Allow setting the CA type when loading into cert manager

and unloading specific CA types from the cert manager.

src/ssl.c

@@ -6142,6 +6142,49 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
     return ret == 0 ? WOLFSSL_SUCCESS : ret;
 }
 
+/* Sets the CA with the passed in subject hash
+   to the provided type. */
+int SetCAType(WOLFSSL_CERT_MANAGER* cm, byte* hash, int type)
+{
+    Signer* current;
+    int     ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
+    word32  row;
+
+    WOLFSSL_MSG_EX("Setting CA to type %d", type);
+
+    if (cm == NULL || hash == NULL ||
+        type < WOLFSSL_USER_CA || type > WOLFSSL_USER_INTER) {
+        return ret;
+    }
+
+    row = HashSigner(hash);
+
+    if (wc_LockMutex(&cm->caLock) != 0) {
+        return ret;
+    }
+    current = cm->caTable[row];
+    while (current) {
+        byte* subjectHash;
+
+    #ifndef NO_SKID
+        subjectHash = current->subjectKeyIdHash;
+    #else
+        subjectHash = current->subjectNameHash;
+    #endif
+
+        if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) {
+            current->type = type;
+            ret = WOLFSSL_SUCCESS;
+            break;
+        }
+        current = current->next;
+    }
+    wc_UnLockMutex(&cm->caLock);
+
+    WOLFSSL_LEAVE("SetCAType", ret);
+
+    return ret;
+}
 #endif /* !NO_CERTS */
 
 

src/ssl_certman.c

@@ -453,7 +453,7 @@ int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm)
     return ret;
 }
 
-static int wolfSSL_CertManagerUnloadIntermediateCertsEx(
+int wolfSSL_CertManagerUnloadIntermediateCertsEx(
                                 WOLFSSL_CERT_MANAGER* cm, byte type)
 {
     int ret = WOLFSSL_SUCCESS;
@@ -544,17 +544,25 @@ int wolfSSL_CertManagerUnload_trust_peers(WOLFSSL_CERT_MANAGER* cm)
  *                          WOLFSSL_LOAD_FLAG_PEM_CA_ONLY,
  *                          WOLFSSL_LOAD_FLAG_IGNORE_BAD_PATH_ERR, and
  *                          WOLFSSL_LOAD_FLAG_IGNORE_ZEROFILE.
+ * @param [in] type       The CA cert's type, used in the internal CA
+                            table.  Defaults to WOLFSSL_USER_CA, passing
+                            in WOLFSSL_USER_CA = noop.  Recommended to
+                            set to WOLFSSL_USER_INTER when loading
+                            intermediate certs to allow unloading via
+                            wolfSSL_CertManagerUnloadIntermediateCertsEx.
  * @return  WOLFSSL_SUCCESS on success.
  * @return  WOLFSSL_FATAL_ERROR when cm is NULL or failed create WOLFSSL_CTX.
  * @return  Other values on loading failure.
  */
-int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm,
-    const unsigned char* buff, long sz, int format, int userChain, word32 flags)
+int wolfSSL_CertManagerLoadCABuffer_ex2(WOLFSSL_CERT_MANAGER* cm,
+    const unsigned char* buff, long sz, int format, int userChain,
+    word32 flags, int type)
 {
     int ret = WOLFSSL_SUCCESS;
     WOLFSSL_CTX* tmp = NULL;
+    DecodedCert* dCert = NULL;
 
-    WOLFSSL_ENTER("wolfSSL_CertManagerLoadCABuffer_ex");
+    WOLFSSL_ENTER("wolfSSL_CertManagerLoadCABuffer_ex2");
 
     /* Validate parameters. */
     if (cm == NULL) {
@@ -583,10 +591,59 @@ int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm,
         /* Clear certificate manager in WOLFSSL_CTX so it won't be freed. */
         tmp->cm = NULL;
     }
+    if (ret == WOLFSSL_SUCCESS && type != WOLFSSL_USER_CA) {
+        dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
+                                                DYNAMIC_TYPE_DCERT);
+
+        if (dCert == NULL) {
+            ret = WOLFSSL_FATAL_ERROR;
+        } else {
+            XMEMSET(dCert, 0, sizeof(DecodedCert));
+            wc_InitDecodedCert(dCert, buff,
+                            sz, cm->heap);
+            ret = wc_ParseCert(dCert, CA_TYPE, NO_VERIFY, NULL);
+            if (ret) {
+                ret = WOLFSSL_FATAL_ERROR;
+            } else {
+                ret = SetCAType(cm, dCert->extSubjKeyId, type);
+            }
+
+            if (dCert) {
+                wc_FreeDecodedCert(dCert);
+                XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT);
+            }
+        }
+    }
 
     /* Dispose of temporary WOLFSSL_CTX. */
     wolfSSL_CTX_free(tmp);
     return ret;
+
+}
+
+/* Load certificate/s from buffer with flags.
+ *
+ * @param [in] cm         Certificate manager.
+ * @param [in] buff       Buffer holding encoding of certificate.
+ * @param [in] sz         Length in bytes of data in buffer.
+ * @param [in] format     Format of encoding. Valid values:
+ *                          WOLFSSL_FILETYPE_ASN1, WOLFSSL_FILETYPE_PEM.
+ * @param [in] userChain  Indicates buffer holds chain of certificates.
+ * @param [in] flags      Flags to modify behaviour of loading. Valid flags:
+ *                          WOLFSSL_LOAD_FLAG_IGNORE_ERR,
+ *                          WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY,
+ *                          WOLFSSL_LOAD_FLAG_PEM_CA_ONLY,
+ *                          WOLFSSL_LOAD_FLAG_IGNORE_BAD_PATH_ERR, and
+ *                          WOLFSSL_LOAD_FLAG_IGNORE_ZEROFILE.
+ * @return  WOLFSSL_SUCCESS on success.
+ * @return  WOLFSSL_FATAL_ERROR when cm is NULL or failed create WOLFSSL_CTX.
+ * @return  Other values on loading failure.
+ */
+int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm,
+    const unsigned char* buff, long sz, int format, int userChain, word32 flags)
+{
+    return wolfSSL_CertManagerLoadCABuffer_ex2(cm, buff, sz, format, userChain,
+        flags, WOLFSSL_USER_CA);
 }
 
 /* Load certificate/s from buffer into table.

wolfssl/internal.h

@@ -4276,6 +4276,7 @@ int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     WOLFSSL_LOCAL int AddSigner(WOLFSSL_CERT_MANAGER* cm, Signer *s);
     WOLFSSL_LOCAL
     int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify);
+    WOLFSSL_LOCAL int SetCAType(WOLFSSL_CERT_MANAGER* cm, byte* hash, int type);
     WOLFSSL_LOCAL
     int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash);
 #ifdef WOLFSSL_TRUST_PEER_CERT

wolfssl/ssl.h

@@ -3719,8 +3719,9 @@ enum {
 
     WOLFSSL_USER_CA  = 1,          /* user added as trusted */
     WOLFSSL_CHAIN_CA = 2,          /* added to cache from trusted chain */
-    WOLFSSL_TEMP_CA = 3            /* Temp intermediate CA, only for use by
+    WOLFSSL_TEMP_CA  = 3,          /* Temp intermediate CA, only for use by
                                     * X509_STORE */
+    WOLFSSL_USER_INTER = 4         /* user added intermediate cert */
 };
 
 WOLFSSL_ABI WOLFSSL_API WC_RNG* wolfSSL_GetRNG(WOLFSSL* ssl);
@@ -4202,6 +4203,9 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx,
 
     WOLFSSL_API int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm,
         const char* f, const char* d);
+    WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer_ex2(WOLFSSL_CERT_MANAGER* cm,
+        const unsigned char* buff, long sz, int format, int userChain,
+        word32 flags, int type);
     WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm,
         const unsigned char* buff, long sz, int format, int userChain,
         word32 flags);
@@ -4209,6 +4213,8 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx,
         const unsigned char* buff, long sz, int format);
 
     WOLFSSL_API int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm);
+    WOLFSSL_API int wolfSSL_CertManagerUnloadIntermediateCertsEx(
+                                WOLFSSL_CERT_MANAGER* cm, byte type);
     WOLFSSL_API int wolfSSL_CertManagerUnloadIntermediateCerts(
         WOLFSSL_CERT_MANAGER* cm);
 #ifdef WOLFSSL_TRUST_PEER_CERT