Add X509StoreRemoveCa wrapper around RemoveCa

kareem-wolfssl · kareem-wolfssl · commit 37982e778c0a · 2025-05-21T12:08:55.000-07:00
WOLFSSL_X509's calculated subject key hash is not guaranteed to match the cert's,
ie. in the case that NO_SHA is defined.  Use the same logic as AddCa,
parsing the DER cert and using the decoded cert's subject key hash.
diff --git a/src/ssl.c b/src/ssl.c
@@ -6097,7 +6097,7 @@ int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash, byte type)
 {
     Signer* current;
     Signer* prev;
-    int     ret = 0;
+    int     ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
     word32  row;
 
     WOLFSSL_MSG("Removing a CA");
@@ -6131,7 +6131,7 @@ int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash, byte type)
                 prev->next = current->next;
             }
             FreeSigner(current, cm->heap);
-            ret = 1;
+            ret = WOLFSSL_SUCCESS;
             break;
         }
         prev = current;
diff --git a/src/x509_str.c b/src/x509_str.c
@@ -38,6 +38,8 @@ static int X509StorePopCert(WOLFSSL_STACK *certs_stack, WOLFSSL_STACK *dest_stac
                             WOLFSSL_X509 *cert);
 static int X509StoreAddCa(WOLFSSL_X509_STORE* store,
                                           WOLFSSL_X509* x509, int type);
+static int X509StoreRemoveCa(WOLFSSL_X509_STORE* store,
+                                            WOLFSSL_X509* x509, int type);
 #endif
 
 /* Based on OpenSSL default max depth */
@@ -568,7 +570,9 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
          * cert with the same subject key which will work.  Retry until all
          * possible candidate certs are exhausted. */
          WOLFSSL_MSG("X509_verify_cert current cert failed, retrying with other certs.");
-         RemoveCA(ctx->store->cm, ctx->current_cert->subjKeyId, WOLFSSL_TEMP_CA);
+         ret = X509StoreRemoveCa(ctx->store, ctx->current_cert, WOLFSSL_TEMP_CA);
+         if (ret != WOLFSSL_SUCCESS)
+            goto exit;
          X509StorePopCert(certs, failedCerts, ctx->current_cert);
          ctx->current_cert = wolfSSL_sk_X509_pop(ctx->chain);
          depth++;
@@ -1439,6 +1443,33 @@ static int X509StoreAddCa(WOLFSSL_X509_STORE* store,
     return result;
 }
 
+static int X509StoreRemoveCa(WOLFSSL_X509_STORE* store,
+                                            WOLFSSL_X509* x509, int type) {
+    int result = WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR);
+    DecodedCert* dCert = NULL;
+
+    if (store != NULL && x509 != NULL && x509->derCert != NULL) {
+        dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
+                                                DYNAMIC_TYPE_DCERT);
+
+        if (dCert == NULL) {
+            return result;
+        }
+        XMEMSET(dCert, 0, sizeof(DecodedCert));
+        wc_InitDecodedCert(dCert, x509->derCert->buffer, x509->derCert->length, NULL);
+        result = wc_ParseCert(dCert, CA_TYPE, NO_VERIFY, store->cm);
+        if (result)
+            return WOLFSSL_FATAL_ERROR;
+
+        result = RemoveCA(store->cm, dCert->extSubjKeyId, type);
+    }
+
+    if (dCert)
+        wc_FreeDecodedCert(dCert);
+
+    return result;
+}
+
 
 int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)
 {

Original file line number	Diff line number	Diff line change
`@@ -6097,7 +6097,7 @@ int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash, byte type)`
`6097`	`6097`	`{`
`6098`	`6098`	`Signer* current;`
`6099`	`6099`	`Signer* prev;`
`6100`		`- int ret = 0;`
	`6100`	`+ int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);`
`6101`	`6101`	`word32 row;`
`6102`	`6102`
`6103`	`6103`	`WOLFSSL_MSG("Removing a CA");`
`@@ -6131,7 +6131,7 @@ int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash, byte type)`
`6131`	`6131`	`prev->next = current->next;`
`6132`	`6132`	`}`
`6133`	`6133`	`FreeSigner(current, cm->heap);`
`6134`		`- ret = 1;`
	`6134`	`+ ret = WOLFSSL_SUCCESS;`
`6135`	`6135`	`break;`
`6136`	`6136`	`}`
`6137`	`6137`	`prev = current;`