x509_str: verify leaf signature even when verify_cb overrides INVALID_CA

julek-wolfssl · julek-wolfssl · commit 47abfb55474e · 2026-04-28T11:36:50.000+02:00
When verify_cb returned WOLFSSL_SUCCESS to suppress X509_V_ERR_INVALID_CA
for a non-CA issuer, control skipped X509StoreVerifyCert and the leaf
signature was never checked. Drop the else so signature verification
runs on every issuer.
diff --git a/src/x509_str.c b/src/x509_str.c
@@ -705,7 +705,10 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
 
             /* We found our issuer in the non-trusted cert list, add it
              * to the CM and verify the current cert against it */
-            /* RFC 5280 4.2.1.9: reject non-CA issuer. */
+            /* RFC 5280 4.2.1.9: reject non-CA issuer. verify_cb may
+             * suppress the INVALID_CA error to keep building the chain,
+             * but the leaf signature must still be verified against the
+             * issuer below — never skip X509StoreVerifyCert. */
             if (!issuer->isCa) {
                 SetupStoreCtxError_ex(ctx, X509_V_ERR_INVALID_CA,
                                 (ctx->chain) ? (int)(ctx->chain->num + 1) : 1);
@@ -724,26 +727,23 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
                     goto exit;
                 }
             }
-            else {
-                ret = X509StoreAddCa(ctx->store, issuer,
-                                                WOLFSSL_TEMP_CA);
-                if (ret != WOLFSSL_SUCCESS) {
-                    X509VerifyCertSetupRetry(ctx, certs, failedCerts,
-                        &depth, origDepth);
-                    continue;
-                }
-                added = 1;
-                ret = X509StoreVerifyCert(ctx);
-                if (ret != WOLFSSL_SUCCESS) {
-                    if ((origDepth - depth) <= 1)
-                        added = 0;
-                    X509VerifyCertSetupRetry(ctx, certs, failedCerts,
-                        &depth, origDepth);
-                    continue;
-                }
-                /* Add it to the current chain and look at the issuer cert next */
-                wolfSSL_sk_X509_push(ctx->chain, ctx->current_cert);
+            ret = X509StoreAddCa(ctx->store, issuer, WOLFSSL_TEMP_CA);
+            if (ret != WOLFSSL_SUCCESS) {
+                X509VerifyCertSetupRetry(ctx, certs, failedCerts,
+                    &depth, origDepth);
+                continue;
             }
+            added = 1;
+            ret = X509StoreVerifyCert(ctx);
+            if (ret != WOLFSSL_SUCCESS) {
+                if ((origDepth - depth) <= 1)
+                    added = 0;
+                X509VerifyCertSetupRetry(ctx, certs, failedCerts,
+                    &depth, origDepth);
+                continue;
+            }
+            /* Add it to the current chain and look at the issuer cert next */
+            wolfSSL_sk_X509_push(ctx->chain, ctx->current_cert);
             ctx->current_cert = issuer;
         }
         else if (ret == WC_NO_ERR_TRACE(WOLFSSL_FAILURE)) {
