Check underlying error, want only maximum validity period error

rlm2002 · rlm2002 · commit d3b30f8d5189 · 2025-06-26T08:38:28.000-06:00
add apple test macros to tests requiring cert manager
diff --git a/src/internal.c b/src/internal.c
@@ -42857,6 +42857,46 @@ static int DisplaySecTrustError(CFErrorRef error, SecTrustRef trust)
     return 0;
 }
 
+static int MaxValidityPeriodErrorOnly(CFErrorRef error)
+{
+    int multiple = 0;
+
+    CFDictionaryRef userInfo = CFErrorCopyUserInfo(error);
+    if (userInfo) {
+        /* Get underlying error */
+        CFTypeRef underlying  =
+            CFDictionaryGetValue(userInfo, kCFErrorUnderlyingErrorKey);
+        if (underlying) {
+            /* Get underlying error value*/
+            CFDictionaryRef underlyingDict =
+                CFErrorCopyUserInfo((CFErrorRef)underlying);
+            if (underlyingDict) {
+                char buffer[512];
+                CFStringRef values = 
+                    CFDictionaryGetValue(underlyingDict,
+                        kCFErrorLocalizedDescriptionKey);
+                if(CFStringGetCString(values, buffer, sizeof(buffer),
+                    kCFStringEncodingUTF8)) {
+                    if (XSTRSTR(buffer, "Certificate exceeds maximum "
+                            "temporal validity period") &&
+                        (!XSTRSTR(buffer, "Certificate exceeds maximum "
+                            "temporal validity period,") ||
+                        !XSTRSTR(buffer, ", Certificate exceeds maximum "
+                            "temporal validity period"))) {
+                        WOLFSSL_MSG("Maximum validity period error only");
+                    } else {
+                        WOLFSSL_MSG("Found other errors");
+                        multiple = 1;
+                    }
+                }
+                CFRelease(underlyingDict);
+            }
+        }
+        CFRelease(userInfo);
+    }
+    return multiple;
+}
+
 /*
  * Validates a chain of certificates using the Apple system trust APIs
  *
@@ -42966,8 +43006,14 @@ static int DoAppleNativeCertValidation(WOLFSSL*                   ssl,
              * (See: https://support.apple.com/en-us/103769)
              * therefore we should skip over this particular error */
             if (code == errSecCertificateValidityPeriodTooLong) {
-                WOLFSSL_MSG("Skipping certificate validity period error");
-                ret = 1;
+                if (MaxValidityPeriodErrorOnly(error)) {
+                    WOLFSSL_MSG("Multiple reasons for validity period error, "
+                                "not skipping");
+                    ret = 0;
+                } else {
+                    WOLFSSL_MSG("Skipping certificate validity period error");
+                    ret = 1;
+                }
                 /* TODO: ensure other errors aren't masked by this error */
             }
 #endif
diff --git a/tests/api.c b/tests/api.c
@@ -5039,6 +5039,7 @@ static int test_wolfSSL_OtherName(void)
 }
 
 #ifdef HAVE_CERT_CHAIN_VALIDATION
+#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
 static int test_wolfSSL_CertRsaPss(void)
 {
     EXPECT_DECLS;
@@ -5097,7 +5098,7 @@ static int test_wolfSSL_CertRsaPss(void)
     return EXPECT_RESULT();
 }
 #endif
-
+#endif
 static int test_wolfSSL_CTX_load_verify_locations_ex(void)
 {
     EXPECT_DECLS;
@@ -48425,6 +48426,7 @@ static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz,
 #endif
 
 #if !defined(NO_FILESYSTEM)
+#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
 static int test_RsaSigFailure_cm(void)
 {
     EXPECT_DECLS;
@@ -48499,7 +48501,7 @@ static int test_EccSigFailure_cm(void)
 #endif /* HAVE_ECC */
     return EXPECT_RESULT();
 }
-
+#endif
 #endif /* !NO_FILESYSTEM */
 #endif /* NO_CERTS */
 
@@ -58104,6 +58106,7 @@ static int test_chainJ(WOLFSSL_CERT_MANAGER* cm)
     return ret;
 }
 
+#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
 static int test_various_pathlen_chains(void)
 {
     EXPECT_DECLS;
@@ -58162,6 +58165,7 @@ static int test_various_pathlen_chains(void)
 
     return EXPECT_RESULT();
 }
+#endif
 #endif /* !NO_RSA && !NO_SHA && !NO_FILESYSTEM && !NO_CERTS */
 
 #if defined(HAVE_KEYING_MATERIAL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
@@ -67013,6 +67017,7 @@ static int test_tls_cert_store_unchanged_ssl_ready(WOLFSSL* ssl)
 }
 #endif
 
+#ifndef WOLFSSL_TEST_NATIVE_CERT_VALIDATION
 static int test_tls_cert_store_unchanged(void)
 {
     EXPECT_DECLS;
@@ -67069,6 +67074,7 @@ static int test_tls_cert_store_unchanged(void)
 #endif
     return EXPECT_RESULT();
 }
+#endif
 
 static int test_wolfSSL_SendUserCanceled(void)
 {

Original file line number	Diff line number	Diff line change
`@@ -5039,6 +5039,7 @@ static int test_wolfSSL_OtherName(void)`
`5039`	`5039`	`}`
`5040`	`5040`
`5041`	`5041`	`#ifdef HAVE_CERT_CHAIN_VALIDATION`
	`5042`	`+#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION`
`5042`	`5043`	`static int test_wolfSSL_CertRsaPss(void)`
`5043`	`5044`	`{`
`5044`	`5045`	`EXPECT_DECLS;`
`@@ -5097,7 +5098,7 @@ static int test_wolfSSL_CertRsaPss(void)`
`5097`	`5098`	`return EXPECT_RESULT();`
`5098`	`5099`	`}`
`5099`	`5100`	`#endif`
`5100`		`-`
	`5101`	`+#endif`
`5101`	`5102`	`static int test_wolfSSL_CTX_load_verify_locations_ex(void)`
`5102`	`5103`	`{`
`5103`	`5104`	`EXPECT_DECLS;`
`@@ -48425,6 +48426,7 @@ static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz,`
`48425`	`48426`	`#endif`
`48426`	`48427`
`48427`	`48428`	`#if !defined(NO_FILESYSTEM)`
	`48429`	`+#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION`
`48428`	`48430`	`static int test_RsaSigFailure_cm(void)`
`48429`	`48431`	`{`
`48430`	`48432`	`EXPECT_DECLS;`
`@@ -48499,7 +48501,7 @@ static int test_EccSigFailure_cm(void)`
`48499`	`48501`	`#endif /* HAVE_ECC */`
`48500`	`48502`	`return EXPECT_RESULT();`
`48501`	`48503`	`}`
`48502`		`-`
	`48504`	`+#endif`
`48503`	`48505`	`#endif /* !NO_FILESYSTEM */`
`48504`	`48506`	`#endif /* NO_CERTS */`
`48505`	`48507`
`@@ -58104,6 +58106,7 @@ static int test_chainJ(WOLFSSL_CERT_MANAGER* cm)`
`58104`	`58106`	`return ret;`
`58105`	`58107`	`}`
`58106`	`58108`
	`58109`	`+#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION`
`58107`	`58110`	`static int test_various_pathlen_chains(void)`
`58108`	`58111`	`{`
`58109`	`58112`	`EXPECT_DECLS;`
`@@ -58162,6 +58165,7 @@ static int test_various_pathlen_chains(void)`
`58162`	`58165`
`58163`	`58166`	`return EXPECT_RESULT();`
`58164`	`58167`	`}`
	`58168`	`+#endif`
`58165`	`58169`	`#endif /* !NO_RSA && !NO_SHA && !NO_FILESYSTEM && !NO_CERTS */`
`58166`	`58170`
`58167`	`58171`	`#if defined(HAVE_KEYING_MATERIAL) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)`
`@@ -67013,6 +67017,7 @@ static int test_tls_cert_store_unchanged_ssl_ready(WOLFSSL* ssl)`
`67013`	`67017`	`}`
`67014`	`67018`	`#endif`
`67015`	`67019`
	`67020`	`+#ifndef WOLFSSL_TEST_NATIVE_CERT_VALIDATION`
`67016`	`67021`	`static int test_tls_cert_store_unchanged(void)`
`67017`	`67022`	`{`
`67018`	`67023`	`EXPECT_DECLS;`
`@@ -67069,6 +67074,7 @@ static int test_tls_cert_store_unchanged(void)`
`67069`	`67074`	`#endif`
`67070`	`67075`	`return EXPECT_RESULT();`
`67071`	`67076`	`}`
	`67077`	`+#endif`
`67072`	`67078`
`67073`	`67079`	`static int test_wolfSSL_SendUserCanceled(void)`
`67074`	`67080`	`{`