
[Bug]: WolfSSL rejects a critical Policy Mappings extension #8524

Open
dulanshuangqiao opened this issue Mar 3, 2025 · 1 comment
@dulanshuangqiao
Contact Details

[email protected]

Version

Ubuntu, wolfSSL 5.6.4

Description

./configure
make
sudo make install
./testsuite/testsuite.test
wolfSSL is configured and built by default

Reproduction steps

Use this script for certificate verification
// gcc -g verify.c -o verify -lwolfssl

#include <wolfssl/options.h>
#include <stdio.h>
#include <stdlib.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/ssl.h>

// Verify the PEM end-entity certificate `ec` against the PEM CA certificate(s) in
// `cac` with a standalone certificate manager, i.e. the same path validation a
// TLS handshake would run, without a TLS session.
int wolfSSL_Verify_PEM(char * cac, char * ec){
int ret = 0;
// to create a new wolfSSL cert manager
WOLFSSL_CERT_MANAGER* cm;
cm = wolfSSL_CertManagerNew();
if (cm == NULL){
	printf("Creating a new wolfSSL_CertManager failed!\n");
	exit(1);
}

// to load cac to the created wolfSSL_CertManager
ret = wolfSSL_CertManagerLoadCA(cm, cac, NULL);
if (ret != SSL_SUCCESS){
	printf("Loading cac to the created wolfSSL_CertManager failed!\n");
	exit(2);
}

// to verify the ec in the created wolfSSL_CertManager
ret = wolfSSL_CertManagerVerify(cm, ec, SSL_FILETYPE_PEM);
if (ret != SSL_SUCCESS){
	// on failure ret is a negative wolfSSL error code (e.g. -160, ASN_CRIT_EXT_E)
	printf("wolfSSL_CertManagerVerify failed with return code %d and error message %s\n",
		 ret,
		 wolfSSL_ERR_reason_error_string(ret));
}
else{
	printf("The target cert has passed through verification.\n");
}

// to free cm
wolfSSL_CertManagerFree(cm);

return ret;
}

int main(int argc, char ** argv){
if (argc != 3){
	printf("usage: %s <ca.pem> <cert.pem>\n", argv[0]);
	return 1;
}
char * cac = argv[1];
char * ec = argv[2];
wolfSSL_Init();
int ret = wolfSSL_Verify_PEM(cac, ec);
wolfSSL_Cleanup();
// exit status mirrors the verification result so the script is usable from a shell
return (ret == SSL_SUCCESS) ? 0 : 1;
}

Actual result:
./verify RootCA.pem Cert17408146207.pem
wolfSSL_CertManagerVerify failed with return code -160 and error message X.509 Critical extension ignored or invalid.
Cert17408146207.pem failed verification.
Expected result:
A verification result consistent with RFC 5280 and with other TLS implementations (OpenSSL: Verifying Cert17408146207.pem: OK).
The target cert Cert17408146207.pem has passed verification.
RFC 5280 Section 4.2.1.5 mentions: Conforming CAs SHOULD mark this extension as critical.

certs_pm.zip

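The two RFC 5280 rules that collide in this report are worth seeing in code: section 4.2 says a validator MUST reject a certificate that carries a critical extension it does not recognise, and the same section says validators SHOULD recognise policyMappings (OID 2.5.29.33), which section 4.2.1.5 says CAs SHOULD mark critical. The added example below is not code from the issue, from the attached certificates, or from wolfSSL; it is a stdlib-only Python walk over a DER Extensions block that builds a constructed sample (policy OIDs under a made-up private arc, 1.3.6.1.4.1.55555) with a critical basicConstraints and a critical policyMappings, then shows that a validator whose recognised set lacks 2.5.29.33 must reject exactly as reported, while one that recognises it accepts and decodes the mapping for use in path validation.

```python
"""Stdlib-only DER walk over an X.509 Extensions block (added example, not
code from the issue or from wolfSSL). RFC 5280 section 4.2: a validator MUST
reject a certificate with a critical extension it does not recognise, and
SHOULD recognise policyMappings (2.5.29.33), which CAs SHOULD mark critical
(section 4.2.1.5)."""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_POLICY_MAPPINGS = "2.5.29.33"

# RFC 5280 section 4.2 MUST-recognise set (keyUsage, certificatePolicies, SAN,
# basicConstraints, nameConstraints, policyConstraints, EKU, inhibitAnyPolicy)
# plus the SHOULD-recognise set (AKI, SKI, policyMappings).
RFC5280_RECOGNISED = {
    "2.5.29.15", "2.5.29.32", "2.5.29.17", OID_BASIC_CONSTRAINTS, "2.5.29.30",
    "2.5.29.36", "2.5.29.37", "2.5.29.54", "2.5.29.35", "2.5.29.14",
    OID_POLICY_MAPPINGS,
}


def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos); rejects indefinite length and truncation."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated TLV")
    return tag, body, pos + length


def read_items(body):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        items.append((tag, inner))
    return items


def parse_extensions(der):
    """Extensions ::= SEQUENCE OF SEQUENCE { extnID OID, critical BOOLEAN DEFAULT
    FALSE, extnValue OCTET STRING }. Returns [(oid, critical, value)]."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result = []
    for _, ext in read_items(body):
        fields = read_items(ext)
        critical = fields[1][0] == 0x01 and fields[1][1] == b"\xff"  # DER TRUE is 0xFF
        value = fields[2][1] if fields[1][0] == 0x01 else fields[1][1]
        result.append((decode_oid(fields[0][1]), critical, value))
    return result


def parse_policy_mappings(value):
    """PolicyMappings ::= SEQUENCE OF SEQUENCE { issuerDomainPolicy, subjectDomainPolicy }"""
    _, body, _ = read_tlv(value)
    return [(decode_oid(i[1]), decode_oid(s[1]))
            for i, s in (read_items(p) for _, p in read_items(body))]


def check_critical_extensions(der, recognised):
    """RFC 5280 s.4.2: reject on any critical extension not in `recognised`.
    Returns (accepted, offending_oids, decoded policy mappings)."""
    exts = parse_extensions(der)
    offending = [oid for oid, crit, _ in exts if crit and oid not in recognised]
    mappings = [pair for oid, _, v in exts if oid == OID_POLICY_MAPPINGS and oid in recognised
                for pair in parse_policy_mappings(v)]
    return not offending, offending, mappings


def build_sample_extensions():
    """Constructed input: critical basicConstraints (CA:TRUE) and a critical
    policyMappings mapping one made-up policy OID (private arc 55555) to another."""
    def ext(oid, critical, value):
        crit = der_tlv(0x01, b"\xff") if critical else b""
        return der_tlv(0x30, der_oid(oid) + crit + der_tlv(0x04, value))
    basic = der_tlv(0x30, der_tlv(0x01, b"\xff"))
    mapping = der_tlv(0x30, der_tlv(0x30, der_oid("1.3.6.1.4.1.55555.1.1") +
                                    der_oid("1.3.6.1.4.1.55555.2.1")))
    return der_tlv(0x30, ext(OID_BASIC_CONSTRAINTS, True, basic) +
                   ext(OID_POLICY_MAPPINGS, True, mapping))


if __name__ == "__main__":
    der = build_sample_extensions()
    # A validator without policyMappings support must reject, as this issue reports.
    print(check_critical_extensions(der, RFC5280_RECOGNISED - {OID_POLICY_MAPPINGS}))
    # One that recognises it accepts and can apply the mapping during path validation.
    print(check_critical_extensions(der, RFC5280_RECOGNISED))
```

The point for a validator author is that the reject-on-unknown-critical rule is correct and must stay; the fix for a report like this one is to move the extension into the recognised set and actually process it (section 6.1.4 of RFC 5280 describes how mappings feed the valid policy tree), not to relax criticality handling in general.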

@ColtonWilley (Contributor)
Hello @dulanshuangqiao

I believe you are correct that we are incorrectly returning an error on a certificate that should verify. I was able to recreate this with openssl, they verify the cert and we do not. We will definitely be fixing this issue, I will let you know when I have a PR available to test.

Thanks,
Colton Willey, wolfSSL.
