[crypto] Report meaningful error when certificate chain validation fails

If a certificate chain contains no certificate which can be validated as a standalone certificate (i.e. contains no trusted root certificates or previously-validated certificates) then iPXE will currently return a fixed error EACCES_UNTRUSTED. This masks the actual errors obtained when attempting to validate each certificate as a standalone certificate, and so makes troubleshooting difficult for the end user. Fix by instead returning the error obtained when attempting to validate the final certificate in the chain as a standalone certificate. This error is most likely (though not guaranteed) to represent the "real" problem. Reported-by: Sven Dreyer <sven@dreyer-net.de> Signed-off-by: Michael Brown <mcb30@ipxe.org>
ipxe · May 10, 2013 · cb29cd4 · cb29cd4
1 parent 8bc20c1
commit cb29cd4
Showing 1 changed file with 5 additions and 7 deletions.
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
@@ -1552,11 +1552,8 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,
 	struct x509_link *link;
 	int rc;
 
-	/* Sanity check */
-	if ( list_empty ( &chain->links ) ) {
-		DBGC ( chain, "X509 chain %p is empty\n", chain );
-		return -EACCES_EMPTY;
-	}
+	/* Error to be used if chain contains no certifictes */
+	rc = -EACCES_EMPTY;
 
 	/* Find first certificate that can be validated as a
 	 * standalone (i.e.  is already valid, or can be validated as
@@ -1586,6 +1583,7 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,
 		return 0;
 	}
 
-	DBGC ( chain, "X509 chain %p found no valid certificates\n", chain );
-	return -EACCES_UNTRUSTED;
+	DBGC ( chain, "X509 chain %p found no valid certificates: %s\n",
+	       chain, strerror ( rc ) );
+	return rc;
 }