Heinrich,

On Fri, Jul 17, 2020 at 12:23:08PM +0200, Heinrich Schuchardt wrote:
> On 17.07.20 09:16, AKASHI Takahiro wrote:
> > In this commit, efi_signature_verify(with_sigdb) will be re-implemented
> > using pkcs7_verify_one() in order to support certificates chain, where
> > the signer's certificate will be signed by an intermediate CA (certificate
> > authority) and the latter's certificate will also be signed by another CA
> > and so on.
> >
> > What we need to do here is to search for certificates in a signature,
> > build up a chain of certificates and verify one by one. pkcs7_verify_one()
> > handles most of these steps except the last one.
> >
> > pkcs7_verify_one() returns, if succeeded, the last certificate to verify,
> > which can be either a self-signed one or one that should be signed by one
> > of certificates in "db". Re-worked efi_signature_verify() will take care
> > of this step.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org>
> > ---
>
> With patches 1-6 applied to origin/master (fee68b98fe3890):
> make tests:
>
> test/py/tests/test_efi_secboot/test_authvar.py FFFFF
> test/py/tests/test_efi_secboot/test_signed.py .F..FF
> test/py/tests/test_efi_secboot/test_unsigned.py ...

Even after rebasing the code to fee68b98fe3890, I have never seen any failures
in those cases. (I use pytest directly instead of 'make tests' though.)

-Takahiro Akashi

> Patches 1-5 pass the test.
>
> Best regards
>
> Heinrich
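The two-step verification the quoted commit message describes (walk the certificate chain embedded in the signature, then check the last certificate reached against "db"), as an added Python example that is not U-Boot's code: a keyed HMAC stands in for the X.509 signatures, the names pkcs7_verify_one and efi_signature_verify are reused only to mirror the described split, and the final rule (the chain may end at a certificate enrolled in db, or at one directly issued by a certificate in db) is an assumption about the reworked function.

```python
import hashlib
import hmac
# Toy model for this added example: an HMAC keyed by the issuer's "key" stands
# in for the issuer's asymmetric signature so the chain logic runs offline.
def _tbs(cert):
    return f"{cert['subject']}|{cert['issuer']}|{cert['key'].hex()}".encode()
def make_cert(subject, issuer, key, issuer_key):
    cert = {"subject": subject, "issuer": issuer, "key": key}
    cert["sig"] = hmac.new(issuer_key, _tbs(cert), hashlib.sha256).digest()
    return cert

def signed_by(cert, issuer):
    want = hmac.new(issuer["key"], _tbs(cert), hashlib.sha256).digest()
    return cert["issuer"] == issuer["subject"] and hmac.compare_digest(cert["sig"], want)

def pkcs7_verify_one(signature):
    """Walk the chain in the signature from the signer's cert; return the last
    cert reached (self-signed, or its issuer absent from the bundle), or None
    if a link fails. The caller must still check that cert against db."""
    certs = signature["certs"]
    cur = next((c for c in certs if c["subject"] == signature["signer"]), None)
    while cur is not None:
        if cur["issuer"] == cur["subject"]:          # self-signed: chain ends here
            return cur if signed_by(cur, cur) else None
        issuer = next((c for c in certs if c["subject"] == cur["issuer"]), None)
        if issuer is None:                           # issuer has to come from db
            return cur
        if not signed_by(cur, issuer):               # forged or mismatched link
            return None
        cur = issuer
    return None

def efi_signature_verify(signature, db):
    """Final step (assumed to mirror the reworked function): the chain must end
    at a cert enrolled in db or at a cert directly issued by one in db."""
    last = pkcs7_verify_one(signature)
    if last is None:
        return False
    return any(c == last or signed_by(last, c) for c in db)

# Constructed sample PKI: root CA enrolled in db, one intermediate, one signer.
ROOT = make_cert("Root CA", "Root CA", b"root-key", b"root-key")
INTER = make_cert("Signing CA", "Root CA", b"ca-key", b"root-key")
LEAF = make_cert("image signer", "Signing CA", b"leaf-key", b"ca-key")
FORGED_INTER = make_cert("Signing CA", "Root CA", b"ca-key", b"not-root-key")
DB = [ROOT]
SIG_NO_ROOT = {"signer": "image signer", "certs": [LEAF, INTER]}
SIG_WITH_ROOT = {"signer": "image signer", "certs": [LEAF, INTER, ROOT]}
SIG_FORGED = {"signer": "image signer", "certs": [LEAF, FORGED_INTER]}
```

SIG_FORGED shows why the final db check matters: the leaf's own link verifies, but the chain ends at an intermediate that no certificate in db actually issued.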