On 17.07.20 09:16, AKASHI Takahiro wrote: > In this commit, efi_signature_verify(with_sigdb) will be re-implemented > using pcks7_verify_one() in order to support certificates chain, where > the signer's certificate will be signed by an intermediate CA (certificate > authority) and the latter's certificate will also be signed by another CA > and so on. > > What we need to do here is to search for certificates in a signature, > build up a chain of certificates and verify one by one. pkcs7_verify_one() > handles most of these steps except the last one. > > pkcs7_verify_one() returns, if succeeded, the last certificate to verify, > which can be either a self-signed one or one that should be signed by one > of certificates in "db". Re-worked efi_signature_verify() will take care > of this step. > > Signed-off-by: AKASHI Takahiro <[email protected]> > ---
With patches 1-6 applied to origin/master (fee68b98fe3890): make tests: test/py/tests/test_efi_secboot/test_authvar.py FFFFF test/py/tests/test_efi_secboot/test_signed.py .F..FF test/py/tests/test_efi_secboot/test_unsigned.py ... Patches 1-5 pass the test. Best regards Heinrich
