proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-08-09 09:55:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

trivial: Allow PKCS-7 certificates for DIGITAL_SIGNATURE

Browse Source 
This allows us to also use a self-signed certificate for verification.
This commit is contained in:
Richard Hughes 2019-03-07 15:48:45 +00:00
parent 2eee2582fd
commit ca6d92aa5c
1 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/fu-keyring-pkcs7.c
View File

@ -35,6 +35,7 @@ fu_keyring_pkcs7_add_public_key (FuKeyringPkcs7 *self,
gnutls_x509_crt_fmt_t format, gnutls_x509_crt_fmt_t format,
GError **error) GError **error)
{ {
guint key_usage = 0;
gnutls_datum_t datum; gnutls_datum_t datum;
gsize sz; gsize sz;
int rc; int rc;
@ -67,12 +68,22 @@ fu_keyring_pkcs7_add_public_key (FuKeyringPkcs7 *self,
gnutls_strerror (rc), rc); gnutls_strerror (rc), rc);
return FALSE; return FALSE;
} }
if (gnutls_x509_crt_check_key_purpose (cert, GNUTLS_KP_ANY, 0) != 0) { rc = gnutls_x509_crt_get_key_usage (cert, &key_usage, NULL);
if (rc < 0) {
g_set_error (error, g_set_error (error,
FWUPD_ERROR, FWUPD_ERROR,
FWUPD_ERROR_SIGNATURE_INVALID, FWUPD_ERROR_SIGNATURE_INVALID,
"certificate %s not suitable for use", "failed to get key usage: %s [%i]",
filename); gnutls_strerror (rc), rc);
return FALSE;
}
if ((key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE) == 0 &&
(key_usage & GNUTLS_KEY_KEY_CERT_SIGN) == 0) {
g_set_error (error,
FWUPD_ERROR,
FWUPD_ERROR_SIGNATURE_INVALID,
"certificate %s not suitable for use [0x%x]",
filename, key_usage);
return FALSE; return FALSE;
} }
rc = gnutls_x509_trust_list_add_cas (self->tl, &cert, 1, 0); rc = gnutls_x509_trust_list_add_cas (self->tl, &cert, 1, 0);