Merge pull request #9584 from miyazakh/fix_qtfail

dgarske · web-flow · commit d25f98fd82b4 · 2026-01-08T10:58:20.000-08:00
Fix qt jenkins nightly test failure
diff --git a/src/x509_str.c b/src/x509_str.c
@@ -384,6 +384,22 @@ static int X509StoreVerifyCertDate(WOLFSSL_X509_STORE_CTX* ctx, int ret)
                     ret = ASN_BEFORE_DATE_E;
                 }
             }
+        #if defined(OPENSSL_ALL)
+            else {
+                WOLFSSL_MSG("Using system time for date validation");
+                /* use system time for date validation */
+                if (wc_ValidateDate(afterDate,
+                        (byte)ctx->current_cert->notAfter.type, ASN_AFTER,
+                        ctx->current_cert->notAfter.length) < 1) {
+                    ret = ASN_AFTER_DATE_E;
+                }
+                else if (wc_ValidateDate(beforeDate,
+                        (byte)ctx->current_cert->notBefore.type, ASN_BEFORE,
+                        ctx->current_cert->notBefore.length) < 1) {
+                    ret = ASN_BEFORE_DATE_E;
+                }
+            }
+        #endif
         }
 #else
         if (XVALIDATE_DATE(afterDate,
@@ -424,7 +440,26 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx)
                                                         WOLFSSL_SUCCESS : ret;
     #endif
     }
-
+#if !defined(NO_ASN_TIME) && defined(OPENSSL_ALL)
+    if (ret != WC_NO_ERR_TRACE(ASN_BEFORE_DATE_E) &&
+        ret != WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)) {
+        /* With OpenSSL, we need to check the certificate's date
+        * after certificate manager verification,
+        * as it skips date validation when other errors are present.
+        */
+        ret = X509StoreVerifyCertDate(ctx, ret);
+        SetupStoreCtxError(ctx, ret);
+        ret = ret == WOLFSSL_SUCCESS ? 1 : 0;
+        if (ctx->store->verify_cb) {
+            if (ctx->store->verify_cb(ret, ctx) == 1) {
+                ret = WOLFSSL_SUCCESS;
+            }
+            else {
+                ret = -1;
+            }
+        }
+    }
+#endif
     return ret;
 }
 
diff --git a/tests/api/test_ossl_x509_str.c b/tests/api/test_ossl_x509_str.c
@@ -36,6 +36,31 @@
 #include <tests/api/api.h>
 #include <tests/api/test_ossl_x509_str.h>
 
+#if defined(OPENSSL_ALL) && \
+        !defined(NO_RSA) && !defined(NO_FILESYSTEM)
+
+static int last_errcodes[10];
+static int last_errdepths[10];
+static int err_index = 0;
+
+static int X509CallbackCount(int ok, X509_STORE_CTX *ctx)
+{
+    if (!ok) {
+        if (err_index < 10) {
+            last_errcodes[err_index]  = X509_STORE_CTX_get_error(ctx);
+            last_errdepths[err_index] = X509_STORE_CTX_get_error_depth(ctx);
+            err_index++;
+        } else {
+            /* Should not happen in test */
+            WOLFSSL_MSG("Error index overflow in X509CallbackCount");
+            err_index = 0;
+        }
+    }
+    /* Always return OK to allow verification to continue.*/
+    return 1;
+}
+#endif
+
 int test_wolfSSL_X509_STORE_CTX_set_time(void)
 {
     EXPECT_DECLS;
@@ -161,6 +186,78 @@ int test_wolfSSL_X509_STORE_check_time(void)
     store = NULL;
     wolfSSL_X509_free(cert);
     cert = NULL;
+
+#if defined(OPENSSL_ALL) && \
+        !defined(NO_RSA) && !defined(NO_FILESYSTEM)
+
+    err_index = 0;
+
+    ExpectNotNull(store = X509_STORE_new());
+    ExpectNotNull(ctx = X509_STORE_CTX_new());
+    ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(caCertFile,
+                        SSL_FILETYPE_PEM));
+    ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, ca), WOLFSSL_SUCCESS);
+
+    X509_STORE_set_verify_cb(store, X509CallbackCount);
+
+    ExpectNotNull(cert = wolfSSL_X509_load_certificate_file(expiredCertFile,
+                        SSL_FILETYPE_PEM));
+
+    ExpectIntEQ(X509_STORE_CTX_init(ctx, store, cert, NULL), WOLFSSL_SUCCESS);
+    ExpectIntEQ(X509_verify_cert(ctx), WOLFSSL_SUCCESS);
+    /* while verifying the certificate, it should have two errors */
+    ExpectIntEQ(err_index, 2);
+    /* self-signed */
+    ExpectIntEQ(last_errcodes[err_index - 2],
+                WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
+    /* expired */
+    ExpectIntEQ(last_errcodes[err_index - 1],
+                WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED);
+
+    X509_STORE_CTX_free(ctx);
+    ctx = NULL;
+    X509_STORE_free(store);
+    store = NULL;
+    X509_free(cert);
+    cert = NULL;
+    X509_free(ca);
+    ca = NULL;
+
+    err_index = 0;
+
+    ExpectNotNull(store = X509_STORE_new());
+    /* Set NO_CHECK_TIME flag to skip time validation */
+    ExpectIntEQ(X509_VERIFY_PARAM_set_flags(store->param,
+                        WOLFSSL_NO_CHECK_TIME), WOLFSSL_SUCCESS);
+    ExpectTrue((store->param->flags & WOLFSSL_NO_CHECK_TIME) ==
+        WOLFSSL_NO_CHECK_TIME);
+    ExpectNotNull(ctx = X509_STORE_CTX_new());
+    ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(caCertFile,
+                        SSL_FILETYPE_PEM));
+    ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, ca), WOLFSSL_SUCCESS);
+
+    X509_STORE_set_verify_cb(store, X509CallbackCount);
+
+    ExpectNotNull(cert = wolfSSL_X509_load_certificate_file(expiredCertFile,
+                        SSL_FILETYPE_PEM));
+
+    ExpectIntEQ(X509_STORE_CTX_init(ctx, store, cert, NULL), WOLFSSL_SUCCESS);
+    ExpectIntEQ(X509_verify_cert(ctx), WOLFSSL_SUCCESS);
+    /* while verifying the certificate, it should have an error */
+    ExpectIntEQ(err_index, 1);
+    /* self-signed */
+    ExpectIntEQ(last_errcodes[err_index - 1],
+                WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
+    /* no expired because of no_check_time */
+    X509_STORE_CTX_free(ctx);
+    ctx = NULL;
+    X509_STORE_free(store);
+    store = NULL;
+    X509_free(cert);
+    cert = NULL;
+    X509_free(ca);
+    ca = NULL;
+#endif
 #endif /* OPENSSL_EXTRA && !NO_FILESYSTEM && !NO_ASN_TIME && !NO_RSA */
     return EXPECT_RESULT();
 }
