Commit a2bffce159d ("efi_x509: convert the cert to X509 directly") stopped
using a BIO buffer and instead just created an X509 object directly.
Unfortunately that change also broke the cert's fingerprint calculation due
to a behaviour of the d2i_X509() function that's not intuitive at all.
The function modifies the value of the pointer passed as second argument,
which points to the certificate data. This causes the SHA1 digests to be
calculated against the wrong buffers and leads to invalid fingerprints:
Before the mentioned commit:
After the mentioned commit:
Fix this by using a different pointer than the one passed by reference to the d2i_X509() function to calculate the certificates' SHA1 fingerprints.
Signed-off-by: Javier Martinez Canillas javierm@redhat.com
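
The pointer side effect described in the commit message, shown as an added example that is not part of the commit or the project's code. Assumptions: `d2i_style_parse()` is a hypothetical stand-in that only mimics the pointer-advancing convention of `d2i_X509()`, FNV-1a stands in for SHA1, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: two tiny DER SEQUENCEs back to back (not real certs). */
static const unsigned char SAMPLE[] = { 0x30,3,2,1,5, 0x30,3,2,1,6 };

/* Hypothetical stand-in for d2i_X509(): accepts one short-form DER SEQUENCE and,
 * like the d2i_* functions, advances *in past it. Returns its length or 0. */
static size_t d2i_style_parse(const unsigned char **in, size_t len)
{
    const unsigned char *p = *in;
    if (len < 2 || p[0] != 0x30 || p[1] >= 0x80 || (size_t)p[1] > len - 2)
        return 0;
    *in = p + 2 + p[1];            /* the caller's pointer is moved */
    return 2 + (size_t)p[1];
}

/* FNV-1a, standing in for SHA1 so the example needs no crypto library. */
static uint32_t digest(const unsigned char *buf, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++)
        h = (h ^ buf[i]) * 16777619u;
    return h;
}

/* Broken pattern: cert is passed by reference and then hashed, so the digest
 * covers what follows the certificate. 2*n <= len keeps this demo in bounds. */
static uint32_t fingerprint_broken(const unsigned char *cert, size_t len)
{
    size_t n = d2i_style_parse(&cert, len);
    return (n && 2 * n <= len) ? digest(cert, n) : 0;
}

/* Fixed pattern: a scratch pointer absorbs the side effect. */
static uint32_t fingerprint_fixed(const unsigned char *cert, size_t len)
{
    const unsigned char *tmp = cert;
    size_t n = d2i_style_parse(&tmp, len);
    return n ? digest(cert, n) : 0;
}

int main(void)
{
    printf("broken %08x, fixed %08x\n", (unsigned)fingerprint_broken(SAMPLE, sizeof SAMPLE),
           (unsigned)fingerprint_fixed(SAMPLE, sizeof SAMPLE));
    return 0;
}
```

With the sample buffer the broken variant returns the digest of the second entry rather than the first, which is why a fingerprint computed this way never matches the certificate it is reported for.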