PKI Valdiator always fails on unknown CAs

pki/validator.go

@@ -135,8 +135,8 @@ func (v *validator) Validate(chain []*x509.Certificate) error {
 		// check in reverse order to prevent CRL expiration errors due to revoked CAs no longer issuing CRLs
 		if err = v.validateCert(cert); err != nil {
 			errOut := fmt.Errorf("%w: subject=%s, S/N=%s, issuer=%s", err, cert.Subject.String(), cert.SerialNumber.String(), cert.Issuer.String())
-			if v.softfail && !(errors.Is(err, ErrCertRevoked) || errors.Is(err, ErrCertBanned)) {
-				// Accept the certificate even if it cannot be properly validated
+			if v.softfail && (errors.Is(err, ErrCRLExpired) || errors.Is(err, ErrCRLMissing) || errors.Is(err, ErrDenylistMissing)) {
+				// Accept the certificate even if it cannot be properly validated against the CRL or denylist
 				logger().WithError(errOut).Error("Certificate CRL check softfail bypass. Might be unsafe, find cause of failure!")
 				continue
 			}
@@ -169,6 +169,7 @@ func (v *validator) validateCert(cert *x509.Certificate) error {
 		// Validate the cert against the denylist
 		if err := v.denylist.ValidateCert(cert); err != nil {
 			// Return any denylist error, blocking the certificate
+			// Can only be ErrDenylistMissing or ErrCertBanned
 			return err
 		}
 	}

pki/validator_test.go

@@ -126,7 +126,7 @@ func TestValidator_Validate(t *testing.T) {
 	})
 	t.Run("unknown issuer", func(t *testing.T) {
 		val := &validator{}
-		testSoftHard(t, val, validCertA, nil, ErrCertUntrusted)
+		testSoftHard(t, val, validCertA, ErrCertUntrusted, ErrCertUntrusted)
 	})
 	t.Run("missing crl", func(t *testing.T) {
 		testSoftHard(t, val, validCertBWithRevokedCA, nil, ErrCRLMissing)