In wolfSSL_CTX_set_cert_store, send certificates into the CertMgr #8708
Conversation
|
Will need to add test so that will kick off another round of PRB
|
anhu
force-pushed
the
wolfSSL_CTX_set_cert_store
branch
from
6eda342 to
f83ebb2
Compare
|
Jenkins retest this please (lost the build data) |
|
Jenkins retest this please
|
anhu
force-pushed
the
wolfSSL_CTX_set_cert_store
branch
2 times, most recently
from
adc18d7 to
c90fb03
Compare
|
Jenkins retest this please (aborted after 1.5 hours) |
|
jenkins retest this please |
anhu
force-pushed
the
wolfSSL_CTX_set_cert_store
branch
from
8166be6 to
5e78122
Compare
|
Jenkins retest this please |
There was a problem hiding this comment.
Pull Request Overview
Adds support for moving existing certificates into the CertMgr when setting a certificate store on an SSL context.
- Introduces
X509StoreAddCaand updateswolfSSL_sk_X509_numandwolfSSL_sk_X509_popdeclarations - Modifies
wolfSSL_CTX_set_cert_storeto transfer all stored certs into the CertMgr and clear the original stack - Adds a unit test to verify the store’s cert stack is cleared after calling
wolfSSL_CTX_set_cert_store
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| wolfssl/ssl.h | Moved declaration of wolfSSL_sk_X509_num out of the legacy block |
| wolfssl/internal.h | Declared X509StoreAddCa for internal CertMgr additions |
| tests/api.c | Added test_wolfSSL_CTX_set_cert_store_null_certs |
| src/x509_str.c | Implemented X509StoreAddCa and removed duplicate static copy |
| src/x509.c | Added wolfSSL_sk_X509_pop wrapper and extended sk_X509_num scope |
| src/ssl.c | Updated wolfSSL_CTX_set_cert_store to move certs into CertMgr |
Comments suppressed due to low confidence (2)
tests/api.c:28775
- The new test only verifies that
store->certsis set to NULL; consider adding a complementary test case to confirm that certificates are actually added into the internal CertMgr (e.g., by inspectingctx->cm).
static int test_wolfSSL_CTX_set_cert_store_null_certs(void)
src/x509.c:4180
- The function signature for
wolfSSL_sk_X509_popusesWOLFSSL_X509_NAMEinstead ofWOLFSSL_X509. This mismatch may cause invalid casts or runtime errors. Update the parameter toWOLF_STACK_OF(WOLFSSL_X509)* sk.
WOLFSSL_X509* wolfSSL_sk_X509_pop(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk)
Don't ignore return code. Co-authored-by: Copilot <[email protected]>
| SSL_FILETYPE_PEM)); | ||
|
|
||
| /* Add the certificate to the store */ | ||
| ExpectIntEQ(X509_STORE_add_cert(store, cert), SSL_SUCCESS); |
There was a problem hiding this comment.
I was looking over the support case referenced and I don't think this test reflects the edge case reported. It looks like we should be testing the order of :
wolfSSL_CTX_set_cert_store(ctx, store);
then
X509_STORE_add_cert(store, cert)
Where a cert store is assigned to the WOLFSSL_CTX struct and after it is assigned to it there is certificates added.
There was a problem hiding this comment.
This is going to be tricky or even impossible to fully support with the current design. X509_STORE owned by SSL_CTX expects everything to be in underlying CM, while X509_STORE not-owned expects them in str->certs. I should say this flow will work for TLS, but setting a X509_STORE inside a SSL_CTX, then expecting direct X509_STORE APIs to work right is likely not going to work with current model.
| if (str->certs != NULL) { | ||
| while (wolfSSL_sk_X509_num(str->certs) > 0) { | ||
| int ret; | ||
| x = wolfSSL_sk_X509_pop(str->certs); |
There was a problem hiding this comment.
The cert store has 3 X509 stacks, one for certs, one for trusted, and one named owned. Are we sure that it is the certs stack that should get added as CA's?
There was a problem hiding this comment.
In my opinion, certs should get added but trusted should also.
| break; /* Exit the loop on failure */ | ||
| } | ||
| } | ||
| wolfSSL_sk_X509_pop_free(str->certs, NULL); |
There was a problem hiding this comment.
Why does the certs stack need free'd and emptied here? Is it being converted over to a WOLFSSL_CTX cert store, and that future calls to wolfSSL_X509_STORE_add_cert would then load certs as a CA?
There was a problem hiding this comment.
Also it would be worth checking if this behavior conforms to the expected OpenSSL compat behavior. Attempting untrusted vs trusted self signed certificate loads after the store is set to the WOLFSSL_CTX struct.
There was a problem hiding this comment.
There is a concept of SSL_CTX owned X509_STORE vs non-owned. While confusing, it was done this way to leave all existing code for TLS and CM usage unmodified. To determine if X509_STORE is owned by SSL_CTX or not, we do NULL checks on str->certs. So that is why it needs to be pop_freed here, otherwise logic in X509_STORE wont work right.
| wolfSSL_CTX_set_cert_store(ctx, store); | ||
|
|
||
| /* Verify that the certs member of the store is null */ | ||
| ExpectNull(store->certs); |
There was a problem hiding this comment.
We should be testing a successful verification making use of the loaded CA's.
|
Assigned to @ColtonWilley as agreed in offline conversation. |
Fixes ZD 19760
Before this fix, the certificates were not getting into the certificate manager. This makes sure they are going in.