pkcs7: Use better error codes

Remove an unnecessary debug print (whoops). Use new error code for when the x509 is expired. When there are no signers return invalid certificate. Signed-off-by: Nick Child <nick.child@ibm.com> Co-authored-by: Dave Rodgman <dave.rodgman@arm.com> Signed-off-by: Nick Child <nick.child@ibm.com>
2022-10-31 09:17:15 -05:00 · 2022-10-31 09:17:15 -05:00 · 3951a4f3ad
commit 3951a4f3ad
parent 5f39767495
2 changed files with 3 additions and 3 deletions
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h
@ -69,6 +69,7 @@
 #define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA                   -0x5700  /**< Input invalid. */
 #define MBEDTLS_ERR_PKCS7_ALLOC_FAILED                     -0x5780  /**< Allocation of memory failed. */
 #define MBEDTLS_ERR_PKCS7_VERIFY_FAIL                      -0x5800  /**< Verification Failed */
+#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID                -0x5880  /**< The PKCS7 date issued/expired dates are invalid */
 /* \} name */

 /**
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@ -630,15 +630,14 @@ static int mbedtls_pkcs7_data_or_hash_verify( mbedtls_pkcs7 *pkcs7,

    if( pkcs7->signed_data.no_of_signers == 0 )
    {
-        ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+        ret = MBEDTLS_ERR_PKCS7_INVALID_CERT;
        goto out;
    }

    if( mbedtls_x509_time_is_past( &cert->valid_to ) ||
        mbedtls_x509_time_is_future( &cert->valid_from ))
    {
-        printf("EXPRED\n");
-        ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+        ret = MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID;
        goto out;
    }