[image] Allow "imgtrust" to automatically download cross-signed certificates

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/usr/imgtrust.c b/src/usr/imgtrust.c
index 651f04939387cc56ab392c44e53074a9a15bdfd0..be0ca6ee0603195aec65723445e7c07f65f64e8b 100644 (file)
--- a/src/usr/imgtrust.c
+++ b/src/usr/imgtrust.c
@@ -25,6 +25,8 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #include <ipxe/uaccess.h>
 #include <ipxe/image.h>
 #include <ipxe/cms.h>
+#include <ipxe/validator.h>
+#include <ipxe/monojob.h>
 #include <usr/imgtrust.h>
 
 /** @file
@@ -46,6 +48,7 @@ int imgverify ( struct image *image, struct image *signature,
        size_t len;
        void *data;
        struct cms_signature *sig;
+       struct cms_signer_info *info;
        time_t now;
        int rc;
 
@@ -69,6 +72,14 @@ int imgverify ( struct image *image, struct image *signature,
        free ( data );
        data = NULL;
 
+       /* Complete all certificate chains */
+       list_for_each_entry ( info, &sig->info, list ) {
+               if ( ( rc = create_validator ( &monojob, info->chain ) ) != 0 )
+                       goto err_create_validator;
+               if ( ( rc = monojob_wait ( NULL ) ) != 0 )
+                       goto err_validator_wait;
+       }
+
        /* Use signature to verify image */
        now = time ( NULL );
        if ( ( rc = cms_verify ( sig, image->data, image->len,
@@ -86,6 +97,8 @@ int imgverify ( struct image *image, struct image *signature,
        return 0;
 
  err_verify:
+ err_validator_wait:
+ err_create_validator:
        cms_put ( sig );
  err_parse:
        free ( data );