From f20f043dd8f0c04ea5e322acd2c47d9221e302f9 Mon Sep 17 00:00:00 2001
From: Timotej Ecimovic <timotej.ecimovic@silabs.com>
Date: Sun, 13 Oct 2024 14:56:04 -0400
Subject: [PATCH] Add another critical extension bypass.

Signed-off-by: Timotej Ecimovic <t1@digitalgeyser.com>
Signed-off-by: Timotej Ecimovic <timotej.ecimovic@silabs.com>
---
 .gitignore                    | 3 ++-
 quill/pki/certchain/verify.go | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 070d996d..c61106e9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,6 +23,7 @@ CHANGELOG.md
 .tmp/
 coverage.txt
 bin/
+cmd/quill/quill
 
 # Binaries for programs and plugins
 *.exe
@@ -40,4 +41,4 @@ bin/
 # macOS Finder metadata
 .DS_STORE
 
-*.profile
\ No newline at end of file
+*.profile
diff --git a/quill/pki/certchain/verify.go b/quill/pki/certchain/verify.go
index 70ba85cc..06601b06 100644
--- a/quill/pki/certchain/verify.go
+++ b/quill/pki/certchain/verify.go
@@ -54,11 +54,13 @@ func VerifyForCodeSigning(certs []*x509.Certificate, failWithoutFullChain bool)
 		},
 	}
 
-	// ignore "devid_execute" critical extension
+	// ignore "devid_execute" and "devid_kernel" critical extensions
 	temp := leaf.UnhandledCriticalExtensions[:0]
 	for _, ex := range leaf.UnhandledCriticalExtensions {
 		switch ex.String() {
-		case "1.2.840.113635.100.6.1.13":
+		case "1.2.840.113635.100.6.1.13": // devid_execute
+			continue
+		case "1.2.840.113635.100.6.1.18": // devid_kernel
 			continue
 		default:
 			temp = append(temp, ex)