Not add a cert to CA cache if it doesn't set "CA:TRUE" as basic constraints #8060
Conversation
9696f39 to e8074ed
cdc3a87 to 1ca5933
retest this please
Found a few nits in certs/intermediate/ca_false_intermediate/gentestcert.sh.
With --enable-all CFLAGS='-DWOLFSSL_X509_STRICT', I'm seeing the following unit test failures (rebase on 3e1f365 to assure line numbers match):
686: test_wolfSSL_OCSP_REQ_CTX :
ERROR - tests/api.c line 76037 failed with:
expected: wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ocsp/server1-cert.pem", WOLFSSL_FILETYPE_PEM) == 1
result: 0 != 1
[...]
793: test_wolfSSL_CertManagerLoadCABuffer_ex :
ERROR - tests/api.c line 3037 failed with:
expected: ret == (ASN_AFTER_DATE_E)
result: -357 != -151
[...]
848: test_wolfSSL_CTX_load_verify_locations :
ERROR - tests/api.c line 2573 failed with:
expected: wolfSSL_CTX_load_verify_locations_ex(ctx, ((void *)0), load_expired_path, 0x00000002 | 0x00000004) == WOLFSSL_SUCCESS
result: 0 != 1
# Script for generating RSA CA and server certs based on it.
#
SEVER_PEM='test_sign_bynoca_srv.pem'
misspelled -- should be SERVER_PEM.
Thanks.
# Server
openssl x509 -in $SRV_CRT_HOME/server.crt -inform PEM -noout -text > $SRV_CRT_HOME/server.pem
cat $SRV_CRT_HOME/server.crt >> $SRV_CRT_HOME/server.pem
mv $SRV_CRT_HOME/server.pem $SEVER_PEM
misspelled -- should be SERVER_PEM.
Thanks
rm -f wolfssl_ca.conf
rm -f wolfssl_int_ca.conf
rm -rf pki/
exit 0
the exit 0 here is masking the echo "Completed" at the end of the script.
moved "exit"
1ca5933 to 7b22b21
Fixed unit test failures with
@miyazakh Please fix merge conflicts, then re-assign to @douzzer / @wolfSSL-Bot, thanks.
68cb00c to 370b925
Re-visited this PR based on PR8087.
found some more spelling errors that need fixing before merge:
certs/intermediate/ca_false_intermediate/gentestcert.sh:142: genereated ==> generated
certs/intermediate/ca_false_intermediate/wolfssl_base.conf:29: Extention ==> Extension
certs/intermediate/ca_false_intermediate/wolfssl_base.conf:57: internaly ==> internally
certs/intermediate/ca_false_intermediate/wolfssl_srv.conf:2: genrate ==> generate
src/x509_str.c:409: curren ==> current
Thanks!
3d8fa4c to 85346d4
fix trusted peer cert cache
85346d4 to fdb8893
Retest this please. History for PRB lost
Description
Not add a cert to CA cache if it doesn't have CA:TRUE as basic constraints. The behavior is enabled when OPENSSL_ALL is defined. This change is needed for qt nightly Jenkins test failure fix.
Fix trusted peer cert cache
It could not add a cert to trusted peer cert cache if the cert has the same subject as a pre-added cert. For example,
./certs/server-ecc-self.pem
The cert above has the same subject as server-ecc.pem. Therefore, it could not add the cert to cache if there is "server-ecc.pem" in trusted peer cert cache already. This was revealed after changing "Not add a cert to CA cache".
Testing
Qt jenkins test. Unit test
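As an added example (not wolfSSL's code), the CA:TRUE gate this PR describes, written as a minimal DER walk over a certificate's Extensions field: a cert with no basicConstraints, or with an empty one (cA defaults to FALSE), is refused from the CA cache. The Extensions blobs are constructed by hand for illustration; the cache keyed by subject is an assumption of the example, not wolfSSL's structure.

```python
# Added example, not wolfSSL code: the CA:TRUE gate from this PR as a minimal
# DER walk over a certificate's Extensions SEQUENCE (RFC 5280 s4.2.1.9).
# The sample Extensions blobs below are constructed by hand for illustration.

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # id-ce-basicConstraints 2.5.29.19

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """List the TLVs contained in a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def is_ca_cert(extensions_der):
    """True only when basicConstraints is present and its cA BOOLEAN is TRUE.
    No extension, or an empty SEQUENCE (cA DEFAULT FALSE), means not a CA."""
    _, exts, _ = _tlv(extensions_der, 0)     # unwrap outer Extensions SEQUENCE
    for tag, ext in _children(exts):
        fields = _children(ext)              # [OID, optional critical, OCTET STRING]
        if tag != 0x30 or fields[0][1] != BASIC_CONSTRAINTS_OID:
            continue
        _, bc, _ = _tlv(fields[-1][1], 0)    # BasicConstraints SEQUENCE in extnValue
        inner = _children(bc)
        # DER encodes TRUE as a single 0xFF; cA must come first (pathLen is optional)
        return bool(inner) and inner[0] == (0x01, b"\xff")
    return False

def add_to_ca_cache(ca_cache, subject, extensions_der):
    """Mirror the PR's rule: only certificates asserting CA:TRUE enter the cache."""
    if not is_ca_cert(extensions_der):
        return False
    ca_cache.setdefault(subject, []).append(extensions_der)
    return True

# Constructed samples: basicConstraints critical CA:TRUE; an empty (leaf)
# basicConstraints; and a cert carrying only keyUsage (2.5.29.15).
CA_EXTS = bytes.fromhex("3011300f0603551d130101ff040530030101ff")
LEAF_EXTS = bytes.fromhex("300b30090603551d1304023000")
NO_BC_EXTS = bytes.fromhex("300d300b0603551d0f0404030205a0")
```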