Add a check_trust call to the legacy chain validation on chain add, remembering

beck · beck · commit 9b2335a992c9 · 2021-08-18T15:32:38.000Z
the result in order to return the same errors as OpenSSL users expect to override
the generic "Untrusted cert" error.

This fixes the openssl-ruby timestamp test.

ok tb@
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.40 2021/08/18 15:10:46 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.41 2021/08/18 15:32:38 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -312,7 +312,7 @@ static int
 x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
     struct x509_verify_chain *chain, size_t depth)
 {
-	int ret = 0;
+	int ret = 0, trust;
 
 	if (ctx->xsc == NULL)
 		return 1;
@@ -330,6 +330,10 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 	ctx->xsc->error = X509_V_OK;
 	ctx->xsc->error_depth = 0;
 
+	trust = x509_vfy_check_trust(ctx->xsc);
+	if (trust == X509_TRUST_REJECTED)
+		goto err;
+
 	if (!x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1))
 		goto err;
 
@@ -354,6 +358,10 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 	if (!x509_vfy_check_policy(ctx->xsc))
 		goto err;
 
+	if ((!(ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN)) &&
+	    trust != X509_TRUST_TRUSTED)
+		goto err;
+
 	ret = 1;
 
  err:
