libsecureboot: do not accept certificate we cannot decode
Although we care more about the CN of a certificate than its status (for the purpose of reporting), we should skip it if we get errors decoding it. Reviewed by: stevek Sponsored by: Juniper Networks, Inc.
@@ -243,12 +243,10 @@ x509_cn_get(br_x509_certificate *xc, char *buf, size_t len)
|
|||||||
mc.vtable->end_cert(&mc.vtable);
|
mc.vtable->end_cert(&mc.vtable);
|
||||||
/* we don't actually care about cert status - just its name */
|
/* we don't actually care about cert status - just its name */
|
||||||
err = mc.vtable->end_chain(&mc.vtable);
|
err = mc.vtable->end_chain(&mc.vtable);
|
||||||
|
(void)err; /* keep compiler quiet */
|
||||||
|
|
||||||
if (!cn.status) {
|
if (cn.status <= 0)
|
||||||
buf = NULL;
|
buf = NULL;
|
||||||
if (err == 0) /* keep compiler happy */
|
|
||||||
buf = NULL;
|
|
||||||
}
|
|
||||||
return (buf);
|
return (buf);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
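Review bot: The retained comment `/* we don't actually care about cert status - just its name */` now sits directly above a test that does reject on a status, and nothing in the hunk says that `cn.status` is the name-element decode result rather than the chain result held in `err`. A comment on the new test would make the distinction explicit, for example `/* cn.status: >0 decoded, 0 no CN found, <0 decode error */`, assuming this follows BearSSL's br_name_element convention (to be confirmed). Because the `end_chain()` result is still discarded through `(void)err;`, the name returned in `buf` comes from a certificate whose validity was not established here, so the function's header comment should state that the CN is for reporting only and must not feed a trust decision. The start of x509_cn_get() and the declarations of `err` and `cn` lie outside the hunk, so whether `err` could be dropped in favour of `(void)mc.vtable->end_chain(&mc.vtable);` cannot be judged from here.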