additional debugging

Author: bigbrett

src/internal.c

@@ -42849,7 +42849,7 @@ static int DisplaySecTrustError(CFErrorRef error, SecTrustRef trust)
 
     info = CFErrorCopyUserInfo(error);
     if (info) {
-        printf("Trust error info dump:\n");
+        WOLFSSL_MSG("Trust error info dump:\n");
         CFShow(info);
         CFRelease(info);
     }
@@ -42935,6 +42935,7 @@ static int DoAppleNativeCertValidation(WOLFSSL*                   ssl,
 #if defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
     /* TEST ONLY CODE:
      * Set accumulated list of trusted CA certificates as trust anchors */
+    WOLFSSL_MSG("Setting anchor certificates");
     if (ssl->ctx->testTrustedCAs != NULL) {
         status = SecTrustSetAnchorCertificates(trust, ssl->ctx->testTrustedCAs);
         if (status != errSecSuccess) {
@@ -42967,6 +42968,7 @@ static int DoAppleNativeCertValidation(WOLFSSL*                   ssl,
             if (code == errSecCertificateValidityPeriodTooLong) {
                 WOLFSSL_MSG("Skipping certificate validity period error");
                 ret = 1;
+                /* TODO: ensure other errors aren't masked by this error */
             }
 #endif
 

src/ssl_load.c

@@ -2159,9 +2159,14 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
     /* CA certificate to verify with. */
     if (type == CA_TYPE) {
 #ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
+        /* TEST ONLY CODE:
+         * Store the DER encoding of the CA certificate so we can append it to
+         * the list of trusted CA certificates if the subsequent call to AddCA
+         * is successful */
         word32 derLen;
         byte* derBuf;
         if (ctx->doAppleNativeCertValidationFlag == 1) {
+            WOLFSSL_MSG("ANCV Test: copy DER CA cert");
             derLen = der->length;
             derBuf = (byte*)XMALLOC(derLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
             if (derBuf == NULL) {
@@ -2176,12 +2181,16 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
 #endif
         /* verify CA unless user set to no verify */
         ret = AddCA(ctx->cm, &der, WOLFSSL_USER_CA, verify);
+
 #ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
+        /* TEST ONLY CODE:
+         * Append the DER encoded CA certificate to the list of trusted CA
+         * certificates so we can inject them at verification time */
         if (ret == 1 && ctx->doAppleNativeCertValidationFlag == 1) {
-            WOLFSSL_MSG("Appending CA to cert list for native cert validation test");
+            WOLFSSL_MSG("ANCV Test: Appending CA to cert list");
             ret = wolfSSL_TestAppleNativeCertValidation_AppendCA(ctx, derBuf, (int)derLen);
             if (ret == WOLFSSL_SUCCESS) {
-                WOLFSSL_MSG("Clearing CA table for native cert validation test");
+                WOLFSSL_MSG("ANCV Test: Clearing CA table");
                 /* Clear the CA table so we can ensure they won't be used for
                  * verification */
                 ret = wolfSSL_CertManagerUnloadCAs(ctx->cm);
@@ -2192,6 +2201,7 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
             XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         }
 #endif /* !WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
+
         if (ret == 1) {
             ret = 0;
         }
@@ -2978,6 +2988,14 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
         ret = 0;
     }
 
+#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
+    if (ret == 1) {
+    /* TEST ONLY CODE: force native cert validation on */
+        WOLFSSL_MSG("ANCV Test: Loading system CA certs");
+        wolfSSL_CTX_load_system_CA_certs(ctx);
+    }
+#endif
+
     if (ret == 1) {
         /* Get setting on how to verify certificates. */
         verify = GET_VERIFY_SETTING_CTX(ctx);
@@ -2990,19 +3008,19 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
             /* Load the PEM formatted CA file */
             ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CA_TYPE, NULL, 0,
                 NULL, verify);
-    #ifndef NO_WOLFSSL_DIR
+#ifndef NO_WOLFSSL_DIR
             if (ret == 1) {
                 /* Include success in overall count. */
                 successCount++;
             }
-    #endif
-    #if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
+#endif
+#if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
             /* Load CA as a trusted peer certificate. */
             ret = wolfSSL_CTX_trust_peer_cert(ctx, file, WOLFSSL_FILETYPE_PEM);
             if (ret != 1) {
                 WOLFSSL_MSG("wolfSSL_CTX_trust_peer_cert error");
             }
-    #endif
+#endif
         }
     }
 
@@ -3015,12 +3033,6 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
         ret = NOT_COMPILED_IN;
         (void)flags;
 #endif
-
-#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
-    if (ret == 1) {
-        wolfSSL_CTX_load_system_CA_certs(ctx);
-    }
-#endif
     }
 
     return ret;
@@ -3461,15 +3473,14 @@ int wolfSSL_CTX_der_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
         ret = 0;
     }
     else {
-        ret = ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL,
-            GET_VERIFY_SETTING_CTX(ctx));
-    }
-
 #ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
-    if (ret == 1) {
+        /* TEST ONLY CODE: force native cert validation on */
+        WOLFSSL_MSG("ANCV Test: loading system CA certs");
         wolfSSL_CTX_load_system_CA_certs(ctx);
-    }
 #endif
+        ret = ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL,
+            GET_VERIFY_SETTING_CTX(ctx));
+    }
 
     /* Return 1 on success or 0 on failure. */
     return WS_RC(ret);
@@ -3975,6 +3986,14 @@ int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, const unsigned char* in,
 
     WOLFSSL_ENTER("wolfSSL_CTX_load_verify_buffer_ex");
 
+#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
+    /* TEST ONLY CODE: force native cert validation on */
+    if (ctx != NULL) {
+        WOLFSSL_MSG("ANCV Test: loading system CA certs");
+        wolfSSL_CTX_load_system_CA_certs(ctx);
+    }
+#endif
+
     /* Get setting on how to verify certificates. */
     verify = GET_VERIFY_SETTING_CTX(ctx);
     /* Overwrite setting when flag set. */
@@ -3999,12 +4018,6 @@ int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, const unsigned char* in,
     }
 #endif
 
-#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
-    if (ret == 1) {
-        wolfSSL_CTX_load_system_CA_certs(ctx);
-    }
-#endif
-
     WOLFSSL_LEAVE("wolfSSL_CTX_load_verify_buffer_ex", ret);
     return ret;
 }

tests/api.c

@@ -68151,7 +68151,7 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_wolfSSL_CertManagerCRL),
     TEST_DECL(test_wolfSSL_CertManagerCheckOCSPResponse),
     TEST_DECL(test_wolfSSL_CheckOCSPResponse),
-#ifdef HAVE_CERT_CHAIN_VALIDATION
+#if defined(HAVE_CERT_CHAIN_VALIDATION) && !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
     TEST_DECL(test_various_pathlen_chains),
 #endif
 
@@ -68201,7 +68201,8 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_CONF_CTX_CMDLINE),
 
 #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
-    !defined(WOLFSSL_NO_CLIENT_AUTH)) && !defined(NO_FILESYSTEM)
+    !defined(WOLFSSL_NO_CLIENT_AUTH)) && !defined(NO_FILESYSTEM) && \
+    !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
     /* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
     /* Bad certificate signature tests */
     TEST_DECL(test_EccSigFailure_cm),
@@ -68246,7 +68247,8 @@ TEST_CASE testCases[] = {
     /* Large number of memory allocations. */
     TEST_DECL(test_wolfSSL_CTX_load_system_CA_certs),
 
-#ifdef HAVE_CERT_CHAIN_VALIDATION
+#if defined(HAVE_CERT_CHAIN_VALIDATION) && \
+    !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
     TEST_DECL(test_wolfSSL_CertRsaPss),
 #endif
     TEST_DECL(test_wolfSSL_CTX_load_verify_locations_ex),