[ipxe-devel] Certificate validation when trust chain includes root

Tatum, James James.Tatum at disney.com
Mon Jan 6 17:17:15 UTC 2020


Hi, iPXE developers,

While setting up a crosscert server for my organization, I ran into a small issue. In validator.c:validator_step() around line 591, there is a check to see if the last certificate in the chain is a self-signed certificate (subject == issuer). If so, validation stops and fails.

In some cases, this is right. Self-signed certs generally can’t be validated. However, if the server is configured to include the CA root certificate as part of the chain, the root certificate is always self-signed. The client must have the root cert in order to do any validation in the first place, so many servers omit it from the chain. However, RFC 8446 4.4.2 says:

> Because certificate validation requires that trust anchors be distributed independently, a certificate that specifies a trust anchor MAY be omitted from the chain, provided that supported peers are known to possess any omitted certificates.

This verbiage, describing root cert omission as optional, mirrors similar wording in TLS 1.2 and earlier. I’ve worked around this in a local patch but I wonder if there is a better heuristic here. Should iPXE continue to crosscert validation if there is more than one certificate in the chain, or if the last certificate isn’t self-signed? I’m happy to submit a PR if that makes sense.
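The following is an added example, not part of the original post and not iPXE code. It is a small C model of the two behaviours the post compares: the described check, which stops when the last certificate in the chain is self-signed, and the heuristic the post asks about. The `model_cert` type, the function names and the certificate names are all assumptions made for illustration, and self-signed is decided by name comparison only, as the post describes it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model type (not iPXE's): only the two names the check compares */
struct model_cert { const char *subject; const char *issuer; };

/* Self-signed as the post defines it: subject == issuer (no signature check) */
static int is_self_signed ( const struct model_cert *cert ) {
	return ( strcmp ( cert->subject, cert->issuer ) == 0 );
}

/* Described behaviour: a self-signed last certificate stops validation.
 * Returns 1 if the cross-signed certificate step would be attempted. */
static int continue_current ( const struct model_cert *chain, size_t len ) {
	return ( len > 0 && ! is_self_signed ( &chain[ len - 1 ] ) );
}

/* Heuristic asked about: continue if the chain has more than one
 * certificate, or if the last certificate is not self-signed. */
static int continue_proposed ( const struct model_cert *chain, size_t len ) {
	return ( len > 0 && ( len > 1 || ! is_self_signed ( &chain[ len - 1 ] ) ) );
}

/* Constructed sample chains, leaf first */
static const struct model_cert chain_no_root[] = {
	{ "CN=boot.example.test", "CN=Example Issuing CA" },
	{ "CN=Example Issuing CA", "CN=Example Root CA" },
};
static const struct model_cert chain_with_root[] = {
	{ "CN=boot.example.test", "CN=Example Issuing CA" },
	{ "CN=Example Issuing CA", "CN=Example Root CA" },
	{ "CN=Example Root CA", "CN=Example Root CA" },
};
static const struct model_cert chain_lone_self_signed[] = {
	{ "CN=boot.example.test", "CN=boot.example.test" },
};

int main ( void ) {
	printf ( "root omitted:     current=%d proposed=%d\n",
		 continue_current ( chain_no_root, 2 ), continue_proposed ( chain_no_root, 2 ) );
	printf ( "root included:    current=%d proposed=%d\n",
		 continue_current ( chain_with_root, 3 ), continue_proposed ( chain_with_root, 3 ) );
	printf ( "lone self-signed: current=%d proposed=%d\n",
		 continue_current ( chain_lone_self_signed, 1 ), continue_proposed ( chain_lone_self_signed, 1 ) );
	return 0;
}
```

In this model, "continue" only means the cross-signed certificate step is attempted; it says nothing about whether the chain is ultimately trusted.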