Merge pull request #8833 from rlm2002/AppleNativeCert

SparkiDev · web-flow · commit fbc483e23a3e · 2025-06-05T12:22:20.000+10:00
domain name policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION
diff --git a/src/internal.c b/src/internal.c
@@ -213,7 +213,7 @@ int writeAeadAuthData(WOLFSSL* ssl, word16 sz, byte type, byte* additional,
 #include <Security/SecCertificate.h>
 #include <Security/SecTrust.h>
 #include <Security/SecPolicy.h>
-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
+static int DoAppleNativeCertValidation(WOLFSSL* ssl, const WOLFSSL_BUFFER_INFO* certs,
                                             int totalCerts);
 #endif /* #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
 
@@ -16809,8 +16809,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
             /* If we can't validate the peer cert chain against the CAs loaded
              * into wolfSSL, try to validate against the system certificates
              * using Apple's native trust APIs */
-            if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
-                if (DoAppleNativeCertValidation(args->certs,
+            if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
+                (ssl->ctx->doAppleNativeCertValidationFlag)) {
+                if (DoAppleNativeCertValidation(ssl, args->certs,
                                                      args->totalCerts)) {
                     WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
                     ret = 0;
@@ -42744,7 +42745,8 @@ static SecCertificateRef ConvertToSecCertificateRef(const byte* derCert,
  * wolfSSL's built-in certificate validation mechanisms anymore. We instead
  * must call into the Security Framework APIs to authenticate peer certificates
  */
-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
+static int DoAppleNativeCertValidation(WOLFSSL* ssl,
+                                            const WOLFSSL_BUFFER_INFO* certs,
                                             int totalCerts)
 {
     int i;
@@ -42753,7 +42755,8 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
     CFMutableArrayRef certArray = NULL;
     SecCertificateRef secCert   = NULL;
     SecTrustRef       trust     = NULL;
-    SecPolicyRef      policy    = NULL ;
+    SecPolicyRef      policy    = NULL;
+    CFStringRef       hostname  = NULL;
 
     WOLFSSL_ENTER("DoAppleNativeCertValidation");
 
@@ -42782,7 +42785,18 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
     }
 
     /* Create trust object for SecCertifiate Ref */
-    policy = SecPolicyCreateSSL(true, NULL);
+    if (ssl->buffers.domainName.buffer &&
+            ssl->buffers.domainName.length > 0) {
+        /* Create policy with specified value to require host name match */
+        hostname = CFStringCreateWithCString(kCFAllocatorDefault,
+                                (const char*)ssl->buffers.domainName.buffer,
+                                 kCFStringEncodingUTF8);
+    }
+    if (hostname != NULL) {
+        policy = SecPolicyCreateSSL(true, hostname);
+    } else {
+        policy = SecPolicyCreateSSL(true, NULL);
+    }
     status = SecTrustCreateWithCertificates(certArray, policy, &trust);
     if (status != errSecSuccess) {
         WOLFSSL_MSG_EX("Error creating trust object, "
@@ -42813,6 +42827,9 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
     if (policy) {
         CFRelease(policy);
     }
+    if (hostname) {
+        CFRelease(hostname);
+    }
 
     WOLFSSL_LEAVE("DoAppleNativeCertValidation", ret);
 
