瀏覽代碼

[crypto] Report meaningful error when certificate chain validation fails

If a certificate chain contains no certificate which can be validated
as a standalone certificate (i.e. contains no trusted root
certificates or previously-validated certificates) then iPXE will
currently return a fixed error EACCES_UNTRUSTED.  This masks the
actual errors obtained when attempting to validate each certificate as
a standalone certificate, and so makes troubleshooting difficult for
the end user.

Fix by instead returning the error obtained when attempting to
validate the final certificate in the chain as a standalone
certificate.  This error is most likely (though not guaranteed) to
represent the "real" problem.

Reported-by: Sven Dreyer <sven@dreyer-net.de>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 11 年之前
父節點
當前提交
cb29cd4298
共有 1 個文件被更改,包括 5 次插入7 次删除
  1. 5
    7
      src/crypto/x509.c

+ 5
- 7
src/crypto/x509.c 查看文件

@@ -1552,11 +1552,8 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,
1552 1552
 	struct x509_link *link;
1553 1553
 	int rc;
1554 1554
 
1555
-	/* Sanity check */
1556
-	if ( list_empty ( &chain->links ) ) {
1557
-		DBGC ( chain, "X509 chain %p is empty\n", chain );
1558
-		return -EACCES_EMPTY;
1559
-	}
1555
+	/* Error to be used if chain contains no certifictes */
1556
+	rc = -EACCES_EMPTY;
1560 1557
 
1561 1558
 	/* Find first certificate that can be validated as a
1562 1559
 	 * standalone (i.e.  is already valid, or can be validated as
@@ -1586,6 +1583,7 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,
1586 1583
 		return 0;
1587 1584
 	}
1588 1585
 
1589
-	DBGC ( chain, "X509 chain %p found no valid certificates\n", chain );
1590
-	return -EACCES_UNTRUSTED;
1586
+	DBGC ( chain, "X509 chain %p found no valid certificates: %s\n",
1587
+	       chain, strerror ( rc ) );
1588
+	return rc;
1591 1589
 }

Loading…
取消
儲存