Allow locally trusted EE certs from a callback

When verifying a certificate chain, call the user-provided CA callback before checking whether the current cert is a locally-trusted end-entity cert. This allows the list of locally-trusted EE certs to be supplied dynamically via the callback. Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-12-26 18:20:21 +00:00 · 2023-08-15 17:30:02 +01:00 · 2023-08-15 17:30:02 +01:00 · c894f7332e
commit c894f7332e
parent b476177849
1 changed files with 10 additions and 10 deletions
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -2598,16 +2598,6 @@ static int x509_crt_verify_chain(
            *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
        }

-        /* Special case: EE certs that are locally trusted */
-        if (ver_chain->len == 1 &&
-            x509_crt_check_ee_locally_trusted(child, trust_ca) == 0) {
-            return 0;
-        }
-
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
-find_parent:
-#endif
-
        /* Obtain list of potential trusted signers from CA callback,
         * or use statically provided list. */
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
@ -2630,6 +2620,16 @@ find_parent:
            cur_trust_ca = trust_ca;
        }

+        /* Special case: EE certs that are locally trusted */
+        if (ver_chain->len == 1 &&
+            x509_crt_check_ee_locally_trusted(child, cur_trust_ca) == 0) {
+            return 0;
+        }
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+find_parent:
+#endif
+
        /* Look for a parent in trusted CAs or up the chain */
        ret = x509_crt_find_parent(child, cur_trust_ca, &parent,
                                   &parent_is_trusted, &signature_is_good,