author Paul Gardiner <paul.gardiner@artifex.com> 2018-01-11 11:44:21 +0000
committer Paul Gardiner <paul.gardiner@artifex.com> 2018-01-19 13:52:25 +0000
commit 9086386263154498dcb18c96f1e1630903b21a3c
tree a7c8a078a3c102cdefb833c761d1baaf10588d31 /source/pdf/pdf-pkcs7.c
parent 31397fa866cfd7207966ab607db974d92727ae43
Improve signature check failure reporting
Because of the structure of openssl's signature checking, we temporarily permit certain errors in the certificate trust stage, so that openssl will continue on to the digest check. That way we can detect special error cases such as the only failure being that a self-signed certificate is present. This commit misses out one of the cases we'd missed.
Diffstat (limited to 'source/pdf/pdf-pkcs7.c')
-rw-r--r-- source/pdf/pdf-pkcs7.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/source/pdf/pdf-pkcs7.c b/source/pdf/pdf-pkcs7.c
index 6ec8aaf2..f1e616c0 100644
--- a/source/pdf/pdf-pkcs7.c
+++ b/source/pdf/pdf-pkcs7.c
@@ -319,6 +319,7 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx)
break;
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
/*
In this case, don't reset err to X509_V_OK, so that it can be reported,
although we do return 1, so that the digest will still be checked
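Review bot: The block comment under the two case labels still reads "In this case", but with `case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:` added it now covers two distinct conditions, and it should say so. X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT means the signing certificate itself is self-signed and untrusted. X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN means a chain was built but its self-signed root is not in the trust store. Please reword the comment to name both codes. Because the callback returns 1 for each of them, the only thing that keeps such a signature from being treated as trusted is the caller inspecting the retained err after verification. That check is not visible in this hunk, so confirm that it handles the new code explicitly and reports it distinctly from the depth-zero case rather than folding both into one "self-signed" result.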