sysadmin/ipxe
1
0
Fork 0
mirror of https://github.com/ipxe/ipxe synced 2026-01-25 07:31:04 +03:00
Code Issues Packages Projects Releases Wiki Activity

[crypto] Add x509_truncate() to truncate a certificate chain

Browse Source 
Downloading a cross-signed certificate chain to partially replace
(rather than simply extend) an existing chain will require the ability
to discard all certificates after a specified link in the chain.

Extract the relevant logic from x509_free_chain() and expose it
separately as x509_truncate().

Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown
2024-02-13 16:27:31 +00:00
parent e10dfe5dc7
commit 3e721e0c08
3 changed files with 37 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/tests/x509_test.c
View File

@@ -984,6 +984,7 @@ static void x509_validate_chain_fail_okx ( struct x509_test_chain *chn,
*
*/
static void x509_test_exec ( void ) {
struct x509_link *link;
/* Parse all certificates */
x509_certificate_ok ( &root_crt );
@@ -1089,6 +1090,18 @@ static void x509_test_exec ( void ) {
x509_validate_chain_fail_ok ( &useless_chain, test_ca_expired,
&empty_store, &test_root );
/* Check chain truncation */
link = list_last_entry ( &server_chain.chain->links,
struct x509_link, list );
ok ( link->cert == root_crt.cert );
link = list_prev_entry ( link, &server_chain.chain->links, list );
ok ( link->cert == intermediate_crt.cert );
x509_validate_chain_ok ( &server_chain, test_time,
&empty_store, &test_root );
x509_truncate ( server_chain.chain, link );
x509_validate_chain_fail_ok ( &server_chain, test_time,
&empty_store, &test_root );
/* Sanity check */
assert ( list_empty ( &empty_store.links ) );