
Commit 592341c

Add test case for new x509_verify_cert retry functionality.
Add a CA cert with the same SKI and an intentionally invalid AKI as part of the x509_verify_cert test case.
1 parent 86b5590 commit 592341c


4 files changed

+99
-0
lines changed

851 Bytes
Binary file not shown.
Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,67 @@
1+
Certificate:
2+
Data:
3+
Version: 3 (0x2)
4+
Serial Number: 4113 (0x1011)
5+
Signature Algorithm: sha256WithRSAEncryption
6+
Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = wolfSSL Intermediate CA, emailAddress = info@wolfssl.com
7+
Validity
8+
Not Before: Jun 18 22:52:02 2025 GMT
9+
Not After : Jun 13 22:52:02 2045 GMT
10+
Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
11+
Subject Public Key Info:
12+
Public Key Algorithm: id-ecPublicKey
13+
Public-Key: (256 bit)
14+
pub:
15+
04:02:d3:d9:6e:d6:01:8e:45:c8:b9:90:31:e5:c0:
16+
4c:e3:9e:ad:29:38:98:ba:10:d6:e9:09:2a:80:a9:
17+
2e:17:2a:b9:8a:bf:33:83:46:e3:95:0b:e4:77:40:
18+
b5:3b:43:45:33:0f:61:53:7c:37:44:c1:cb:fc:80:
19+
ca:e8:43:ea:a7
20+
ASN1 OID: prime256v1
21+
NIST CURVE: P-256
22+
X509v3 extensions:
23+
X509v3 Subject Key Identifier:
24+
56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
25+
X509v3 Authority Key Identifier:
26+
EF:69:E0:F7:D5:1D:E6:99:EC:DC:6D:D0:F7:E2:B9:5C:64:71:83:35
27+
X509v3 Basic Constraints: critical
28+
CA:TRUE, pathlen:1
29+
X509v3 Key Usage: critical
30+
Digital Signature, Certificate Sign, CRL Sign
31+
Signature Algorithm: sha256WithRSAEncryption
32+
Signature Value:
33+
43:55:80:10:fb:06:b8:58:4c:02:3f:43:f7:bb:fd:46:ae:83:
34+
c7:fe:d3:b9:5c:58:00:49:b1:4c:ed:17:84:14:72:02:05:93:
35+
d7:87:b0:27:ff:bf:8a:50:50:26:41:b5:6b:83:8e:eb:46:ab:
36+
bb:da:f8:42:b2:df:3c:41:54:11:18:09:1c:a6:6e:63:56:be:
37+
7a:20:0d:08:d2:c0:25:ce:a4:d0:3d:09:02:fb:7b:41:59:49:
38+
b5:e1:f7:72:84:b4:c7:10:c8:a0:07:64:73:6b:80:06:7a:31:
39+
62:ad:49:92:53:ef:d7:d6:b4:89:9c:15:20:a5:c4:ed:c0:39:
40+
7c:68:f2:19:e0:cf:e5:bb:5a:16:10:d5:de:80:da:0f:0e:91:
41+
0b:39:73:d6:a7:73:b2:b6:2b:c6:fb:bc:33:e6:fd:d9:1c:dc:
42+
48:3d:1e:8b:6b:9f:8f:60:26:69:53:3b:17:ed:62:bd:34:ab:
43+
8c:e4:4c:17:f4:c3:bc:81:63:ad:67:c1:5d:e3:72:ac:a5:8a:
44+
bc:6f:0c:2e:33:81:81:92:20:d4:4b:e0:a3:22:12:d6:b4:27:
45+
1f:37:14:a2:c4:76:c0:3c:29:44:4d:a9:35:67:21:1d:11:7f:
46+
76:98:02:f7:5a:f9:05:cb:2d:3b:39:45:e9:9d:82:9a:20:b0:
47+
c6:56:1c:d4
48+
-----BEGIN CERTIFICATE-----
49+
MIIDTzCCAjegAwIBAgICEBEwDQYJKoZIhvcNAQELBQAwgZ8xCzAJBgNVBAYTAlVT
50+
MRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQK
51+
DAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEgMB4GA1UEAwwXd29sZlNT
52+
TCBJbnRlcm1lZGlhdGUgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
53+
b20wHhcNMjUwNjE4MjI1MjAyWhcNNDUwNjEzMjI1MjAyWjCBlzELMAkGA1UEBhMC
54+
VVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNV
55+
BAoMB3dvbGZTU0wxFDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cu
56+
d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wWTAT
57+
BgcqhkjOPQIBBggqhkjOPQMBBwNCAAQC09lu1gGORci5kDHlwEzjnq0pOJi6ENbp
58+
CSqAqS4XKrmKvzODRuOVC+R3QLU7Q0UzD2FTfDdEwcv8gMroQ+qno2YwZDAdBgNV
59+
HQ4EFgQUVo6aw/BC3hi5RVVu+ZPP6sPzpSEwHwYDVR0jBBgwFoAU72ng99Ud5pns
60+
3G3Q9+K5XGRxgzUwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYw
61+
DQYJKoZIhvcNAQELBQADggEBAENVgBD7BrhYTAI/Q/e7/Uaug8f+07lcWABJsUzt
62+
F4QUcgIFk9eHsCf/v4pQUCZBtWuDjutGq7va+EKy3zxBVBEYCRymbmNWvnogDQjS
63+
wCXOpNA9CQL7e0FZSbXh93KEtMcQyKAHZHNrgAZ6MWKtSZJT79fWtImcFSClxO3A
64+
OXxo8hngz+W7WhYQ1d6A2g8OkQs5c9anc7K2K8b7vDPm/dkc3Eg9Hotrn49gJmlT
65+
OxftYr00q4zkTBf0w7yBY61nwV3jcqylirxvDC4zgYGSINRL4KMiEta0Jx83FKLE
66+
dsA8KURNqTVnIR0Rf3aYAvda+QXLLTs5RemdgpogsMZWHNQ=
67+
-----END CERTIFICATE-----

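--- a/certs/intermediate/genintcerts.sh
+++ b/certs/intermediate/genintcerts.sh
@@ -313,6 +313,9 @@ create_cert wolfssl_int2_ecc wolfssl_int2_ecc ./certs/ecc-key.pem server-int-ecc
 echo "Create ECC Client Certificate signed by intermediate2"
 create_cert wolfssl_int2_ecc wolfssl_int2_ecc ./certs/ecc-client-key.pem client-int-ecc-cert usr_cert "wolfSSL Client Chain ECC" 3650
 
+echo "Create alt CA with intentionally invalid AKI"
+create_cert wolfssl_root_ecc wolfssl_int ./certs/ca-ecc-key.pem ca-ecc-bad-aki v3_intermediate_ca "www.wolfssl.com" 7300
+
 echo "Generate CRLs for new certificates"
 openssl ca -config ./certs/intermediate/wolfssl_root_ecc.cnf -gencrl -crldays 1000 -out ./certs/crl/ca-int-ecc.pem -keyfile ./certs/intermediate/ca-int-ecc-key.pem -cert ./certs/intermediate/ca-int-ecc-cert.pem
 check_result $?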
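Review bot: The new create_cert call on line 317 does not record how the resulting CA ends up with an invalid AKI; the echo on 316 only states the intent, and the next person regenerating the test certs has nothing telling them the odd argument combination is deliberate. From the visible arguments it reuses ./certs/ca-ecc-key.pem (so the SKI matches ca-ecc-cert.pem, the root the test loads) while the second argument is wolfssl_int rather than the ECC root used for the sibling calls, which is presumably what makes the AKI point at a CA the store never loads — inferred from the argument pattern and the RSA issuer in the generated .pem, so confirm against create_cert. I would put a comment above line 316 along the lines of `# Same key (hence same SKI) as ca-ecc-cert.pem, but issued by a different CA so its AKI matches no loaded root; consumed by test_wolfSSL_X509_STORE_CTX_ex12 in tests/api.c — do not "fix".` The output name ca-ecc-bad-aki also drops the -cert suffix every other file created in this section carries; either name the exception in the comment or rename it and the path in tests/api.c together.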

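--- a/tests/api.c
+++ b/tests/api.c
@@ -27325,6 +27325,34 @@ static int test_wolfSSL_X509_STORE_CTX_ex11(X509_STORE_test_data *testData)
     X509_STORE_free(store);
     return EXPECT_RESULT();
 }
+
+static int test_wolfSSL_X509_STORE_CTX_ex12(void)
+{
+    EXPECT_DECLS;
+    X509_STORE* store = NULL;
+    X509_STORE_CTX* ctx = NULL;
+    STACK_OF(X509)* chain = NULL;
+
+    const char* intCARootECCFile = "./certs/ca-ecc-cert.pem";
+    const char* intCA1ECCFile = "./certs/intermediate/ca-int-ecc-cert.pem";
+    const char* intCABadAKIECCFile = "./certs/intermediate/ca-ecc-bad-aki.pem";
+
+    /* Test case 12, multiple CAs with the same SKI including 1 with intentionally
+       bad/unregistered AKI. x509_verify_cert should still form a valid chain
+       using the valid CA, ignoring the bad CA. Developed from customer provided
+       reproducer. */
+
+    ExpectNotNull(store = X509_STORE_new());
+    ExpectIntEQ(X509_STORE_add_cert(store, test_wolfSSL_X509_STORE_CTX_ex_helper(intCARootECCFile)), 1);
+    ExpectIntEQ(X509_STORE_add_cert(store, test_wolfSSL_X509_STORE_CTX_ex_helper(intCABadAKIECCFile)), 1);
+    ExpectNotNull(ctx = X509_STORE_CTX_new());
+    ExpectIntEQ(X509_STORE_CTX_init(ctx, store, test_wolfSSL_X509_STORE_CTX_ex_helper(intCA1ECCFile), NULL), 1);
+    ExpectIntEQ(X509_verify_cert(ctx), 1);
+    ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx));
+    X509_STORE_CTX_free(ctx);
+    X509_STORE_free(store);
+    return EXPECT_RESULT();
+}
 #endif
 
 static int test_wolfSSL_X509_STORE_CTX_ex(void)
@@ -27364,6 +27392,7 @@ static int test_wolfSSL_X509_STORE_CTX_ex(void)
     ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex9(&testData), 1);
     ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex10(&testData), 1);
     ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex11(&testData), 1);
+    ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex12(), 1);
 
     if(testData.x509Ca) {
         X509_free(testData.x509Ca);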
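Review bot: The new test never checks which CA the chain was actually built through, although that is exactly what the comment at 27340–27343 claims to test: only `X509_verify_cert(ctx) == 1` and a non-NULL `chain` are asserted, so a verifier that chained to the same-SKI CA with the bad AKI, or returned a one-element chain, would pass unchanged. Holding the helper results in locals also lets the test release them; the enclosing test frees `testData.x509Ca` at the end, which suggests `X509_STORE_add_cert` and `X509_STORE_CTX_init` do not take ownership of the X509 returned by `test_wolfSSL_X509_STORE_CTX_ex_helper`, so the three inline calls at 27346–27349 look like leaks under leak checking — confirm against the helper. Asserting the chain length and comparing its top element to the loaded root pins the behaviour, assuming the compat layer exposes `sk_X509_value` and `X509_cmp` as OpenSSL does. The same three lines also run past 80 columns, which the surrounding code keeps to; the rewrite below fixes that as a side effect. The whole of test_wolfSSL_X509_STORE_CTX_ex12 lies inside the hunk.
```c
    X509* root = NULL;
    X509* badCA = NULL;
    X509* leaf = NULL;
    /* … unchanged: file-name constants and comment … */
    ExpectNotNull(root = test_wolfSSL_X509_STORE_CTX_ex_helper(intCARootECCFile));
    ExpectNotNull(badCA = test_wolfSSL_X509_STORE_CTX_ex_helper(intCABadAKIECCFile));
    ExpectNotNull(leaf = test_wolfSSL_X509_STORE_CTX_ex_helper(intCA1ECCFile));
    ExpectNotNull(store = X509_STORE_new());
    ExpectIntEQ(X509_STORE_add_cert(store, root), 1);
    ExpectIntEQ(X509_STORE_add_cert(store, badCA), 1);
    ExpectNotNull(ctx = X509_STORE_CTX_new());
    ExpectIntEQ(X509_STORE_CTX_init(ctx, store, leaf, NULL), 1);
    ExpectIntEQ(X509_verify_cert(ctx), 1);
    ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx));
    /* Chain must be leaf + the real root, not the same-SKI CA with the bad AKI. */
    ExpectIntEQ(sk_X509_num(chain), 2);
    ExpectIntEQ(X509_cmp(sk_X509_value(chain, 1), root), 0);
    X509_STORE_CTX_free(ctx);
    X509_STORE_free(store);
    X509_free(leaf);
    X509_free(badCA);
    X509_free(root);
    return EXPECT_RESULT();
```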
