We allow `AttestedCertificateVerifier` to be configured with a private CA root of trust, e.g.:
```rust
/// Create a certificate verifier with given attestation verification
/// and optionally a private CA root of trust
pub fn new(
    root_store: Option<RootCertStore>,
    attestation_verifier: AttestationVerifier,
) -> Result<Self, AttestedTlsError> {
    Self::new_with_provider(root_store, attestation_verifier, default_crypto_provider()?)
}
```
However, in the `ServerCertVerifier::verify_server_cert()` and `ClientCertVerifier::verify_client_cert()` implementations, on an `UnknownIssuer` error we fall through into the non-private-CA code path, e.g.:
```rust
fn verify_server_cert(...) -> Result<ServerCertVerified, rustls::Error> {
    if let Some(server_inner) = &self.server_inner {
        match server_inner.verify_server_cert(...) {
            Err(rustls::Error::InvalidCertificate(rustls::CertificateError::UnknownIssuer)) => {
                // handle self-signed certs differently
                Self::verify_server_cert_constraints(end_entity, server_name, now)?;
            }
            Err(err) => return Err(err),
            Ok(_) => {}
        }
    } ...
}
```
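The fall-through described above, reduced to a dependency-free decision model and set beside a stricter variant. This is an added example, not the project's code: `ChainCheck`, `Verdict`, `verify_fall_through` and `verify_strict` are hypothetical names, the behaviour with no root store configured is assumed, and the strict policy is one possible reading of the intended behaviour rather than a confirmed fix.

```rust
// Simplified model of the verifier's decision, not rustls or project code.
// Checks that run after the chain decision are left out.
#[derive(Debug, Clone, Copy, PartialEq)]
enum ChainCheck { Trusted, UnknownIssuer, OtherError }

#[derive(Debug, PartialEq)]
enum Verdict { Accepted, Rejected(&'static str) }

// `private_ca`: outcome of chain validation against the configured root
// store, or None when no root store was configured (assumed behaviour).
// `constraints_ok`: stand-in for verify_server_cert_constraints().
fn verify_fall_through(private_ca: Option<ChainCheck>, constraints_ok: bool) -> Verdict {
    match private_ca {
        Some(ChainCheck::Trusted) => Verdict::Accepted,
        Some(ChainCheck::OtherError) => Verdict::Rejected("chain"),
        // As in the issue: UnknownIssuer is not returned, the certificate
        // is only held to the self-signed constraints.
        Some(ChainCheck::UnknownIssuer) | None => {
            if constraints_ok { Verdict::Accepted } else { Verdict::Rejected("constraints") }
        }
    }
}

// Assumed stricter policy: once a root store is configured, any chain
// failure is final and the self-signed path is unreachable.
fn verify_strict(private_ca: Option<ChainCheck>, constraints_ok: bool) -> Verdict {
    match private_ca {
        Some(ChainCheck::Trusted) => Verdict::Accepted,
        Some(_) => Verdict::Rejected("chain"),
        None if constraints_ok => Verdict::Accepted,
        None => Verdict::Rejected("constraints"),
    }
}

fn main() {
    // Constructed cases: every chain outcome, constraints passing.
    let cases = [Some(ChainCheck::Trusted), Some(ChainCheck::UnknownIssuer),
                 Some(ChainCheck::OtherError), None];
    for c in cases {
        println!("{:?}: fall-through={:?} strict={:?}",
                 c, verify_fall_through(c, true), verify_strict(c, true));
    }
}
```

The two functions differ only in the `Some(ChainCheck::UnknownIssuer)` row, which is the case a regression test for the private CA configuration should pin down.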