prevent apple native cert validation from overriding error codes other than ASN_NO_SIGNER_E

2025-06-04 15:48:15 -06:00
parent 9864959e41
commit bc8eeea703
1 changed files with 2 additions and 1 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -16809,7 +16809,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
            /* If we can't validate the peer cert chain against the CAs loaded
             * into wolfSSL, try to validate against the system certificates
             * using Apple's native trust APIs */
-            if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
+            if ((ret == ASN_NO_SIGNER_E) &&
+                (ssl->ctx->doAppleNativeCertValidationFlag)) {
                if (DoAppleNativeCertValidation(ssl, args->certs,
                                                     args->totalCerts)) {
                    WOLFSSL_MSG("Apple native cert chain validation SUCCESS");