commit 58f79c3d235290c4cecccc1d55cbcc2da8e988a6
Author: Richard Hughes <richard@hughsie.com>
Date: Thu Aug 1 09:45:25 2019 +0100
Relax the certificate time checks in the self tests for the legacy certificate
One test verifies a firmware with a signature from the old LVFS which was
hosted on secure-lvfs.rhcloud.com and used the original PKCS-7 key. This key
had a two year validity (expiring today, ohh the naivety...) rather than the
newer fwupd.org key which expires in the year 2058.
For this specific test only, disable the certificate time checks to fix CI.
Fixes https://github.com/hughsie/fwupd/issues/1264
diff --git a/src/fu-engine.c b/src/fu-engine.c
index ac102cfa..1a57b0af 100644
--- a/src/fu-engine.c
+++ b/src/fu-engine.c
@@ -1908,7 +1908,8 @@ fu_engine_get_existing_keyring_result (FuEngine *self,
blob_sig = fu_common_get_contents_bytes (fwupd_remote_get_filename_cache_sig (remote), error);
if (blob_sig == NULL)
return NULL;
- return fu_keyring_verify_data (kr, blob, blob_sig, error);
+ return fu_keyring_verify_data (kr, blob, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE, error);
}
/**
@@ -1991,7 +1992,9 @@ fu_engine_update_metadata (FuEngine *self, const gchar *remote_id,
pki_dir = g_build_filename (sysconfdir, "pki", "fwupd-metadata", NULL);
if (!fu_keyring_add_public_keys (kr, pki_dir, error))
return FALSE;
- kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, error);
+ kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE,
+ error);
if (kr_result == NULL)
return FALSE;
diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c
index af0bfbe0..a51ab7a4 100644
--- a/src/fu-keyring-gpg.c
+++ b/src/fu-keyring-gpg.c
@@ -231,6 +231,7 @@ static FuKeyringResult *
fu_keyring_gpg_verify_data (FuKeyring *keyring,
GBytes *blob,
GBytes *blob_signature,
+ FuKeyringVerifyFlags flags,
GError **error)
{
FuKeyringGpg *self = FU_KEYRING_GPG (keyring);
diff --git a/src/fu-keyring-pkcs7.c b/src/fu-keyring-pkcs7.c
index d48dc5d0..dc310d37 100644
--- a/src/fu-keyring-pkcs7.c
+++ b/src/fu-keyring-pkcs7.c
@@ -182,6 +182,7 @@ static FuKeyringResult *
fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
GBytes *blob,
GBytes *blob_signature,
+ FuKeyringVerifyFlags flags,
GError **error)
{
FuKeyringPkcs7 *self = FU_KEYRING_PKCS7 (keyring);
@@ -231,6 +232,14 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
for (gint i = 0; i < count; i++) {
gnutls_pkcs7_signature_info_st info;
gint64 signing_time = 0;
+ gnutls_certificate_verify_flags verify_flags = 0;
+
+ /* use with care */
+ if (flags & FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS) {
+ g_debug ("WARNING: disabling time checks");
+ verify_flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
+ verify_flags |= GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS;
+ }
/* verify the data against the detached signature */
rc = gnutls_pkcs7_verify (pkcs7, self->tl,
@@ -238,7 +247,7 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
0, /* vdata_size */
i, /* index */
&datum, /* data */
- 0); /* flags */
+ verify_flags);
if (rc < 0) {
g_set_error (error,
FWUPD_ERROR,
diff --git a/src/fu-keyring-utils.c b/src/fu-keyring-utils.c
index 0c5a7f04..465b4a02 100644
--- a/src/fu-keyring-utils.c
+++ b/src/fu-keyring-utils.c
@@ -167,7 +167,9 @@ fu_keyring_get_release_trust_flags (AsRelease *release,
fu_keyring_get_name (kr));
return FALSE;
}
- kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, &error_local);
+ kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature,
+ FU_KEYRING_VERIFY_FLAG_NONE,
+ &error_local);
if (kr_result == NULL) {
g_warning ("untrusted as failed to verify from %s keyring: %s",
fu_keyring_get_name (kr),
diff --git a/src/fu-keyring.c b/src/fu-keyring.c
index d8a88e8c..9b582563 100644
--- a/src/fu-keyring.c
+++ b/src/fu-keyring.c
@@ -40,13 +40,14 @@ FuKeyringResult *
fu_keyring_verify_data (FuKeyring *keyring,
GBytes *blob,
GBytes *blob_signature,
+ FuKeyringVerifyFlags flags,
GError **error)
{
FuKeyringClass *klass = FU_KEYRING_GET_CLASS (keyring);
g_return_val_if_fail (FU_IS_KEYRING (keyring), NULL);
g_return_val_if_fail (blob != NULL, NULL);
g_return_val_if_fail (blob_signature != NULL, NULL);
- return klass->verify_data (keyring, blob, blob_signature, error);
+ return klass->verify_data (keyring, blob, blob_signature, flags, error);
}
const gchar *
diff --git a/src/fu-keyring.h b/src/fu-keyring.h
index 6e03694c..f097305d 100644
--- a/src/fu-keyring.h
+++ b/src/fu-keyring.h
@@ -17,6 +17,20 @@ G_BEGIN_DECLS
#define FU_TYPE_KEYRING (fu_keyring_get_type ())
G_DECLARE_DERIVABLE_TYPE (FuKeyring, fu_keyring, FU, KEYRING, GObject)
+/**
+ * FuKeyringVerifyFlags:
+ * @FU_KEYRING_VERIFY_FLAG_NONE: No flags set
+ * @FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS: Disable checking of validity periods
+ *
+ * The flags to use when interacting with a keyring
+ **/
+typedef enum {
+ FU_KEYRING_VERIFY_FLAG_NONE = 0,
+ FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS = 1 << 2,
+ /*< private >*/
+ FU_KEYRING_VERIFY_FLAG_LAST
+} FuKeyringVerifyFlags;
+
struct _FuKeyringClass
{
GObjectClass parent_class;
@@ -28,6 +42,7 @@ struct _FuKeyringClass
FuKeyringResult *(*verify_data) (FuKeyring *keyring,
GBytes *payload,
GBytes *payload_signature,
+ FuKeyringVerifyFlags flags,
GError **error);
};
@@ -39,6 +54,7 @@ gboolean fu_keyring_add_public_keys (FuKeyring *keyring,
FuKeyringResult *fu_keyring_verify_data (FuKeyring *keyring,
GBytes *blob,
GBytes *blob_signature,
+ FuKeyringVerifyFlags flags,
GError **error);
const gchar *fu_keyring_get_name (FuKeyring *self);
void fu_keyring_set_name (FuKeyring *self,
diff --git a/src/fu-self-test.c b/src/fu-self-test.c
index 4f359614..98fac714 100644
--- a/src/fu-self-test.c
+++ b/src/fu-self-test.c
@@ -1947,7 +1947,9 @@ fu_keyring_gpg_func (void)
g_assert_no_error (error);
g_assert_nonnull (blob_pass);
blob_sig = g_bytes_new_static (sig_gpgme, strlen (sig_gpgme));
- result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
+ result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE,
+ &error);
g_assert_no_error (error);
g_assert_nonnull (result_pass);
g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), == , 1438072952);
@@ -1960,7 +1962,8 @@ fu_keyring_gpg_func (void)
blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
g_assert_no_error (error);
g_assert_nonnull (blob_fail);
- result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
+ result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE, &error);
g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
g_assert_null (result_fail);
g_clear_error (&error);
@@ -2010,7 +2013,9 @@ fu_keyring_pkcs7_func (void)
blob_sig = fu_common_get_contents_bytes (sig_fn, &error);
g_assert_no_error (error);
g_assert_nonnull (blob_sig);
- result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
+ result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS,
+ &error);
g_assert_no_error (error);
g_assert_nonnull (result_pass);
g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), >= , 1502871248);
@@ -2022,7 +2027,8 @@ fu_keyring_pkcs7_func (void)
blob_sig2 = fu_common_get_contents_bytes (sig_fn2, &error);
g_assert_no_error (error);
g_assert_nonnull (blob_sig2);
- result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2, &error);
+ result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2,
+ FU_KEYRING_VERIFY_FLAG_NONE, &error);
g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
g_assert_null (result_fail);
g_clear_error (&error);
@@ -2033,7 +2039,8 @@ fu_keyring_pkcs7_func (void)
blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
g_assert_no_error (error);
g_assert_nonnull (blob_fail);
- result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
+ result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE, &error);
g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
g_assert_null (result_fail);
g_clear_error (&error);