From 9086386263154498dcb18c96f1e1630903b21a3c Mon Sep 17 00:00:00 2001 From: Paul Gardiner Date: Thu, 11 Jan 2018 11:44:21 +0000 Subject: Improve signature check failure reporting Because of the structure of openssl's signature checking, we temporarily permit certain errors in the certificate trust stage, so that openssl will continue onto the digest check. That way we can detect special error cases such as the only failure being that a self-signed certificate is present. This commit misses out one of the cases we'd missed. --- source/pdf/pdf-pkcs7.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source/pdf/pdf-pkcs7.c') diff --git a/source/pdf/pdf-pkcs7.c b/source/pdf/pdf-pkcs7.c index 6ec8aaf2..f1e616c0 100644 --- a/source/pdf/pdf-pkcs7.c +++ b/source/pdf/pdf-pkcs7.c @@ -319,6 +319,7 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) break; case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: /* In this case, don't reset err to X509_V_OK, so that it can be reported, although we do return 1, so that the digest will still be checked -- cgit v1.2.3
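Review bot: the new case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN label in verify_callback shares the arm that returns 1 while leaving err set. The result is therefore only safe if the code that later reads the stored error treats this code as a trust failure. The diffstat shows a single insertion, so nothing on the reporting side changes in this commit. Please confirm that the consumer of the stored error handles X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN explicitly, rather than through a default path, so that a signature whose chain contains a self-signed certificate is reported as untrusted even when the digest check passes. The comment under the two labels still reads "In this case"; since it now covers both the depth-zero and the in-chain self-signed errors, reword it to name both. The commit message's last sentence says the commit "misses out" a case, while the hunk adds one, so "adds" looks like the intended word.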