certs: re-sign orphaned rsapss/mldsa leaves and add chain guard#10835
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes TLS 1.3 handshake failures caused by committed leaf certificates no longer matching their re-issued CAs, and adds a lightweight CI guard to prevent future leaf/CA drift from landing unnoticed.
Changes:
- Re-sign the RSA-PSS and ML-DSA leaf certificates so their issuer/AKID chain correctly matches the currently committed CA subject/SKID.
- Add
certs/check_cert_chains.shto validate pinned leaf→CA pairs via issuer/subject + AKID/SKID identity checks, and crypto verification where OpenSSL supports the algorithm. - Add a GitHub Actions workflow to run the guard on non-draft PRs; run the guard at the end of
certs/renewcerts.sh.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
certs/rsapss/ecc-leaf-rsapss.pem |
Re-signed RSA-PSS leaf to match the current RSA-PSS CA identity. |
certs/mldsa/ecc-leaf-mldsa44.pem |
Re-signed ML-DSA leaf to match the current ML-DSA CA identity. |
certs/check_cert_chains.sh |
New script to check pinned leaf/CA identity and (when supported) cryptographic verification. |
.github/workflows/check-cert-chains.yml |
New CI workflow running the guard with stock OpenSSL on non-draft PRs. |
certs/renewcerts.sh |
Runs the new guard after certificate regeneration/cleanup to catch drift before commit. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10835
No scan targets match the changed files in this PR. Review skipped.
This was referenced Jul 2, 2026
Merged
Frauschi
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
certs: re-sign orphaned rsapss/mldsa leaves and add a leaf-to-CA chain guard
Problem
The
tinytls13-cert-rsaverifyCI config (and any PR that had picked up currentmaster) fails during the TLS 1.3 smoke test:-188=ASN_NO_SIGNER_E— no signer found for the presented cert-313=FATAL_ERROR— received the fatal alert the client sentRoot cause
Two committed leaf certificates were signed by CAs that were later re-issued,
so each leaf's
issuerno longer matches its CA'ssubject:certs/rsapss/ecc-leaf-rsapss.pememailAddress=info@wolfssl.comcerts/rsapss/ca-rsapss.pem→emailAddress=facts@wolfssl.comcerts/mldsa/ecc-leaf-mldsa44.pemCN=Test mldsa44certs/mldsa/mldsa44-cert.pem→CN=ML-DSA-44The CAs were re-issued (the
facts@wolfssl.comemail change, and the ML-DSA CACN change) without regenerating the leaves they had signed. This is a
cert/data sync issue, not a code defect, which is why it reproduced on every
open PR regardless of its content.
Fix
Regenerate both leaves against the current committed CAs (same keys, no other
cert in the tree touched):
certs/rsapss/ecc-leaf-rsapss.pem— re-signed byca-rsapss.pem(RSA-PSS),matching
certs/rsapss/renew-rsapss-certs.sh.certs/mldsa/ecc-leaf-mldsa44.pem— re-signed bymldsa44-cert.pem,matching the ML-DSA leaf section of
certs/renewcerts.sh.Prevent recurrence
Add a guard so a future CA re-issue that skips the leaf fails loudly at PR time
instead of as a runtime handshake error buried in one config:
certs/check_cert_chains.sh(new) — a data-driven checker for the pinnedleaf/CA pairs. Per pair it runs:
and leaf AKID == CA SKID) that works on any OpenSSL and catches the exact
DN-drift class that broke here;
openssl verifywhen the local OpenSSL supports the CA'salgorithm. ML-DSA verification needs OpenSSL 3.5+, so on older toolchains
the crypto step is skipped with an explicit notice while the identity
check still runs.
.github/workflows/check-cert-chains.yml(new) — a ~30s OpenSSL-only job(modeled on
gencertbuf.yml) that runs the script on every non-draft PR.certs/renewcerts.sh— calls the guard at the end of a full regen sodrift is caught before the refreshed certs are committed.
Adding a new pinned leaf later is one line in the
pairslist incheck_cert_chains.sh.Testing
cd certs && ./check_cert_chains.sh→ both pairs reportOK,exit 0 (crypto-verified locally on OpenSSL 3.6.1).
ecc-leaf-rsapss.pemmakes theguard print the
info@vsfacts@mismatch and exit 1.openssl verify -partial_chain -CAfile ca-rsapss.pem ecc-leaf-rsapss.pem→ OK;full chain via
root-rsapss.pem(untrustedca-rsapss.pem) → OK.sh -n/bash -nclean on both scripts; workflow YAML parses.Notes
gets the identity check on stock runners (OpenSSL 3.0.x). The ML-DSA leaf is
still fully exercised at handshake time by the existing
tinytls13/pq-alltests, so a capable-OpenSSL build was intentionally left out to keep the job
lightweight.