From ccaad014dbdae061f09b22f2ffff14a0fc04b6fa Mon Sep 17 00:00:00 2001 From: AssemblyJohn Date: Wed, 28 Feb 2024 15:31:54 +0200 Subject: [PATCH] Removed strict cert verification, added error string print Signed-off-by: AssemblyJohn --- .../crypto/openssl/openssl_supplier.cpp | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/lib/evse_security/crypto/openssl/openssl_supplier.cpp b/lib/evse_security/crypto/openssl/openssl_supplier.cpp index 7583138..d984a01 100644 --- a/lib/evse_security/crypto/openssl/openssl_supplier.cpp +++ b/lib/evse_security/crypto/openssl/openssl_supplier.cpp @@ -517,12 +517,21 @@ bool OpenSSLSupplier::x509_is_child(X509Handle* child, X509Handle* parent) { // If the parent is not a self-signed certificate, assume we have a partial chain if (x509_is_selfsigned(parent) == false) { - // TODO(ioan): see if this strict flag is required - X509_STORE_CTX_set_flags(ctx.get(), X509_V_FLAG_X509_STRICT); + // TODO(ioan): see if this strict flag is required, caused many problems + // X509_STORE_CTX_set_flags(ctx.get(), X509_V_FLAG_X509_STRICT); + X509_STORE_CTX_set_flags(ctx.get(), X509_V_FLAG_PARTIAL_CHAIN); } - return (X509_verify_cert(ctx.get()) == 1); + if (X509_verify_cert(ctx.get()) != 1) { + int ec = X509_STORE_CTX_get_error(ctx.get()); + const char* error = X509_verify_cert_error_string(ec); + + EVLOG_debug << "Certificate issued by error: " << ((error != nullptr) ? error : "UNKNOWN"); + return false; + } + + return true; } bool OpenSSLSupplier::x509_is_selfsigned(X509Handle* handle) {
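Review bot: Replacing X509_V_FLAG_X509_STRICT with X509_V_FLAG_PARTIAL_CHAIN in the non-self-signed branch quietly changes what x509_is_child answers — the strict checks on basicConstraints, key usage and certificate version no longer apply, and PARTIAL_CHAIN makes any certificate already in the store (presumably `parent`, added before this hunk; the start of the function is outside it) an acceptable trust anchor, so an untrusted intermediate passed as `parent` now yields true. The new TODO only says the flag "caused many problems"; it should record which verification errors were hit and the contract this implies, e.g. `// X509_STRICT disabled: it rejected chains we need to accept; PARTIAL_CHAIN treats 'parent' as a trust anchor, so callers must pass only an already-trusted parent`. In the new failure branch, `X509_verify_cert_error_string` never returns nullptr (unknown codes map to a fixed string), and `"Certificate issued by error: "` reads as a typo; `EVLOG_debug << "Certificate chain verification failed: " << error << " (depth " << X509_STORE_CTX_get_error_depth(ctx.get()) << ")";` would say what failed and at which chain position. If callers use this result to gate certificate installation, logging the failure at debug level will hide it from operators; a warning level would be more useful for incident investigation, though that depends on how often the function is called speculatively.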