CryptoPkg/BaseCryptLib: Use X509_V_FLAG_PARTIAL_CHAIN

Since OpenSSL 1.0.2 we can set this flag on the X509_STORE to instruct
OpenSSL to accept non-self-signed certificates as trusted. So we don't
need two entirely identical copies of a verify_cb() function which makes
it ignore the resulting errors.

We also *didn't* use that verify_cb() function for X509VerifyCert(), but
probably should have done. So that can get X509_V_FLAG_PARTIAL_CHAIN for
consistency, too.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18703 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
David Woodhouse
2015-10-29 14:16:45 +00:00
committed by qlong
parent e6eaada468
commit 68547181f3
3 changed files with 15 additions and 171 deletions

View File

@@ -463,6 +463,12 @@ X509VerifyCert (
goto _Exit;
}
//
// Allow partial certificate chains, terminated by a non-self-signed but
// still trusted intermediate certificate.
//
X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
//
// Set up X509_STORE_CTX for the subsequent verification operation.
//