[x509] Record root of trust used when validating a certificate

Record the root of trust used at the point that a certificate is
validated, redefine validation as checking a certificate against a
specific root of trust, and pass an explicit root of trust when
creating a TLS connection.

This allows a custom TLS connection to be used with a custom root of
trust, without causing any validated certificates to be treated as
valid for normal purposes.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

2 files changed, 6 insertions, 1 deletions

diff --git a/src/tests/ocsp_test.c b/src/tests/ocsp_test.c
index a3349346a..3d2f556ed 100644
--- a/src/tests/ocsp_test.c
+++ b/src/tests/ocsp_test.c
@@ -42,6 +42,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <stdlib.h>
 #include <string.h>
 #include <ipxe/x509.h>
+#include <ipxe/rootcert.h>
 #include <ipxe/ocsp.h>
 #include <ipxe/test.h>
 
@@ -110,7 +111,7 @@ static void ocsp_prepare_test ( struct ocsp_test *test ) {
 	x509_invalidate ( cert );
 
 	/* Force-validate issuer certificate */
-	issuer->flags |= X509_FL_VALIDATED;
+	issuer->root = &root_certificates;
 	issuer->path_remaining = ( issuer->extensions.basic.path_len + 1 );
 }
 
diff --git a/src/tests/x509_test.c b/src/tests/x509_test.c
index 658d5247c..2915b9068 100644
--- a/src/tests/x509_test.c
+++ b/src/tests/x509_test.c
@@ -943,6 +943,10 @@ static void x509_validate_chain_okx ( struct x509_test_chain *chn, time_t time,
 	x509_invalidate_chain ( chn->chain );
 	okx ( x509_validate_chain ( chn->chain, time, store, root ) == 0,
 	      file, line );
+	okx ( x509_is_valid ( chn->certs[0]->cert, root ),
+	      file, line );
+	okx ( ! x509_is_valid ( chn->certs[0]->cert, &dummy_root ),
+	      file, line );
 }
 #define x509_validate_chain_ok( chn, time, store, root ) \
 	x509_validate_chain_okx ( chn, time, store, root, __FILE__, __LINE__ )