address review comments

wolfSSL · Oct 29, 2024 · b265259 · b265259
1 parent 3533563
commit b265259
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 9 deletions.
diff --git a/certs/intermediate/ca_false_intermediate/gentestcert.sh b/certs/intermediate/ca_false_intermediate/gentestcert.sh
@@ -2,7 +2,7 @@
 
 # Script for generating RSA CA and server certs based on it.
 #
-SEVER_PEM='test_sign_bynoca_srv.pem'
+SERVER_PEM='test_sign_bynoca_srv.pem'
 INTCA_PEM='test_int_not_cacert.pem'
 CA_PEM='test_ca.pem'
 
@@ -75,20 +75,21 @@ cleanup_files(){
     rm -f wolfssl_ca.conf
     rm -f wolfssl_int_ca.conf
     rm -rf pki/
-    exit 0
 }
 
 # clean up
 if [ "$1" = "clean" ]; then
     echo "Cleaning temp files"
     cleanup_files
+    exit 0
 fi
 if [ "$1" = "cleanall" ]; then
     echo "Cleaning all files"
     rm -f ./"$SERVER_PEM"
     rm -f ./"$INTCA_PEM"
     rm -f ./"$CA_PEM"
     cleanup_files
+    exit 0
 fi
 # Generate OpenSSL Conf files
 Generate_conf
@@ -152,7 +153,7 @@ mv $INT_CA_HOME/$INTCA_NAME.pem $INTCA_PEM
 # Server
 openssl x509 -in $SRV_CRT_HOME/server.crt -inform PEM -noout -text > $SRV_CRT_HOME/server.pem
 cat $SRV_CRT_HOME/server.crt >> $SRV_CRT_HOME/server.pem
-mv $SRV_CRT_HOME/server.pem $SEVER_PEM
+mv $SRV_CRT_HOME/server.pem $SERVER_PEM
 
 # clean up
 cleanup_files

diff --git a/tests/api.c b/tests/api.c
@@ -2565,7 +2565,7 @@ static int test_wolfSSL_CTX_load_verify_locations(void)
         WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
 
     /* Test loading expired CA certificates */
-    #ifdef NO_RSA
+    #if defined(NO_RSA) || defined(WOLFSSL_X509_STRICT)
     ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL,
         load_expired_path,
         WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY | WOLFSSL_LOAD_FLAG_PEM_CA_ONLY),
@@ -3035,7 +3035,11 @@ static int test_wolfSSL_CertManagerLoadCABuffer_ex(void)
 #elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && \
       !defined(NO_ASN_TIME) && defined(WOLFSSL_TRUST_PEER_CERT) && \
       defined(OPENSSL_COMPATIBLE_DEFAULTS)
-    ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E));
+    #if defined(WOLFSSL_X509_STRICT)
+        ExpectIntEQ(ret, WC_NO_ERR_TRACE(NOT_CA_ERROR));
+    #else
+        ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E));
+    #endif
 #else
     #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
         ExpectIntEQ(ret, NOT_CA_ERROR);
@@ -72692,7 +72696,7 @@ static int test_wolfSSL_X509_CA_num(void)
     int ca_num = 0;
 
     ExpectNotNull(store = wolfSSL_X509_STORE_new());
-#if defined(OPENSSL_EXTRA)
+#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
     ExpectNotNull(x509_1 = wolfSSL_X509_load_certificate_file(caCertFile,
         WOLFSSL_FILETYPE_PEM));
 #else
@@ -72701,7 +72705,7 @@ static int test_wolfSSL_X509_CA_num(void)
 #endif
     ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, x509_1), 1);
     ExpectIntEQ(ca_num = wolfSSL_X509_CA_num(store), 1);
-#if defined(OPENSSL_EXTRA)
+#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
     ExpectNotNull(x509_2 = wolfSSL_X509_load_certificate_file(caEccCertFile,
         WOLFSSL_FILETYPE_PEM));
 #else
@@ -76282,7 +76286,7 @@ static int test_wolfSSL_OCSP_parse_url(void)
 
 #if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && \
     defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) && \
-    !defined(NO_ASN_TIME)
+    !defined(NO_ASN_TIME) && !defined(WOLFSSL_X509_STRICT)
 static time_t test_wolfSSL_OCSP_REQ_CTX_time_cb(time_t* t)
 {
     if (t != NULL) {
@@ -76297,7 +76301,8 @@ static int test_wolfSSL_OCSP_REQ_CTX(void)
 {
     EXPECT_DECLS;
 #if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && \
-    defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM)
+    defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) && \
+    !defined(WOLFSSL_X509_STRICT)
     /* This buffer was taken from the ocsp-stapling.test test case 1. The ocsp
      * response was captured in wireshark. It contains both the http and binary
      * parts. The time test_wolfSSL_OCSP_REQ_CTX_time_cb is set exactly so that

diff --git a/tests/suites.c b/tests/suites.c
@@ -263,7 +263,11 @@ static int IsValidCA(const char* line)
 {
     int ret = 1;
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
+    #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
+    X509_STORE* str = NULL;
+    #else
     WOLFSSL_CTX* ctx;
+    #endif
     size_t i;
     const char* begin;
     char cert[80];
@@ -277,11 +281,23 @@ static int IsValidCA(const char* line)
         cert[i] = *(begin++);
     cert[i] = '\0';
 
+    #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
+    str = X509_STORE_new();
+    if (str == NULL)
+        return 0;
+    #else
     ctx = wolfSSL_CTX_new(wolfSSLv23_server_method_ex(NULL));
     if (ctx == NULL)
         return 0;
+    #endif
+    #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
+    /* skip if CA: at basic constraints sets to FALSE */
+    ret = wolfSSL_X509_STORE_load_locations(str, cert, NULL) == WOLFSSL_SUCCESS;
+    X509_STORE_free(str);
+    #else
     ret = wolfSSL_CTX_use_certificate_chain_file(ctx, cert) == WOLFSSL_SUCCESS;
     wolfSSL_CTX_free(ctx);
+    #endif
 #endif /* !NO_FILESYSTEM && !NO_CERTS */
 
     (void)line;