From 946f20ccc70c17da0231b23cafa02ef876dc8ca9 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Thu, 17 Apr 2025 12:36:54 -0700
Subject: [PATCH] Add type parameter to RemoveCA to avoid removing CAs of the wrong type.
---
 src/ssl.c | 5 +++--
 src/x509_str.c | 2 +-
 wolfssl/internal.h | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index ea567919e..4949758c6 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -6143,7 +6143,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
 }
 /* Removes the CA with the passed in subject hash from the cert manager's CA cert store. */
-int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash)
+int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash, byte type)
 {
 Signer* current;
 Signer* prev;
@@ -6170,7 +6170,8 @@ int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash)
 subjectHash = current->subjectNameHash;
 #endif
- if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) {
+ if ((current->type == type) &&
+ (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0)) {
 if (current == cm->caTable[row]) {
 cm->caTable[row] = cm->caTable[row]->next;
 }
diff --git a/src/x509_str.c b/src/x509_str.c
index 45c5f5651..6f09e6d8a 100644
--- a/src/x509_str.c
+++ b/src/x509_str.c
@@ -571,7 +571,7 @@ retry:
 * cert with the same subject key which will work. Retry until all
 * possible candidate certs are exhausted. */
 WOLFSSL_MSG("X509_verify_cert current cert failed, retrying with other certs.");
- RemoveCA(ctx->store->cm, ctx->current_cert->subjKeyId);
+ RemoveCA(ctx->store->cm, ctx->current_cert->subjKeyId, WOLFSSL_TEMP_CA);
 X509StorePopCert(certs, failedCerts, ctx->current_cert);
 if (numInterAdd > 0) numInterAdd--;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index f17162b9a..e2e560917 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
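Review bot: In src/ssl.c at the RemoveCA definition (hunk at 6143), the comment above the function still describes removal by hash alone, so the new `type` argument and the reason for it are undocumented. I would reword it to `/* Removes the CA whose hash and signer type both match from the cert manager's CA cert store; CAs of any other type are left in place. */`. The parameter is declared `byte type` while AddCA, shown in the hunk header, takes `int type`; if that is deliberate (presumably to match the width of the Signer field, which is not visible here), a word in the comment would save the next reader the question. The function body continues outside this hunk.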
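Review bot: In src/ssl.c inside RemoveCA's loop (hunk at 6170), the added `current->type == type` test is what keeps a hash match from unlinking a CA of another type, yet nothing at the condition says so. A short why-comment such as `/* Only remove a signer of the requested type; a hash match alone must not drop a CA of another type. */` would keep a later cleanup from folding the check away. The diffstat lists only src/ssl.c, src/x509_str.c and wolfssl/internal.h, so no regression test comes with the change; a test that loads a trusted CA and a temp CA sharing the same key identifier, fails verification, and asserts the trusted CA is still in the store would pin the behaviour. The loop and the rest of the unlink path lie outside the hunk.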
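Review bot: In src/x509_str.c the return value of `RemoveCA(...)` is still discarded, and with the type filter a call that finds no WOLFSSL_TEMP_CA entry for this key id becomes an ordinary outcome rather than an anomaly. What RemoveCA returns in that case is not visible in this patch, so either check it and log when nothing was removed, or make the intent explicit with `(void)RemoveCA(ctx->store->cm, ctx->current_cert->subjKeyId, WOLFSSL_TEMP_CA);` and a comment that a miss is expected when the failed cert was never added as a temp CA. The caller passes `subjKeyId` while RemoveCA's comment speaks of a subject hash and the visible `#endif` branch compares against `subjectNameHash`, so it is worth confirming that both sides hold the same kind of value in every build configuration. The enclosing retry block starts and ends outside the hunk.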
@@ -4276,7 +4276,7 @@ int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 WOLFSSL_LOCAL int AddSigner(WOLFSSL_CERT_MANAGER* cm, Signer *s);
 WOLFSSL_LOCAL int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify);
- WOLFSSL_LOCAL int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash);
+ WOLFSSL_LOCAL int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash, byte type);
 WOLFSSL_LOCAL int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash);
 #ifdef WOLFSSL_TRUST_PEER_CERT