From e9cfb6e09338ad2081dfa06cdae4acc1dc0c78d9 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Wed, 18 Aug 2021 15:32:38 +0000
Subject: Add a check_trust call to the legacy chain validation on chain add, remembering the result in order to return the same errors as OpenSSL users expect to override the generic "Untrusted cert" error. This fixes the openssl-ruby timestamp test. ok tb@
---
 src/lib/libcrypto/x509/x509_verify.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index dd053ad812..9073dda31d 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.40 2021/08/18 15:10:46 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.41 2021/08/18 15:32:38 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck
 *
@@ -312,7 +312,7 @@ static int
 x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 struct x509_verify_chain *chain, size_t depth)
 {
- int ret = 0;
+ int ret = 0, trust;

 if (ctx->xsc == NULL)
 return 1;
@@ -330,6 +330,10 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 ctx->xsc->error = X509_V_OK;
 ctx->xsc->error_depth = 0;

+ trust = x509_vfy_check_trust(ctx->xsc);
+ if (trust == X509_TRUST_REJECTED)
+ goto err;
+
 if (!x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1))
 goto err;

@@ -354,6 +358,10 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 if (!x509_vfy_check_policy(ctx->xsc))
 goto err;

+ if ((!(ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN)) &&
+ trust != X509_TRUST_TRUSTED)
+ goto err;
+
 ret = 1;
err:
--
cgit v1.2.3-55-g6feb
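Review bot: In the @@ -330 hunk, `trust = x509_vfy_check_trust(ctx->xsc);` runs before `x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1)` installs the candidate chain into the xsc, so the trust verdict is computed against whatever chain `ctx->xsc` held before this call rather than against `chain`. As far as I can tell the legacy check_trust walks `xsc->chain` from `num_untrusted`, so the result remembered in `trust` would not describe the chain being validated; this needs confirming against x509_vfy.c, which is outside the diff. Moving the three added lines (the call, the `X509_TRUST_REJECTED` test and its `goto err`) to just after the `x509_verify_ctx_set_xsc_chain` call and its `goto err` would make the verdict match the chain that the later checks see. The function body continues outside this hunk on both sides.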
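Review bot: In the @@ -354 hunk the new guard never consults `trust` once X509_V_FLAG_PARTIAL_CHAIN is set, so an X509_TRUST_UNTRUSTED verdict is accepted outright in that mode; if that is deliberate because the chain builder only hands this function chains already anchored in the trust store, the guard deserves a comment saying so, e.g. `/* With PARTIAL_CHAIN the legacy trust verdict is advisory; chain construction already anchored this chain. */`. Also, on this `goto err` `ctx->xsc->error` is left at whatever the preceding checks set (X509_V_OK unless one of them reported), which presumably is what lets the caller fall back to its generic untrusted error as the commit message describes — a one-line comment on the `goto err` would keep that reasoning in the code rather than only in the log. Everything after `err:` is outside the hunk.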