From 6b01053d984fa386d0eade1e10fe6e79890baa49 Mon Sep 17 00:00:00 2001 From: Kareem Date: Fri, 20 Jun 2025 11:31:18 -0700 Subject: [PATCH] Add test case for new x509_verify_cert retry functionality. Add CA cert with the same SKI and intentionally invalid AKI as part of x509_verify_cert test case. --- certs/intermediate/ca-ecc-bad-aki.der | Bin 0 -> 851 bytes certs/intermediate/ca-ecc-bad-aki.pem | 67 ++++++++++++++++++++++++++ certs/intermediate/genintcerts.sh | 3 ++ certs/intermediate/include.am | 2 + tests/api.c | 29 +++++++++++ 5 files changed, 101 insertions(+) create mode 100644 certs/intermediate/ca-ecc-bad-aki.der create mode 100644 certs/intermediate/ca-ecc-bad-aki.pem diff --git a/certs/intermediate/ca-ecc-bad-aki.der b/certs/intermediate/ca-ecc-bad-aki.der new file mode 100644 index 0000000000000000000000000000000000000000..599aa517736b9dd0a72e3909986a5be2af585c70 GIT binary patch literal 851 zcmXqLV)i#^VlrRA%*4pV#3UeSz{|#|)#lOmotKf3o0Y+!alRq90Vf-CC<~h~Q)sZE zuz?_m!@-ibnU`LYpJymwzy}g!=V1>{O)M$NNrj1U@vxWY=cEM(`xuHC2!Yga z^KiSQmZj$87v!eql^7}*$bm$edBmaW6g=}vQj2m^Q!*1vQWcyX4do4F;V$B26cfnI zOUrivDK0L~(M!(HHINhMH8M3YGqf-=GBq+ViW28F0db9?T!Y5xH1&amff&RG{N?54 zdPoi0#)9?x5=X)$A$ zz_pj0S`91p#I<&I?Kf_Adpwo0!KbC-js|1_L>;rwd(;xvO4V7M`d z%JQ*@v518A%{u(S>7K++*U-G5lh408{CTOOfjmfBnFZ+n29fuf558ZOeKzyWo!krG zAMK1uDQq?c$Cs=yBjbM-4g)qI#l*-6j%QhZkQfUv#k8TN7Um{KMh55527%vfJ0g6T z?47^w{_D1``S`!fJ7XdkJU9Bh6>kwKVq%?qy?ulF|NUJ70cwt0vzz-~yRF`R>xa{( z`!Cp6zxNnF z`+HO7j)$#WclP}L1hvdyYw@>9dremNJn<3#a(GW;^4j!+v5$+^EbZEp&!cDD*f>ey ziuZ%XNccp2%qO4$j*$k%dQ9oHv>snj7zMR`MOJT#YFqta= Dx!50} literal 0 HcmV?d00001 diff --git a/certs/intermediate/ca-ecc-bad-aki.pem b/certs/intermediate/ca-ecc-bad-aki.pem new file mode 100644 index 000000000..3d8221fbe --- /dev/null +++ b/certs/intermediate/ca-ecc-bad-aki.pem 
@@ -0,0 +1,67 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4113 (0x1011) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = wolfSSL Intermediate CA, emailAddress = info@wolfssl.com + Validity + Not Before: Jun 18 22:52:02 2025 GMT + Not After : Jun 13 22:52:02 2045 GMT + Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:02:d3:d9:6e:d6:01:8e:45:c8:b9:90:31:e5:c0: + 4c:e3:9e:ad:29:38:98:ba:10:d6:e9:09:2a:80:a9: + 2e:17:2a:b9:8a:bf:33:83:46:e3:95:0b:e4:77:40: + b5:3b:43:45:33:0f:61:53:7c:37:44:c1:cb:fc:80: + ca:e8:43:ea:a7 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Subject Key Identifier: + 56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21 + X509v3 Authority Key Identifier: + EF:69:E0:F7:D5:1D:E6:99:EC:DC:6D:D0:F7:E2:B9:5C:64:71:83:35 + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:1 + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 43:55:80:10:fb:06:b8:58:4c:02:3f:43:f7:bb:fd:46:ae:83: + c7:fe:d3:b9:5c:58:00:49:b1:4c:ed:17:84:14:72:02:05:93: + d7:87:b0:27:ff:bf:8a:50:50:26:41:b5:6b:83:8e:eb:46:ab: + bb:da:f8:42:b2:df:3c:41:54:11:18:09:1c:a6:6e:63:56:be: + 7a:20:0d:08:d2:c0:25:ce:a4:d0:3d:09:02:fb:7b:41:59:49: + b5:e1:f7:72:84:b4:c7:10:c8:a0:07:64:73:6b:80:06:7a:31: + 62:ad:49:92:53:ef:d7:d6:b4:89:9c:15:20:a5:c4:ed:c0:39: + 7c:68:f2:19:e0:cf:e5:bb:5a:16:10:d5:de:80:da:0f:0e:91: + 0b:39:73:d6:a7:73:b2:b6:2b:c6:fb:bc:33:e6:fd:d9:1c:dc: + 48:3d:1e:8b:6b:9f:8f:60:26:69:53:3b:17:ed:62:bd:34:ab: + 8c:e4:4c:17:f4:c3:bc:81:63:ad:67:c1:5d:e3:72:ac:a5:8a: + bc:6f:0c:2e:33:81:81:92:20:d4:4b:e0:a3:22:12:d6:b4:27: + 
1f:37:14:a2:c4:76:c0:3c:29:44:4d:a9:35:67:21:1d:11:7f: + 76:98:02:f7:5a:f9:05:cb:2d:3b:39:45:e9:9d:82:9a:20:b0: + c6:56:1c:d4 +-----BEGIN CERTIFICATE----- +MIIDTzCCAjegAwIBAgICEBEwDQYJKoZIhvcNAQELBQAwgZ8xCzAJBgNVBAYTAlVT +MRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQK +DAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEgMB4GA1UEAwwXd29sZlNT +TCBJbnRlcm1lZGlhdGUgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b20wHhcNMjUwNjE4MjI1MjAyWhcNNDUwNjEzMjI1MjAyWjCBlzELMAkGA1UEBhMC +VVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNV +BAoMB3dvbGZTU0wxFDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wWTAT +BgcqhkjOPQIBBggqhkjOPQMBBwNCAAQC09lu1gGORci5kDHlwEzjnq0pOJi6ENbp +CSqAqS4XKrmKvzODRuOVC+R3QLU7Q0UzD2FTfDdEwcv8gMroQ+qno2YwZDAdBgNV +HQ4EFgQUVo6aw/BC3hi5RVVu+ZPP6sPzpSEwHwYDVR0jBBgwFoAU72ng99Ud5pns +3G3Q9+K5XGRxgzUwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYw +DQYJKoZIhvcNAQELBQADggEBAENVgBD7BrhYTAI/Q/e7/Uaug8f+07lcWABJsUzt +F4QUcgIFk9eHsCf/v4pQUCZBtWuDjutGq7va+EKy3zxBVBEYCRymbmNWvnogDQjS +wCXOpNA9CQL7e0FZSbXh93KEtMcQyKAHZHNrgAZ6MWKtSZJT79fWtImcFSClxO3A +OXxo8hngz+W7WhYQ1d6A2g8OkQs5c9anc7K2K8b7vDPm/dkc3Eg9Hotrn49gJmlT +OxftYr00q4zkTBf0w7yBY61nwV3jcqylirxvDC4zgYGSINRL4KMiEta0Jx83FKLE +dsA8KURNqTVnIR0Rf3aYAvda+QXLLTs5RemdgpogsMZWHNQ= +-----END CERTIFICATE----- diff --git a/certs/intermediate/genintcerts.sh b/certs/intermediate/genintcerts.sh index 8ed892f28..13fe30c3e 100755 --- a/certs/intermediate/genintcerts.sh +++ b/certs/intermediate/genintcerts.sh 
@@ -313,6 +313,9 @@ create_cert wolfssl_int2_ecc wolfssl_int2_ecc ./certs/ecc-key.pem server-int-ecc echo "Create ECC Client Certificate signed by intermediate2" create_cert wolfssl_int2_ecc wolfssl_int2_ecc ./certs/ecc-client-key.pem client-int-ecc-cert usr_cert "wolfSSL Client Chain ECC" 3650 +echo "Create alt CA with intentionally invalid AKI" +create_cert wolfssl_root_ecc wolfssl_int ./certs/ca-ecc-key.pem ca-ecc-bad-aki v3_intermediate_ca "www.wolfssl.com" 7300 + echo "Generate CRLs for new certificates" openssl ca -config ./certs/intermediate/wolfssl_root_ecc.cnf -gencrl -crldays 1000 -out ./certs/crl/ca-int-ecc.pem -keyfile ./certs/intermediate/ca-int-ecc-key.pem -cert ./certs/intermediate/ca-int-ecc-cert.pem check_result $? diff --git a/certs/intermediate/include.am b/certs/intermediate/include.am index ad3a66b21..4773ef8b5 100644 --- a/certs/intermediate/include.am +++ b/certs/intermediate/include.am @@ -4,6 +4,8 @@ EXTRA_DIST += \ certs/intermediate/genintcerts.sh \ + certs/intermediate/ca-ecc-bad-aki.der \ + certs/intermediate/ca-ecc-bad-aki.pem \ certs/intermediate/ca-int-cert.der \ certs/intermediate/ca-int-cert.pem \ certs/intermediate/ca-int-ecc-cert.der \ diff --git a/tests/api.c b/tests/api.c index b96d9de1c..e68983d8d 100644 --- a/tests/api.c +++ b/tests/api.c 
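Review bot: The new `create_cert` call for `ca-ecc-bad-aki` in certs/intermediate/genintcerts.sh does not say how the AKI ends up invalid, and anyone regenerating the certificates needs to know that to keep the x509_verify_cert test meaningful. Judging from the generated PEM earlier in this patch, the certificate reuses `./certs/ca-ecc-key.pem` (so its SKI matches the ECC root) but is issued by the RSA intermediate, so its AKI names a CA the test store never loads. A comment above the call would record that, e.g. `# Same key/SKI as ca-ecc-cert.pem, but issued by wolfssl_int so the AKI names a CA absent from the test store.`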
@@ -20362,6 +20362,34 @@ static int test_wolfSSL_X509_STORE_CTX_ex11(X509_STORE_test_data *testData)
 X509_STORE_free(store);
 return EXPECT_RESULT();
 }
+
+static int test_wolfSSL_X509_STORE_CTX_ex12(void)
+{
+ EXPECT_DECLS;
+ X509_STORE* store = NULL;
+ X509_STORE_CTX* ctx = NULL;
+ STACK_OF(X509)* chain = NULL;
+
+ const char* intCARootECCFile = "./certs/ca-ecc-cert.pem";
+ const char* intCA1ECCFile = "./certs/intermediate/ca-int-ecc-cert.pem";
+ const char* intCABadAKIECCFile = "./certs/intermediate/ca-ecc-bad-aki.pem";
+
+ /* Test case 12, multiple CAs with the same SKI including 1 with intentionally
+ bad/unregistered AKI. x509_verify_cert should still form a valid chain
+ using the valid CA, ignoring the bad CA. Developed from customer provided
+ reproducer. */
+
+ ExpectNotNull(store = X509_STORE_new());
+ ExpectIntEQ(X509_STORE_add_cert(store, test_wolfSSL_X509_STORE_CTX_ex_helper(intCARootECCFile)), 1);
+ ExpectIntEQ(X509_STORE_add_cert(store, test_wolfSSL_X509_STORE_CTX_ex_helper(intCABadAKIECCFile)), 1);
+ ExpectNotNull(ctx = X509_STORE_CTX_new());
+ ExpectIntEQ(X509_STORE_CTX_init(ctx, store, test_wolfSSL_X509_STORE_CTX_ex_helper(intCA1ECCFile), NULL), 1);
+ ExpectIntEQ(X509_verify_cert(ctx), 1);
+ ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx));
+ X509_STORE_CTX_free(ctx);
+ X509_STORE_free(store);
+ return EXPECT_RESULT();
+}
 #endif
 static int test_wolfSSL_X509_STORE_CTX_ex(void)
@@ -20401,6 +20429,7 @@ static int test_wolfSSL_X509_STORE_CTX_ex(void)
 ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex9(&testData), 1);
 ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex10(&testData), 1);
 ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex11(&testData), 1);
+ ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex12(), 1);
 if(testData.x509Ca) {
 X509_free(testData.x509Ca);
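Review bot: The three certificates returned by `test_wolfSSL_X509_STORE_CTX_ex_helper()` in `test_wolfSSL_X509_STORE_CTX_ex12` go straight into `X509_STORE_add_cert` and `X509_STORE_CTX_init` and are never freed. The helper is defined outside this hunk, but if it returns a caller-owned `X509*` (the `X509_free(testData.x509Ca)` in the second hunk suggests that pattern), every run leaks them, and a failed load only shows up as a failed add. Holding each result in a local, checking it with `ExpectNotNull`, and freeing it once the store is released would fix both. Separately, the test only proves that verification succeeds and that a chain exists; it never checks that the bad-AKI CA was actually left out, so asserting the expected chain length (for example via `sk_X509_num(chain)`) would pin the behaviour the comment describes.

```c
static int test_wolfSSL_X509_STORE_CTX_ex12(void)
{
    /* … unchanged: EXPECT_DECLS, store/ctx/chain declarations, file paths, comment … */
    X509* rootEcc = NULL;
    X509* badAki = NULL;
    X509* intEcc = NULL;

    /* … unchanged: X509_STORE_new … */
    ExpectNotNull(rootEcc = test_wolfSSL_X509_STORE_CTX_ex_helper(intCARootECCFile));
    ExpectNotNull(badAki = test_wolfSSL_X509_STORE_CTX_ex_helper(intCABadAKIECCFile));
    ExpectNotNull(intEcc = test_wolfSSL_X509_STORE_CTX_ex_helper(intCA1ECCFile));
    ExpectIntEQ(X509_STORE_add_cert(store, rootEcc), 1);
    ExpectIntEQ(X509_STORE_add_cert(store, badAki), 1);
    /* … unchanged: X509_STORE_CTX_new … */
    ExpectIntEQ(X509_STORE_CTX_init(ctx, store, intEcc, NULL), 1);
    /* … unchanged: X509_verify_cert, get_chain, X509_STORE_CTX_free, X509_STORE_free … */
    X509_free(intEcc);
    X509_free(badAki);
    X509_free(rootEcc);
    return EXPECT_RESULT();
}
```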