From bc8eeea703253bd65d472a9541b54fef326e8050 Mon Sep 17 00:00:00 2001
From: Brett
Date: Wed, 4 Jun 2025 15:48:15 -0600
Subject: [PATCH] prevent apple native cert validation from overriding error codes other than ASN_NO_SIGNER_E

---
 src/internal.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index 6dde8ece2..e80c7ca95 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -16809,7 +16809,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 /* If we can't validate the peer cert chain against the CAs loaded
 * into wolfSSL, try to validate against the system certificates
 * using Apple's native trust APIs */
- if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
+ if ((ret == ASN_NO_SIGNER_E) &&
+ (ssl->ctx->doAppleNativeCertValidationFlag)) {
 if (DoAppleNativeCertValidation(ssl, args->certs,
 args->totalCerts)) {
 WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
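Review bot: The comment above the narrowed condition still reads as if any validation failure falls through to Apple's trust APIs; it should state that only `ASN_NO_SIGNER_E` is eligible, e.g. `/* Only a missing signer (ASN_NO_SIGNER_E) may fall back to the system trust store; any other verification error from wolfSSL must stand. */`, so that a later edit does not widen the check back to `ret != 0`. The new test also relies on `ret` still holding the unmodified chain-verification result at this point. ProcessPeerCerts starts and ends outside the hunk, so it is worth confirming that nothing earlier (a per-certificate loop or a verify callback) can turn a date, signature or revocation failure into `ASN_NO_SIGNER_E` before this line is reached. A regression test with native validation enabled and a chain that wolfSSL rejects for a reason other than a missing signer would pin the intended behaviour.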