| author | Carl Hetherington <cth@carlh.net> | 2022-12-22 16:36:41 +0100 |
|---|---|---|
| committer | Carl Hetherington <cth@carlh.net> | 2022-12-22 16:36:41 +0100 |
| commit | 55ca48ff8f63809f1f8ca4069d6a751517dd7947 (patch) | |
| tree | 3bd1cadd1773daefd6dbdca8df1b5bb6bdb16be3 /src | |
| parent | 0f2f26d5aad7b22b208fa5b87997ed117621cdd9 (diff) | |
Give a better error from chain_valid() when a certificate has some problem (e.g. it has expired).
Diffstat (limited to 'src')
| -rw-r--r-- | src/certificate_chain.cc | 15 | ||||
| -rw-r--r-- | src/certificate_chain.h | 2 |
2 files changed, 13 insertions, 4 deletions
diff --git a/src/certificate_chain.cc b/src/certificate_chain.cc
index 84478dc1..51f2ca68 100644
--- a/src/certificate_chain.cc
+++ b/src/certificate_chain.cc
@@ -420,8 +420,13 @@ CertificateChain::chain_valid () const
 }
+/** @param error if non-null, filled with an error if a certificate in the list has a
+ * a problem.
+ * @return true if all the given certificates verify OK, and are in the correct order in the list
+ * (root to leaf). false if any certificate has a problem, or the order is wrong.
+ */
 bool
-CertificateChain::chain_valid (List const & chain) const
+CertificateChain::chain_valid(List const & chain, string* error) const
 {
 /* Here I am taking a chain of certificates A/B/C/D and checking validity of B wrt A, C wrt B and D wrt C. It also appears necessary to check the issuer of B/C/D matches
@@ -470,6 +475,9 @@ CertificateChain::chain_valid (List const & chain) const
 if (v != 1) {
 X509_STORE_free (store);
+if (error) {
+*error = X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx));
+}
 return false;
 }
@@ -559,13 +567,14 @@ CertificateChain::root_to_leaf () const
 {
 auto rtl = _certificates;
 std::sort (rtl.begin(), rtl.end());
+string error;
 do {
-if (chain_valid (rtl)) {
+if (chain_valid(rtl, &error)) {
 return rtl;
 }
 } while (std::next_permutation (rtl.begin(), rtl.end()));
-throw CertificateChainError ("certificate chain is not consistent");
+throw CertificateChainError(error.empty() ? string{"certificate chain is not consistent"} : error);
 }
diff --git a/src/certificate_chain.h b/src/certificate_chain.h
index df9f4ccf..8d07ebc2 100644
--- a/src/certificate_chain.h
+++ b/src/certificate_chain.h
@@ -175,7 +175,7 @@ private:
 friend struct ::certificates_validation7;
 friend struct ::certificates_validation8;
-bool chain_valid (List const & chain) const;
+bool chain_valid(List const & chain, std::string* error = nullptr) const;
 /** Our certificates, not in any particular order */
 List _certificates; |
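Review bot: The new Doxygen comment on chain_valid(List const &, string*) duplicates the article across its line break (`has a` followed by `a problem.`); change the second line to ` * problem.` It would also help callers to say what the string actually holds, e.g. `filled with the OpenSSL verification error string for the first certificate that fails X509_verify_cert`, since the subject/issuer ordering checks later in this function (outside the hunk) appear to return false without writing it, which is presumably why root_to_leaf falls back to a generic message. The declaration in certificate_chain.h carries no comment, so this contract is currently only discoverable from the .cc.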
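Review bot: `X509_STORE_CTX_get_error(ctx)` is read after `X509_STORE_free (store)`, and the hunk does not show where `ctx` is released; if the context is freed between X509_verify_cert and this check, the added line reads freed memory, and if it is not freed on this early-return path at all, the context leaks. Read the code before tearing anything down and keep the lifetime explicit: `int const code = X509_STORE_CTX_get_error(ctx);` placed before `X509_STORE_free (store);`, then `if (error) { *error = X509_verify_cert_error_string(code); }`. chain_valid's body begins and ends outside this hunk, so the ctx free/init ordering should be confirmed against the full function.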
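Review bot: `error` is never cleared between permutations in root_to_leaf, so when a later permutation passes X509 verification but fails a check in chain_valid that does not write the string, the exception carries a stale message from an earlier, differently ordered chain. Add `error.clear();` as the first statement of the do-loop body. Separately, because every permutation is exhausted before throwing, the string describes only the last ordering tried; for an expired certificate that may well be an issuer-lookup failure rather than the expiry the commit aims to surface, so consider recording the first non-empty error (or the one from the sorted order) instead of the last.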
