From 10d3e251fd23586b54442e05ee6e06577ac42106 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Fri, 26 Dec 2025 17:22:00 +0900 Subject: [PATCH 1/6] fix qt jenkins nightly test failure --- src/x509_str.c | 29 +++++++- tests/api/test_ossl_x509_str.c | 117 ++++++++++++++++++++++++++------- 2 files changed, 123 insertions(+), 23 deletions(-) diff --git a/src/x509_str.c b/src/x509_str.c index 6432bab2d84..6a081177fa4 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -384,6 +384,20 @@ static int X509StoreVerifyCertDate(WOLFSSL_X509_STORE_CTX* ctx, int ret) ret = ASN_BEFORE_DATE_E; } } + #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + else { + WOLFSSL_MSG("Using system time for date validation"); + /* use system time for date validation */ + if (wc_ValidateDate(afterDate, + (byte)ctx->current_cert->notAfter.type, ASN_AFTER) < 1) { + ret = ASN_AFTER_DATE_E; + } + else if (wc_ValidateDate(beforeDate, + (byte)ctx->current_cert->notBefore.type, ASN_BEFORE) < 1) { + ret = ASN_BEFORE_DATE_E; + } + } + #endif } #else if (XVALIDATE_DATE(afterDate, @@ -424,7 +438,20 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx) WOLFSSL_SUCCESS : ret; #endif } - + #if !defined(NO_ASN_TIME) && (defined(OPENSSL_ALL) || defined(WOLFSSL_QT)) + if (ret != WC_NO_ERR_TRACE(ASN_BEFORE_DATE_E) && + ret != WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)) { + /* With Qt and OpenSSL, we need to check the certificate's date + * after certificate manager verification, + * as it skips date validation when other errors are present. + */ + ret = X509StoreVerifyCertDate(ctx, ret); + SetupStoreCtxError(ctx, ret); + if (ctx->store->verify_cb) + ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, + ctx) == 1 ? WOLFSSL_SUCCESS : -1; + } + #endif return ret; } diff --git a/tests/api/test_ossl_x509_str.c b/tests/api/test_ossl_x509_str.c index 53206b2c30e..0a6d0c8b0f9 100644 --- a/tests/api/test_ossl_x509_str.c +++ b/tests/api/test_ossl_x509_str.c 
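Review bot: In the second hunk (X509StoreVerifyCert) the post-verification date check runs even when `ret` already holds a non-date error, and if X509StoreVerifyCertDate returns `ret` unchanged when both dates are valid (the part of its body visible in the first hunk only assigns on failure), `SetupStoreCtxError(ctx, ret)` and `verify_cb(0, ctx)` fire a second time for an error the block above already reported to the callback. Consider evaluating the date check separately and re-reporting only a new failure: `int dateRet = X509StoreVerifyCertDate(ctx, WOLFSSL_SUCCESS);` followed by `if (dateRet != WOLFSSL_SUCCESS) { ret = dateRet; SetupStoreCtxError(ctx, ret); /* callback */ }`. The same structure survives the restyle in PATCH 2 (@@ -438) and the re-indent in PATCH 6 (@@ -440), so the fix applies there too. X509StoreVerifyCert's body starts outside the hunk, so I cannot confirm what the earlier callback invocation passes.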
@@ -36,6 +36,26 @@ #include #include +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_QT)) && \ + !defined(NO_RSA) && !defined(NO_FILESYSTEM) + +static int last_errcode[2]; +static int last_errdepth[2]; +static int err_index = 0; + +static int X509Callback(int ok, X509_STORE_CTX *ctx) +{ + + if (!ok) { + last_errcode[err_index] = X509_STORE_CTX_get_error(ctx); + last_errdepth[err_index++] = X509_STORE_CTX_get_error_depth(ctx); + } + /* Always return OK to allow verification to continue.*/ + return 1; +} + +#endif + int test_wolfSSL_X509_STORE_CTX_set_time(void) { EXPECT_DECLS; 
@@ -161,6 +181,78 @@ int test_wolfSSL_X509_STORE_check_time(void) store = NULL; wolfSSL_X509_free(cert); cert = NULL; + +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_QT)) && \ + !defined(NO_RSA) && !defined(NO_FILESYSTEM) + + err_index = 0; + + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(caCertFile, + SSL_FILETYPE_PEM)); + ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, ca), WOLFSSL_SUCCESS); + + X509_STORE_set_verify_cb(store, X509Callback); + + ExpectNotNull(cert = wolfSSL_X509_load_certificate_file(expiredCertFile, + SSL_FILETYPE_PEM)); + + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, cert, NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_verify_cert(ctx), WOLFSSL_SUCCESS); + /* while verifying the certificate, it should have two errors */ + ExpectIntEQ(err_index, 2); + /* self-signed */ + ExpectIntEQ(last_errcode[err_index - 2], + WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT); + /* expired */ + ExpectIntEQ(last_errcode[err_index - 1], + WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED); + + X509_STORE_CTX_free(ctx); + ctx = NULL; + X509_STORE_free(store); + store = NULL; + X509_free(cert); + cert = NULL; + X509_free(ca); + ca = NULL; + + err_index = 0; + + ExpectNotNull(store = X509_STORE_new()); + /* Set NO_CHECK_TIME flag to skip time validation */ + ExpectIntEQ(X509_VERIFY_PARAM_set_flags(store->param, + WOLFSSL_NO_CHECK_TIME), WOLFSSL_SUCCESS); + ExpectTrue((store->param->flags & WOLFSSL_NO_CHECK_TIME) == + WOLFSSL_NO_CHECK_TIME); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(caCertFile, + SSL_FILETYPE_PEM)); + ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, ca), WOLFSSL_SUCCESS); + + X509_STORE_set_verify_cb(store, X509Callback); + + ExpectNotNull(cert = wolfSSL_X509_load_certificate_file(expiredCertFile, + SSL_FILETYPE_PEM)); + + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, cert, NULL), WOLFSSL_SUCCESS); + 
ExpectIntEQ(X509_verify_cert(ctx), WOLFSSL_SUCCESS); + /* while verifying the certificate, it should have an error */ + ExpectIntEQ(err_index, 1); + /* self-signed */ + ExpectIntEQ(last_errcode[err_index - 1], + WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT); + /* no expired because of no_check_time */ + X509_STORE_CTX_free(ctx); + ctx = NULL; + X509_STORE_free(store); + store = NULL; + X509_free(cert); + cert = NULL; + X509_free(ca); + ca = NULL; +#endif #endif /* OPENSSL_EXTRA && !NO_FILESYSTEM && !NO_ASN_TIME && !NO_RSA */ return EXPECT_RESULT(); } @@ -919,24 +1011,6 @@ int test_X509_STORE_untrusted(void) return EXPECT_RESULT(); } -#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) - -static int last_errcode; -static int last_errdepth; - -static int X509Callback(int ok, X509_STORE_CTX *ctx) -{ - - if (!ok) { - last_errcode = X509_STORE_CTX_get_error(ctx); - last_errdepth = X509_STORE_CTX_get_error_depth(ctx); - } - /* Always return OK to allow verification to continue.*/ - return 1; -} - -#endif - int test_X509_STORE_InvalidCa(void) { EXPECT_DECLS; @@ -951,9 +1025,7 @@ int test_X509_STORE_InvalidCa(void) X509* cert = NULL; STACK_OF(X509)* untrusted = NULL; - last_errcode = 0; - last_errdepth = 0; - + err_index = 0; ExpectTrue((fp = XFOPEN(srvfile, "rb")) != XBADFILE); ExpectNotNull(cert = PEM_read_X509(fp, 0, 0, 0 )); @@ -978,7 +1050,8 @@ int test_X509_STORE_InvalidCa(void) ExpectIntEQ(X509_STORE_CTX_init(ctx, str, cert, untrusted), 1); ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectIntEQ(last_errcode, X509_V_ERR_INVALID_CA); + ExpectIntEQ(err_index, 1); + ExpectIntEQ(last_errcode[err_index - 1], X509_V_ERR_INVALID_CA); X509_free(cert); X509_STORE_free(str); From 30fe079763af5f7d1bcb8ec70998b99ab95a06fb Mon Sep 17 00:00:00 2001 
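Review bot: `last_errcode[err_index - 2]` and `last_errcode[err_index - 1]` index with a value that was only expected, not guaranteed, to be 2 (or 1 in the NO_CHECK_TIME block); the Expect macros record a failure and continue, so if fewer callbacks ran the test reads `last_errcode[-1]` or `last_errcode[-2]`, which is undefined behaviour rather than a clean failure. Since the count is asserted on the line before, index with constants instead: `ExpectIntEQ(last_errcode[0], WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);` and `ExpectIntEQ(last_errcode[1], WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED);`, and `last_errcode[0]` in the second block. The renamed `last_errcodes[err_index - 2]` / `[err_index - 1]` lines in PATCH 2 (@@ -203 and @@ -241) carry the same pattern. The enclosing test_wolfSSL_X509_STORE_check_time starts outside the hunk.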
From: Hideki Miyazaki Date: Wed, 7 Jan 2026 06:46:51 +0900 Subject: [PATCH 2/6] Addressed review comments --- src/x509_str.c | 18 ++++++++++------ tests/api/test_ossl_x509_str.c | 38 +++++++++++++++++++++------------- 2 files changed, 36 insertions(+), 20 deletions(-) diff --git a/src/x509_str.c b/src/x509_str.c index 6a081177fa4..389b966f657 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -384,7 +384,7 @@ static int X509StoreVerifyCertDate(WOLFSSL_X509_STORE_CTX* ctx, int ret) ret = ASN_BEFORE_DATE_E; } } - #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + #if defined(OPENSSL_ALL) else { WOLFSSL_MSG("Using system time for date validation"); /* use system time for date validation */ @@ -438,18 +438,24 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx) WOLFSSL_SUCCESS : ret; #endif } - #if !defined(NO_ASN_TIME) && (defined(OPENSSL_ALL) || defined(WOLFSSL_QT)) + #if !defined(NO_ASN_TIME) && defined(OPENSSL_ALL) if (ret != WC_NO_ERR_TRACE(ASN_BEFORE_DATE_E) && ret != WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)) { - /* With Qt and OpenSSL, we need to check the certificate's date + /* With OpenSSL, we need to check the certificate's date * after certificate manager verification, * as it skips date validation when other errors are present. */ ret = X509StoreVerifyCertDate(ctx, ret); SetupStoreCtxError(ctx, ret); - if (ctx->store->verify_cb) - ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, - ctx) == 1 ? WOLFSSL_SUCCESS : -1; + ret = ret == WOLFSSL_SUCCESS ? 1 : 0; + if (ctx->store->verify_cb) { + if (ctx->store->verify_cb(ret, ctx) == 1) { + ret = WOLFSSL_SUCCESS; + } + else { + ret = -1; + } + } } #endif return ret; diff --git a/tests/api/test_ossl_x509_str.c b/tests/api/test_ossl_x509_str.c index 0a6d0c8b0f9..2124fd184a2 100644 --- a/tests/api/test_ossl_x509_str.c +++ b/tests/api/test_ossl_x509_str.c 
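Review bot: In the second hunk (@@ -438), `ret = ret == WOLFSSL_SUCCESS ? 1 : 0;` executes before the `if (ctx->store->verify_cb)` test, so when no callback is installed a date failure now returns 0 instead of the ASN_*_DATE_E code that X509StoreVerifyCertDate produced. The context line `WOLFSSL_SUCCESS : ret;` just above suggests the earlier path in this function returns the raw error code in that case, so the two paths would disagree; if that reading is right, move the 0/1 conversion inside the callback branch: `if (ctx->store->verify_cb) { int ok = (ret == WOLFSSL_SUCCESS) ? 1 : 0; ret = ctx->store->verify_cb(ok, ctx) == 1 ? WOLFSSL_SUCCESS : -1; }`. X509StoreVerifyCert's body starts outside the hunk, so the earlier return convention is inferred, not seen.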
@@ -36,24 +36,36 @@ #include #include -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_QT)) && \ +#if defined(OPENSSL_ALL) && \ !defined(NO_RSA) && !defined(NO_FILESYSTEM) -static int last_errcode[2]; -static int last_errdepth[2]; +static int last_errcode; +static int last_errdepth; +static int last_errcodes[10]; +static int last_errdepths[10]; static int err_index = 0; static int X509Callback(int ok, X509_STORE_CTX *ctx) { if (!ok) { - last_errcode[err_index] = X509_STORE_CTX_get_error(ctx); - last_errdepth[err_index++] = X509_STORE_CTX_get_error_depth(ctx); + last_errcode = X509_STORE_CTX_get_error(ctx); + last_errdepth = X509_STORE_CTX_get_error_depth(ctx); } /* Always return OK to allow verification to continue.*/ return 1; } +static int X509CallbackCount(int ok, X509_STORE_CTX *ctx) +{ + if (!ok) { + last_errcodes[err_index] = X509_STORE_CTX_get_error(ctx); + last_errdepths[err_index] = X509_STORE_CTX_get_error_depth(ctx); + err_index++; + } + /* Always return OK to allow verification to continue.*/ + return 1; +} #endif int test_wolfSSL_X509_STORE_CTX_set_time(void) @@ -182,7 +194,7 @@ int test_wolfSSL_X509_STORE_check_time(void) wolfSSL_X509_free(cert); cert = NULL; -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_QT)) && \ +#if defined(OPENSSL_ALL) && \ !defined(NO_RSA) && !defined(NO_FILESYSTEM) err_index = 0; @@ -193,7 +205,7 @@ int test_wolfSSL_X509_STORE_check_time(void) SSL_FILETYPE_PEM)); ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, ca), WOLFSSL_SUCCESS); - X509_STORE_set_verify_cb(store, X509Callback); + X509_STORE_set_verify_cb(store, X509CallbackCount); ExpectNotNull(cert = wolfSSL_X509_load_certificate_file(expiredCertFile, SSL_FILETYPE_PEM)); 
@@ -203,10 +215,10 @@ int test_wolfSSL_X509_STORE_check_time(void) /* while verifying the certificate, it should have two errors */ ExpectIntEQ(err_index, 2); /* self-signed */ - ExpectIntEQ(last_errcode[err_index - 2], + ExpectIntEQ(last_errcodes[err_index - 2], WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT); /* expired */ - ExpectIntEQ(last_errcode[err_index - 1], + ExpectIntEQ(last_errcodes[err_index - 1], WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED); X509_STORE_CTX_free(ctx); @@ -231,7 +243,7 @@ int test_wolfSSL_X509_STORE_check_time(void) SSL_FILETYPE_PEM)); ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, ca), WOLFSSL_SUCCESS); - X509_STORE_set_verify_cb(store, X509Callback); + X509_STORE_set_verify_cb(store, X509CallbackCount); ExpectNotNull(cert = wolfSSL_X509_load_certificate_file(expiredCertFile, SSL_FILETYPE_PEM)); @@ -241,7 +253,7 @@ int test_wolfSSL_X509_STORE_check_time(void) /* while verifying the certificate, it should have an error */ ExpectIntEQ(err_index, 1); /* self-signed */ - ExpectIntEQ(last_errcode[err_index - 1], + ExpectIntEQ(last_errcodes[err_index - 1], WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT); /* no expired because of no_check_time */ X509_STORE_CTX_free(ctx); @@ -1025,7 +1037,6 @@ int test_X509_STORE_InvalidCa(void) X509* cert = NULL; STACK_OF(X509)* untrusted = NULL; - err_index = 0; ExpectTrue((fp = XFOPEN(srvfile, "rb")) != XBADFILE); ExpectNotNull(cert = PEM_read_X509(fp, 0, 0, 0 )); @@ -1050,8 +1061,7 @@ int test_X509_STORE_InvalidCa(void) ExpectIntEQ(X509_STORE_CTX_init(ctx, str, cert, untrusted), 1); ExpectIntEQ(X509_verify_cert(ctx), 1); - ExpectIntEQ(err_index, 1); - ExpectIntEQ(last_errcode[err_index - 1], X509_V_ERR_INVALID_CA); + ExpectIntEQ(last_errcode, X509_V_ERR_INVALID_CA); X509_free(cert); X509_STORE_free(str); From c923c4c0262b3b336099737220b5374c26816e6f Mon Sep 17 00:00:00 2001 
From: Hideki Miyazaki Date: Wed, 7 Jan 2026 07:16:28 +0900 Subject: [PATCH 3/6] fix compile error --- src/x509_str.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/x509_str.c b/src/x509_str.c index 389b966f657..e3a6e1f0769 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -389,11 +389,13 @@ static int X509StoreVerifyCertDate(WOLFSSL_X509_STORE_CTX* ctx, int ret) WOLFSSL_MSG("Using system time for date validation"); /* use system time for date validation */ if (wc_ValidateDate(afterDate, - (byte)ctx->current_cert->notAfter.type, ASN_AFTER) < 1) { + (byte)ctx->current_cert->notAfter.type, ASN_AFTER, + ctx->current_cert->notAfter.length) < 1) { ret = ASN_AFTER_DATE_E; } else if (wc_ValidateDate(beforeDate, - (byte)ctx->current_cert->notBefore.type, ASN_BEFORE) < 1) { + (byte)ctx->current_cert->notBefore.type, ASN_BEFORE, + ctx->current_cert->notBefore.length) < 1) { ret = ASN_BEFORE_DATE_E; } } From c6dd1a745e03480d1ab2ba73da6042957977c292 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Wed, 7 Jan 2026 09:19:43 +0900 Subject: [PATCH 4/6] boundary check --- tests/api/test_ossl_x509_str.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/tests/api/test_ossl_x509_str.c b/tests/api/test_ossl_x509_str.c index 2124fd184a2..db05e9b0de9 100644 --- a/tests/api/test_ossl_x509_str.c +++ b/tests/api/test_ossl_x509_str.c 
@@ -59,9 +59,15 @@ static int X509Callback(int ok, X509_STORE_CTX *ctx) static int X509CallbackCount(int ok, X509_STORE_CTX *ctx) { if (!ok) { - last_errcodes[err_index] = X509_STORE_CTX_get_error(ctx); - last_errdepths[err_index] = X509_STORE_CTX_get_error_depth(ctx); - err_index++; + if (err_index < 10) { + last_errcodes[err_index] = X509_STORE_CTX_get_error(ctx); + last_errdepths[err_index] = X509_STORE_CTX_get_error_depth(ctx); + err_index++; + } else { + /* Should not happen in test */ + WOLFSSL_MSG("Error index overflow in X509CallbackCount"); + err_index = 0; + } } /* Always return OK to allow verification to continue.*/ return 1; From 6392c2b42054ab0e4b8ab91a1f7265711fb377b0 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 8 Jan 2026 07:10:25 +0900 Subject: [PATCH 5/6] undo changes fix indentation --- src/x509_str.c | 8 ++++---- tests/api/test_ossl_x509_str.c | 34 +++++++++++++++++++++------------- 2 files changed, 25 insertions(+), 17 deletions(-) diff --git a/src/x509_str.c b/src/x509_str.c index e3a6e1f0769..e24715e074f 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -443,10 +443,10 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx) #if !defined(NO_ASN_TIME) && defined(OPENSSL_ALL) if (ret != WC_NO_ERR_TRACE(ASN_BEFORE_DATE_E) && ret != WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)) { - /* With OpenSSL, we need to check the certificate's date - * after certificate manager verification, - * as it skips date validation when other errors are present. - */ + /* With OpenSSL, we need to check the certificate's date + * after certificate manager verification, + * as it skips date validation when other errors are present. + */ ret = X509StoreVerifyCertDate(ctx, ret); SetupStoreCtxError(ctx, ret); ret = ret == WOLFSSL_SUCCESS ? 1 : 0; diff --git a/tests/api/test_ossl_x509_str.c b/tests/api/test_ossl_x509_str.c index db05e9b0de9..79f1ce55811 100644 --- a/tests/api/test_ossl_x509_str.c +++ b/tests/api/test_ossl_x509_str.c 
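Review bot: The overflow branch in X509CallbackCount sets `err_index = 0;`, which silently discards the ten errors already recorded and lets the next callback overwrite slot 0, so a later `ExpectIntEQ(err_index, N)` in a test can pass by accident after a wrap; leaving `err_index` at the cap makes the count assertion fail loudly while `last_errcodes[err_index - 1]` stays in bounds. The bound also repeats the literal `10` from the array declarations; tie it to the array: `if (err_index < (int)(sizeof last_errcodes / sizeof last_errcodes[0])) {` and drop the `err_index = 0;` line, keeping only the WOLFSSL_MSG in the else branch.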
@@ -39,23 +39,10 @@ #if defined(OPENSSL_ALL) && \ !defined(NO_RSA) && !defined(NO_FILESYSTEM) -static int last_errcode; -static int last_errdepth; static int last_errcodes[10]; static int last_errdepths[10]; static int err_index = 0; -static int X509Callback(int ok, X509_STORE_CTX *ctx) -{ - - if (!ok) { - last_errcode = X509_STORE_CTX_get_error(ctx); - last_errdepth = X509_STORE_CTX_get_error_depth(ctx); - } - /* Always return OK to allow verification to continue.*/ - return 1; -} - static int X509CallbackCount(int ok, X509_STORE_CTX *ctx) { if (!ok) { @@ -1029,6 +1016,24 @@ int test_X509_STORE_untrusted(void) return EXPECT_RESULT(); } +#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) + +static int last_errcode; +static int last_errdepth; + +static int X509Callback(int ok, X509_STORE_CTX *ctx) +{ + + if (!ok) { + last_errcode = X509_STORE_CTX_get_error(ctx); + last_errdepth = X509_STORE_CTX_get_error_depth(ctx); + } + /* Always return OK to allow verification to continue.*/ + return 1; +} + +#endif + int test_X509_STORE_InvalidCa(void) { EXPECT_DECLS; @@ -1043,6 +1048,9 @@ int test_X509_STORE_InvalidCa(void) X509* cert = NULL; STACK_OF(X509)* untrusted = NULL; + last_errcode = 0; + last_errdepth = 0; + ExpectTrue((fp = XFOPEN(srvfile, "rb")) != XBADFILE); ExpectNotNull(cert = PEM_read_X509(fp, 0, 0, 0 )); From cdd75ff5ef1772f281dd8a137d7a508800d72051 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 8 Jan 2026 08:46:22 +0900 Subject: [PATCH 6/6] fix indent --- src/x509_str.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/src/x509_str.c b/src/x509_str.c index e24715e074f..99f195b4ea8 100644 --- a/src/x509_str.c +++ b/src/x509_str.c 
@@ -440,26 +440,26 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx) WOLFSSL_SUCCESS : ret; #endif } - #if !defined(NO_ASN_TIME) && defined(OPENSSL_ALL) - if (ret != WC_NO_ERR_TRACE(ASN_BEFORE_DATE_E) && - ret != WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)) { - /* With OpenSSL, we need to check the certificate's date - * after certificate manager verification, - * as it skips date validation when other errors are present. - */ - ret = X509StoreVerifyCertDate(ctx, ret); - SetupStoreCtxError(ctx, ret); - ret = ret == WOLFSSL_SUCCESS ? 1 : 0; - if (ctx->store->verify_cb) { - if (ctx->store->verify_cb(ret, ctx) == 1) { - ret = WOLFSSL_SUCCESS; - } - else { - ret = -1; - } +#if !defined(NO_ASN_TIME) && defined(OPENSSL_ALL) + if (ret != WC_NO_ERR_TRACE(ASN_BEFORE_DATE_E) && + ret != WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)) { + /* With OpenSSL, we need to check the certificate's date + * after certificate manager verification, + * as it skips date validation when other errors are present. + */ + ret = X509StoreVerifyCertDate(ctx, ret); + SetupStoreCtxError(ctx, ret); + ret = ret == WOLFSSL_SUCCESS ? 1 : 0; + if (ctx->store->verify_cb) { + if (ctx->store->verify_cb(ret, ctx) == 1) { + ret = WOLFSSL_SUCCESS; + } + else { + ret = -1; } } - #endif + } +#endif return ret; }