@@ -16219,23 +16219,31 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
1621916219 }
1622016220 #endif
1622116221
16222+ #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)
16223+ /* If we can't validate the peer cert chain against the CAs
16224+ * loaded into wolfSSL, try to validate against the system
16225+ * certificates using Apple's native trust APIs BEFORE
16226+ * calling the verify callback so the callback sees the
16227+ * correct validation result */
16228+ if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
16229+ (ssl->ctx->doAppleNativeCertValidationFlag)) {
16230+ if (DoAppleNativeCertValidation(ssl, args->certs,
16231+ args->totalCerts)) {
16232+ WOLFSSL_MSG("Apple native cert chain validation "
16233+ "SUCCESS");
16234+ ret = 0;
16235+ }
16236+ else {
16237+ WOLFSSL_MSG("Apple native cert chain validation "
16238+ "FAIL");
16239+ }
16240+ }
16241+ #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
16242+
1622216243 /* Do verify callback. */
1622316244 args->leafVerifyErr = ret =
1622416245 DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
1622516246
16226- #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)
16227- /* Disregard failure to verify peer cert, as we will verify
16228- * the whole chain with the native API later */
16229- if (ssl->ctx->doAppleNativeCertValidationFlag) {
16230- WOLFSSL_MSG("\tApple native CA validation override"
16231- " available, will continue");
16232- /* check if fatal error */
16233- args->fatal = (args->verifyErr) ? 1 : 0;
16234- if (args->fatal)
16235- DoCertFatalAlert(ssl, ret);
16236- }
16237- else
16238- #endif/*defined(__APPLE__)&& defined(WOLFSSL_SYS_CA_CERTS)*/
1623916247 if (ret != 0) {
1624016248 WOLFSSL_MSG("\tfatal cert error");
1624116249 args->fatal = 1;
@@ -17004,23 +17012,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
1700417012 }
1700517013 #endif
1700617014
17007- #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)
17008- /* If we can't validate the peer cert chain against the CAs loaded
17009- * into wolfSSL, try to validate against the system certificates
17010- * using Apple's native trust APIs */
17011- if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
17012- (ssl->ctx->doAppleNativeCertValidationFlag)) {
17013- if (DoAppleNativeCertValidation(ssl, args->certs,
17014- args->totalCerts)) {
17015- WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
17016- ret = 0;
17017- }
17018- else {
17019- WOLFSSL_MSG("Apple native cert chain validation FAIL");
17020- }
17021- }
17022- #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
17023-
1702417015 /* Do leaf verify callback when it wasn't called yet */
1702517016 if (ret == 0 || ret != args->leafVerifyErr)
1702617017 ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
@@ -42037,12 +42028,17 @@ static int DoAppleNativeCertValidation(WOLFSSL* ssl,
4203742028 kCFAllocatorDefault, (const char*)ssl->buffers.domainName.buffer,
4203842029 kCFStringEncodingUTF8);
4203942030 }
42040- if (hostname != NULL) {
42041- policy = SecPolicyCreateSSL(true, hostname);
42042- }
42043- else {
42044- policy = SecPolicyCreateSSL(true, NULL);
42031+
42032+ /* If we're the client, we're validating the server's cert - use server
42033+ * policy (true). If we're the server, we're validating the client's cert -
42034+ * use client policy (false). Hostname validation only applies to server
42035+ * certs. */
42036+ {
42037+ int isServerCert = (ssl->options.side == WOLFSSL_CLIENT_END);
42038+ policy = SecPolicyCreateSSL(isServerCert,
42039+ isServerCert ? hostname : NULL);
4204542040 }
42041+
4204642042 status = SecTrustCreateWithCertificates(certArray, policy, &trust);
4204742043 if (status != errSecSuccess) {
4204842044 WOLFSSL_MSG_EX("Error creating trust object, "
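Review bot: The `hostname` CFString is still created unconditionally just above the new block (gutter 42037–42039) even though the new code only hands it to SecPolicyCreateSSL on the client side, so on the server side it is allocated and then discarded; hoisting `isServerCert` out of the inner block and guarding the hostname creation with it would make the ownership obvious and remove the dead allocation, assuming the existing cleanup path (outside this hunk) releases it. The new comment should also state the consequence of a NULL hostname on the client side, e.g. `/* hostname == NULL (no domainName configured) means the Apple policy performs no hostname check; any name enforcement then rests on wolfSSL's own domain-name match */`, because SecPolicyCreateSSL skips hostname verification when given NULL. The enclosing DoAppleNativeCertValidation starts and continues outside the hunk.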