diff --git a/go.mod b/go.mod
index f59dfe2..fc95dc3 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.12
 require (
 	github.com/golang/protobuf v1.3.1
-	github.com/google/certificate-transparency-go v1.0.22-0.20190403155334-84853901c6b8
+	github.com/google/certificate-transparency-go v1.0.22-0.20190605205155-41fc2ef3a2a8
 	github.com/google/go-tpm v0.1.2-0.20190430183152-dcb1ada1f875
 	github.com/google/go-tpm-tools v0.0.0-20190328013357-5d2fd7f4b3e5
 	github.com/google/go-tspi v0.2.0
diff --git a/go.sum b/go.sum
index 59d2ae4..91b0e2a 100644
--- a/go.sum
+++ b/go.sum
@@ -4,6 +4,8 @@ github.com/google/certificate-transparency-go v1.0.21 h1:Yf1aXowfZ2nuboBsg7iYGLm
 github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/certificate-transparency-go v1.0.22-0.20190403155334-84853901c6b8 h1:pZtGL2P6rU7wOnemTcvTgoH9s+QB646LB5dBcZ1w5yE=
 github.com/google/certificate-transparency-go v1.0.22-0.20190403155334-84853901c6b8/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
+github.com/google/certificate-transparency-go v1.0.22-0.20190605205155-41fc2ef3a2a8 h1:G3Wse9lGL7PmAl2jqdr0HgwhPkGA5KHu7guIPREa7DU=
+github.com/google/certificate-transparency-go v1.0.22-0.20190605205155-41fc2ef3a2a8/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/go-tpm v0.1.2-0.20190430183152-dcb1ada1f875 h1:4+5g5+b2aKnnAXX1XiDcbkU/+daEu8T1HOGbRciBu08=
 github.com/google/go-tpm v0.1.2-0.20190430183152-dcb1ada1f875/go.mod h1:70+xJCEPKoR1UFyG62ftF/qOTka+OVFVQpNcWmByY0g=
 github.com/google/go-tpm-tools v0.0.0-20190328013357-5d2fd7f4b3e5 h1:/moKuMi+BJ+OEva3jTms88ruyRkxaZn+f9EIZoGpQeY=
diff --git a/verifier/ekcert.go b/verifier/ekcert.go
index ed42bcd..bf2fbf0 100644
--- a/verifier/ekcert.go
+++ b/verifier/ekcert.go
@@ -12,22 +12,6 @@ import (
 	pb "github.com/google/go-attestation/verifier/proto"
 )
 
-var (
-	// brokenCerts are a blacklist of certificate filenames which fail to parse
-	// due to being malformed. These certs are not processed and hence cannot
-	// form part of a trusted chain.
-	brokenCerts = map[string]bool{
-		// A number of ST Microelectronics certificates have malformed
-		// serial number fields.
-		"STM_TPM_ECC_Intermediate_CA_01.crt": true,
-		"STM_TPM_EK_Intermediate_CA_01.crt": true,
-		"STM_TPM_EK_Intermediate_CA_02.crt": true,
-		"STM_TPM_EK_Intermediate_CA_03.crt": true,
-		"STM_TPM_EK_Intermediate_CA_04.crt": true,
-		"STM_TPM_EK_Intermediate_CA_05.crt": true,
-	}
-)
-
 // EKVerifier verifies x509 EK certificates based on a pool of allowed
 // parent certificates.
 type EKVerifier struct {
@@ -133,9 +117,6 @@ func parseCertsToPool(path string, files []os.FileInfo, pool *x509.CertPool) err
 		}
 		c, err := x509.ParseCertificate(d)
 		if err != nil && x509.IsFatal(err) {
-			if isBrokenCert(info.Name()) {
-				continue
-			}
 			return fmt.Errorf("%s parse failed: %v", info.Name(), err)
 		}
 		pool.AddCert(c)
@@ -148,9 +129,6 @@ func parseCertsToPool(path string, files []os.FileInfo, pool *x509.CertPool) err
 		}
 		c, err := x509.ParseCertificate(d)
 		if err != nil && x509.IsFatal(err) && !pool.AppendCertsFromPEM(d) {
-			if isBrokenCert(info.Name()) {
-				continue
-			}
 			return fmt.Errorf("%s parse failed: %v", info.Name(), err)
 		}
 		if err == nil {
@@ -160,7 +138,3 @@ func parseCertsToPool(path string, files []os.FileInfo, pool *x509.CertPool) err
 	}
 	return nil
 }
-
-func isBrokenCert(fname string) bool {
-	return brokenCerts[fname]
-}
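Review bot: With the blacklist gone, `pool.AddCert(c)` after the `x509.IsFatal(err)` guard in the first parseCertsToPool hunk still adds a certificate whose parse returned a non-fatal error, and nothing records that it did; the PEM hunk below it has the same shape, though its `if err == nil {` continuation lies outside the hunk so I cannot see how a non-fatal error is treated there. `x509.IsFatal` does not exist in crypto/x509, so this appears to be the certificate-transparency-go x509 fork, and the go.mod bump on this page is presumably what now lets the ST Microelectronics certificates with malformed serial numbers parse non-fatally — that dependency is worth stating in the code, because a future downgrade would turn those files back into a hard failure of the whole pool load. A comment on the guard such as `// Non-fatal parse errors (e.g. malformed serial numbers in some vendor EK CA certs) are tolerated; only fatal errors reject the file.` would capture it, and logging `err` when it is non-nil at that point would let operators see which trusted roots were accepted with parse anomalies. parseCertsToPool starts and ends outside these hunks.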