Add type parameter to RemoveCA to avoid removing CAs of the wrong type.

src/ssl.c

@@ -6143,7 +6143,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
 }
 
 /* Removes the CA with the passed in subject hash from the cert manager's CA cert store. */
-int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash)
+int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash, byte type)
 {
     Signer* current;
     Signer* prev;
@@ -6170,7 +6170,8 @@ int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash)
         subjectHash = current->subjectNameHash;
     #endif
 
-        if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) {
+        if ((current->type == type) &&
+            (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0)) {
             if (current == cm->caTable[row]) {
                 cm->caTable[row] = cm->caTable[row]->next;
             }

src/x509_str.c

@@ -571,7 +571,7 @@ retry:
          * cert with the same subject key which will work.  Retry until all
          * possible candidate certs are exhausted. */
          WOLFSSL_MSG("X509_verify_cert current cert failed, retrying with other certs.");
-         RemoveCA(ctx->store->cm, ctx->current_cert->subjKeyId);
+         RemoveCA(ctx->store->cm, ctx->current_cert->subjKeyId, WOLFSSL_TEMP_CA);
          X509StorePopCert(certs, failedCerts, ctx->current_cert);
          if (numInterAdd > 0)
             numInterAdd--;

wolfssl/internal.h

@@ -4276,7 +4276,7 @@ int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     WOLFSSL_LOCAL int AddSigner(WOLFSSL_CERT_MANAGER* cm, Signer *s);
     WOLFSSL_LOCAL
     int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify);
-    WOLFSSL_LOCAL int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash);
+    WOLFSSL_LOCAL int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash, byte type);
     WOLFSSL_LOCAL
     int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash);
 #ifdef WOLFSSL_TRUST_PEER_CERT