libsecureboot: do not accept certificate we cannot decode

Although we care more about the CN of a certificate than its status (for purpose of reporting), we should skip if we have errors decoding. Reviewed by: stevek Sponsored by: Juniper Networks, Inc.
bsdjhb · Sep 2, 2023 · caa41cb · caa41cb
2 parents 093436b + 9c3478c
commit caa41cb
Showing 1 changed file with 2 additions and 4 deletions.
diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c
@@ -243,12 +243,10 @@ x509_cn_get(br_x509_certificate *xc, char *buf, size_t len)
 	mc.vtable->end_cert(&mc.vtable);
 	/* we don't actually care about cert status - just its name */
 	err = mc.vtable->end_chain(&mc.vtable);
+	(void)err;			/* keep compiler quiet */
 
-	if (!cn.status) {
+	if (cn.status <= 0)
 		buf = NULL;
-		if (err == 0)		/* keep compiler happy */
-			buf = NULL;
-	}
 	return (buf);
 }