Merge pull request #6895 from bigbrett/ios-ca-api

Fix WOLFSSL_SYS_CA_CERTS bug on Apple devices
2025-07-30 02:37:28 +02:00 · 2023-10-23 07:57:08 -06:00
parent 9db828a099 2387579880
commit 1de048826e
2 changed files with 9 additions and 1 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -14223,7 +14223,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                    /* If we are using native Apple CA validation, it is okay
                     * for a CA cert to fail validation here, as we will verify
                     * the entire chain when we hit the peer (leaf) cert */
-                    if (ssl->ctx->doAppleNativeCertValidationFlag) {
+                    if ((ssl->ctx->doAppleNativeCertValidationFlag)
+                        && (ret == ASN_NO_SIGNER_E)) {
+
                        WOLFSSL_MSG("Bypassing errors to allow for Apple native"
                                    " CA validation");
                        ret = 0; /* clear errors and continue */
--- a/src/ssl.c
+++ b/src/ssl.c
@ -8576,6 +8576,12 @@ int wolfSSL_CTX_load_system_CA_certs(WOLFSSL_CTX* ctx)
    ctx->doAppleNativeCertValidationFlag = 1;
    ret = WOLFSSL_SUCCESS;
    loaded = 1;
+
+#if FIPS_VERSION_GE(2,0) /* Gate back to cert 3389 FIPS modules */
+#warning "Cryptographic operations may occur outside the FIPS module boundary" \
+         "Please review FIPS claims for cryptography on this Apple device"
+#endif /* FIPS_VERSION_GE(2,0) */
+
 #else
 /* HAVE_SECURITY_SECXXX_H macros are set by autotools or CMake when searching
 * system for the required SDK headers. If building with user_settings.h, you