
Update wolfSSL_X509_verify_cert to retry all certs until a valid chain is found.

Open kareem-wolfssl opened this issue 8 months ago • 2 comments

Description

Previously wolfSSL_X509_verify_cert was failing out after finding an invalid chain; this commit updates it to remove the invalid cert and retry until a valid chain is found or all certs are exhausted. This matches OpenSSL's behavior according to the documentation and testing. This allows wolfSSL_X509_verify_cert to work with multiple CA certs with the same subject key, i.e., alt cert chains.

Fixes zd#19563

Testing

Tested with customer-provided test. Unit tests to be added. Confirming it passes CI/CD tests first.

Checklist

  • [ ] added tests
  • [ ] updated/added doxygen
  • [ ] updated appropriate READMEs
  • [ ] Updated manual and documentation

kareem-wolfssl, Apr 17 '25 19:04
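As an added illustration of the retry behaviour the PR describes (example code written for this page, not wolfSSL's implementation), the block below models chain building over a toy certificate struct. The signature check is stood in for by an authority/subject key identifier match, the issuer lookup is by subject name only, and the scenario is constructed: a root CA re-keyed under the same name, with the old generation listed first in the store. The old behaviour stops at the first name match that fails to verify; the new behaviour removes that candidate and retries until a chain reaches a trust anchor or no candidate with that name is left.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy certificate with only the fields chain building needs.
 * Constructed for this example; not an X.509 structure and not wolfSSL's. */
typedef struct {
    const char *subject;  /* name on the cert */
    const char *issuer;   /* name of the signer */
    const char *skid;     /* subject key identifier */
    const char *akid;     /* authority key identifier (the signer's skid) */
    bool        is_root;  /* trust anchor in the store */
} ToyCert;

#define MAX_CERTS 8

typedef struct {
    const ToyCert *certs[MAX_CERTS];
    int            count;
} CertPool;

/* Stand-in for the signature check: a real verifier checks the signature
 * with the candidate's public key; here the key identifiers must match. */
static bool signed_by(const ToyCert *child, const ToyCert *cand)
{
    return strcmp(child->issuer, cand->subject) == 0 &&
           strcmp(child->akid, cand->skid) == 0;
}

/* Issuer lookup by subject name only; returns the first hit, which is
 * exactly what goes wrong when two CAs share a name but not a key. */
static const ToyCert *find_by_subject(const CertPool *pool, const char *name)
{
    for (int i = 0; i < pool->count; i++)
        if (strcmp(pool->certs[i]->subject, name) == 0)
            return pool->certs[i];
    return NULL;
}

/* Walk from leaf towards a trust anchor. On success returns true and sets
 * *depth to the number of issuers used. On failure returns false and sets
 * *failed to the candidate that did not verify (NULL if no candidate with
 * that name exists, or the loop guard tripped). */
static bool walk_chain(const ToyCert *leaf, const CertPool *pool,
                       int *depth, const ToyCert **failed)
{
    const ToyCert *cur = leaf;
    *depth = 0;
    *failed = NULL;
    while (!cur->is_root) {
        const ToyCert *cand = find_by_subject(pool, cur->issuer);
        if (cand == NULL)
            return false;
        if (!signed_by(cur, cand)) {
            *failed = cand;
            return false;
        }
        cur = cand;
        if (++*depth > MAX_CERTS)   /* guard against issuer loops */
            return false;
    }
    return true;
}

/* Old behaviour: one attempt, fail out on the first bad candidate. */
static bool verify_first_match(const ToyCert *leaf, const CertPool *pool, int *depth)
{
    const ToyCert *failed;
    return walk_chain(leaf, pool, depth, &failed);
}

/* New behaviour: drop the candidate that failed and retry until a chain
 * verifies or the candidates for that name are exhausted. */
static bool verify_with_retry(const ToyCert *leaf, const CertPool *pool, int *depth)
{
    CertPool work = *pool;             /* private copy; candidates are removed from it */
    const ToyCert *failed;
    while (!walk_chain(leaf, &work, depth, &failed)) {
        if (failed == NULL)
            return false;              /* nothing left to try */
        int i = 0;
        while (work.certs[i] != failed) i++;
        for (; i + 1 < work.count; i++)
            work.certs[i] = work.certs[i + 1];
        work.count--;
    }
    return true;
}

/* Constructed scenario: "Example Root CA" was re-keyed; both generations sit
 * in the store under the same name, old one first. The issuing CA was signed
 * by the new root, so the first name match is the wrong key. */
static const ToyCert OLD_ROOT = {"CN=Example Root CA", "CN=Example Root CA",
                                 "kid-root-2015", "kid-root-2015", true};
static const ToyCert NEW_ROOT = {"CN=Example Root CA", "CN=Example Root CA",
                                 "kid-root-2023", "kid-root-2023", true};
static const ToyCert ISSUING  = {"CN=Example Issuing CA", "CN=Example Root CA",
                                 "kid-issuing-1", "kid-root-2023", false};
static const ToyCert LEAF     = {"CN=server.example.test", "CN=Example Issuing CA",
                                 "kid-leaf-1", "kid-issuing-1", false};

/* with_new_root=false leaves no valid anchor at all, so both strategies must fail. */
static bool run_scenario(bool with_new_root, bool use_retry, int *depth)
{
    CertPool pool = {{&OLD_ROOT, &ISSUING}, 2};
    if (with_new_root)
        pool.certs[pool.count++] = &NEW_ROOT;
    return use_retry ? verify_with_retry(&LEAF, &pool, depth)
                     : verify_first_match(&LEAF, &pool, depth);
}

int main(void)
{
    int depth;
    bool ok = run_scenario(true, false, &depth);
    printf("first match only:        %s\n", ok ? "valid" : "invalid");
    ok = run_scenario(true, true, &depth);
    printf("remove and retry:        %s (depth %d)\n", ok ? "valid" : "invalid", depth);
    ok = run_scenario(false, true, &depth);
    printf("retry, no valid anchor:  %s\n", ok ? "valid" : "invalid");
    return 0;
}
```

The point to keep in mind when reviewing the real change is the exhaustion condition: the retry loop must terminate both when no candidate with the issuer's name remains and when an issuer cycle is hit, otherwise a store containing only bad candidates turns a verification failure into a hang.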

Looks like it's currently failing unit tests with this configure: --disable-sha --enable-opensslextra.

JacobBarthelmeh, Apr 18 '25 19:04

Needs a test case added to avoid regression and to exercise the code with the CI make checks.

JacobBarthelmeh, Jun 02 '25 16:06