[x509] Record root of trust used when validating a certificate

Record the root of trust used at the point that a certificate is validated, redefine validation as checking a certificate against a specific root of trust, and pass an explicit root of trust when creating a TLS connection. This allows a custom TLS connection to be used with a custom root of trust, without causing any validated certificates to be treated as valid for normal purposes. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-04-04 03:00:20 +03:00 · 2020-12-08 14:58:46 +00:00
parent 6e92d6213d
commit 39f5293492
13 changed files with 60 additions and 33 deletions
--- a/src/tests/ocsp_test.c
+++ b/src/tests/ocsp_test.c
@@ -42,6 +42,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <stdlib.h>
 #include <string.h>
 #include <ipxe/x509.h>
+#include <ipxe/rootcert.h>
 #include <ipxe/ocsp.h>
 #include <ipxe/test.h>

@@ -110,7 +111,7 @@ static void ocsp_prepare_test ( struct ocsp_test *test ) {
 	x509_invalidate ( cert );

 	/* Force-validate issuer certificate */
-	issuer->flags |= X509_FL_VALIDATED;
+	issuer->root = &root_certificates;
 	issuer->path_remaining = ( issuer->extensions.basic.path_len + 1 );
 }

--- a/src/tests/x509_test.c
+++ b/src/tests/x509_test.c
@@ -943,6 +943,10 @@ static void x509_validate_chain_okx ( struct x509_test_chain *chn, time_t time,
 	x509_invalidate_chain ( chn->chain );
 	okx ( x509_validate_chain ( chn->chain, time, store, root ) == 0,
 	      file, line );
+	okx ( x509_is_valid ( chn->certs[0]->cert, root ),
+	      file, line );
+	okx ( ! x509_is_valid ( chn->certs[0]->cert, &dummy_root ),
+	      file, line );
 }
 #define x509_validate_chain_ok( chn, time, store, root ) \
 	x509_validate_chain_okx ( chn, time, store, root, __FILE__, __LINE__ )