Remove ekcert blacklist. (#37)

* Fix broken build on windows. * Remove cert blacklist now that certtransparency parsing is laxer by default.
2025-01-18 10:26:23 +00:00 · 2019-06-17 09:49:16 -07:00 · 2019-06-17 09:49:16 -07:00 · 6fede8c9ab
commit 6fede8c9ab
parent 1eb89bd0b8
3 changed files with 3 additions and 27 deletions
--- a/go.mod
+++ b/go.mod
@ -4,7 +4,7 @@ go 1.12

 require (
 	github.com/golang/protobuf v1.3.1
-	github.com/google/certificate-transparency-go v1.0.22-0.20190403155334-84853901c6b8
+	github.com/google/certificate-transparency-go v1.0.22-0.20190605205155-41fc2ef3a2a8
 	github.com/google/go-tpm v0.1.2-0.20190430183152-dcb1ada1f875
 	github.com/google/go-tpm-tools v0.0.0-20190328013357-5d2fd7f4b3e5
 	github.com/google/go-tspi v0.2.0
--- a/go.sum
+++ b/go.sum
@ -4,6 +4,8 @@ github.com/google/certificate-transparency-go v1.0.21 h1:Yf1aXowfZ2nuboBsg7iYGLm
 github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/certificate-transparency-go v1.0.22-0.20190403155334-84853901c6b8 h1:pZtGL2P6rU7wOnemTcvTgoH9s+QB646LB5dBcZ1w5yE=
 github.com/google/certificate-transparency-go v1.0.22-0.20190403155334-84853901c6b8/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
+github.com/google/certificate-transparency-go v1.0.22-0.20190605205155-41fc2ef3a2a8 h1:G3Wse9lGL7PmAl2jqdr0HgwhPkGA5KHu7guIPREa7DU=
+github.com/google/certificate-transparency-go v1.0.22-0.20190605205155-41fc2ef3a2a8/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/go-tpm v0.1.2-0.20190430183152-dcb1ada1f875 h1:4+5g5+b2aKnnAXX1XiDcbkU/+daEu8T1HOGbRciBu08=
 github.com/google/go-tpm v0.1.2-0.20190430183152-dcb1ada1f875/go.mod h1:70+xJCEPKoR1UFyG62ftF/qOTka+OVFVQpNcWmByY0g=
 github.com/google/go-tpm-tools v0.0.0-20190328013357-5d2fd7f4b3e5 h1:/moKuMi+BJ+OEva3jTms88ruyRkxaZn+f9EIZoGpQeY=
--- a/verifier/ekcert.go
+++ b/verifier/ekcert.go
@ -12,22 +12,6 @@ import (
 	pb "github.com/google/go-attestation/verifier/proto"
 )

-var (
-	// brokenCerts are a blacklist of certificate filenames which fail to parse
-	// due to being malformed. These certs are not processed and hence cannot
-	// form part of a trusted chain.
-	brokenCerts = map[string]bool{
-		// A number of ST Microelectronics certificates have malformed
-		// serial number fields.
-		"STM_TPM_ECC_Intermediate_CA_01.crt": true,
-		"STM_TPM_EK_Intermediate_CA_01.crt":  true,
-		"STM_TPM_EK_Intermediate_CA_02.crt":  true,
-		"STM_TPM_EK_Intermediate_CA_03.crt":  true,
-		"STM_TPM_EK_Intermediate_CA_04.crt":  true,
-		"STM_TPM_EK_Intermediate_CA_05.crt":  true,
-	}
-)
-
 // EKVerifier verifies x509 EK certificates based on a pool of allowed
 // parent certificates.
 type EKVerifier struct {
@ -133,9 +117,6 @@ func parseCertsToPool(path string, files []os.FileInfo, pool *x509.CertPool) err
 			}
 			c, err := x509.ParseCertificate(d)
 			if err != nil && x509.IsFatal(err) {
-				if isBrokenCert(info.Name()) {
-					continue
-				}
 				return fmt.Errorf("%s parse failed: %v", info.Name(), err)
 			}
 			pool.AddCert(c)
@ -148,9 +129,6 @@ func parseCertsToPool(path string, files []os.FileInfo, pool *x509.CertPool) err
 			}
 			c, err := x509.ParseCertificate(d)
 			if err != nil && x509.IsFatal(err) && !pool.AppendCertsFromPEM(d) {
-				if isBrokenCert(info.Name()) {
-					continue
-				}
 				return fmt.Errorf("%s parse failed: %v", info.Name(), err)
 			}
 			if err == nil {
@ -160,7 +138,3 @@ func parseCertsToPool(path string, files []os.FileInfo, pool *x509.CertPool) err
 	}
 	return nil
 }
-
-func isBrokenCert(fname string) bool {
-	return brokenCerts[fname]
-}