Blame SOURCES/0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch

bbab8c
commit 58f79c3d235290c4cecccc1d55cbcc2da8e988a6
bbab8c
Author: Richard Hughes <richard@hughsie.com>
bbab8c
Date:   Thu Aug 1 09:45:25 2019 +0100
bbab8c
bbab8c
    Relax the certificate time checks in the self tests for the legacy certificate
bbab8c
    
bbab8c
    One test verifies a firmware with a signature from the old LVFS which was
bbab8c
    hosted on secure-lvfs.rhcloud.com and used the original PKCS-7 key. This key
bbab8c
    had a two year validity (expiring today, ohh the naivety...) rather than the
bbab8c
    newer fwupd.org key which expires in the year 2058.
bbab8c
    
bbab8c
    For this specific test only, disable the certificate time checks to fix CI.
bbab8c
    
bbab8c
    Fixes https://github.com/hughsie/fwupd/issues/1264
bbab8c
bbab8c
diff --git a/src/fu-engine.c b/src/fu-engine.c
bbab8c
index ac102cfa..1a57b0af 100644
bbab8c
--- a/src/fu-engine.c
bbab8c
+++ b/src/fu-engine.c
bbab8c
@@ -1908,7 +1908,8 @@ fu_engine_get_existing_keyring_result (FuEngine *self,
bbab8c
 	blob_sig = fu_common_get_contents_bytes (fwupd_remote_get_filename_cache_sig (remote), error);
bbab8c
 	if (blob_sig == NULL)
bbab8c
 		return NULL;
bbab8c
-	return fu_keyring_verify_data (kr, blob, blob_sig, error);
bbab8c
+	return fu_keyring_verify_data (kr, blob, blob_sig,
bbab8c
+				       FU_KEYRING_VERIFY_FLAG_NONE, error);
bbab8c
 }
bbab8c
 
bbab8c
 /**
bbab8c
@@ -1991,7 +1992,9 @@ fu_engine_update_metadata (FuEngine *self, const gchar *remote_id,
bbab8c
 		pki_dir = g_build_filename (sysconfdir, "pki", "fwupd-metadata", NULL);
bbab8c
 		if (!fu_keyring_add_public_keys (kr, pki_dir, error))
bbab8c
 			return FALSE;
bbab8c
-		kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, error);
bbab8c
+		kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig,
bbab8c
+						    FU_KEYRING_VERIFY_FLAG_NONE,
bbab8c
+						    error);
bbab8c
 		if (kr_result == NULL)
bbab8c
 			return FALSE;
bbab8c
 
bbab8c
diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c
bbab8c
index af0bfbe0..a51ab7a4 100644
bbab8c
--- a/src/fu-keyring-gpg.c
bbab8c
+++ b/src/fu-keyring-gpg.c
bbab8c
@@ -231,6 +231,7 @@ static FuKeyringResult *
bbab8c
 fu_keyring_gpg_verify_data (FuKeyring *keyring,
bbab8c
 			    GBytes *blob,
bbab8c
 			    GBytes *blob_signature,
bbab8c
+			    FuKeyringVerifyFlags flags,
bbab8c
 			    GError **error)
bbab8c
 {
bbab8c
 	FuKeyringGpg *self = FU_KEYRING_GPG (keyring);
bbab8c
diff --git a/src/fu-keyring-pkcs7.c b/src/fu-keyring-pkcs7.c
bbab8c
index d48dc5d0..dc310d37 100644
bbab8c
--- a/src/fu-keyring-pkcs7.c
bbab8c
+++ b/src/fu-keyring-pkcs7.c
bbab8c
@@ -182,6 +182,7 @@ static FuKeyringResult *
bbab8c
 fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
bbab8c
 			     GBytes *blob,
bbab8c
 			     GBytes *blob_signature,
bbab8c
+			     FuKeyringVerifyFlags flags,
bbab8c
 			     GError **error)
bbab8c
 {
bbab8c
 	FuKeyringPkcs7 *self = FU_KEYRING_PKCS7 (keyring);
bbab8c
@@ -231,6 +232,14 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
bbab8c
 	for (gint i = 0; i < count; i++) {
bbab8c
 		gnutls_pkcs7_signature_info_st info;
bbab8c
 		gint64 signing_time = 0;
bbab8c
+		gnutls_certificate_verify_flags verify_flags = 0;
bbab8c
+
bbab8c
+		/* use with care */
bbab8c
+		if (flags & FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS) {
bbab8c
+			g_debug ("WARNING: disabling time checks");
bbab8c
+			verify_flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
bbab8c
+			verify_flags |= GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS;
bbab8c
+		}
bbab8c
 
bbab8c
 		/* verify the data against the detached signature */
bbab8c
 		rc = gnutls_pkcs7_verify (pkcs7, self->tl,
bbab8c
@@ -238,7 +247,7 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
bbab8c
 					  0,    /* vdata_size */
bbab8c
 					  i,    /* index */
bbab8c
 					  &datum, /* data */
bbab8c
-					  0);   /* flags */
bbab8c
+					  verify_flags);
bbab8c
 		if (rc < 0) {
bbab8c
 			g_set_error (error,
bbab8c
 				     FWUPD_ERROR,
bbab8c
diff --git a/src/fu-keyring-utils.c b/src/fu-keyring-utils.c
bbab8c
index 0c5a7f04..465b4a02 100644
bbab8c
--- a/src/fu-keyring-utils.c
bbab8c
+++ b/src/fu-keyring-utils.c
bbab8c
@@ -167,7 +167,9 @@ fu_keyring_get_release_trust_flags (AsRelease *release,
bbab8c
 				fu_keyring_get_name (kr));
bbab8c
 		return FALSE;
bbab8c
 	}
bbab8c
-	kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, &error_local);
bbab8c
+	kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature,
bbab8c
+					    FU_KEYRING_VERIFY_FLAG_NONE,
bbab8c
+					    &error_local);
bbab8c
 	if (kr_result == NULL) {
bbab8c
 		g_warning ("untrusted as failed to verify from %s keyring: %s",
bbab8c
 			   fu_keyring_get_name (kr),
bbab8c
diff --git a/src/fu-keyring.c b/src/fu-keyring.c
bbab8c
index d8a88e8c..9b582563 100644
bbab8c
--- a/src/fu-keyring.c
bbab8c
+++ b/src/fu-keyring.c
bbab8c
@@ -40,13 +40,14 @@ FuKeyringResult *
bbab8c
 fu_keyring_verify_data (FuKeyring *keyring,
bbab8c
 		       GBytes *blob,
bbab8c
 		       GBytes *blob_signature,
bbab8c
+		       FuKeyringVerifyFlags flags,
bbab8c
 		       GError **error)
bbab8c
 {
bbab8c
 	FuKeyringClass *klass = FU_KEYRING_GET_CLASS (keyring);
bbab8c
 	g_return_val_if_fail (FU_IS_KEYRING (keyring), NULL);
bbab8c
 	g_return_val_if_fail (blob != NULL, NULL);
bbab8c
 	g_return_val_if_fail (blob_signature != NULL, NULL);
bbab8c
-	return klass->verify_data (keyring, blob, blob_signature, error);
bbab8c
+	return klass->verify_data (keyring, blob, blob_signature, flags, error);
bbab8c
 }
bbab8c
 
bbab8c
 const gchar *
bbab8c
diff --git a/src/fu-keyring.h b/src/fu-keyring.h
bbab8c
index 6e03694c..f097305d 100644
bbab8c
--- a/src/fu-keyring.h
bbab8c
+++ b/src/fu-keyring.h
bbab8c
@@ -17,6 +17,20 @@ G_BEGIN_DECLS
bbab8c
 #define FU_TYPE_KEYRING (fu_keyring_get_type ())
bbab8c
 G_DECLARE_DERIVABLE_TYPE (FuKeyring, fu_keyring, FU, KEYRING, GObject)
bbab8c
 
bbab8c
+/**
bbab8c
+ * FuKeyringVerifyFlags:
bbab8c
+ * @FU_KEYRING_VERIFY_FLAG_NONE:		No flags set
bbab8c
+ * @FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS:	Disable checking of validity periods
bbab8c
+ *
bbab8c
+ * The flags to use when interacting with a keyring
bbab8c
+ **/
bbab8c
+typedef enum {
bbab8c
+	FU_KEYRING_VERIFY_FLAG_NONE			= 0,
bbab8c
+	FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS	= 1 << 2,
bbab8c
+	/*< private >*/
bbab8c
+	FU_KEYRING_VERIFY_FLAG_LAST
bbab8c
+} FuKeyringVerifyFlags;
bbab8c
+
bbab8c
 struct _FuKeyringClass
bbab8c
 {
bbab8c
 	GObjectClass		 parent_class;
bbab8c
@@ -28,6 +42,7 @@ struct _FuKeyringClass
bbab8c
 	FuKeyringResult		*(*verify_data)		(FuKeyring	*keyring,
bbab8c
 							 GBytes		*payload,
bbab8c
 							 GBytes		*payload_signature,
bbab8c
+							 FuKeyringVerifyFlags flags,
bbab8c
 							 GError		**error);
bbab8c
 };
bbab8c
 
bbab8c
@@ -39,6 +54,7 @@ gboolean	 fu_keyring_add_public_keys		(FuKeyring	*keyring,
bbab8c
 FuKeyringResult	*fu_keyring_verify_data			(FuKeyring	*keyring,
bbab8c
 							 GBytes		*blob,
bbab8c
 							 GBytes		*blob_signature,
bbab8c
+							 FuKeyringVerifyFlags flags,
bbab8c
 							 GError		**error);
bbab8c
 const gchar	*fu_keyring_get_name			(FuKeyring	*self);
bbab8c
 void		 fu_keyring_set_name			(FuKeyring	*self,
bbab8c
diff --git a/src/fu-self-test.c b/src/fu-self-test.c
bbab8c
index 4f359614..98fac714 100644
bbab8c
--- a/src/fu-self-test.c
bbab8c
+++ b/src/fu-self-test.c
bbab8c
@@ -1947,7 +1947,9 @@ fu_keyring_gpg_func (void)
bbab8c
 	g_assert_no_error (error);
bbab8c
 	g_assert_nonnull (blob_pass);
bbab8c
 	blob_sig = g_bytes_new_static (sig_gpgme, strlen (sig_gpgme));
bbab8c
-	result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
bbab8c
+	result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
bbab8c
+					      FU_KEYRING_VERIFY_FLAG_NONE,
bbab8c
+					      &error);
bbab8c
 	g_assert_no_error (error);
bbab8c
 	g_assert_nonnull (result_pass);
bbab8c
 	g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), == , 1438072952);
bbab8c
@@ -1960,7 +1962,8 @@ fu_keyring_gpg_func (void)
bbab8c
 	blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
bbab8c
 	g_assert_no_error (error);
bbab8c
 	g_assert_nonnull (blob_fail);
bbab8c
-	result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
bbab8c
+	result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
bbab8c
+					      FU_KEYRING_VERIFY_FLAG_NONE, &error);
bbab8c
 	g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
bbab8c
 	g_assert_null (result_fail);
bbab8c
 	g_clear_error (&error);
bbab8c
@@ -2010,7 +2013,9 @@ fu_keyring_pkcs7_func (void)
bbab8c
 	blob_sig = fu_common_get_contents_bytes (sig_fn, &error);
bbab8c
 	g_assert_no_error (error);
bbab8c
 	g_assert_nonnull (blob_sig);
bbab8c
-	result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
bbab8c
+	result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
bbab8c
+					      FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS,
bbab8c
+					      &error);
bbab8c
 	g_assert_no_error (error);
bbab8c
 	g_assert_nonnull (result_pass);
bbab8c
 	g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), >= , 1502871248);
bbab8c
@@ -2022,7 +2027,8 @@ fu_keyring_pkcs7_func (void)
bbab8c
 	blob_sig2 = fu_common_get_contents_bytes (sig_fn2, &error);
bbab8c
 	g_assert_no_error (error);
bbab8c
 	g_assert_nonnull (blob_sig2);
bbab8c
-	result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2, &error);
bbab8c
+	result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2,
bbab8c
+					      FU_KEYRING_VERIFY_FLAG_NONE, &error);
bbab8c
 	g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
bbab8c
 	g_assert_null (result_fail);
bbab8c
 	g_clear_error (&error);
bbab8c
@@ -2033,7 +2039,8 @@ fu_keyring_pkcs7_func (void)
bbab8c
 	blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
bbab8c
 	g_assert_no_error (error);
bbab8c
 	g_assert_nonnull (blob_fail);
bbab8c
-	result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
bbab8c
+	result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
bbab8c
+					      FU_KEYRING_VERIFY_FLAG_NONE, &error);
bbab8c
 	g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
bbab8c
 	g_assert_null (result_fail);
bbab8c
 	g_clear_error (&error);