

address review comments
miyazakh committed Oct 16, 2024
1 parent 081fec9 commit 7b22b21
Showing 3 changed files with 31 additions and 9 deletions.
7 changes: 4 additions & 3 deletions certs/intermediate/ca_false_intermediate/gentestcert.sh
Expand Up @@ -2,7 +2,7 @@

# Script for generating RSA CA and server certs based on it.
#
SEVER_PEM='test_sign_bynoca_srv.pem'
SERVER_PEM='test_sign_bynoca_srv.pem'
INTCA_PEM='test_int_not_cacert.pem'
CA_PEM='test_ca.pem'

Expand Down Expand Up @@ -75,20 +75,21 @@ cleanup_files(){
rm -f wolfssl_ca.conf
rm -f wolfssl_int_ca.conf
rm -rf pki/
exit 0
}

# clean up
if [ "$1" = "clean" ]; then
echo "Cleaning temp files"
cleanup_files
exit 0
fi
if [ "$1" = "cleanall" ]; then
echo "Cleaning all files"
rm -f ./"$SERVER_PEM"
rm -f ./"$INTCA_PEM"
rm -f ./"$CA_PEM"
cleanup_files
exit 0
fi
# Generate OpenSSL Conf files
Generate_conf
Expand Down Expand Up @@ -152,7 +153,7 @@ mv $INT_CA_HOME/$INTCA_NAME.pem $INTCA_PEM
# Server
openssl x509 -in $SRV_CRT_HOME/server.crt -inform PEM -noout -text > $SRV_CRT_HOME/server.pem
cat $SRV_CRT_HOME/server.crt >> $SRV_CRT_HOME/server.pem
mv $SRV_CRT_HOME/server.pem $SEVER_PEM
mv $SRV_CRT_HOME/server.pem $SERVER_PEM

# clean up
cleanup_files
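Review bot: The renamed line in the last hunk still passes both paths unquoted, `mv $SRV_CRT_HOME/server.pem $SERVER_PEM`, while the `rm -f ./"$SERVER_PEM"` lines in the cleanall branch quote the same variable; `mv "$SRV_CRT_HOME/server.pem" "$SERVER_PEM"` keeps the rename consistent with those lines and avoids word splitting if either path ever contains whitespace. The sides of the changed lines are not marked on this page, but the counts and hunk header are consistent with `exit 0` being taken out of cleanup_files and added after each call in the clean branches; if so, a one-line comment such as `# removes temp files only; the caller decides whether to exit` above cleanup_files would make it clear that the function no longer terminates the script, since the final cleanup_files call at the end of the hunk now falls through. The start of cleanup_files and anything after its final call are outside the hunks shown.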
17 changes: 11 additions & 6 deletions tests/api.c
Expand Up @@ -2564,7 +2564,7 @@ static int test_wolfSSL_CTX_load_verify_locations(void)
WC_NO_ERR_TRACE(WOLFSSL_FAILURE));

/* Test loading expired CA certificates */
#ifdef NO_RSA
#if defined(NO_RSA) || defined(WOLFSSL_X509_STRICT)
ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL,
load_expired_path,
WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY | WOLFSSL_LOAD_FLAG_PEM_CA_ONLY),
Expand Down Expand Up @@ -3034,7 +3034,11 @@ static int test_wolfSSL_CertManagerLoadCABuffer_ex(void)
#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && \
!defined(NO_ASN_TIME) && defined(WOLFSSL_TRUST_PEER_CERT) && \
defined(OPENSSL_COMPATIBLE_DEFAULTS)
ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E));
#if defined(WOLFSSL_X509_STRICT)
ExpectIntEQ(ret, WC_NO_ERR_TRACE(NOT_CA_ERROR));
#else
ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E));
#endif
#else
#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
ExpectIntEQ(ret, NOT_CA_ERROR);
Expand Down Expand Up @@ -72240,7 +72244,7 @@ static int test_wolfSSL_X509_CA_num(void)
int ca_num = 0;

ExpectNotNull(store = wolfSSL_X509_STORE_new());
#if defined(OPENSSL_EXTRA)
#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
ExpectNotNull(x509_1 = wolfSSL_X509_load_certificate_file(caCertFile,
WOLFSSL_FILETYPE_PEM));
#else
Expand All @@ -72249,7 +72253,7 @@ static int test_wolfSSL_X509_CA_num(void)
#endif
ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, x509_1), 1);
ExpectIntEQ(ca_num = wolfSSL_X509_CA_num(store), 1);
#if defined(OPENSSL_EXTRA)
#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
ExpectNotNull(x509_2 = wolfSSL_X509_load_certificate_file(caEccCertFile,
WOLFSSL_FILETYPE_PEM));
#else
Expand Down Expand Up @@ -75830,7 +75834,7 @@ static int test_wolfSSL_OCSP_parse_url(void)

#if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && \
defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) && \
!defined(NO_ASN_TIME)
!defined(NO_ASN_TIME) && !defined(WOLFSSL_X509_STRICT)
static time_t test_wolfSSL_OCSP_REQ_CTX_time_cb(time_t* t)
{
if (t != NULL) {
Expand All @@ -75845,7 +75849,8 @@ static int test_wolfSSL_OCSP_REQ_CTX(void)
{
EXPECT_DECLS;
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && \
defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM)
defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) && \
!defined(WOLFSSL_X509_STRICT)
/* This buffer was taken from the ocsp-stapling.test test case 1. The ocsp
* response was captured in wireshark. It contains both the http and binary
* parts. The time test_wolfSSL_OCSP_REQ_CTX_time_cb is set exactly so that
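Review bot: The `!defined(WOLFSSL_X509_STRICT)` added to the guards in the last two hunks switches off test_wolfSSL_OCSP_REQ_CTX (and the time callback it uses) entirely in strict builds, so those builds lose this OCSP request/response coverage with nothing in the code saying why; a comment on each guard, e.g. `/* skipped under WOLFSSL_X509_STRICT -- the captured response's signer does not pass strict CA checks (TODO confirm) */`, would keep the exclusion from being carried forward silently, and regenerating the fixture so the test runs in strict builds would be better still. In test_wolfSSL_CertManagerLoadCABuffer_ex the new nested branch is gated on `#if defined(WOLFSSL_X509_STRICT)` alone and wraps the value as `WC_NO_ERR_TRACE(NOT_CA_ERROR)`, while the sibling branch a few lines below gates the same expectation on `defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)` and uses bare `NOT_CA_ERROR`; if the strict CA check really depends on OPENSSL_ALL, the new branch would expect the wrong error for a STRICT-without-OPENSSL_ALL build, and in any case the two should share one condition and one wrapper. In test_wolfSSL_X509_CA_num, narrowing the loader selection from `OPENSSL_EXTRA` to `OPENSSL_ALL && WOLFSSL_X509_STRICT` changes which path non-strict OPENSSL_EXTRA builds take, and a short comment stating why only strict builds go through wolfSSL_X509_load_certificate_file would help. All the affected test functions start and end outside the hunks shown.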
16 changes: 16 additions & 0 deletions tests/suites.c
Expand Up @@ -263,7 +263,11 @@ static int IsValidCA(const char* line)
{
int ret = 1;
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
X509_STORE* str = NULL;
#else
WOLFSSL_CTX* ctx;
#endif
size_t i;
const char* begin;
char cert[80];
Expand All @@ -277,11 +281,23 @@ static int IsValidCA(const char* line)
cert[i] = *(begin++);
cert[i] = '\0';

#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
str = X509_STORE_new();
if (str == NULL)
return 0;
#else
ctx = wolfSSL_CTX_new(wolfSSLv23_server_method_ex(NULL));
if (ctx == NULL)
return 0;
#endif
#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
/* skip if CA: at basic constraints sets to FALSE */
ret = wolfSSL_X509_STORE_load_locations(str, cert, NULL) == WOLFSSL_SUCCESS;
X509_STORE_free(str);
#else
ret = wolfSSL_CTX_use_certificate_chain_file(ctx, cert) == WOLFSSL_SUCCESS;
wolfSSL_CTX_free(ctx);
#endif
#endif /* !NO_FILESYSTEM && !NO_CERTS */

(void)line;
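Review bot: The strict-build branch of IsValidCA mixes the OpenSSL-compat spellings `X509_STORE_new()` and `X509_STORE_free(str)` with the prefixed `wolfSSL_X509_STORE_load_locations`, while the `#else` branch uses wolfSSL_-prefixed calls throughout; `str = wolfSSL_X509_STORE_new();` and `wolfSSL_X509_STORE_free(str);` keep the file self-consistent and do not rely on the compat names being in scope. The two back-to-back `#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)` / `#else` / `#endif` blocks in the second hunk repeat the same condition and could be folded into one, with the store creation, load and free in one arm and the CTX creation, chain load and free in the other. The comment `/* skip if CA: at basic constraints sets to FALSE */` is hard to read; something like `/* strict builds refuse a CA whose basicConstraints CA flag is FALSE, so such a test CA is reported invalid and the case is skipped */` says what the return value means. IsValidCA's body continues between and after the hunks shown.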
