pkcs7: Use better error codes
Remove an unnecessary debug print (whoops).
Use new error code for when the x509 is expired.
When there are no signers return invalid certificate.
Signed-off-by: Nick Child <nick.child@ibm.com>
Co-authored-by: Dave Rodgman <dave.rodgman@arm.com>
Signed-off-by: Nick Child <nick.child@ibm.com>
diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
index 2a557bf..52895ac 100644
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h
@@ -69,6 +69,7 @@
#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */
#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x5780 /**< Allocation of memory failed. */
#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */
+#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID -0x5880 /**< The PKCS7 date issued/expired dates are invalid */
/* \} name */
/**
diff --git a/library/pkcs7.c b/library/pkcs7.c
index 7976a0b..ca0170a 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -630,15 +630,14 @@
if( pkcs7->signed_data.no_of_signers == 0 )
{
- ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ ret = MBEDTLS_ERR_PKCS7_INVALID_CERT;
goto out;
}
if( mbedtls_x509_time_is_past( &cert->valid_to ) ||
mbedtls_x509_time_is_future( &cert->valid_from ))
{
- printf("EXPRED\n");
- ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ ret = MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID;
goto out;
}