[crypto] Differentiate "untrusted root" and "incomplete chain" error cases
Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown
parent
5c66395939
commit
f2af64aba5
|
|
@ -93,6 +93,10 @@ FILE_LICENCE ( GPL2_OR_LATER );
|
|||
__einfo_error ( EINFO_EACCES_PATH_LEN )
|
||||
#define EINFO_EACCES_PATH_LEN \
|
||||
__einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )
|
||||
#define EACCES_UNTRUSTED \
|
||||
__einfo_error ( EINFO_EACCES_UNTRUSTED )
|
||||
#define EINFO_EACCES_UNTRUSTED \
|
||||
__einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )
|
||||
|
||||
/** "commonName" object identifier */
|
||||
static uint8_t oid_common_name[] = { ASN1_OID_COMMON_NAME };
|
||||
|
|
@ -1179,10 +1183,18 @@ int x509_validate_chain ( int ( * parse_next )
|
|||
if ( ( rc = x509_validate_time ( current, time ) ) != 0 )
|
||||
return rc;
|
||||
|
||||
/* Succeed if we have reached a root certificate */
|
||||
/* Succeed if we have reached a trusted root certificate */
|
||||
if ( x509_validate_root ( current, root ) == 0 )
|
||||
return 0;
|
||||
|
||||
/* Fail if we have reached an untrusted root certificate */
|
||||
if ( asn1_compare ( ¤t->issuer.raw,
|
||||
¤t->subject.raw ) == 0 ) {
|
||||
DBGC ( context, "X509 chain %p reached untrusted root "
|
||||
"certificate\n", context );
|
||||
return -EACCES_UNTRUSTED;
|
||||
}
|
||||
|
||||
/* Get next certificate in chain */
|
||||
if ( ( rc = parse_next ( next, current, context ) ) != 0 ) {
|
||||
DBGC ( context, "X509 chain %p could not get next "
|
||||
|
|
|
|||
|
|
@ -46,10 +46,10 @@ FILE_LICENCE ( GPL2_OR_LATER );
|
|||
#include <ipxe/tls.h>
|
||||
|
||||
/* Disambiguate the various error causes */
|
||||
#define EACCES_UNTRUSTED \
|
||||
__einfo_error ( EINFO_EACCES_UNTRUSTED )
|
||||
#define EINFO_EACCES_UNTRUSTED \
|
||||
__einfo_uniqify ( EINFO_EACCES, 0x01, "Untrusted certificate chain" )
|
||||
#define EACCES_INCOMPLETE \
|
||||
__einfo_error ( EINFO_EACCES_INCOMPLETE )
|
||||
#define EINFO_EACCES_INCOMPLETE \
|
||||
__einfo_uniqify ( EINFO_EACCES, 0x01, "Incomplete certificate chain" )
|
||||
#define EACCES_WRONG_NAME \
|
||||
__einfo_error ( EINFO_EACCES_WRONG_NAME )
|
||||
#define EINFO_EACCES_WRONG_NAME \
|
||||
|
|
@ -1302,7 +1302,7 @@ static int tls_parse_next ( struct x509_certificate *cert,
|
|||
/* Return error at end of chain */
|
||||
if ( context->current >= context->end ) {
|
||||
DBGC ( tls, "TLS %p reached end of certificate chain\n", tls );
|
||||
return -EACCES_UNTRUSTED;
|
||||
return -EACCES_INCOMPLETE;
|
||||
}
|
||||
|
||||
/* Extract current certificate and update context */
|
||||
|
|
|
|||
Reference in New Issue