In wolfSSL_CTX_set_cert_store, send certificates into the CertMgr

Author: anhu

src/ssl.c

@@ -12930,6 +12930,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 
     void wolfSSL_CTX_set_cert_store(WOLFSSL_CTX* ctx, WOLFSSL_X509_STORE* str)
     {
+        WOLFSSL_X509 *x = NULL;
         WOLFSSL_ENTER("wolfSSL_CTX_set_cert_store");
         if (ctx == NULL || str == NULL || ctx->cm == str->cm) {
             return;
@@ -12946,6 +12947,20 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
         ctx->cm               = str->cm;
         ctx->x509_store.cm    = str->cm;
 
+        /* wolfSSL_CTX_set_cert_store() (this function) associates str with the
+         * wolfSSL_CTX. It is clear that this is a TLS use case which means we
+         * should move all the certs, if any, into the CertMgr and set
+         * str->certs to NULL as that will allow the certs to be properly
+         * processed. */
+        if (str->certs != NULL) {
+            while (wolfSSL_sk_X509_num(str->certs) > 0) {
+                x = wolfSSL_sk_X509_pop(str->certs);
+                X509StoreAddCa(str, x, WOLFSSL_USER_CA);
+            }
+            wolfSSL_sk_X509_pop_free(str->certs, NULL);
+            str->certs = NULL;
+        }
+
         /* free existing store if it exists */
         wolfSSL_X509_STORE_free(ctx->x509_store_pt);
         ctx->x509_store.cache = str->cache;

src/x509_str.c

@@ -34,8 +34,6 @@
 #ifdef OPENSSL_EXTRA
 static int X509StoreGetIssuerEx(WOLFSSL_X509 **issuer,
                             WOLFSSL_STACK *certs, WOLFSSL_X509 *x);
-static int X509StoreAddCa(WOLFSSL_X509_STORE* store,
-                                          WOLFSSL_X509* x509, int type);
 #endif
 
 /* Based on OpenSSL default max depth */
@@ -1367,8 +1365,7 @@ WOLFSSL_X509_LOOKUP* wolfSSL_X509_STORE_add_lookup(WOLFSSL_X509_STORE* store,
     return &store->lookup;
 }
 
-static int X509StoreAddCa(WOLFSSL_X509_STORE* store,
-                                          WOLFSSL_X509* x509, int type)
+int X509StoreAddCa(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509, int type)
 {
     int result = WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR);
     DerBuffer* derCert = NULL;

tests/api.c

@@ -28412,6 +28412,47 @@ static int test_wolfSSL_CTX_set_srp_password(void)
     return EXPECT_RESULT();
 }
 
+static int test_wolfSSL_CTX_set_cert_store_null_certs(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_TLS) && \
+    !defined(NO_WOLFSSL_SERVER)
+    X509_STORE *store = NULL;
+    WOLFSSL_CTX *ctx = NULL;
+    WOLFSSL_METHOD *method = NULL;
+    X509 *cert = NULL;
+    const char caCert[] = "./certs/ca-cert.pem";
+
+    /* Create a new X509_STORE */
+    ExpectNotNull(store = X509_STORE_new());
+
+    /* Load a certificate */
+    ExpectNotNull(cert = wolfSSL_X509_load_certificate_file(caCert,
+                                                            SSL_FILETYPE_PEM));
+
+    /* Add the certificate to the store */
+    ExpectIntEQ(X509_STORE_add_cert(store, cert), SSL_SUCCESS);
+    ExpectNotNull(store->certs);
+
+    /* Create a new SSL_CTX */
+    ExpectNotNull(method = wolfSSLv23_server_method());
+    ExpectNotNull(ctx = wolfSSL_CTX_new(method));
+
+    /* Set the store in the SSL_CTX */
+    wolfSSL_CTX_set_cert_store(ctx, store);
+
+    /* Verify that the certs member of the store is null */
+    ExpectNull(store->certs);
+
+    /* Clean up */
+    wolfSSL_CTX_free(ctx);
+    X509_free(cert);
+
+#endif
+    return EXPECT_RESULT();
+}
+
+
 static int test_wolfSSL_X509_STORE(void)
 {
     EXPECT_DECLS;
@@ -67156,6 +67197,7 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_wolfSSL_X509_VERIFY_PARAM_set1_ip),
     TEST_DECL(test_wolfSSL_X509_STORE_CTX_get0_store),
     TEST_DECL(test_wolfSSL_X509_STORE),
+    TEST_DECL(test_wolfSSL_CTX_set_cert_store_null_certs),
     TEST_DECL(test_wolfSSL_X509_STORE_load_locations),
     TEST_DECL(test_X509_STORE_get0_objects),
     TEST_DECL(test_wolfSSL_X509_load_crl_file),

wolfssl/internal.h

@@ -2781,6 +2781,11 @@ WOLFSSL_LOCAL int X509StoreLoadCertBuffer(WOLFSSL_X509_STORE *str,
                                         byte *buf, word32 bufLen, int type);
 #endif /* !defined NO_CERTS */
 
+#ifdef OPENSSL_EXTRA
+WOLFSSL_LOCAL int X509StoreAddCa(WOLFSSL_X509_STORE* store,
+                                 WOLFSSL_X509* x509, int type);
+#endif
+
 /* wolfSSL Sock Addr */
 struct WOLFSSL_SOCKADDR {
     unsigned int sz; /* sockaddr size */