3 files changed, 12 insertions, 6 deletions

diff --git a/src/lib/cert/x509/x509path.cpp b/src/lib/cert/x509/x509path.cpp
index a6c3ce6e9..b5345c272 100644
--- a/src/lib/cert/x509/x509path.cpp
+++ b/src/lib/cert/x509/x509path.cpp
@@ -338,6 +338,8 @@ const X509_Certificate& Path_Validation_Result::trust_root() const
    {
    if(m_cert_path.empty())
       throw std::runtime_error("Path_Validation_Result::trust_root no path set");
+   if(result() != Certificate_Status_Code::VERIFIED)
+      throw std::runtime_error("Path_Validation_Result::trust_root meaningless with invalid status");
 
    return m_cert_path[m_cert_path.size()-1];
    }
diff --git a/src/lib/cert/x509/x509path.h b/src/lib/cert/x509/x509path.h
index c56aef21f..08d92915d 100644
--- a/src/lib/cert/x509/x509path.h
+++ b/src/lib/cert/x509/x509path.h
@@ -84,7 +84,8 @@ class BOTAN_DLL Path_Validation_Result
       std::set<std::string> trusted_hashes() const;
 
       /**
-      * @return the trust root of the validation
+      * @return the trust root of the validation if successful
+      * throws an exception if the validation failed
       */
       const X509_Certificate& trust_root() const;
 
diff --git a/src/lib/tls/credentials_manager.cpp b/src/lib/tls/credentials_manager.cpp
index 43ba7650a..3762dc149 100644
--- a/src/lib/tls/credentials_manager.cpp
+++ b/src/lib/tls/credentials_manager.cpp
@@ -129,11 +129,14 @@ void Credentials_Manager::verify_certificate_chain(
 
    Path_Validation_Restrictions restrictions;
 
-   auto result = x509_path_validate(cert_chain,
-                                    restrictions,
-                                    trusted_CAs,
-                                    purported_hostname,
-                                    choose_leaf_usage(type));
+   Path_Validation_Result result = x509_path_validate(cert_chain,
+                                                      restrictions,
+                                                      trusted_CAs,
+                                                      purported_hostname,
+                                                      choose_leaf_usage(type));
+
+   if(!result.successful_validation())
+      throw std::runtime_error("Certificate validation failure: " + result.result_string());
 
    if(!cert_in_some_store(trusted_CAs, result.trust_root()))
       throw std::runtime_error("Certificate chain roots in unknown/untrusted CA");