mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-09 21:10:51 +02:00
Merge pull request #8921 from rlm2002/appleNativeCertTests
Apple native cert tests code modifications
This commit is contained in:
@@ -0,0 +1,27 @@
|
||||
name: MacOS apple native cert validation tests
|
||||
|
||||
# START OF COMMON SECTION
|
||||
on:
|
||||
push:
|
||||
branches: [ 'master', 'main', 'release/**' ]
|
||||
pull_request:
|
||||
branches: [ '*' ]
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
# END OF COMMON SECTION
|
||||
|
||||
jobs:
|
||||
make_check:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
runs-on: macos-latest
|
||||
# This should be a safe limit for the tests to run.
|
||||
timeout-minutes: 5
|
||||
steps:
|
||||
- name: Build and configure wolfSSL
|
||||
uses: wolfSSL/actions-build-autotools-project@v1
|
||||
with:
|
||||
configure: CFLAGS='-DWOLFSSL_APPLE_NATIVE_CERT_VALIDATION -DWOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION -DRSA_MIN_SIZE=2048 -DNO_WOLFSSL_CIPHER_SUITE_TEST'
|
||||
|
||||
+221
-24
@@ -2915,6 +2915,12 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
|
||||
ctx->x509Chain = NULL;
|
||||
}
|
||||
#endif
|
||||
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
if (ctx->testTrustedCAs != NULL) {
|
||||
CFRelease(ctx->testTrustedCAs);
|
||||
ctx->testTrustedCAs = NULL;
|
||||
}
|
||||
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
|
||||
#endif /* !NO_CERTS */
|
||||
|
||||
#ifdef HAVE_TLS_EXTENSIONS
|
||||
@@ -16330,7 +16336,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) {
|
||||
#ifndef WOLFSSL_ALLOW_NO_CN_IN_SAN
|
||||
/* Per RFC 5280 section 4.2.1.6, "Whenever such identities
|
||||
@@ -42777,7 +42782,122 @@ cleanup:
|
||||
return secCert;
|
||||
}
|
||||
|
||||
static int DisplaySecTrustError(CFErrorRef error, SecTrustRef trust)
|
||||
{
|
||||
CFStringRef desc;
|
||||
CFStringRef domain;
|
||||
SecTrustResultType trustResult;
|
||||
CFDictionaryRef info;
|
||||
|
||||
/* Description */
|
||||
desc = CFErrorCopyDescription(error);
|
||||
if (desc) {
|
||||
char buffer[256];
|
||||
if (CFStringGetCString(desc, buffer, sizeof(buffer),
|
||||
kCFStringEncodingUTF8)) {
|
||||
WOLFSSL_MSG_EX("SecTrustEvaluateWithError Error description: %s\n",
|
||||
buffer);
|
||||
}
|
||||
CFRelease(desc);
|
||||
}
|
||||
|
||||
/* Domain */
|
||||
domain = CFErrorGetDomain(error);
|
||||
if (domain) {
|
||||
char domainStr[128];
|
||||
if (CFStringGetCString(domain, domainStr, sizeof(domainStr),
|
||||
kCFStringEncodingUTF8)) {
|
||||
WOLFSSL_MSG_EX("SecTrustEvaluateWithError Domain: %s\n", domainStr);
|
||||
}
|
||||
}
|
||||
|
||||
/* Get additional trust result info */
|
||||
if (SecTrustGetTrustResult(trust, &trustResult) == errSecSuccess) {
|
||||
WOLFSSL_MSG_EX("SecTrustResultType: %d\n", trustResult);
|
||||
/* Optional: decode the enum */
|
||||
switch (trustResult) {
|
||||
case kSecTrustResultInvalid:
|
||||
WOLFSSL_MSG("TrustResult: Invalid\n");
|
||||
break;
|
||||
case kSecTrustResultProceed:
|
||||
WOLFSSL_MSG("TrustResult: Proceed\n");
|
||||
break;
|
||||
case kSecTrustResultDeny:
|
||||
WOLFSSL_MSG("TrustResult: Deny\n");
|
||||
break;
|
||||
case kSecTrustResultUnspecified:
|
||||
WOLFSSL_MSG("TrustResult: Unspecified (implicitly trusted)\n");
|
||||
break;
|
||||
case kSecTrustResultRecoverableTrustFailure:
|
||||
WOLFSSL_MSG("TrustResult: Recoverable trust failure\n");
|
||||
break;
|
||||
case kSecTrustResultFatalTrustFailure:
|
||||
WOLFSSL_MSG("TrustResult: Fatal trust failure\n");
|
||||
break;
|
||||
case kSecTrustResultOtherError:
|
||||
WOLFSSL_MSG("TrustResult: Other error\n");
|
||||
break;
|
||||
default:
|
||||
WOLFSSL_MSG("TrustResult: Unknown\n");
|
||||
break;
|
||||
}
|
||||
}
|
||||
else {
|
||||
WOLFSSL_MSG("SecTrustGetTrustResult failed\n");
|
||||
}
|
||||
|
||||
info = CFErrorCopyUserInfo(error);
|
||||
if (info) {
|
||||
WOLFSSL_MSG("Trust error info dump:\n");
|
||||
CFShow(info);
|
||||
CFRelease(info);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if defined(WOLFSSL_APPLE_NATIVE_CERT_VALIDATION) && \
|
||||
defined (WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
|
||||
static int MaxValidityPeriodErrorOnly(CFErrorRef error)
|
||||
{
|
||||
int multiple = 0;
|
||||
|
||||
CFDictionaryRef userInfo = CFErrorCopyUserInfo(error);
|
||||
if (userInfo) {
|
||||
/* Get underlying error */
|
||||
CFTypeRef underlying =
|
||||
CFDictionaryGetValue(userInfo, kCFErrorUnderlyingErrorKey);
|
||||
if (underlying) {
|
||||
/* Get underlying error value*/
|
||||
CFDictionaryRef underlyingDict =
|
||||
CFErrorCopyUserInfo((CFErrorRef)underlying);
|
||||
if (underlyingDict) {
|
||||
char buffer[512];
|
||||
CFStringRef values =
|
||||
CFDictionaryGetValue(underlyingDict,
|
||||
kCFErrorLocalizedDescriptionKey);
|
||||
if(CFStringGetCString(values, buffer, sizeof(buffer),
|
||||
kCFStringEncodingUTF8)) {
|
||||
if (XSTRSTR(buffer, "Certificate exceeds maximum "
|
||||
"temporal validity period") &&
|
||||
(!XSTRSTR(buffer, "Certificate exceeds maximum "
|
||||
"temporal validity period,") ||
|
||||
!XSTRSTR(buffer, ", Certificate exceeds maximum "
|
||||
"temporal validity period"))) {
|
||||
WOLFSSL_MSG("Maximum validity period error only");
|
||||
} else {
|
||||
WOLFSSL_MSG("Found other errors");
|
||||
multiple = 1;
|
||||
}
|
||||
}
|
||||
CFRelease(underlyingDict);
|
||||
}
|
||||
}
|
||||
CFRelease(userInfo);
|
||||
}
|
||||
return multiple;
|
||||
}
|
||||
#endif
|
||||
/*
|
||||
* Validates a chain of certificates using the Apple system trust APIs
|
||||
*
|
||||
@@ -42793,23 +42913,23 @@ cleanup:
|
||||
* wolfSSL's built-in certificate validation mechanisms anymore. We instead
|
||||
* must call into the Security Framework APIs to authenticate peer certificates
|
||||
*/
|
||||
static int DoAppleNativeCertValidation(WOLFSSL* ssl,
|
||||
const WOLFSSL_BUFFER_INFO* certs,
|
||||
int totalCerts)
|
||||
static int DoAppleNativeCertValidation(WOLFSSL* ssl,
|
||||
const WOLFSSL_BUFFER_INFO* certs,
|
||||
int totalCerts)
|
||||
{
|
||||
int i;
|
||||
int ret;
|
||||
OSStatus status;
|
||||
int i;
|
||||
int ret;
|
||||
OSStatus status;
|
||||
CFMutableArrayRef certArray = NULL;
|
||||
SecCertificateRef secCert = NULL;
|
||||
SecTrustRef trust = NULL;
|
||||
SecPolicyRef policy = NULL;
|
||||
CFStringRef hostname = NULL;
|
||||
CFErrorRef error = NULL;
|
||||
|
||||
WOLFSSL_ENTER("DoAppleNativeCertValidation");
|
||||
|
||||
certArray = CFArrayCreateMutable(kCFAllocatorDefault,
|
||||
totalCerts,
|
||||
certArray = CFArrayCreateMutable(kCFAllocatorDefault, totalCerts,
|
||||
&kCFTypeArrayCallBacks);
|
||||
if (!certArray) {
|
||||
WOLFSSL_MSG("Error: can't allocate CFArray for certificates");
|
||||
@@ -42818,8 +42938,8 @@ static int DoAppleNativeCertValidation(WOLFSSL* ssl,
|
||||
}
|
||||
|
||||
for (i = 0; i < totalCerts; i++) {
|
||||
secCert = ConvertToSecCertificateRef(certs[i].buffer,
|
||||
(int)certs[i].length);
|
||||
secCert =
|
||||
ConvertToSecCertificateRef(certs[i].buffer, (int)certs[i].length);
|
||||
if (!secCert) {
|
||||
WOLFSSL_MSG("Error: can't convert DER cert to SecCertificateRef");
|
||||
ret = 0;
|
||||
@@ -42833,35 +42953,80 @@ static int DoAppleNativeCertValidation(WOLFSSL* ssl,
|
||||
}
|
||||
|
||||
/* Create trust object for SecCertifiate Ref */
|
||||
if (ssl->buffers.domainName.buffer &&
|
||||
ssl->buffers.domainName.length > 0) {
|
||||
if (ssl->buffers.domainName.buffer && ssl->buffers.domainName.length > 0) {
|
||||
/* Create policy with specified value to require host name match */
|
||||
hostname = CFStringCreateWithCString(kCFAllocatorDefault,
|
||||
(const char*)ssl->buffers.domainName.buffer,
|
||||
kCFStringEncodingUTF8);
|
||||
hostname = CFStringCreateWithCString(
|
||||
kCFAllocatorDefault, (const char*)ssl->buffers.domainName.buffer,
|
||||
kCFStringEncodingUTF8);
|
||||
}
|
||||
if (hostname != NULL) {
|
||||
policy = SecPolicyCreateSSL(true, hostname);
|
||||
} else {
|
||||
}
|
||||
else {
|
||||
policy = SecPolicyCreateSSL(true, NULL);
|
||||
}
|
||||
status = SecTrustCreateWithCertificates(certArray, policy, &trust);
|
||||
if (status != errSecSuccess) {
|
||||
WOLFSSL_MSG_EX("Error creating trust object, "
|
||||
"SecTrustCreateWithCertificates returned %d",status);
|
||||
"SecTrustCreateWithCertificates returned %d",
|
||||
status);
|
||||
ret = 0;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
#if defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
|
||||
/* TEST ONLY CODE:
|
||||
* Set accumulated list of trusted CA certificates as trust anchors */
|
||||
WOLFSSL_MSG("Setting anchor certificates");
|
||||
if (ssl->ctx->testTrustedCAs != NULL) {
|
||||
status = SecTrustSetAnchorCertificates(trust, ssl->ctx->testTrustedCAs);
|
||||
if (status != errSecSuccess) {
|
||||
WOLFSSL_MSG_EX("Error setting anchor certificates: %d", status);
|
||||
ret = 0;
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Evaluate the certificate's authenticity */
|
||||
if (SecTrustEvaluateWithError(trust, NULL) == 1) {
|
||||
WOLFSSL_MSG("Cert chain is trusted");
|
||||
ret = 1;
|
||||
WOLFSSL_MSG("Performing Apple native cert validation via "
|
||||
"SecTrustEvaluateWithError");
|
||||
ret = SecTrustEvaluateWithError(trust, &error);
|
||||
if (ret != 1) {
|
||||
if (error) {
|
||||
CFIndex code;
|
||||
code = CFErrorGetCode(error);
|
||||
WOLFSSL_MSG_EX("SecTrustEvaluateWithError failed with code: %ld\n",
|
||||
code);
|
||||
DisplaySecTrustError(error, trust);
|
||||
|
||||
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
/* TEST ONLY CODE:
|
||||
* wolfSSL API tests use a cert with a validity period that is too
|
||||
* long for the Apple system trust APIs
|
||||
* (See: https://support.apple.com/en-us/103769)
|
||||
* therefore we should skip over this particular error */
|
||||
if (code == errSecCertificateValidityPeriodTooLong) {
|
||||
if (MaxValidityPeriodErrorOnly(error)) {
|
||||
WOLFSSL_MSG("Multiple reasons for validity period error, "
|
||||
"not skipping");
|
||||
ret = 0;
|
||||
} else {
|
||||
WOLFSSL_MSG("Skipping certificate validity period error");
|
||||
ret = 1;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
(void)code;
|
||||
CFRelease(error);
|
||||
}
|
||||
else {
|
||||
WOLFSSL_MSG(
|
||||
"SecTrustEvaluateWithError failed with unknown error.\n");
|
||||
}
|
||||
}
|
||||
else {
|
||||
WOLFSSL_MSG("Cert chain trust evaluation failed"
|
||||
"SecTrustEvaluateWithError returned 0");
|
||||
ret = 0;
|
||||
WOLFSSL_MSG("SecTrustEvaluateWithError succeeded");
|
||||
}
|
||||
|
||||
/* Cleanup */
|
||||
@@ -42883,6 +43048,38 @@ cleanup:
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
#if defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
|
||||
int wolfSSL_TestAppleNativeCertValidation_AppendCA(WOLFSSL_CTX* ctx,
|
||||
const byte* derCert,
|
||||
int derLen)
|
||||
{
|
||||
SecCertificateRef certRef;
|
||||
|
||||
if (derCert == NULL || derLen == 0) {
|
||||
return WOLFSSL_FAILURE;
|
||||
}
|
||||
|
||||
/* Create the base array for trust anchors if it doesn't exist */
|
||||
if (ctx->testTrustedCAs == NULL) {
|
||||
ctx->testTrustedCAs =
|
||||
CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
|
||||
if (!ctx->testTrustedCAs) {
|
||||
return WOLFSSL_FAILURE;
|
||||
}
|
||||
}
|
||||
|
||||
certRef = ConvertToSecCertificateRef(derCert, derLen);
|
||||
if (!certRef) {
|
||||
return false;
|
||||
}
|
||||
|
||||
CFArrayAppendValue(ctx->testTrustedCAs, certRef);
|
||||
CFRelease(certRef);
|
||||
return WOLFSSL_SUCCESS;
|
||||
}
|
||||
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
|
||||
|
||||
#endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
|
||||
|
||||
#undef ERROR_OUT
|
||||
|
||||
+74
-6
@@ -42,9 +42,14 @@
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(__APPLE__) && defined(HAVE_SECURITY_SECTRUSTSETTINGS_H)
|
||||
#if defined(__APPLE__)
|
||||
#if defined(HAVE_SECURITY_SECTRUSTSETTINGS_H)
|
||||
#include <Security/SecTrustSettings.h>
|
||||
#endif
|
||||
#endif /* HAVE_SECURITY_SECTRUSTSETTINGS_H */
|
||||
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
#include <CoreFoundation/CoreFoundation.h>
|
||||
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
|
||||
#endif /* __APPLE__ */
|
||||
|
||||
#endif /* WOLFSSL_SYS_CA_CERTS */
|
||||
|
||||
@@ -2153,8 +2158,50 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
|
||||
|
||||
/* CA certificate to verify with. */
|
||||
if (type == CA_TYPE) {
|
||||
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
/* TEST ONLY CODE:
|
||||
* Store the DER encoding of the CA certificate so we can append it to
|
||||
* the list of trusted CA certificates if the subsequent call to AddCA
|
||||
* is successful */
|
||||
word32 derLen;
|
||||
byte* derBuf;
|
||||
if (ctx->doAppleNativeCertValidationFlag == 1) {
|
||||
WOLFSSL_MSG("ANCV Test: copy DER CA cert");
|
||||
derLen = der->length;
|
||||
derBuf = (byte*)XMALLOC(derLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
if (derBuf == NULL) {
|
||||
return MEMORY_E;
|
||||
}
|
||||
XMEMCPY(derBuf, der->buffer, derLen);
|
||||
}
|
||||
else {
|
||||
(void)derLen;
|
||||
(void)derBuf;
|
||||
}
|
||||
#endif
|
||||
/* verify CA unless user set to no verify */
|
||||
ret = AddCA(ctx->cm, &der, WOLFSSL_USER_CA, verify);
|
||||
|
||||
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
/* TEST ONLY CODE:
|
||||
* Append the DER encoded CA certificate to the list of trusted CA
|
||||
* certificates so we can inject them at verification time */
|
||||
if (ret == 1 && ctx->doAppleNativeCertValidationFlag == 1) {
|
||||
WOLFSSL_MSG("ANCV Test: Appending CA to cert list");
|
||||
ret = wolfSSL_TestAppleNativeCertValidation_AppendCA(ctx, derBuf, (int)derLen);
|
||||
if (ret == WOLFSSL_SUCCESS) {
|
||||
WOLFSSL_MSG("ANCV Test: Clearing CA table");
|
||||
/* Clear the CA table so we can ensure they won't be used for
|
||||
* verification */
|
||||
ret = wolfSSL_CertManagerUnloadCAs(ctx->cm);
|
||||
if (ret == WOLFSSL_SUCCESS) {
|
||||
ret = 0;
|
||||
}
|
||||
}
|
||||
XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
}
|
||||
#endif /* !WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
|
||||
|
||||
if (ret == 1) {
|
||||
ret = 0;
|
||||
}
|
||||
@@ -2941,6 +2988,14 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
|
||||
ret = 0;
|
||||
}
|
||||
|
||||
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
if (ret == 1) {
|
||||
/* TEST ONLY CODE: force native cert validation on */
|
||||
WOLFSSL_MSG("ANCV Test: Loading system CA certs");
|
||||
wolfSSL_CTX_load_system_CA_certs(ctx);
|
||||
}
|
||||
#endif
|
||||
|
||||
if (ret == 1) {
|
||||
/* Get setting on how to verify certificates. */
|
||||
verify = GET_VERIFY_SETTING_CTX(ctx);
|
||||
@@ -2953,19 +3008,19 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
|
||||
/* Load the PEM formatted CA file */
|
||||
ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CA_TYPE, NULL, 0,
|
||||
NULL, verify);
|
||||
#ifndef NO_WOLFSSL_DIR
|
||||
#ifndef NO_WOLFSSL_DIR
|
||||
if (ret == 1) {
|
||||
/* Include success in overall count. */
|
||||
successCount++;
|
||||
}
|
||||
#endif
|
||||
#if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
|
||||
#endif
|
||||
#if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
|
||||
/* Load CA as a trusted peer certificate. */
|
||||
ret = wolfSSL_CTX_trust_peer_cert(ctx, file, WOLFSSL_FILETYPE_PEM);
|
||||
if (ret != 1) {
|
||||
WOLFSSL_MSG("wolfSSL_CTX_trust_peer_cert error");
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
@@ -3418,6 +3473,11 @@ int wolfSSL_CTX_der_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
|
||||
ret = 0;
|
||||
}
|
||||
else {
|
||||
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
/* TEST ONLY CODE: force native cert validation on */
|
||||
WOLFSSL_MSG("ANCV Test: loading system CA certs");
|
||||
wolfSSL_CTX_load_system_CA_certs(ctx);
|
||||
#endif
|
||||
ret = ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL,
|
||||
GET_VERIFY_SETTING_CTX(ctx));
|
||||
}
|
||||
@@ -3926,6 +3986,14 @@ int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, const unsigned char* in,
|
||||
|
||||
WOLFSSL_ENTER("wolfSSL_CTX_load_verify_buffer_ex");
|
||||
|
||||
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
/* TEST ONLY CODE: force native cert validation on */
|
||||
if (ctx != NULL) {
|
||||
WOLFSSL_MSG("ANCV Test: loading system CA certs");
|
||||
wolfSSL_CTX_load_system_CA_certs(ctx);
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Get setting on how to verify certificates. */
|
||||
verify = GET_VERIFY_SETTING_CTX(ctx);
|
||||
/* Overwrite setting when flag set. */
|
||||
|
||||
+19
-19
@@ -5077,6 +5077,7 @@ static int test_wolfSSL_OtherName(void)
|
||||
}
|
||||
|
||||
#ifdef HAVE_CERT_CHAIN_VALIDATION
|
||||
#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
static int test_wolfSSL_CertRsaPss(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
@@ -5134,7 +5135,8 @@ static int test_wolfSSL_CertRsaPss(void)
|
||||
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
#endif
|
||||
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
|
||||
#endif /* HAVE_CERT_CHAIN_VALIDATION */
|
||||
|
||||
static int test_wolfSSL_CTX_load_verify_locations_ex(void)
|
||||
{
|
||||
@@ -32836,18 +32838,8 @@ static int test_wolfSSL_check_domain(void)
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */
|
||||
#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \
|
||||
defined(WOLFSSL_SYS_CA_CERTS)
|
||||
#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && !defined(OPENSSL_COMPATIBLE_DEFAULTS)
|
||||
static const char* dn = NULL;
|
||||
static int test_wolfSSL_check_domain_basic_client_ctx(WOLFSSL_CTX* ctx)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
|
||||
ExpectIntEQ(wolfSSL_CTX_load_system_CA_certs(ctx), WOLFSSL_SUCCESS);
|
||||
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL);
|
||||
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
static int test_wolfSSL_check_domain_basic_client_ssl(WOLFSSL* ssl)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
@@ -32865,8 +32857,6 @@ static int test_wolfSSL_check_domain_basic(void)
|
||||
XMEMSET(&func_cb_client, 0, sizeof(func_cb_client));
|
||||
XMEMSET(&func_cb_server, 0, sizeof(func_cb_server));
|
||||
|
||||
func_cb_client.ctx_ready = &test_wolfSSL_check_domain_basic_client_ctx;
|
||||
|
||||
dn = "invalid.com";
|
||||
func_cb_client.ssl_ready = &test_wolfSSL_check_domain_basic_client_ssl;
|
||||
|
||||
@@ -48411,6 +48401,7 @@ static int test_X509_LOOKUP_add_dir(void)
|
||||
!defined(WOLFSSL_NO_CLIENT_AUTH)) && !defined(NO_FILESYSTEM)
|
||||
#if !defined(NO_RSA) || defined(HAVE_ECC)
|
||||
/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
|
||||
#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz,
|
||||
int type)
|
||||
{
|
||||
@@ -48461,7 +48452,7 @@ static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz,
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
#if !defined(NO_FILESYSTEM)
|
||||
static int test_RsaSigFailure_cm(void)
|
||||
@@ -48538,8 +48529,9 @@ static int test_EccSigFailure_cm(void)
|
||||
#endif /* HAVE_ECC */
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
#endif /* !NO_FILESYSTEM */
|
||||
#endif /* !WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION*/
|
||||
#endif /* !NO_RSA || HAVE_ECC */
|
||||
#endif /* NO_CERTS */
|
||||
|
||||
#ifdef WOLFSSL_TLS13
|
||||
@@ -57965,6 +57957,7 @@ static int test_wolfSSL_dtls_stateless(void)
|
||||
* HAVE_IO_TESTS_DEPENDENCIES && !SINGLE_THREADED */
|
||||
|
||||
#ifdef HAVE_CERT_CHAIN_VALIDATION
|
||||
#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA)
|
||||
{
|
||||
int ret;
|
||||
@@ -58201,6 +58194,7 @@ static int test_various_pathlen_chains(void)
|
||||
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
#endif
|
||||
#endif /* !NO_RSA && !NO_SHA && !NO_FILESYSTEM && !NO_CERTS */
|
||||
|
||||
#if defined(HAVE_KEYING_MATERIAL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
|
||||
@@ -66962,6 +66956,7 @@ static int test_get_signature_nid(void)
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
|
||||
#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
#if !defined(NO_CERTS) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
|
||||
static word32 test_tls_cert_store_unchanged_HashCaTable(Signer** caTable)
|
||||
{
|
||||
@@ -67108,6 +67103,7 @@ static int test_tls_cert_store_unchanged(void)
|
||||
#endif
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
#endif /* !WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
|
||||
|
||||
static int test_wolfSSL_SendUserCanceled(void)
|
||||
{
|
||||
@@ -68191,7 +68187,7 @@ TEST_CASE testCases[] = {
|
||||
TEST_DECL(test_wolfSSL_CRL_duplicate_extensions),
|
||||
TEST_DECL(test_wolfSSL_CertManagerCheckOCSPResponse),
|
||||
TEST_DECL(test_wolfSSL_CheckOCSPResponse),
|
||||
#ifdef HAVE_CERT_CHAIN_VALIDATION
|
||||
#if defined(HAVE_CERT_CHAIN_VALIDATION) && !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
|
||||
TEST_DECL(test_various_pathlen_chains),
|
||||
#endif
|
||||
|
||||
@@ -68241,7 +68237,8 @@ TEST_CASE testCases[] = {
|
||||
TEST_DECL(test_CONF_CTX_CMDLINE),
|
||||
|
||||
#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
|
||||
!defined(WOLFSSL_NO_CLIENT_AUTH)) && !defined(NO_FILESYSTEM)
|
||||
!defined(WOLFSSL_NO_CLIENT_AUTH)) && !defined(NO_FILESYSTEM) && \
|
||||
!defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
|
||||
/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
|
||||
/* Bad certificate signature tests */
|
||||
TEST_DECL(test_EccSigFailure_cm),
|
||||
@@ -68286,7 +68283,8 @@ TEST_CASE testCases[] = {
|
||||
/* Large number of memory allocations. */
|
||||
TEST_DECL(test_wolfSSL_CTX_load_system_CA_certs),
|
||||
|
||||
#ifdef HAVE_CERT_CHAIN_VALIDATION
|
||||
#if defined(HAVE_CERT_CHAIN_VALIDATION) && \
|
||||
!defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
|
||||
TEST_DECL(test_wolfSSL_CertRsaPss),
|
||||
#endif
|
||||
TEST_DECL(test_wolfSSL_CTX_load_verify_locations_ex),
|
||||
@@ -68534,7 +68532,9 @@ TEST_CASE testCases[] = {
|
||||
TEST_DECL(test_write_dup),
|
||||
TEST_DECL(test_read_write_hs),
|
||||
TEST_DECL(test_get_signature_nid),
|
||||
#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
TEST_DECL(test_tls_cert_store_unchanged),
|
||||
#endif
|
||||
TEST_DECL(test_wolfSSL_SendUserCanceled),
|
||||
TEST_DECL(test_wolfSSL_SSLDisableRead),
|
||||
TEST_DECL(test_wolfSSL_inject),
|
||||
|
||||
@@ -300,6 +300,10 @@
|
||||
#include <wolfssl/sniffer.h>
|
||||
#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
|
||||
|
||||
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
#include <CoreFoundation/CoreFoundation.h>
|
||||
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
@@ -4242,6 +4246,10 @@ struct WOLFSSL_CTX {
|
||||
#if defined(WOLFSSL_SYS_CRYPTO_POLICY)
|
||||
int secLevel; /* The security level of system-wide crypto policy. */
|
||||
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
|
||||
|
||||
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
CFMutableArrayRef testTrustedCAs;
|
||||
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
|
||||
};
|
||||
|
||||
WOLFSSL_LOCAL
|
||||
@@ -4278,6 +4286,13 @@ int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
|
||||
WOLFSSL_API
|
||||
int wolfSSL_TestAppleNativeCertValidation_AppendCA(WOLFSSL_CTX* ctx,
|
||||
const byte* derCert,
|
||||
int derLen);
|
||||
#endif /* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
|
||||
|
||||
/* All cipher suite related info
|
||||
* Keep as a constant size (no ifdefs) for session export */
|
||||
typedef struct CipherSpecs {
|
||||
|
||||
Reference in New Issue
Block a user