feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Restore proper error code handling for self signed CA in non-trusted intermediates

Browse Source
This commit is contained in:
Colton Willey
2024-10-22 15:10:18 -07:00
committed by Daniel Pouzzner
parent 4c63668295
commit 96138e70f8
2 changed files with 26 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/x509_str.c
View File

@ -305,6 +305,7 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
int depth = 0;
WOLFSSL_X509 *issuer = NULL;
WOLFSSL_X509 *orig = NULL;
WOLFSSL_X509 *tmp = NULL;
WOLF_STACK_OF(WOLFSSL_X509)* certs = NULL;
WOLFSSL_ENTER("wolfSSL_X509_verify_cert");
@ -355,6 +356,25 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
/* Try to find an untrusted issuer first */
ret = X509StoreGetIssuerEx(&issuer, certs,
ctx->current_cert);
if (issuer != NULL &&
wolfSSL_X509_NAME_cmp(&issuer->issuer, &issuer->subject) == 0) {
ret = WOLFSSL_FAILURE;
/* Self signed allowed if in set trusted stack, otherwise
* ignore it and fall back to see if its in CM */
if ((certs == ctx->setTrustedSk) &&
(wolfSSL_sk_X509_num(certs) > numInterAdd)) {
for (i = wolfSSL_sk_X509_num(certs) - 1;
i > (numInterAdd > 0 ? numInterAdd - 1 : 0);
i++) {
tmp = wolfSSL_sk_X509_value(certs, i);
if (wolfSSL_X509_NAME_cmp(
&issuer->subject, &tmp->subject) == 0) {
ret = WOLFSSL_SUCCESS;
break;
}
}
}
}
if (ret == WOLFSSL_SUCCESS) {
if (ctx->current_cert == issuer) {
wolfSSL_sk_X509_push(ctx->chain, ctx->current_cert);

8
tests/api.c
View File

@ -60421,10 +60421,14 @@ static int test_X509_STORE_untrusted(void)
/* Succeeds because path to loaded CA is available. */
ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted2, 1, 0, 1),
TEST_SUCCESS);
/* Root CA in untrusted chain is OK */
/* Root CA in untrusted chain is OK so long as CA has been loaded
* properly */
ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 1, 0, 1),
TEST_SUCCESS);
ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 1, 0, 0),
/* Still needs properly loaded CA, while including it in untrusted
* list is not an error, it also doesnt count for verify */
ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 0,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 0),
TEST_SUCCESS);
/* Succeeds because path to loaded CA is available. */
ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted4, 1, 0, 1),