commit 3951a4f3ada028d08e50d32ab837f0a226afd0b0
author Nick Child <nick.child@ibm.com> Mon Oct 31 09:17:15 2022 -0500
committer Nick Child <nick.child@ibm.com> Mon Oct 31 09:38:42 2022 -0500
tree 834e0f50196150ebde216249c2513a2063dbf523
parent 5f39767495331edc29417c52e55f06a0ab665d41

pkcs7: Use better error codes

Remove an unnecessary debug print (whoops).
Use new error code for when the x509 is expired.
When there are no signers return invalid certificate.

Signed-off-by: Nick Child <nick.child@ibm.com>

Co-authored-by: Dave Rodgman <dave.rodgman@arm.com>
Signed-off-by: Nick Child <nick.child@ibm.com>

include/mbedtls/pkcs7.h

diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
index 2a557bf..52895ac 100644
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h
@@ -69,6 +69,7 @@
 #define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA                   -0x5700  /**< Input invalid. */
 #define MBEDTLS_ERR_PKCS7_ALLOC_FAILED                     -0x5780  /**< Allocation of memory failed. */
 #define MBEDTLS_ERR_PKCS7_VERIFY_FAIL                      -0x5800  /**< Verification Failed */
+#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID                -0x5880  /**< The PKCS7 date issued/expired dates are invalid */
 /* \} name */
 
 /**

library/pkcs7.c

diff --git a/library/pkcs7.c b/library/pkcs7.c
index 7976a0b..ca0170a 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -630,15 +630,14 @@
 
     if( pkcs7->signed_data.no_of_signers == 0 )
     {
-        ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+        ret = MBEDTLS_ERR_PKCS7_INVALID_CERT;
         goto out;
     }
 
     if( mbedtls_x509_time_is_past( &cert->valid_to ) ||
         mbedtls_x509_time_is_future( &cert->valid_from ))
     {
-        printf("EXPRED\n");
-        ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+        ret = MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID;
         goto out;
     }