After updating openssl from 0.9.8zf to 1.0.2c(*), all images with the depth zero self-signed certificates were rejected since X509_verify_cert() issued this error: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. This commit relaxes the check in X509VerifyCb() to allow the self-signed images to pass the verification.
(*) The critical commit in openssl is da084a5ec6cebd67ae27f2463ebe4a50bb840fa5 https://git.openssl.org/?p=openssl.git;a=commit;h=da084a5ec6cebd67ae27f2463ebe4a50bb840fa5 Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Gary Ching-Pang Lin <g...@suse.com> --- CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c index d0b0c83..1145f65 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c @@ -100,7 +100,8 @@ X509VerifyCb ( } if ((Error == X509_V_ERR_CERT_UNTRUSTED) || - (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) { + (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) || + (Error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) { Status = 1; } -- 2.1.4 _______________________________________________ edk2-devel mailing list edk2-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/edk2-devel
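Review bot: The added `X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT` clause in the `if` of `X509VerifyCb()` turns the error into `Status = 1` unconditionally, and nothing in the hunk ties that override to the certificate the caller actually trusts. Because this callback is the point where a verification failure becomes a success, please either restrict the override to the case where the depth-zero certificate matches the trusted certificate supplied for this verification, or add a comment above the condition stating where that match is enforced, so that a reader can confirm an arbitrary self-signed signer is not accepted. A comment recording that the error began to appear with OpenSSL 1.0.2c (the commit cited in the message) would also explain why three different error codes are treated as success here.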