From 3bc3ec25b80db393e95db0fc53aaedba3c27f868 Mon Sep 17 00:00:00 2001
From: tim-weller-wolfssl
Date: Mon, 31 Oct 2022 10:14:21 -0500
Subject: [PATCH] Add link of newly created x509 store's certificate manager to self by default
---
 certs/crl/0fdb2da4.r0 | 41 +++++++++++++++++++++++
 certs/crl/include.am | 1 +
 src/x509_str.c | 4 +++
 tests/api.c | 76 +++++++++++++++++++++++++++++++++++++++++--
 4 files changed, 120 insertions(+), 2 deletions(-)
 create mode 100644 certs/crl/0fdb2da4.r0
diff --git a/certs/crl/0fdb2da4.r0 b/certs/crl/0fdb2da4.r0
new file mode 100644
index 000000000..8f9612192
--- /dev/null
+++ b/certs/crl/0fdb2da4.r0
@@ -0,0 +1,41 @@
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+ Last Update: Feb 15 12:50:27 2022 GMT
+ Next Update: Nov 11 12:50:27 2024 GMT
+ CRL extensions:
+ X509v3 CRL Number:
+ 2
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Feb 15 12:50:27 2022 GMT
+ Signature Algorithm: sha256WithRSAEncryption
+ 43:e6:3b:30:0e:32:53:32:a4:08:3c:e5:d5:2e:f1:ce:e9:95:
+ ff:ba:d6:fe:2e:59:80:f8:0a:2f:cf:1e:e0:37:fe:ca:cc:33:
+ 66:8b:ed:65:50:7d:44:92:d3:5c:52:9a:95:a5:9d:a5:4e:77:
+ 8b:b4:7f:59:c8:7a:e0:eb:34:32:ae:a1:03:99:d2:3c:c0:f4:
+ 7e:1c:87:4c:6c:5a:ba:0a:95:e8:a1:44:01:7b:8f:3e:a4:e3:
+ e8:1e:07:19:f0:09:7a:85:8f:f3:82:62:f8:1e:08:51:a3:60:
+ 30:5b:06:c8:a2:b3:ff:aa:28:66:ad:fe:4b:81:49:30:ef:5f:
+ 5d:ac:d9:ad:17:9f:2a:b6:22:d6:35:cc:9f:d9:11:26:dd:7a:
+ 06:35:d0:d5:c7:41:6c:52:97:8c:aa:82:5a:e5:a8:58:d4:b7:
+ 2b:31:84:34:15:bd:08:e4:9e:71:9e:c5:40:f8:02:a3:a0:1e:
+ 4f:98:72:2b:eb:9e:8a:4e:01:83:88:e5:cb:6e:3b:52:e3:a9:
+ 34:a1:7c:e4:79:2c:d1:e0:0b:74:22:ba:6d:cb:c3:a1:56:f9:
+ c9:f4:20:bf:00:49:df:6b:59:49:18:c7:75:27:8e:a1:5a:a6:
+ ff:f2:be:34:4a:c9:6d:6e:24:a3:1f:15:7e:34:90:b6:81:bf:
+ 15:80:c3:ac
+-----BEGIN X509 CRL-----
+MIICBDCB7QIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMxEDAOBgNV
+BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3Ro
+MRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIyMDIxNTEyNTAyN1oX
+DTI0MTExMTEyNTAyN1owFDASAgECFw0yMjAyMTUxMjUwMjdaoA4wDDAKBgNVHRQE
+AwIBAjANBgkqhkiG9w0BAQsFAAOCAQEAQ+Y7MA4yUzKkCDzl1S7xzumV/7rW/i5Z
+gPgKL88e4Df+yswzZovtZVB9RJLTXFKalaWdpU53i7R/Wch64Os0Mq6hA5nSPMD0
+fhyHTGxaugqV6KFEAXuPPqTj6B4HGfAJeoWP84Ji+B4IUaNgMFsGyKKz/6ooZq3+
+S4FJMO9fXazZrRefKrYi1jXMn9kRJt16BjXQ1cdBbFKXjKqCWuWoWNS3KzGENBW9
+COSecZ7FQPgCo6AeT5hyK+ueik4Bg4jly247UuOpNKF85Hks0eALdCK6bcvDoVb5
+yfQgvwBJ32tZSRjHdSeOoVqm//K+NErJbW4kox8VfjSQtoG/FYDDrA==
+-----END X509 CRL-----
diff --git a/certs/crl/include.am b/certs/crl/include.am
index 6d6d9b2c6..e3e862337 100644
--- a/certs/crl/include.am
+++ b/certs/crl/include.am
@@ -3,6 +3,7 @@
 #
 EXTRA_DIST += \
+ certs/crl/0fdb2da4.r0 \
 certs/crl/crl.pem \
 certs/crl/cliCrl.pem \
 certs/crl/eccSrvCRL.pem \
diff --git a/src/x509_str.c b/src/x509_str.c
index ae1bde5a8..51ec112d9 100644
--- a/src/x509_str.c
+++ b/src/x509_str.c
@@ -736,6 +736,10 @@ WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void)
 #endif
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
+
+ /* Link store's new Certificate Manager to self by default */
+ store->cm->x509_store_p = store;
+
 if ((store->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC(
 sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL, DYNAMIC_TYPE_OPENSSL)) == NULL) {
diff --git a/tests/api.c b/tests/api.c
index 1a40c27b5..8b3b6bf82 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -437,7 +437,6 @@ static int testDevId = WOLFSSL_CAAM_DEVID;
 static int testDevId = INVALID_DEVID;
 #endif
-
 /*----------------------------------------------------------------------------*
 | Setup
 *----------------------------------------------------------------------------*/
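Review bot: `store->cm->x509_store_p = store;` dereferences `store->cm` with no NULL guard visible in this hunk; the CertManager is allocated earlier in wolfSSL_X509_STORE_new(), outside the hunk, and if that allocation is not already checked there this line becomes a NULL dereference on allocation failure. The new back-pointer is also non-owning and self-referential, and nothing in the hunk documents who must keep it valid: if the CM is later shared with or reassigned by an SSL_CTX, or the store is freed while the CM is still referenced, CRL hash-dir lookups would follow a stale pointer (inferred from how the accompanying test exercises the pointer, not from visible code). Replace the one-line comment with one that states the contract, e.g. `/* Non-owning back-pointer: lets the CM's CRL lookup reach this store's lookup list outside an SSL_CTX. Keep in sync whenever store->cm is replaced or the store is freed. */`. The enclosing function starts and ends outside the hunk.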
@@ -50593,6 +50592,77 @@ static int test_wolfSSL_SMIME_write_PKCS7(void)
 #endif /* HAVE_SMIME */
 #endif /* !NO_BIO */
+/* Test of X509 store use outside of SSL context w/ CRL lookup (ALWAYS
+ returns 0) */
+static int test_X509_STORE_No_SSL_CTX(void)
+{
+#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && \
+ !defined(NO_WOLFSSL_DIR) && defined(HAVE_CRL) && \
+ (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
+ (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL))
+
+ X509_STORE *store;
+ X509_STORE_CTX *storeCtx;
+ X509_CRL *crl;
+ X509 *ca, *cert;
+ const char cliCrlPem[] = "./certs/crl/cliCrl.pem";
+ const char srvCert[] = "./certs/server-cert.pem";
+ const char caCert[] = "./certs/ca-cert.pem";
+ const char caDir[] = "./certs/crl";
+ XFILE fp;
+ X509_LOOKUP *lookup;
+
+ printf(testingFmt, "test_X509_STORE_No_SSL_CTX");
+
+ AssertNotNull(store = (X509_STORE *)X509_STORE_new());
+
+ /* Set up store with CA */
+ AssertNotNull((ca = wolfSSL_X509_load_certificate_file(caCert,
+ SSL_FILETYPE_PEM)));
+ AssertIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS);
+
+ /* Add CRL lookup directory to store
+ NOTE: test uses ./certs/crl/0fdb2da4.r0, which is a copy of crl.pem */
+ AssertNotNull((lookup = X509_STORE_add_lookup(store,
+ X509_LOOKUP_hash_dir())));
+ AssertIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, caDir,
+ X509_FILETYPE_PEM, NULL), SSL_SUCCESS);
+
+ AssertIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK),
+ SSL_SUCCESS);
+
+ /* Add CRL to store NOT containing the verified certificate, which
+ forces use of the CRL lookup directory */
+ fp = XFOPEN(cliCrlPem, "rb");
+ AssertTrue((fp != XBADFILE));
+ AssertNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL,
+ NULL, NULL));
+ XFCLOSE(fp);
+ AssertIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS);
+
+ /* Create verification context outside of an SSL session */
+ AssertNotNull((storeCtx = X509_STORE_CTX_new()));
+ AssertNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert,
+ SSL_FILETYPE_PEM)));
+ AssertIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS);
+
+ /* Perform verification, which should NOT indicate CRL missing due to the
+ store CM's X509 store pointer being NULL */
+ AssertIntNE(X509_verify_cert(storeCtx), CRL_MISSING);
+
+ X509_CRL_free(crl);
+ X509_STORE_free(store);
+ X509_STORE_CTX_free(storeCtx);
+ X509_free(cert);
+ X509_free(ca);
+
+ printf(resultFmt, passed);
+
+#endif
+
+ return 0;
+}
+
 /*----------------------------------------------------------------------------*
 | Certificate Failure Checks
 *----------------------------------------------------------------------------*/
@@ -56560,7 +56630,6 @@ static int test_stubs_are_stubs(void)
 return 0;
 }
-
 static int test_CONF_modules_xxx(void)
 {
 #if defined(OPENSSL_EXTRA)
@@ -60730,6 +60799,9 @@ TEST_CASE testCases[] = {
 #endif /* HAVE_SMIME */
 #endif /* !NO_BIO */
+ /* OpenSSL compatibility outside SSL context w/ CRL lookup directory */
+ TEST_DECL(test_X509_STORE_No_SSL_CTX),
+
 /* wolfCrypt ASN tests */
 TEST_DECL(test_wc_CreateEncryptedPKCS8Key),
 TEST_DECL(test_wc_GetPkcs8TraditionalOffset),
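Review bot: `AssertIntNE(X509_verify_cert(storeCtx), CRL_MISSING);` is a fail-open check: it passes whenever verification fails for any other reason (issuer mismatch, bad signature, a lookup that returns a generic failure) and so does not show that the CRL in the hash directory was actually found and applied. If X509_verify_cert() follows the compat convention of returning WOLFSSL_SUCCESS/WOLFSSL_FAILURE with the detail left in the context error, a comparison against a negative error code cannot fail at all; confirm the return convention before relying on it. Pin the intended outcome instead, e.g. `AssertIntEQ(X509_verify_cert(storeCtx), WOLFSSL_SUCCESS);` (this assumes server-cert.pem is not the serial revoked by crl.pem) and, if the context error is populated on this path, `AssertIntEQ(X509_STORE_CTX_get_error(storeCtx), 0);`. The header comment `(ALWAYS returns 0)` describes the harness convention rather than what is tested; say what the test checks, e.g. `/* CRL lookup via a hash directory must work on an X509_STORE that was never attached to an SSL_CTX. */`.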