@@ -38,6 +38,8 @@ static int X509StorePopCert(WOLFSSL_STACK *certs_stack, WOLFSSL_STACK *dest_stac
38
38
WOLFSSL_X509 * cert );
39
39
static int X509StoreAddCa (WOLFSSL_X509_STORE * store ,
40
40
WOLFSSL_X509 * x509 , int type );
41
+ static int X509StoreRemoveCa (WOLFSSL_X509_STORE * store ,
42
+ WOLFSSL_X509 * x509 , int type );
41
43
#endif
42
44
43
45
/* Based on OpenSSL default max depth */
@@ -568,7 +570,9 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
568
570
* cert with the same subject key which will work. Retry until all
569
571
* possible candidate certs are exhausted. */
570
572
WOLFSSL_MSG ("X509_verify_cert current cert failed, retrying with other certs." );
571
- RemoveCA (ctx -> store -> cm , ctx -> current_cert -> subjKeyId , WOLFSSL_TEMP_CA );
573
+ ret = X509StoreRemoveCa (ctx -> store , ctx -> current_cert , WOLFSSL_TEMP_CA );
574
+ if (ret != WOLFSSL_SUCCESS )
575
+ goto exit ;
572
576
X509StorePopCert (certs , failedCerts , ctx -> current_cert );
573
577
ctx -> current_cert = wolfSSL_sk_X509_pop (ctx -> chain );
574
578
depth ++ ;
@@ -1439,6 +1443,33 @@ static int X509StoreAddCa(WOLFSSL_X509_STORE* store,
1439
1443
return result ;
1440
1444
}
1441
1445
1446
+ static int X509StoreRemoveCa (WOLFSSL_X509_STORE * store ,
1447
+ WOLFSSL_X509 * x509 , int type ) {
1448
+ int result = WC_NO_ERR_TRACE (WOLFSSL_FATAL_ERROR );
1449
+ DecodedCert * dCert = NULL ;
1450
+
1451
+ if (store != NULL && x509 != NULL && x509 -> derCert != NULL ) {
1452
+ dCert = (DecodedCert * )XMALLOC (sizeof (DecodedCert ), NULL ,
1453
+ DYNAMIC_TYPE_DCERT );
1454
+
1455
+ if (dCert == NULL ) {
1456
+ return result ;
1457
+ }
1458
+ XMEMSET (dCert , 0 , sizeof (DecodedCert ));
1459
+ wc_InitDecodedCert (dCert , x509 -> derCert -> buffer , x509 -> derCert -> length , NULL );
1460
+ result = wc_ParseCert (dCert , CA_TYPE , NO_VERIFY , store -> cm );
1461
+ if (result )
1462
+ return WOLFSSL_FATAL_ERROR ;
1463
+
1464
+ result = RemoveCA (store -> cm , dCert -> extSubjKeyId , type );
1465
+ }
1466
+
1467
+ if (dCert )
1468
+ wc_FreeDecodedCert (dCert );
1469
+
1470
+ return result ;
1471
+ }
1472
+
1442
1473
1443
1474
int wolfSSL_X509_STORE_add_cert (WOLFSSL_X509_STORE * store , WOLFSSL_X509 * x509 )
1444
1475
{
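Review bot: X509StoreRemoveCa leaks the DecodedCert it XMALLOCs at 1452: wc_FreeDecodedCert releases the struct's members but not the struct itself, so no path calls `XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT)`, and the early `return WOLFSSL_FATAL_ERROR` after wc_ParseCert at 1461-1462 skips even wc_FreeDecodedCert. Because this helper now runs on every failed-candidate retry inside wolfSSL_X509_verify_cert, a chain with several bad candidates leaks one DecodedCert per attempt. Gate the RemoveCA call on `result == 0` and release both the members and the allocation on a single exit path, as below. Separately, `result` is handed back straight from RemoveCA while the caller treats anything other than WOLFSSL_SUCCESS as fatal; it is worth confirming RemoveCA reports success as WOLFSSL_SUCCESS rather than 0, since otherwise the retry loop exits on its first iteration.
```c
        result = wc_ParseCert(dCert, CA_TYPE, NO_VERIFY, store->cm);
        if (result == 0) {
            result = RemoveCA(store->cm, dCert->extSubjKeyId, type);
        }
        else {
            result = WOLFSSL_FATAL_ERROR;
        }
        /* wc_FreeDecodedCert releases only the members; the struct itself
         * was XMALLOC'd above and must be freed here on every path. */
        wc_FreeDecodedCert(dCert);
        XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT);
    }

    return result;
```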