authorMichael Brown2013-05-10 11:03:56 +0200
committerMichael Brown2013-05-10 11:03:56 +0200
commitcb29cd4298f07c35ac2099f56bd9895a9160e3a2 (patch)
tree58fe2b159ad70ccff4fc5d79402fe2f06f5e3857 /src/crypto
parent[smbios] Allow access to multiple instances of SMBIOS structures (diff)
[crypto] Report meaningful error when certificate chain validation fails
If a certificate chain contains no certificate which can be validated as a standalone certificate (i.e. contains no trusted root certificates or previously-validated certificates) then iPXE will currently return a fixed error EACCES_UNTRUSTED. This masks the actual errors obtained when attempting to validate each certificate as a standalone certificate, and so makes troubleshooting difficult for the end user.

Fix by instead returning the error obtained when attempting to validate the final certificate in the chain as a standalone certificate. This error is most likely (though not guaranteed) to represent the "real" problem.

Reported-by: Sven Dreyer <sven@dreyer-net.de>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/x509.c12
1 files changed, 5 insertions, 7 deletions
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index df3c5c0d..d54124c5 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1552,11 +1552,8 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,
struct x509_link *link;
int rc;
- /* Sanity check */
- if ( list_empty ( &chain->links ) ) {
- DBGC ( chain, "X509 chain %p is empty\n", chain );
- return -EACCES_EMPTY;
- }
+ /* Error to be used if chain contains no certifictes */
+ rc = -EACCES_EMPTY;
/* Find first certificate that can be validated as a
* standalone (i.e. is already valid, or can be validated as
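Review bot: The new comment on the `rc = -EACCES_EMPTY;` line misspells "certificates" ("certifictes") and does not state the invariant the second hunk now depends on: that every standalone-validation attempt in the loop below overwrites rc, so the value that survives to the end is the error from the final certificate tried. Suggest `/* Error to be used if chain contains no certificates; overwritten by each standalone validation attempt below, so on failure the caller sees the error for the final certificate */`. The loop that performs those attempts lies between the two hunks and is outside this view, so whether every path through it assigns rc can only be inferred from the commit description; if any iteration can skip a certificate without assigning rc, the reported error would belong to an earlier certificate than the comment claims.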
@@ -1586,6 +1583,7 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,
return 0;
}
- DBGC ( chain, "X509 chain %p found no valid certificates\n", chain );
- return -EACCES_UNTRUSTED;
+ DBGC ( chain, "X509 chain %p found no valid certificates: %s\n",
+ chain, strerror ( rc ) );
+ return rc;
}
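Review bot: The failure return of x509_validate_chain changes from a single fixed value to whatever error the last standalone-validation attempt produced, and nothing in the hunk or the function's header documents that contract for callers. Any caller that tests specifically for -EACCES_UNTRUSTED to distinguish "no trusted anchor" from other failures would stop matching after this change; that call-site behaviour is not visible here and should be checked. The function's leading comment (outside this view) should gain a line such as `On failure, returns the error from the final standalone validation attempt (or -EACCES_EMPTY for an empty chain), not a fixed code.` The DBGC line is debug-only, so the strerror() text does not reach ordinary users.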