
+	if (cert && check_db_cert(L"MokList", shim_var, cert, sha256hash) ==
+				DATA_FOUND) {
 		verification_method = VERIFIED_BY_CERT;
 		update_verification_method(VERIFIED_BY_CERT);
 		return EFI_SUCCESS;
@@ -712,26 +715,25 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 	UINT8 sha256hash[SHA256_DIGEST_SIZE];
 	UINT8 sha1hash[SHA1_DIGEST_SIZE];
 	EFI_STATUS status = EFI_ACCESS_DENIED;
-	WIN_CERTIFICATE_EFI_PKCS *cert;
+	WIN_CERTIFICATE_EFI_PKCS *cert = NULL;
 	unsigned int size = datasize;
 
-	if (context->SecDir->Size == 0) {
+	if (context->SecDir->Size != 0) {
-		Print(L"Empty security header\n");
+		cert = ImageAddress (data, size,
-		return EFI_INVALID_PARAMETER;
+				     context->SecDir->VirtualAddress);
-	}
-
-	cert = ImageAddress (data, size, context->SecDir->VirtualAddress);
 
 		if (!cert) {
 			Print(L"Certificate located outside the image\n");
 			return EFI_INVALID_PARAMETER;
 		}
 
-	if (cert->Hdr.wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
+		if (cert->Hdr.wCertificateType !=
+		    WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
 			Print(L"Unsupported certificate type %x\n",
 				cert->Hdr.wCertificateType);
 			return EFI_UNSUPPORTED;
 		}
+	}
 
 	status = generate_hash(data, datasize, context, sha256hash, sha1hash);
 
@@ -761,6 +763,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 	if (status == EFI_SUCCESS)
 		return status;
 
+	if (cert) {
 		/*
 		 * Check against the shim build key
 		 */
@@ -783,6 +786,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 			status = EFI_SUCCESS;
 			return status;
 		}
+	}
 
 	status = EFI_ACCESS_DENIED;