Allows wolfclu to verify a cert chain of more than 2 certs. #159
Conversation
|
@JacobBarthelmeh , failing on CRL check. Does the CRL check need the store and/or lookup? |
|
I'll answer my own question. Yes, the CA file contains a CRL as well. So the lookup is used to loop through the various things in the CA file. But somehow, this interferes with being able to load multiple certs when doing the verify. Should we have CRL as a different file like in the example app ? |
|
@anhu thanks for the code changes! Lets try not to make adjustments to the tests if possible (if having the CRL in a different file means adjusting the test), some of them are in place for regression tests on previous reports. Could you add a test case here for the addition of support to handle a certificate chain in a single file? |
| @@ -168,8 +156,7 @@ int wolfCLU_x509Verify(int argc, char** argv) | |||
| } | |||
|
|
|||
| if (ret == WOLFCLU_SUCCESS && caCert != NULL) { | |||
| if (wolfSSL_X509_LOOKUP_load_file(lookup, caCert, X509_FILETYPE_PEM) | |||
| != WOLFSSL_SUCCESS) { | |||
| if (wolfSSL_CertManagerLoadCA(cm, caCert, NULL) != WOLFSSL_SUCCESS) { | |||
There was a problem hiding this comment.
I think this is the biggest change right? Is calling wolfSSL_X509_LOOKUP_load_file incorrect i.e. does it behave different then X509_LOOKUP_load_file() would if called in the same manner?
There was a problem hiding this comment.
Yes. Note that I have not root caused the problem. I just noticed that if there is no lookup, (only use certmanager directly) then for some reason, certmanager will go through all the certificates in the verifyCert file. I do not know why using the store makes a difference and IMHO I think it should not make a difference so maybe the root cause is somewhere else?
|
When it doesn't work, (ie 3 certs in the CA file and without this PR) @JacobBarthelmeh , care to comment? |
Fixes ZD18976