Fix WOLFSSL_SYS_CA_CERTS bug that accepted intermediate CA certs with invalid
signatures. Also adds --sys-ca-certs to client in unit.test to detect
regressions
Brett
2023-10-19 13:37:28 -06:00
parent a3bf7a66a4
commit dd12e5a39e


@ -14223,7 +14223,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* If we are using native Apple CA validation, it is okay
* for a CA cert to fail validation here, as we will verify
* the entire chain when we hit the peer (leaf) cert */
if (ssl->ctx->doAppleNativeCertValidationFlag) {
if ((ssl->ctx->doAppleNativeCertValidationFlag)
&& (ret == ASN_NO_SIGNER_E)) {
WOLFSSL_MSG("Bypassing errors to allow for Apple native"
" CA validation");
ret = 0; /* clear errors and continue */
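Review bot: the comment block above the replaced condition ("it is okay for a CA cert to fail validation here") is now broader than the code, which after this change only tolerates ret == ASN_NO_SIGNER_E (no trusted issuer found yet) and lets every other failure, including a bad signature, propagate; suggest tightening the comment to say that only a missing-signer result is deferred until the leaf is processed, and likewise making the WOLFSSL_MSG text say "Bypassing ASN_NO_SIGNER_E to allow for Apple native CA validation" so a log line records exactly which error class was cleared. The hunk header counts +9 lines but the rendered excerpt ends at the ret = 0 assignment, so the closing brace of the new compound condition is not visible here and should be confirmed in the full file.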