[x509] Record root of trust used when validating a certificate

Record the root of trust used at the point that a certificate is
validated, redefine validation as checking a certificate against a
specific root of trust, and pass an explicit root of trust when
creating a TLS connection.

This allows a custom TLS connection to be used with a custom root of
trust, without causing any validated certificates to be treated as
valid for normal purposes.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown
2020-12-08 14:58:46 +00:00
parent 6e92d6213d
commit 39f5293492
13 changed files with 60 additions and 33 deletions

@@ -42,6 +42,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <stdlib.h>
#include <string.h>
#include <ipxe/x509.h>
#include <ipxe/rootcert.h>
#include <ipxe/ocsp.h>
#include <ipxe/test.h>
@@ -110,7 +111,7 @@ static void ocsp_prepare_test ( struct ocsp_test *test ) {
x509_invalidate ( cert );
/* Force-validate issuer certificate */
issuer->flags |= X509_FL_VALIDATED;
issuer->root = &root_certificates;
issuer->path_remaining = ( issuer->extensions.basic.path_len + 1 );
}
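
Review bot: In the force-validate block of ocsp_prepare_test(), the issuer is marked as trusted by writing `issuer->root = &root_certificates;` directly. That only has the intended effect while the OCSP code under test checks the issuer against that same root. Since the commit message redefines validation as a check against a specific root of trust, please add a comment here naming the root the test relies on, or move the assignment into a small test helper, so the coupling is documented in one place. The hunk as shown also contains `issuer->flags |= X509_FL_VALIDATED;`. If that line remains after this change, please confirm the flag is still consulted anywhere, because keeping both a flag and a root pointer as records of validity lets the two disagree.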