From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001

From: Peter Jones <pjones@redhat.com>

Date: Tue, 25 Apr 2017 17:00:46 -0400

Subject: [PATCH 19/29] more about the time

---

 src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------

 1 file changed, 33 insertions(+), 26 deletions(-)

diff --git a/src/certdb.c b/src/certdb.c

index 673e074..1078a8a 100644

--- a/src/certdb.c

+++ b/src/certdb.c

@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,

 	PRBool result;

 	SECStatus rv;

 	db_status status = NOT_FOUND;

+	PRTime atTime = PR_Now();

+	SECItem *eTime;

 	PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;

-	PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;

+	PRTime notBefore, notAfter;

 	efi_guid_t efi_x509 = efi_guid_x509_cert;

@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,

 	if (!cinfo)

 		goto out;

+	notBefore = earlyNow;

+	notAfter = lateNow;

+	find_cert_times(cinfo, &notBefore, &notAfter);

+	if (earlyNow < notBefore)

+		earlyNow = notBefore;

+	if (lateNow > notAfter)

+		lateNow = notAfter;

+

+	// atTime = determine_reasonable_time(cert);

+	eTime = SEC_PKCS7GetSigningTime(cinfo);

+	if (eTime != NULL) {

+		if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {

+			if (earlyNow < atTime)

+				earlyNow = atTime;

+			if (lateNow > atTime)

+				lateNow = atTime;

+		}

+	}

+

+	if (lateNow < earlyNow)

+		printf("Signature has impossible time constraint: %ld <= %ld\n",

+		       earlyNow / 1000000, lateNow / 1000000);

+	atTime = earlyNow / 2 + lateNow / 2;

+

+

+	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,

+				    NULL, NULL);

+	if (!cinfo)

+		goto out;

+

 	/* Generate the digest of contentInfo */

 	/* XXX support only sha256 for now */

 	digest = SECITEM_AllocItem(NULL, NULL, 32);

@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,

 			PORT_ErrorToString(PORT_GetError()));

 		goto out;

 	}

-	cert->timeOK = PR_TRUE;

-

-	find_cert_times(cinfo, &notBefore, &notAfter);

-	if (earlyNow < notBefore)

-		earlyNow = notBefore;

-	if (lateNow > notAfter)

-		lateNow = notAfter;

-

-	SECItem *eTime;

-	PRTime atTime;

-	// atTime = determine_reasonable_time(cert);

-	eTime = SEC_PKCS7GetSigningTime(cinfo);

-	if (eTime != NULL) {

-		if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {

-			if (earlyNow < atTime)

-				earlyNow = atTime;

-			if (lateNow > atTime)

-				lateNow = atTime;

-		}

-	}

-

-	if (lateNow < earlyNow)

-		printf("Impossible time constraints: %ld <= %ld\n",

-		       earlyNow / 1000000, lateNow / 1000000);

-	atTime = earlyNow / 2 + lateNow / 2;

 	/* Verify the signature */

 	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,

-- 

2.13.4