Skip to content

Update wolfSSL_X509_verify_cert to retry all certs until a valid chain is found. #8692

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Update wolfSSL_X509_verify_cert to retry all certs until a valid chain is found. #8692

wants to merge 8 commits into from
+138 −3

Conversation

kareem-wolfssl
Copy link
Contributor

Description

Previously wolfSSL_X509_verify_cert was failing out after finding an invalid chain, this commit updates it to remove the invalid cert and retry until a valid chain is found or all certs are exhausted. This matches OpenSSL's behavior according to the documentation and testing.
This allows wolfSSL_X509_verify_cert to work with multiple CA certs with the same subject key, ie. alt cert chains.

Fixes zd#19563

Testing

Tested with customer provided test.
Unit tests to be added. Confirming it passes CI/CD tests first.

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@kareem-wolfssl kareem-wolfssl self-assigned this Apr 17, 2025
@kareem-wolfssl kareem-wolfssl requested a review from Copilot April 17, 2025 21:41
Copilot
Copilot AI reviewed Apr 17, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates the wolfSSL certificate verification function to retry alternative certificate chains until a valid one is found, addressing issues with multiple CA certs having the same subject key.

  • Added a RemoveCA function prototype in wolfssl/internal.h and its implementation in src/ssl.c.
  • Updated wolfSSL_X509_verify_cert in src/x509_str.c to include retry logic that removes invalid certs and manages a failedCerts stack.
  • Introduced X509StorePopCert to extract a failing cert from the candidate stack.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
wolfssl/internal.h Added prototype for RemoveCA to support cert removal
src/x509_str.c Updated verify_cert to retry with alternative cert chains
src/ssl.c Implemented RemoveCA to remove a CA cert by subject hash
Comments suppressed due to low confidence (4)

wolfssl/internal.h:4262

  • [nitpick] Consider using 'const byte* hash' if the hash parameter is not modified within RemoveCA to enhance const-correctness and clarify intent.
WOLFSSL_LOCAL int RemoveCA(WOLFSSL_CERT_MANAGER* cm, byte* hash, byte type);

src/x509_str.c:409

  • Ensure that the updated return value documentation for wolfSSL_X509_verify_cert aligns with all call sites and the handling of WOLFSSL_SUCCESS/WOLFSSL_FAILURE macros.
 * returns 1 on success or 0 on failure.

src/x509_str.c:511

  • Review the retry logic condition and the manipulation of 'added' and 'depth' to ensure that it does not inadvertently lead to infinite loops or skipped retries when processing alternative cert chains.
if ((origDepth - depth) <= 1)

src/x509_str.c:1099

  • Verify that using pointer equality to identify the certificate in X509StorePopCert is the intended behavior and that it correctly handles cases with duplicate certificate pointers.
if (wolfSSL_sk_X509_value(certs_stack, i) == cert) {

@JacobBarthelmeh
Copy link
Contributor

Looks like it's currently failing unit tests with this configure --disable-sha --enable-opensslextra.

@kareem-wolfssl kareem-wolfssl force-pushed the zd19563_verify branch 2 times, most recently from c0be320 to e02811f Compare May 9, 2025 19:49
@kareem-wolfssl
Retry all certificates passed into wolfSSL_X509_verify_cert until a v…
96dba11 
…alid chain is found, rather than failing out on the first invalid chain. This allows for registering multiple certs with the same subject key, ie. alt cert chains.
@kareem-wolfssl
Add type parameter to RemoveCA to avoid removing CAs of the wrong type.
83e3467
@kareem-wolfssl
Fix missing cast and correct freeing of certs.
a05aeb1
@kareem-wolfssl
Remove incorrectly added NULL check, add debug logging to RemoveCA.
6fa5886
@kareem-wolfssl
Add X509StoreRemoveCa wrapper around RemoveCa
37982e7 
WOLFSSL_X509's calculated subject key hash is not guaranteed to match the cert's,
ie. in the case that NO_SHA is defined.  Use the same logic as AddCa,
parsing the DER cert and using the decoded cert's subject key hash.
@kareem-wolfssl
Add missing XFREE for dCert.
e08125f
@kareem-wolfssl
Don't fail out if X509StoreRemoveCa fails, since adding the temp CA w…
46df88c 
…as optional, it is possible there is no temp CA to remove.
@dgarske dgarske requested review from dgarske and removed request for ColtonWilley May 30, 2025 20:17
@dgarske dgarske self-assigned this May 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@dgarske dgarske Awaiting requested review from dgarske

At least 1 approving review is required to merge this pull request.

Assignees

@dgarske dgarske

@wolfSSL-Bot wolfSSL-Bot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kareem-wolfssl @JacobBarthelmeh @dgarske @ColtonWilley @wolfSSL-Bot