If a certificate chain contains no certificate which can be validated
as a standalone certificate (i.e. contains no trusted root
certificates or previously-validated certificates) then iPXE will
currently return a fixed error EACCES_UNTRUSTED. This masks the
actual errors obtained when attempting to validate each certificate as
a standalone certificate, and so makes troubleshooting difficult for
the end user.

Fix by instead returning the error obtained when attempting to
validate the final certificate in the chain as a standalone
certificate. This error is most likely (though not guaranteed) to
represent the "real" problem.

Reported-by: Sven Dreyer <sven@dreyer-net.de>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
struct x509_link *link;
int rc;
- /* Sanity check */
- if ( list_empty ( &chain->links ) ) {
- DBGC ( chain, "X509 chain %p is empty\n", chain );
- return -EACCES_EMPTY;
- }
+ /* Error to be used if chain contains no certifictes */
+ rc = -EACCES_EMPTY;
/* Find first certificate that can be validated as a
* standalone (i.e. is already valid, or can be validated as
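Review bot: the added comment above `rc = -EACCES_EMPTY;` has a typo ("certifictes" should be "certificates"), and it should also say that this is only the initial value, to be overwritten by each per-certificate validation attempt in the loop that follows. The removed sanity check made the empty-chain case explicit with its own `DBGC` message; after this change that case is handled only by falling through to the final `return rc`, which a reader of the comment alone cannot tell. Suggest: `/* Initial error, returned if the chain contains no certificates; overwritten by each per-certificate validation attempt */`.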
return 0;
}
- DBGC ( chain, "X509 chain %p found no valid certificates\n", chain );
- return -EACCES_UNTRUSTED;
+ DBGC ( chain, "X509 chain %p found no valid certificates: %s\n",
+ chain, strerror ( rc ) );
+ return rc;
}
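Review bot: the `return rc;` at the end is only correct if every iteration of the loop assigns `rc` from its validation attempt, but the loop body is not part of this hunk; please confirm there is no path through the loop that continues without assigning `rc`, since otherwise a stale value (the -EACCES_EMPTY initial value or an earlier certificate's error) would be reported as the final certificate's result. As the commit message itself notes that the final certificate's error is not guaranteed to be the real problem, consider also emitting a `DBGC` line for each certificate that fails validation inside the loop, so the errors for earlier links remain visible in debug builds rather than being overwritten.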