Merge pull request #8921 from rlm2002/appleNativeCertTests

Apple native cert tests code modifications
This commit is contained in:
Daniel Pouzzner
2025-06-27 22:26:17 -05:00
committed by GitHub
5 changed files with 356 additions and 49 deletions
@@ -0,0 +1,27 @@
name: MacOS apple native cert validation tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
strategy:
fail-fast: false
runs-on: macos-latest
# This should be a safe limit for the tests to run.
timeout-minutes: 5
steps:
- name: Build and configure wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
configure: CFLAGS='-DWOLFSSL_APPLE_NATIVE_CERT_VALIDATION -DWOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION -DRSA_MIN_SIZE=2048 -DNO_WOLFSSL_CIPHER_SUITE_TEST'
+221 -24
View File
@@ -2915,6 +2915,12 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
ctx->x509Chain = NULL;
}
#endif
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
if (ctx->testTrustedCAs != NULL) {
CFRelease(ctx->testTrustedCAs);
ctx->testTrustedCAs = NULL;
}
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
#endif /* !NO_CERTS */
#ifdef HAVE_TLS_EXTENSIONS
@@ -16330,7 +16336,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
#endif
if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) {
#ifndef WOLFSSL_ALLOW_NO_CN_IN_SAN
/* Per RFC 5280 section 4.2.1.6, "Whenever such identities
@@ -42777,7 +42782,122 @@ cleanup:
return secCert;
}
static int DisplaySecTrustError(CFErrorRef error, SecTrustRef trust)
{
CFStringRef desc;
CFStringRef domain;
SecTrustResultType trustResult;
CFDictionaryRef info;
/* Description */
desc = CFErrorCopyDescription(error);
if (desc) {
char buffer[256];
if (CFStringGetCString(desc, buffer, sizeof(buffer),
kCFStringEncodingUTF8)) {
WOLFSSL_MSG_EX("SecTrustEvaluateWithError Error description: %s\n",
buffer);
}
CFRelease(desc);
}
/* Domain */
domain = CFErrorGetDomain(error);
if (domain) {
char domainStr[128];
if (CFStringGetCString(domain, domainStr, sizeof(domainStr),
kCFStringEncodingUTF8)) {
WOLFSSL_MSG_EX("SecTrustEvaluateWithError Domain: %s\n", domainStr);
}
}
/* Get additional trust result info */
if (SecTrustGetTrustResult(trust, &trustResult) == errSecSuccess) {
WOLFSSL_MSG_EX("SecTrustResultType: %d\n", trustResult);
/* Optional: decode the enum */
switch (trustResult) {
case kSecTrustResultInvalid:
WOLFSSL_MSG("TrustResult: Invalid\n");
break;
case kSecTrustResultProceed:
WOLFSSL_MSG("TrustResult: Proceed\n");
break;
case kSecTrustResultDeny:
WOLFSSL_MSG("TrustResult: Deny\n");
break;
case kSecTrustResultUnspecified:
WOLFSSL_MSG("TrustResult: Unspecified (implicitly trusted)\n");
break;
case kSecTrustResultRecoverableTrustFailure:
WOLFSSL_MSG("TrustResult: Recoverable trust failure\n");
break;
case kSecTrustResultFatalTrustFailure:
WOLFSSL_MSG("TrustResult: Fatal trust failure\n");
break;
case kSecTrustResultOtherError:
WOLFSSL_MSG("TrustResult: Other error\n");
break;
default:
WOLFSSL_MSG("TrustResult: Unknown\n");
break;
}
}
else {
WOLFSSL_MSG("SecTrustGetTrustResult failed\n");
}
info = CFErrorCopyUserInfo(error);
if (info) {
WOLFSSL_MSG("Trust error info dump:\n");
CFShow(info);
CFRelease(info);
}
return 0;
}
#if defined(WOLFSSL_APPLE_NATIVE_CERT_VALIDATION) && \
defined (WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
static int MaxValidityPeriodErrorOnly(CFErrorRef error)
{
int multiple = 0;
CFDictionaryRef userInfo = CFErrorCopyUserInfo(error);
if (userInfo) {
/* Get underlying error */
CFTypeRef underlying =
CFDictionaryGetValue(userInfo, kCFErrorUnderlyingErrorKey);
if (underlying) {
/* Get underlying error value*/
CFDictionaryRef underlyingDict =
CFErrorCopyUserInfo((CFErrorRef)underlying);
if (underlyingDict) {
char buffer[512];
CFStringRef values =
CFDictionaryGetValue(underlyingDict,
kCFErrorLocalizedDescriptionKey);
if(CFStringGetCString(values, buffer, sizeof(buffer),
kCFStringEncodingUTF8)) {
if (XSTRSTR(buffer, "Certificate exceeds maximum "
"temporal validity period") &&
(!XSTRSTR(buffer, "Certificate exceeds maximum "
"temporal validity period,") ||
!XSTRSTR(buffer, ", Certificate exceeds maximum "
"temporal validity period"))) {
WOLFSSL_MSG("Maximum validity period error only");
} else {
WOLFSSL_MSG("Found other errors");
multiple = 1;
}
}
CFRelease(underlyingDict);
}
}
CFRelease(userInfo);
}
return multiple;
}
#endif
/*
* Validates a chain of certificates using the Apple system trust APIs
*
@@ -42793,23 +42913,23 @@ cleanup:
* wolfSSL's built-in certificate validation mechanisms anymore. We instead
* must call into the Security Framework APIs to authenticate peer certificates
*/
static int DoAppleNativeCertValidation(WOLFSSL* ssl,
const WOLFSSL_BUFFER_INFO* certs,
int totalCerts)
static int DoAppleNativeCertValidation(WOLFSSL* ssl,
const WOLFSSL_BUFFER_INFO* certs,
int totalCerts)
{
int i;
int ret;
OSStatus status;
int i;
int ret;
OSStatus status;
CFMutableArrayRef certArray = NULL;
SecCertificateRef secCert = NULL;
SecTrustRef trust = NULL;
SecPolicyRef policy = NULL;
CFStringRef hostname = NULL;
CFErrorRef error = NULL;
WOLFSSL_ENTER("DoAppleNativeCertValidation");
certArray = CFArrayCreateMutable(kCFAllocatorDefault,
totalCerts,
certArray = CFArrayCreateMutable(kCFAllocatorDefault, totalCerts,
&kCFTypeArrayCallBacks);
if (!certArray) {
WOLFSSL_MSG("Error: can't allocate CFArray for certificates");
@@ -42818,8 +42938,8 @@ static int DoAppleNativeCertValidation(WOLFSSL* ssl,
}
for (i = 0; i < totalCerts; i++) {
secCert = ConvertToSecCertificateRef(certs[i].buffer,
(int)certs[i].length);
secCert =
ConvertToSecCertificateRef(certs[i].buffer, (int)certs[i].length);
if (!secCert) {
WOLFSSL_MSG("Error: can't convert DER cert to SecCertificateRef");
ret = 0;
@@ -42833,35 +42953,80 @@ static int DoAppleNativeCertValidation(WOLFSSL* ssl,
}
/* Create trust object for SecCertifiate Ref */
if (ssl->buffers.domainName.buffer &&
ssl->buffers.domainName.length > 0) {
if (ssl->buffers.domainName.buffer && ssl->buffers.domainName.length > 0) {
/* Create policy with specified value to require host name match */
hostname = CFStringCreateWithCString(kCFAllocatorDefault,
(const char*)ssl->buffers.domainName.buffer,
kCFStringEncodingUTF8);
hostname = CFStringCreateWithCString(
kCFAllocatorDefault, (const char*)ssl->buffers.domainName.buffer,
kCFStringEncodingUTF8);
}
if (hostname != NULL) {
policy = SecPolicyCreateSSL(true, hostname);
} else {
}
else {
policy = SecPolicyCreateSSL(true, NULL);
}
status = SecTrustCreateWithCertificates(certArray, policy, &trust);
if (status != errSecSuccess) {
WOLFSSL_MSG_EX("Error creating trust object, "
"SecTrustCreateWithCertificates returned %d",status);
"SecTrustCreateWithCertificates returned %d",
status);
ret = 0;
goto cleanup;
}
#if defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
/* TEST ONLY CODE:
* Set accumulated list of trusted CA certificates as trust anchors */
WOLFSSL_MSG("Setting anchor certificates");
if (ssl->ctx->testTrustedCAs != NULL) {
status = SecTrustSetAnchorCertificates(trust, ssl->ctx->testTrustedCAs);
if (status != errSecSuccess) {
WOLFSSL_MSG_EX("Error setting anchor certificates: %d", status);
ret = 0;
goto cleanup;
}
}
#endif
/* Evaluate the certificate's authenticity */
if (SecTrustEvaluateWithError(trust, NULL) == 1) {
WOLFSSL_MSG("Cert chain is trusted");
ret = 1;
WOLFSSL_MSG("Performing Apple native cert validation via "
"SecTrustEvaluateWithError");
ret = SecTrustEvaluateWithError(trust, &error);
if (ret != 1) {
if (error) {
CFIndex code;
code = CFErrorGetCode(error);
WOLFSSL_MSG_EX("SecTrustEvaluateWithError failed with code: %ld\n",
code);
DisplaySecTrustError(error, trust);
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
/* TEST ONLY CODE:
* wolfSSL API tests use a cert with a validity period that is too
* long for the Apple system trust APIs
* (See: https://support.apple.com/en-us/103769)
* therefore we should skip over this particular error */
if (code == errSecCertificateValidityPeriodTooLong) {
if (MaxValidityPeriodErrorOnly(error)) {
WOLFSSL_MSG("Multiple reasons for validity period error, "
"not skipping");
ret = 0;
} else {
WOLFSSL_MSG("Skipping certificate validity period error");
ret = 1;
}
}
#endif
(void)code;
CFRelease(error);
}
else {
WOLFSSL_MSG(
"SecTrustEvaluateWithError failed with unknown error.\n");
}
}
else {
WOLFSSL_MSG("Cert chain trust evaluation failed"
"SecTrustEvaluateWithError returned 0");
ret = 0;
WOLFSSL_MSG("SecTrustEvaluateWithError succeeded");
}
/* Cleanup */
@@ -42883,6 +43048,38 @@ cleanup:
return ret;
}
#if defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
int wolfSSL_TestAppleNativeCertValidation_AppendCA(WOLFSSL_CTX* ctx,
const byte* derCert,
int derLen)
{
SecCertificateRef certRef;
if (derCert == NULL || derLen == 0) {
return WOLFSSL_FAILURE;
}
/* Create the base array for trust anchors if it doesn't exist */
if (ctx->testTrustedCAs == NULL) {
ctx->testTrustedCAs =
CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
if (!ctx->testTrustedCAs) {
return WOLFSSL_FAILURE;
}
}
certRef = ConvertToSecCertificateRef(derCert, derLen);
if (!certRef) {
return false;
}
CFArrayAppendValue(ctx->testTrustedCAs, certRef);
CFRelease(certRef);
return WOLFSSL_SUCCESS;
}
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
#endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
#undef ERROR_OUT
+74 -6
View File
@@ -42,9 +42,14 @@
#endif
#endif
#if defined(__APPLE__) && defined(HAVE_SECURITY_SECTRUSTSETTINGS_H)
#if defined(__APPLE__)
#if defined(HAVE_SECURITY_SECTRUSTSETTINGS_H)
#include <Security/SecTrustSettings.h>
#endif
#endif /* HAVE_SECURITY_SECTRUSTSETTINGS_H */
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
#include <CoreFoundation/CoreFoundation.h>
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
#endif /* __APPLE__ */
#endif /* WOLFSSL_SYS_CA_CERTS */
@@ -2153,8 +2158,50 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
/* CA certificate to verify with. */
if (type == CA_TYPE) {
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
/* TEST ONLY CODE:
* Store the DER encoding of the CA certificate so we can append it to
* the list of trusted CA certificates if the subsequent call to AddCA
* is successful */
word32 derLen;
byte* derBuf;
if (ctx->doAppleNativeCertValidationFlag == 1) {
WOLFSSL_MSG("ANCV Test: copy DER CA cert");
derLen = der->length;
derBuf = (byte*)XMALLOC(derLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (derBuf == NULL) {
return MEMORY_E;
}
XMEMCPY(derBuf, der->buffer, derLen);
}
else {
(void)derLen;
(void)derBuf;
}
#endif
/* verify CA unless user set to no verify */
ret = AddCA(ctx->cm, &der, WOLFSSL_USER_CA, verify);
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
/* TEST ONLY CODE:
* Append the DER encoded CA certificate to the list of trusted CA
* certificates so we can inject them at verification time */
if (ret == 1 && ctx->doAppleNativeCertValidationFlag == 1) {
WOLFSSL_MSG("ANCV Test: Appending CA to cert list");
ret = wolfSSL_TestAppleNativeCertValidation_AppendCA(ctx, derBuf, (int)derLen);
if (ret == WOLFSSL_SUCCESS) {
WOLFSSL_MSG("ANCV Test: Clearing CA table");
/* Clear the CA table so we can ensure they won't be used for
* verification */
ret = wolfSSL_CertManagerUnloadCAs(ctx->cm);
if (ret == WOLFSSL_SUCCESS) {
ret = 0;
}
}
XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
}
#endif /* !WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
if (ret == 1) {
ret = 0;
}
@@ -2941,6 +2988,14 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
ret = 0;
}
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
if (ret == 1) {
/* TEST ONLY CODE: force native cert validation on */
WOLFSSL_MSG("ANCV Test: Loading system CA certs");
wolfSSL_CTX_load_system_CA_certs(ctx);
}
#endif
if (ret == 1) {
/* Get setting on how to verify certificates. */
verify = GET_VERIFY_SETTING_CTX(ctx);
@@ -2953,19 +3008,19 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
/* Load the PEM formatted CA file */
ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CA_TYPE, NULL, 0,
NULL, verify);
#ifndef NO_WOLFSSL_DIR
#ifndef NO_WOLFSSL_DIR
if (ret == 1) {
/* Include success in overall count. */
successCount++;
}
#endif
#if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
#endif
#if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
/* Load CA as a trusted peer certificate. */
ret = wolfSSL_CTX_trust_peer_cert(ctx, file, WOLFSSL_FILETYPE_PEM);
if (ret != 1) {
WOLFSSL_MSG("wolfSSL_CTX_trust_peer_cert error");
}
#endif
#endif
}
}
@@ -3418,6 +3473,11 @@ int wolfSSL_CTX_der_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
ret = 0;
}
else {
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
/* TEST ONLY CODE: force native cert validation on */
WOLFSSL_MSG("ANCV Test: loading system CA certs");
wolfSSL_CTX_load_system_CA_certs(ctx);
#endif
ret = ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL,
GET_VERIFY_SETTING_CTX(ctx));
}
@@ -3926,6 +3986,14 @@ int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, const unsigned char* in,
WOLFSSL_ENTER("wolfSSL_CTX_load_verify_buffer_ex");
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
/* TEST ONLY CODE: force native cert validation on */
if (ctx != NULL) {
WOLFSSL_MSG("ANCV Test: loading system CA certs");
wolfSSL_CTX_load_system_CA_certs(ctx);
}
#endif
/* Get setting on how to verify certificates. */
verify = GET_VERIFY_SETTING_CTX(ctx);
/* Overwrite setting when flag set. */
+19 -19
View File
@@ -5077,6 +5077,7 @@ static int test_wolfSSL_OtherName(void)
}
#ifdef HAVE_CERT_CHAIN_VALIDATION
#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
static int test_wolfSSL_CertRsaPss(void)
{
EXPECT_DECLS;
@@ -5134,7 +5135,8 @@ static int test_wolfSSL_CertRsaPss(void)
return EXPECT_RESULT();
}
#endif
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
#endif /* HAVE_CERT_CHAIN_VALIDATION */
static int test_wolfSSL_CTX_load_verify_locations_ex(void)
{
@@ -32836,18 +32838,8 @@ static int test_wolfSSL_check_domain(void)
}
#endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */
#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \
defined(WOLFSSL_SYS_CA_CERTS)
#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && !defined(OPENSSL_COMPATIBLE_DEFAULTS)
static const char* dn = NULL;
static int test_wolfSSL_check_domain_basic_client_ctx(WOLFSSL_CTX* ctx)
{
EXPECT_DECLS;
ExpectIntEQ(wolfSSL_CTX_load_system_CA_certs(ctx), WOLFSSL_SUCCESS);
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL);
return EXPECT_RESULT();
}
static int test_wolfSSL_check_domain_basic_client_ssl(WOLFSSL* ssl)
{
EXPECT_DECLS;
@@ -32865,8 +32857,6 @@ static int test_wolfSSL_check_domain_basic(void)
XMEMSET(&func_cb_client, 0, sizeof(func_cb_client));
XMEMSET(&func_cb_server, 0, sizeof(func_cb_server));
func_cb_client.ctx_ready = &test_wolfSSL_check_domain_basic_client_ctx;
dn = "invalid.com";
func_cb_client.ssl_ready = &test_wolfSSL_check_domain_basic_client_ssl;
@@ -48411,6 +48401,7 @@ static int test_X509_LOOKUP_add_dir(void)
!defined(WOLFSSL_NO_CLIENT_AUTH)) && !defined(NO_FILESYSTEM)
#if !defined(NO_RSA) || defined(HAVE_ECC)
/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz,
int type)
{
@@ -48461,7 +48452,7 @@ static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz,
return ret;
}
#endif
#if !defined(NO_FILESYSTEM)
static int test_RsaSigFailure_cm(void)
@@ -48538,8 +48529,9 @@ static int test_EccSigFailure_cm(void)
#endif /* HAVE_ECC */
return EXPECT_RESULT();
}
#endif /* !NO_FILESYSTEM */
#endif /* !WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION*/
#endif /* !NO_RSA || HAVE_ECC */
#endif /* NO_CERTS */
#ifdef WOLFSSL_TLS13
@@ -57965,6 +57957,7 @@ static int test_wolfSSL_dtls_stateless(void)
* HAVE_IO_TESTS_DEPENDENCIES && !SINGLE_THREADED */
#ifdef HAVE_CERT_CHAIN_VALIDATION
#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA)
{
int ret;
@@ -58201,6 +58194,7 @@ static int test_various_pathlen_chains(void)
return EXPECT_RESULT();
}
#endif
#endif /* !NO_RSA && !NO_SHA && !NO_FILESYSTEM && !NO_CERTS */
#if defined(HAVE_KEYING_MATERIAL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
@@ -66962,6 +66956,7 @@ static int test_get_signature_nid(void)
return EXPECT_RESULT();
}
#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
#if !defined(NO_CERTS) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
static word32 test_tls_cert_store_unchanged_HashCaTable(Signer** caTable)
{
@@ -67108,6 +67103,7 @@ static int test_tls_cert_store_unchanged(void)
#endif
return EXPECT_RESULT();
}
#endif /* !WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
static int test_wolfSSL_SendUserCanceled(void)
{
@@ -68191,7 +68187,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_CRL_duplicate_extensions),
TEST_DECL(test_wolfSSL_CertManagerCheckOCSPResponse),
TEST_DECL(test_wolfSSL_CheckOCSPResponse),
#ifdef HAVE_CERT_CHAIN_VALIDATION
#if defined(HAVE_CERT_CHAIN_VALIDATION) && !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
TEST_DECL(test_various_pathlen_chains),
#endif
@@ -68241,7 +68237,8 @@ TEST_CASE testCases[] = {
TEST_DECL(test_CONF_CTX_CMDLINE),
#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH)) && !defined(NO_FILESYSTEM)
!defined(WOLFSSL_NO_CLIENT_AUTH)) && !defined(NO_FILESYSTEM) && \
!defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
/* Bad certificate signature tests */
TEST_DECL(test_EccSigFailure_cm),
@@ -68286,7 +68283,8 @@ TEST_CASE testCases[] = {
/* Large number of memory allocations. */
TEST_DECL(test_wolfSSL_CTX_load_system_CA_certs),
#ifdef HAVE_CERT_CHAIN_VALIDATION
#if defined(HAVE_CERT_CHAIN_VALIDATION) && \
!defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
TEST_DECL(test_wolfSSL_CertRsaPss),
#endif
TEST_DECL(test_wolfSSL_CTX_load_verify_locations_ex),
@@ -68534,7 +68532,9 @@ TEST_CASE testCases[] = {
TEST_DECL(test_write_dup),
TEST_DECL(test_read_write_hs),
TEST_DECL(test_get_signature_nid),
#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
TEST_DECL(test_tls_cert_store_unchanged),
#endif
TEST_DECL(test_wolfSSL_SendUserCanceled),
TEST_DECL(test_wolfSSL_SSLDisableRead),
TEST_DECL(test_wolfSSL_inject),
+15
View File
@@ -300,6 +300,10 @@
#include <wolfssl/sniffer.h>
#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
#include <CoreFoundation/CoreFoundation.h>
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
#ifdef __cplusplus
extern "C" {
#endif
@@ -4242,6 +4246,10 @@ struct WOLFSSL_CTX {
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
int secLevel; /* The security level of system-wide crypto policy. */
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
CFMutableArrayRef testTrustedCAs;
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
};
WOLFSSL_LOCAL
@@ -4278,6 +4286,13 @@ int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif
#endif
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
WOLFSSL_API
int wolfSSL_TestAppleNativeCertValidation_AppendCA(WOLFSSL_CTX* ctx,
const byte* derCert,
int derLen);
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
/* All cipher suite related info
* Keep as a constant size (no ifdefs) for session export */
typedef struct CipherSpecs {