From cb29cd4298f07c35ac2099f56bd9895a9160e3a2 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Fri, 10 May 2013 10:03:56 +0100
Subject: [PATCH] [crypto] Report meaningful error when certificate chain validation fails

If a certificate chain contains no certificate which can be validated as a standalone certificate (i.e. contains no trusted root certificates or previously-validated certificates) then iPXE will currently return a fixed error EACCES_UNTRUSTED. This masks the actual errors obtained when attempting to validate each certificate as a standalone certificate, and so makes troubleshooting difficult for the end user. Fix by instead returning the error obtained when attempting to validate the final certificate in the chain as a standalone certificate. This error is most likely (though not guaranteed) to represent the "real" problem.

Reported-by: Sven Dreyer
Signed-off-by: Michael Brown
---
 src/crypto/x509.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index df3c5c0d..d54124c5 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1552,11 +1552,8 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,
 	struct x509_link *link;
 	int rc;
 
-	/* Sanity check */
-	if ( list_empty ( &chain->links ) ) {
-		DBGC ( chain, "X509 chain %p is empty\n", chain );
-		return -EACCES_EMPTY;
-	}
+	/* Error to be used if chain contains no certifictes */
+	rc = -EACCES_EMPTY;
 
 	/* Find first certificate that can be validated as a
 	 * standalone (i.e. is already valid, or can be validated as
@@ -1586,6 +1583,7 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,
 		return 0;
 	}
 
-	DBGC ( chain, "X509 chain %p found no valid certificates\n", chain );
-	return -EACCES_UNTRUSTED;
+	DBGC ( chain, "X509 chain %p found no valid certificates: %s\n",
+	       chain, strerror ( rc ) );
+	return rc;
 }
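Review bot: The comment added above `rc = -EACCES_EMPTY;` misspells "certificates" as "certifictes", and it does not say why a default is needed now that the explicit `list_empty` check has been removed: the empty-chain case is covered only because the search loop that follows has no links to iterate and so leaves rc untouched, and the dedicated "X509 chain %p is empty" debug message goes away with the check. I would write `/* Default error: returned unchanged when the chain holds no certificates, since the search loop below then never runs and never overwrites rc */`. The body of x509_validate_chain continues past the end of this hunk, so whether every loop iteration really assigns rc cannot be confirmed from here.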
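Review bot: The fall-through `return rc;` replaces an unconditional `return -EACCES_UNTRUSTED;`, so rejecting an untrusted chain now depends on rc being non-zero whenever the search loop (which lies outside this hunk) exits without returning, whereas the old path failed closed by construction. If any iteration can leave rc at 0 without itself returning 0, this would report success for a chain in which no certificate validated. A one-line guard before the DBGC keeps the path fail-closed independent of the loop's structure, `if ( rc == 0 ) rc = -EACCES_UNTRUSTED;`, or an `assert ( rc != 0 );` if that invariant is intended to hold. The new call also presumes `strerror` is already in scope in x509.c, which this hunk does not show.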