CryptoPkg/BaseCryptLib: Use X509_V_FLAG_PARTIAL_CHAIN

Since OpenSSL 1.0.2 we can set this flag on the X509_STORE to instruct OpenSSL to accept non-self-signed certificates as trusted. So we don't need two entirely identical copies of a verify_cb() function which makes it ignore the resulting errors. We also *didn't* use that verify_cb() function for X509VerifyCert(), but probably should have done. So that can get X509_V_FLAG_PARTIAL_CHAIN for consistency, too. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18703 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-29 14:16:45 +00:00
parent e6eaada468
commit 68547181f3
3 changed files with 15 additions and 171 deletions
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -463,6 +463,12 @@ X509VerifyCert (
    goto _Exit;
  }

+  //
+  // Allow partial certificate chains, terminated by a non-self-signed but
+  // still trusted intermediate certificate.
+  //
+  X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+
  //
  // Set up X509_STORE_CTX for the subsequent verification operation.
  //