diff --git a/src/internal.c b/src/internal.c
index b8c90b981..6839a2870 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -42849,7 +42849,7 @@ static int DisplaySecTrustError(CFErrorRef error, SecTrustRef trust)
 info = CFErrorCopyUserInfo(error);
 if (info) {
- printf("Trust error info dump:\n");
+ WOLFSSL_MSG("Trust error info dump:\n");
 CFShow(info);
 CFRelease(info);
 }
@@ -42935,6 +42935,7 @@ static int DoAppleNativeCertValidation(WOLFSSL* ssl,
 #if defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
 /* TEST ONLY CODE:
 * Set accumulated list of trusted CA certificates as trust anchors */
+ WOLFSSL_MSG("Setting anchor certificates");
 if (ssl->ctx->testTrustedCAs != NULL) {
 status = SecTrustSetAnchorCertificates(trust, ssl->ctx->testTrustedCAs);
 if (status != errSecSuccess) {
@@ -42967,6 +42968,7 @@ static int DoAppleNativeCertValidation(WOLFSSL* ssl,
 if (code == errSecCertificateValidityPeriodTooLong) {
 WOLFSSL_MSG("Skipping certificate validity period error");
 ret = 1;
+ /* TODO: ensure other errors aren't masked by this error */
 }
 #endif
diff --git a/src/ssl_load.c b/src/ssl_load.c
index 1a380391b..275433f83 100644
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@@ -2159,9 +2159,14 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
 /* CA certificate to verify with. */
 if (type == CA_TYPE) {
 #ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
+ /* TEST ONLY CODE:
+ * Store the DER encoding of the CA certificate so we can append it to
+ * the list of trusted CA certificates if the subsequent call to AddCA
+ * is successful */
 word32 derLen;
 byte* derBuf;
 if (ctx->doAppleNativeCertValidationFlag == 1) {
+ WOLFSSL_MSG("ANCV Test: copy DER CA cert");
 derLen = der->length;
 derBuf = (byte*)XMALLOC(derLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 if (derBuf == NULL) {
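Review bot: The replacement message keeps a trailing `\n` that none of the other WOLFSSL_MSG strings added in this commit carry, which suggests the log sink supplies its own line ending and this header will be followed by a blank line; `WOLFSSL_MSG("Trust error info dump:");` matches the rest. Note also that the `CFShow(info)` on the next line still writes the error dictionary to stderr unconditionally, so swapping `printf` for `WOLFSSL_MSG` quiets the header but not the dump; if the intent is for this output to follow wolfSSL's debug switch, the `CFShow` call needs the same treatment. DisplaySecTrustError begins and ends outside the hunk.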
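Review bot: The new `WOLFSSL_MSG("Setting anchor certificates")` is emitted before the `ssl->ctx->testTrustedCAs != NULL` check, so the debug trail claims anchors were set on the path where the list is NULL and SecTrustSetAnchorCertificates is never called. Move the message inside the `if`, and consider logging the NULL case separately, e.g. `WOLFSSL_MSG("ANCV Test: no test CAs, anchors not set");`, so the log reflects what the trust object actually received. DoAppleNativeCertValidation continues outside the hunk.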
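Review bot: The added comment records a known masking problem as a TODO on a path that turns a trust failure into `ret = 1`: once `code == errSecCertificateValidityPeriodTooLong` is seen, any other failure the evaluation reported alongside it is accepted as well. The `#endif` just below suggests this is compiled only under a test define (the matching `#if` is outside the hunk), which bounds the risk, but the comment should state the constraint rather than defer it, e.g. `/* TEST ONLY: validity-period override. Only sound while this is the sole trust error; any other failure must still be returned as an error. */`. DoAppleNativeCertValidation continues outside the hunk.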
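Review bot: `derLen` and `derBuf` are declared without initializers and only assigned inside `if (ctx->doAppleNativeCertValidationFlag == 1)`, while their later uses in this function (the `AppendCA` call and `XFREE(derBuf, ...)` in the following hunks) rely on a second check of the same flag staying in step; a maybe-uninitialized warning is the likely result today, and any future change to either guard becomes a read of an indeterminate pointer. Initialise them at declaration, `word32 derLen = 0;` and `byte* derBuf = NULL;`, which also makes the `XFREE` safe to reach unconditionally. ProcessBufferCertHandleDer begins and ends outside the hunk.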
@@ -2176,12 +2181,16 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
 #endif
 /* verify CA unless user set to no verify */
 ret = AddCA(ctx->cm, &der, WOLFSSL_USER_CA, verify);
+ #ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
+ /* TEST ONLY CODE:
+ * Append the DER encoded CA certificate to the list of trusted CA
+ * certificates so we can inject them at verification time */
 if (ret == 1 && ctx->doAppleNativeCertValidationFlag == 1) {
- WOLFSSL_MSG("Appending CA to cert list for native cert validation test");
+ WOLFSSL_MSG("ANCV Test: Appending CA to cert list");
 ret = wolfSSL_TestAppleNativeCertValidation_AppendCA(ctx, derBuf, (int)derLen);
 if (ret == WOLFSSL_SUCCESS) {
- WOLFSSL_MSG("Clearing CA table for native cert validation test");
+ WOLFSSL_MSG("ANCV Test: Clearing CA table");
 /* Clear the CA table so we can ensure they won't be used for
 * verification */
 ret = wolfSSL_CertManagerUnloadCAs(ctx->cm);
@@ -2192,6 +2201,7 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
 XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 }
 #endif /* !WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
+
 if (ret == 1) {
 ret = 0;
 }
@@ -2978,6 +2988,14 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
 ret = 0;
 }
+#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
+ if (ret == 1) {
+ /* TEST ONLY CODE: force native cert validation on */
+ WOLFSSL_MSG("ANCV Test: Loading system CA certs");
+ wolfSSL_CTX_load_system_CA_certs(ctx);
+ }
+#endif
+
 if (ret == 1) {
 /* Get setting on how to verify certificates. */
 verify = GET_VERIFY_SETTING_CTX(ctx);
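Review bot: The `#endif` that appears to close the `#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION` added here (visible in the next hunk) is annotated `/* !WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */`, which negates the condition it closes; it should read `#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */`. Separately, the `AddCA` result in `ret` is overwritten first by the `AppendCA` return and then by `wolfSSL_CertManagerUnloadCAs`, so a failure in either test helper surfaces to the caller as the CA load itself failing; that is presumably acceptable in a test build but deserves a sentence in the new comment so the error is not misread. ProcessBufferCertHandleDer continues outside the hunk.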
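Review bot: The return value of `wolfSSL_CTX_load_system_CA_certs(ctx)` is discarded, so if loading the system CAs (and, presumably, setting the native-validation flag along with it) fails, the file load continues and the test silently exercises the ordinary wolfSSL verification path instead. Log the failure at least: `if (wolfSSL_CTX_load_system_CA_certs(ctx) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ANCV Test: loading system CA certs failed"); }`. The same unchecked call is added in wolfSSL_CTX_der_load_verify_locations and wolfSSL_CTX_load_verify_buffer_ex below, where it is also no longer conditioned on a successful load as the removed blocks were. wolfSSL_CTX_load_verify_locations_ex continues outside the hunk.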
@@ -2990,19 +3008,19 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
 /* Load the PEM formatted CA file */
 ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CA_TYPE, NULL, 0, NULL, verify);
- #ifndef NO_WOLFSSL_DIR
+#ifndef NO_WOLFSSL_DIR
 if (ret == 1) {
 /* Include success in overall count. */
 successCount++;
 }
- #endif
- #if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
+#endif
+#if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
 /* Load CA as a trusted peer certificate. */
 ret = wolfSSL_CTX_trust_peer_cert(ctx, file, WOLFSSL_FILETYPE_PEM);
 if (ret != 1) {
 WOLFSSL_MSG("wolfSSL_CTX_trust_peer_cert error");
 }
- #endif
+#endif
 }
 }
@@ -3015,12 +3033,6 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
 ret = NOT_COMPILED_IN;
 (void)flags;
 #endif
-
-#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
- if (ret == 1) {
- wolfSSL_CTX_load_system_CA_certs(ctx);
- }
-#endif
 }
 return ret;
@@ -3461,16 +3473,15 @@ int wolfSSL_CTX_der_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
 ret = 0;
 }
 else {
+#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
+ /* TEST ONLY CODE: force native cert validation on */
+ WOLFSSL_MSG("ANCV Test: loading system CA certs");
+ wolfSSL_CTX_load_system_CA_certs(ctx);
+#endif
 ret = ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL, GET_VERIFY_SETTING_CTX(ctx));
 }
-#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
- if (ret == 1) {
- wolfSSL_CTX_load_system_CA_certs(ctx);
- }
-#endif
-
 /* Return 1 on success or 0 on failure. */
 return WS_RC(ret);
 }
@@ -3975,6 +3986,14 @@ int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, const unsigned char* in,
 WOLFSSL_ENTER("wolfSSL_CTX_load_verify_buffer_ex");
+#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
+ /* TEST ONLY CODE: force native cert validation on */
+ if (ctx != NULL) {
+ WOLFSSL_MSG("ANCV Test: loading system CA certs");
+ wolfSSL_CTX_load_system_CA_certs(ctx);
+ }
+#endif
+
 /* Get setting on how to verify certificates. */
 verify = GET_VERIFY_SETTING_CTX(ctx);
 /* Overwrite setting when flag set. */
@@ -3999,12 +4018,6 @@ int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, const unsigned char* in,
 }
 #endif
-#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
- if (ret == 1) {
- wolfSSL_CTX_load_system_CA_certs(ctx);
- }
-#endif
-
 WOLFSSL_LEAVE("wolfSSL_CTX_load_verify_buffer_ex", ret);
 return ret;
 }
diff --git a/tests/api.c b/tests/api.c
index ae72e8295..1dd2d9bc9 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -68151,7 +68151,7 @@ TEST_CASE testCases[] = {
 TEST_DECL(test_wolfSSL_CertManagerCRL),
 TEST_DECL(test_wolfSSL_CertManagerCheckOCSPResponse),
 TEST_DECL(test_wolfSSL_CheckOCSPResponse),
-#ifdef HAVE_CERT_CHAIN_VALIDATION
+#if defined(HAVE_CERT_CHAIN_VALIDATION) && !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
 TEST_DECL(test_various_pathlen_chains),
 #endif
@@ -68201,7 +68201,8 @@ TEST_CASE testCases[] = {
 TEST_DECL(test_CONF_CTX_CMDLINE),
 #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
- !defined(WOLFSSL_NO_CLIENT_AUTH)) && !defined(NO_FILESYSTEM)
+ !defined(WOLFSSL_NO_CLIENT_AUTH)) && !defined(NO_FILESYSTEM) && \
+ !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
 /* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
 /* Bad certificate signature tests */
 TEST_DECL(test_EccSigFailure_cm),
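Review bot: The new `#if` guarding `test_various_pathlen_chains` runs well past 80 columns, while the two other test-table guards in this commit (the `test_EccSigFailure_cm` block below and `test_wolfSSL_CertRsaPss` in the next hunk) wrap the same condition with a backslash; split it the same way: `#if defined(HAVE_CERT_CHAIN_VALIDATION) && \` followed by `    !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)`. None of the three exclusions says why these tests cannot run under the Apple native-validation test build, which invites someone to re-enable them later; a one-line comment on each, e.g. `/* Not run under ANCV test builds: the wolfSSL CA table is cleared, so CM-based verification cannot pass */`, would record it. That rationale is inferred from the ssl_load.c changes in this commit rather than stated anywhere in the diff.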
@@ -68246,7 +68247,8 @@ TEST_CASE testCases[] = {
 /* Large number of memory allocations. */
 TEST_DECL(test_wolfSSL_CTX_load_system_CA_certs),
-#ifdef HAVE_CERT_CHAIN_VALIDATION
+#if defined(HAVE_CERT_CHAIN_VALIDATION) && \
+ !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
 TEST_DECL(test_wolfSSL_CertRsaPss),
 #endif
 TEST_DECL(test_wolfSSL_CTX_load_verify_locations_ex),