Not add a cert to CA cache if it doesn't set "CA:TRUE" as basic constraints #8060
Conversation
miyazakh
force-pushed
the
qt_jenkins_failure
branch
2 times, most recently
from
9696f39 to
e8074ed
Compare
miyazakh
changed the title
miyazakh
force-pushed
the
qt_jenkins_failure
branch
from
cdc3a87 to
1ca5933
Compare
|
retest this please |
There was a problem hiding this comment.
Found a few nits in certs/intermediate/ca_false_intermediate/gentestcert.sh.
With --enable-all CFLAGS='-DWOLFSSL_X509_STRICT', I'm seeing the follow unit test failures (rebase on 3e1f365 to assure line numbers match):
686: test_wolfSSL_OCSP_REQ_CTX :
ERROR - tests/api.c line 76037 failed with:
expected: wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ocsp/server1-cert.pem", WOLFSSL_FILETYPE_PEM) == 1
result: 0 != 1
[...]
793: test_wolfSSL_CertManagerLoadCABuffer_ex :
ERROR - tests/api.c line 3037 failed with:
expected: ret == (ASN_AFTER_DATE_E)
result: -357 != -151
[...]
848: test_wolfSSL_CTX_load_verify_locations :
ERROR - tests/api.c line 2573 failed with:
expected: wolfSSL_CTX_load_verify_locations_ex(ctx, ((void *)0), load_expired_path, 0x00000002 | 0x00000004) == WOLFSSL_SUCCESS
result: 0 != 1
|
|
||
| # Script for generating RSA CA and server certs based on it. | ||
| # | ||
| SEVER_PEM='test_sign_bynoca_srv.pem' |
There was a problem hiding this comment.
misspelled -- should be SERVER_PEM.
| # Server | ||
| openssl x509 -in $SRV_CRT_HOME/server.crt -inform PEM -noout -text > $SRV_CRT_HOME/server.pem | ||
| cat $SRV_CRT_HOME/server.crt >> $SRV_CRT_HOME/server.pem | ||
| mv $SRV_CRT_HOME/server.pem $SEVER_PEM |
There was a problem hiding this comment.
misspelled -- should be SERVER_PEM.
| rm -f wolfssl_ca.conf | ||
| rm -f wolfssl_int_ca.conf | ||
| rm -rf pki/ | ||
| exit 0 |
There was a problem hiding this comment.
the exit 0 here is masking the echo "Completed" at the end of the script.
miyazakh
force-pushed
the
qt_jenkins_failure
branch
from
1ca5933 to
7b22b21
Compare
|
Fixed unit test failures with |
|
@miyazakh Please fix merge conflicts, then re-assign to @douzzer / @wolfSSL-Bot, thanks. |
miyazakh
force-pushed
the
qt_jenkins_failure
branch
2 times, most recently
from
68cb00c to
370b925
Compare
|
Re-visited this PR based on PR8087. |
There was a problem hiding this comment.
found some more spelling errors that need fixing before merge:
certs/intermediate/ca_false_intermediate/gentestcert.sh:142: genereated ==> generated
certs/intermediate/ca_false_intermediate/wolfssl_base.conf:29: Extention ==> Extension
certs/intermediate/ca_false_intermediate/wolfssl_base.conf:57: internaly ==> internally
certs/intermediate/ca_false_intermediate/wolfssl_srv.conf:2: genrate ==> generate
src/x509_str.c:409: curren ==> current
|
Thanks! |
miyazakh
force-pushed
the
qt_jenkins_failure
branch
from
3d8fa4c to
85346d4
Compare
fix trusted peer cert cache
miyazakh
force-pushed
the
qt_jenkins_failure
branch
from
85346d4 to
fdb8893
Compare
|
Retest this please. History for PRB lost |
Description
Not add a cert to CA cache if it doesn't have
CA:TRUEas basic constraints. The behavior is enabled when OPENSSL_ALL is defined. This change is needed for qt nightly Jenkins test failure fix.Fix trusted peer cert cache
It could not add a cert to trusted peer cert cache if the cert has the same subject as pre-added cert. For example,
./certs/server-ecc-self.pemThe cert above has the same subject to server-ecc.pem. Therefore, it could not add the cert to cache if there is "server-ecc.pem" in trusted peer cert cache already. This was revealed after changing "Not add a cert to CA cache".
Testing
Qt jenkins test. Unit test
Checklist