[crypto] Differentiate "untrusted root" and "incomplete chain" error cases

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2025-12-25 09:01:24 +03:00 · 2012-03-22 10:55:13 +00:00
parent 5c66395939
commit f2af64aba5
2 changed files with 18 additions and 6 deletions
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -93,6 +93,10 @@ FILE_LICENCE ( GPL2_OR_LATER );
 	__einfo_error ( EINFO_EACCES_PATH_LEN )
 #define EINFO_EACCES_PATH_LEN \
 	__einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )
+#define EACCES_UNTRUSTED \
+	__einfo_error ( EINFO_EACCES_UNTRUSTED )
+#define EINFO_EACCES_UNTRUSTED \
+	__einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )

 /** "commonName" object identifier */
 static uint8_t oid_common_name[] = { ASN1_OID_COMMON_NAME };
@@ -1179,10 +1183,18 @@ int x509_validate_chain ( int ( * parse_next )
 		if ( ( rc = x509_validate_time ( current, time ) ) != 0 )
 			return rc;

-		/* Succeed if we have reached a root certificate */
+		/* Succeed if we have reached a trusted root certificate */
 		if ( x509_validate_root ( current, root ) == 0 )
 			return 0;

+		/* Fail if we have reached an untrusted root certificate */
+		if ( asn1_compare ( &current->issuer.raw,
+				    &current->subject.raw ) == 0 ) {
+			DBGC ( context, "X509 chain %p reached untrusted root "
+			       "certificate\n", context );
+			return -EACCES_UNTRUSTED;
+		}
+
 		/* Get next certificate in chain */
 		if ( ( rc = parse_next ( next, current, context ) ) != 0 ) {
 			DBGC ( context, "X509 chain %p could not get next "