From dd12e5a39ef1f713c8885d47ed78ff5c2599ab2e Mon Sep 17 00:00:00 2001
From: Brett <brett.r.nicholas.15@dartmouth.edu>
Date: Thu, 19 Oct 2023 13:37:28 -0600
Subject: [PATCH] Fix WOLFSSL_SYS_CA_CERTS bug that accepted intermediate CA
 certs with invalid signatures. Also adds --sys-ca-certs to client in
 unit.test to detect regressions

---
 src/internal.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index 6b4468fb0..d4a493a83 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -14223,7 +14223,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                     /* If we are using native Apple CA validation, it is okay
                      * for a CA cert to fail validation here, as we will verify
                      * the entire chain when we hit the peer (leaf) cert */
-                    if (ssl->ctx->doAppleNativeCertValidationFlag) {
+                    if ((ssl->ctx->doAppleNativeCertValidationFlag)
+                        && (ret == ASN_NO_SIGNER_E)) {
+
                         WOLFSSL_MSG("Bypassing errors to allow for Apple native"
                                     " CA validation");
                         ret = 0; /* clear errors and continue */