
[Bug]: WolfSSL reject a critical Policy Mappings

Open. dulanshuangqiao opened this issue 10 months ago, 1 comment

Contact Details

[email protected]

Version

Ubuntu 5.7.6

Description

./configure
make
sudo make install
./testsuite/testsuite.test

wolfSSL is configured and built by default.

Reproduction steps

Use this script for certificate verification (compile with: gcc -g verify.c -o verify -lwolfssl)

#include <stdio.h>
#include <stdlib.h>
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/ssl.h>

/* Load the CA file cac into a certificate manager and verify the PEM
   end-entity certificate ec against it. Returns the wolfSSL result code
   (SSL_SUCCESS on success). */
int wolfSSL_Verify_PEM(char * cac, char * ec){
    int ret = 0;
    // create a new wolfSSL cert manager
    WOLFSSL_CERT_MANAGER* cm;
    cm = wolfSSL_CertManagerNew();
    if (cm == NULL){
        printf("Creating a new wolfSSL_CertManager failed!\n");
        exit(1);
    }

    // load the CA certificate(s) in cac into the created wolfSSL_CertManager
    ret = wolfSSL_CertManagerLoadCA(cm, cac, NULL);
    if (ret != SSL_SUCCESS){
        printf("Loading cac to the created wolfSSL_CertManager failed!\n");
        wolfSSL_CertManagerFree(cm);
        exit(2);
    }

    // verify the end-entity certificate ec against the loaded CAs
    ret = wolfSSL_CertManagerVerify(cm, ec, SSL_FILETYPE_PEM);
    if (ret != SSL_SUCCESS){
        printf("wolfSSL_CertManagerVerify failed with return code %d and error message %s\n",
               ret,
               wolfSSL_ERR_reason_error_string(ret));
    }
    else{
        printf("The target cert has passed through verification.\n");
    }

    // free cm
    wolfSSL_CertManagerFree(cm);

    return ret;
}

int main(int argc, char ** argv){
    if (argc != 3){
        fprintf(stderr, "usage: %s <CA.pem> <cert.pem>\n", argv[0]);
        return 1;
    }
    char * cac = argv[1];
    char * ec = argv[2];
    int ret = wolfSSL_Verify_PEM(cac, ec);
    // exit status reflects the verification result
    return ret == SSL_SUCCESS ? 0 : 1;
}

Actual result:

./verify RootCA.pem Cert17408146207.pem
wolfSSL_CertManagerVerify failed with return code -160 and error message X.509 Critical extension ignored or invalid.

Cert17408146207.pem failed verification.

Expected result: Consistent verification result between wolfSSL and RFC 5280 + other TLS implementations (OpenSSL: Verifying Cert17408146207.pem: OK). The target cert Cert17408146207.pem has passed verification. RFC 5280 Section 4.2.1.5 mentions: "Conforming CAs SHOULD mark this extension as critical."

certs_pm.zip

Relevant log output


dulanshuangqiao, Mar 03 '25 08:03
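The RFC 5280 rule behind the report above, that a verifier may refuse a critical extension only when it does not recognise the extension's OID, as an added example that is not code from the reporter or from wolfSSL. It parses a constructed DER Extensions sequence; the policy OIDs under 1.2.3.4 and the set of extensions the example treats as supported are assumptions.

```python
# Added example, not from the issue or wolfSSL: parse DER X.509 Extensions and
# apply RFC 5280 4.2: reject a critical extension only when its OID is unknown.
POLICY_MAPPINGS = "2.5.29.33"
KNOWN = {"2.5.29.15", "2.5.29.19", "2.5.29.32", POLICY_MAPPINGS}  # assumed verifier support

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128, high bit set on every byte but an arc's last
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):  # -> (tag, content bytes, position after this TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k, pos = n & 0x7F, pos + (n & 0x7F)
        n = int.from_bytes(buf[pos - k:pos], "big")
    return tag, buf[pos:pos + n], pos + n

def parse_extensions(der):
    """Return [(oid, critical, extnValue)] for each Extension in the SEQUENCE."""
    _, seq, _ = read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid, p = read_tlv(ext, 0)
        tag, body, p = read_tlv(ext, p)
        critical = tag == 0x01 and body != b"\x00"  # BOOLEAN DEFAULT FALSE
        if tag == 0x01:  # flag present, so the OCTET STRING value follows it
            _, body, p = read_tlv(ext, p)
        out.append((decode_oid(oid), critical, body))
    return out

def unsupported_critical(extensions):
    """RFC 5280 4.2: only a critical extension the verifier cannot process is fatal."""
    return [oid for oid, crit, _ in extensions if crit and oid not in KNOWN]

# Constructed sample (not the reporter's certs_pm.zip): critical policyMappings
# (made-up 1.2.3.4.1 -> 1.2.3.4.2), critical made-up OID 1.2.3.4.99, and
# non-critical basicConstraints.
SAMPLE = bytes.fromhex(
    "30 35"
    "  30 1a 06 03 55 1d 21 01 01 ff"                # 2.5.29.33, critical TRUE
    "     04 10 30 0e 30 0c 06 04 2a 03 04 01 06 04 2a 03 04 02"
    "  30 0c 06 04 2a 03 04 63 01 01 ff 04 01 00"    # 1.2.3.4.99, critical TRUE
    "  30 09 06 03 55 1d 13 04 02 30 00"             # 2.5.29.19, critical absent
)
```

Run against SAMPLE, `unsupported_critical(parse_extensions(SAMPLE))` names only the made-up 1.2.3.4.99 extension; the critical Policy Mappings extension is recognised and therefore not a reason to fail the certificate.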

Hello @dulanshuangqiao

I believe you are correct that we are incorrectly returning an error on a certificate that should verify. I was able to recreate this with openssl, they verify the cert and we do not. We will definitely be fixing this issue, I will let you know when I have a PR available to test.

Thanks, Colton Willey, wolfSSL.

ColtonWilley, Mar 03 '25 20:03