proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-07-19 14:51:42 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

trivial: Check the PKCS key purpose before adding to the trust list

Browse Source 
According to some best practices this is a good idea, but in this specific case
the certificate will have been installed by the admin or package manager and
so is less important.
This commit is contained in:
Richard Hughes 2017-08-18 12:18:29 +01:00
parent f03f386c68
commit 0a8d5df265
1 changed files with 32 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
src/fu-keyring-pkcs7.c
View File

@ -36,6 +36,7 @@ struct _FuKeyringPkcs7
G_DEFINE_TYPE (FuKeyringPkcs7, fu_keyring_pkcs7, FU_TYPE_KEYRING) G_DEFINE_TYPE (FuKeyringPkcs7, fu_keyring_pkcs7, FU_TYPE_KEYRING)
G_DEFINE_AUTO_CLEANUP_FREE_FUNC(gnutls_pkcs7_t, gnutls_pkcs7_deinit, NULL) G_DEFINE_AUTO_CLEANUP_FREE_FUNC(gnutls_pkcs7_t, gnutls_pkcs7_deinit, NULL)
G_DEFINE_AUTO_CLEANUP_FREE_FUNC(gnutls_x509_crt_t, gnutls_x509_crt_deinit, NULL)
G_DEFINE_AUTO_CLEANUP_FREE_FUNC(gnutls_x509_dn_t, gnutls_x509_dn_deinit, NULL) G_DEFINE_AUTO_CLEANUP_FREE_FUNC(gnutls_x509_dn_t, gnutls_x509_dn_deinit, NULL)
static gboolean static gboolean
@ -48,6 +49,7 @@ fu_keyring_pkcs7_add_public_key (FuKeyringPkcs7 *self,
gsize sz; gsize sz;
int rc; int rc;
g_autofree gchar *pem_data = NULL; g_autofree gchar *pem_data = NULL;
g_auto(gnutls_x509_crt_t) cert = NULL;
/* load file and add to the trust list */ /* load file and add to the trust list */
if (!g_file_get_contents (filename, &pem_data, &sz, error)) { if (!g_file_get_contents (filename, &pem_data, &sz, error)) {
@ -57,11 +59,33 @@ fu_keyring_pkcs7_add_public_key (FuKeyringPkcs7 *self,
datum.data = (guint8 *) pem_data; datum.data = (guint8 *) pem_data;
datum.size = sz; datum.size = sz;
g_debug ("trying to load CA from %s", filename); g_debug ("trying to load CA from %s", filename);
rc = gnutls_x509_trust_list_add_trust_mem (self->tl, &datum, rc = gnutls_x509_crt_init (&cert);
NULL, /* crls */ if (rc < 0) {
format, g_set_error (error,
0, /* tl_flags */ FWUPD_ERROR,
0); /* tl_vflags */ FWUPD_ERROR_SIGNATURE_INVALID,
"failed to initialize certificate: %s [%i]",
gnutls_strerror (rc), rc);
return FALSE;
}
rc = gnutls_x509_crt_import (cert, &datum, format);
if (rc < 0) {
g_set_error (error,
FWUPD_ERROR,
FWUPD_ERROR_SIGNATURE_INVALID,
"failed to import certificate: %s [%i]",
gnutls_strerror (rc), rc);
return FALSE;
}
if (gnutls_x509_crt_check_key_purpose (cert, GNUTLS_KP_ANY, 0) != 0) {
g_set_error (error,
FWUPD_ERROR,
FWUPD_ERROR_SIGNATURE_INVALID,
"certificate %s not suitable for use",
filename);
return FALSE;
}
rc = gnutls_x509_trust_list_add_cas (self->tl, &cert, 1, 0);
if (rc < 0) { if (rc < 0) {
g_set_error (error, g_set_error (error,
FWUPD_ERROR, FWUPD_ERROR,
@ -71,6 +95,9 @@ fu_keyring_pkcs7_add_public_key (FuKeyringPkcs7 *self,
return FALSE; return FALSE;
} }
g_debug ("loaded %i CAs", rc); g_debug ("loaded %i CAs", rc);
/* confusingly the trust list does not copy the certificate */
cert = NULL;
return TRUE; return TRUE;
} }