CryptoPkg/BaseCryptLib: Use X509_V_FLAG_PARTIAL_CHAIN
Since OpenSSL 1.0.2 we can set this flag on the X509_STORE to instruct OpenSSL to accept non-self-signed certificates as trusted. So we don't need two entirely identical copies of a verify_cb() function which makes it ignore the resulting errors. We also *didn't* use that verify_cb() function for X509VerifyCert(), but probably should have done. So that can get X509_V_FLAG_PARTIAL_CHAIN for consistency, too. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18703 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
@@ -463,6 +463,12 @@ X509VerifyCert (
|
||||
goto _Exit;
|
||||
}
|
||||
|
||||
//
|
||||
// Allow partial certificate chains, terminated by a non-self-signed but
|
||||
// still trusted intermediate certificate.
|
||||
//
|
||||
X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
|
||||
|
||||
//
|
||||
// Set up X509_STORE_CTX for the subsequent verification operation.
|
||||
//
|
||||
|
Reference in New Issue
Block a user