Skip to content

Apple Cert Fix: Prevent verify callback from blocking ANCV invocation #9667

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
bigbrett wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

Apple Cert Fix: Prevent verify callback from blocking ANCV invocation #9667

bigbrett wants to merge 2 commits into from
+31 −35

Conversation

@bigbrett
Copy link
Contributor

@bigbrett bigbrett commented Jan 14, 2026
edited
Loading

Fixes issue reported in 9604

Description

When system certificate store support is enabled on Apple platforms, wolfSSL is intended to fall back to Apple’s native trust APIs if verification against the wolfSSL CA bundle fails. However 9144 introduced a regression such that the Apple native validation routine never gets invoked if a user-provided verification callback is set and returns success. The verification result was overwritten before the Apple native validation check, preventing the fallback.

This PR fixes the regression in behavior and further improves the apple cert check integration

ProcessPeerCerts()
        |
        v
[TLS_ASYNC_BEGIN] - Parse cert chain into buffers
        |
        v
[TLS_ASYNC_BUILD] - Process intermediate certs (count-1 to 1)
        |
        |   For each intermediate cert:
        |     1. ProcessPeerCertParse() - validate cert
        |     2. ANCV bypass for ASN_NO_SIGNER_E (clears error)
        |     3. DoVerifyCallback() - callback can override/reject
        |     4. On fatal error: break loop, send fatal alert
        |
        v
[TLS_ASYNC_DO] - Process leaf cert (certIdx = 0)
        |
        |   1. ProcessPeerCertParse() - validate leaf
        |   2. If ASN_NO_SIGNER_E && ANCV enabled:
        |      - DoAppleNativeCertValidation() <--- Attempt to verify chain using Apple SDK
        |      - If success: ret = 0
        |   3. If ret != 0:
        |      - DoVerifyCallback() (sets leafVerifyErr)
        |   4. If ret != 0, send fatal alert and exit
        |
        v
[TLS_ASYNC_VERIFY] - OCSP/CRL, key usage, domain checks (internal to wolfSSL, only run on successful trust eval)
        |
        v
[TLS_ASYNC_FINALIZE]
        |
        |   1. Load lastErr if ret == 0
        |   2. DoVerifyCallback() if not already called for leaf
        |   3. Handle verifyNone for CRL errors
        |   4. Send alert if ret != 0 && !verifyNone
        |
        v
[TLS_ASYNC_END] 


# Checklist

 - [ ] added tests
 - [ ] updated/added doxygen
 - [ ] updated appropriate READMEs
 - [ ] Updated manual and documentation

@bigbrett
Prevent verify callback from blocking ANCV invocation when verify
b93751a 
callback is registered. Reverts behavior to pre-PR#9144
@bigbrett bigbrett requested a review from Copilot January 14, 2026 20:50
Copilot AI reviewed Jan 14, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bigbrett