
Not add a cert to CA cache if it doesn't set "CA:TRUE" as basic constraints

Open miyazakh opened this issue 1 year ago • 2 comments

Description

Do not add a cert to the CA cache if it doesn't have CA:TRUE as basic constraints. The behavior is enabled when OPENSSL_ALL is defined. This change is needed to fix the Qt nightly Jenkins test failure.

Fix trusted peer cert cache: it could not add a cert to the trusted peer cert cache if the cert has the same subject as a pre-added cert. For example, ./certs/server-ecc-self.pem has the same subject as server-ecc.pem. Therefore, it could not add the cert to the cache if "server-ecc.pem" was already in the trusted peer cert cache. This was revealed after changing "Not add a cert to CA cache".

Testing

Qt Jenkins test and unit test.

Checklist

  • [X] added tests
  • [ ] updated/added doxygen
  • [ ] updated appropriate READMEs
  • [ ] Updated manual and documentation

miyazakh avatar Oct 10 '24 05:10 miyazakh
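The two cache rules the description gives, as an added example in Python that is not wolfSSL's code: a small DER decoder for the BasicConstraints cA flag, and a stand-in store with a subject-keyed CA cache and a digest-keyed trusted peer cache. The cert records, their subject and their "der" bytes are constructed placeholders, not the real certs/ files.

```python
import hashlib

def decode_basic_constraints(der: bytes) -> bool:
    """Return the cA flag of a DER-encoded BasicConstraints value.

    BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
                                    pathLenConstraint INTEGER OPTIONAL }
    DER omits DEFAULT values, so an empty SEQUENCE means cA=FALSE.
    """
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected a short-form DER SEQUENCE")
    body = der[2:2 + der[1]]
    if len(body) != der[1]:
        raise ValueError("truncated BasicConstraints")
    if len(body) >= 3 and body[:2] == b"\x01\x01":  # BOOLEAN, length 1
        if body[2] == 0xFF:
            return True
        if body[2] == 0x00:
            return False  # explicit FALSE (not strict DER, but unambiguous)
        raise ValueError("invalid DER BOOLEAN value")
    return False

class CertStore:
    """Simplified stand-in for the two caches the PR touches (assumption, not wolfSSL internals)."""
    def __init__(self):
        self.ca_cache = {}            # keyed by subject: one CA entry per subject
        self.trusted_peer_cache = {}  # keyed by cert digest: same-subject certs may coexist

    def add_ca(self, cert) -> bool:
        # Rule 1: a cert without CA:TRUE never enters the CA cache.
        if not decode_basic_constraints(cert["basic_constraints"]):
            return False
        self.ca_cache[cert["subject"]] = cert
        return True

    def add_trusted_peer(self, cert) -> bool:
        # Rule 2: key on the certificate itself rather than its subject, so a
        # self-signed cert can sit beside another cert with the same subject.
        key = hashlib.sha256(cert["der"]).hexdigest()
        if key in self.trusted_peer_cache:
            return False  # only an identical cert counts as a duplicate
        self.trusted_peer_cache[key] = cert
        return True

# Constructed stand-ins for two same-subject certs (placeholder bytes, not real encodings).
SERVER_ECC = {"subject": "CN=shared-subject", "basic_constraints": b"\x30\x00", "der": b"server-ecc"}
SERVER_ECC_SELF = {"subject": "CN=shared-subject", "basic_constraints": b"\x30\x03\x01\x01\xff", "der": b"server-ecc-self"}
```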

retest this please

miyazakh avatar Oct 11 '24 06:10 miyazakh

Fixed unit test failures with --enable-all CFLAGS='-DWOLFSSL_X509_STRICT'

miyazakh avatar Oct 16 '24 12:10 miyazakh

@miyazakh Please fix merge conflicts, then re-assign to @douzzer / @wolfSSL-Bot, thanks.

cconlon avatar Oct 28 '24 15:10 cconlon

Re-visited this PR based on PR8087. Removed WOLFSSL_X509_STRICT macro and WOLFSSL_MUST_BE_CA enum

miyazakh avatar Nov 01 '24 02:11 miyazakh

Thanks!

miyazakh avatar Nov 05 '24 22:11 miyazakh

Retest this please. History for PRB lost

dgarske avatar Nov 15 '24 17:11 dgarske