On Wed, Sep 16, 2020 at 01:14:56PM +0200, Heinrich Schuchardt wrote: > On 16.09.20 10:13, AKASHI Takahiro wrote: > > On Wed, Sep 16, 2020 at 01:19:03AM +0200, Heinrich Schuchardt wrote: > >> On 9/11/20 7:26 PM, Andrii Voloshyn wrote: > >>> Hi there, > >>> > >>> Does U-boot take into account certificate expiration date when > >>> verifying signed images in FIT? In other words, is date stored along with > >>> the public key in DTB file? > >>> > >>> Cheers, > >>> Andy > >>> > >> > >> Hello Philippe, > >> > >> looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot > >> find a comparison of the date on which an image was signed with the > >> expiry date of the certificate. Shouldn't there be a check? Or did I > >> simply look into the wrong function? > > > > I think Simon is the right person to answer this question, but > > > > as far as I know, we don't have any device tree property for the expiration > > date of a public key. See doc/uImage.FIT/signature.txt. > > Yes, the problem starts with mkimage not writing the dates available in > the X509 certificate into the device tree. > > The dates are accessible via the X509_get0_notBefore() and > X509_get0_notAfter() functions of the OpenSSL library. > > > Takahiro, could you, please, also look at the UEFI secure boot > implementation in U-Boot. EDK2 validates the dates via the embedded > OpenSSL library in > CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c, function > verify_chain(). We should not do less.
Yes, we do the check. See pkcs7_verify_one() in lib/crypto/pkcs7_verify.c. -Takahiro Akashi > Best regards > > Heinrich