Skip to content

Report cert verify failure with MD5#10222

Open
embhorn wants to merge 2 commits intowolfSSL:masterfrom
embhorn:zd21597
Open

Report cert verify failure with MD5#10222
embhorn wants to merge 2 commits intowolfSSL:masterfrom
embhorn:zd21597

Conversation

@embhorn
Copy link
Copy Markdown
Member

@embhorn embhorn commented Apr 14, 2026

Description

Added a verify-mode guard to the CTC_MD5wRSA case in HashForSignature(), mirroring the existing MD2 sign/verify precedent. MD5-signed certificates now return HASH_TYPE_E during chain verification.

Fixes zd21597

Testing

Added test_wolfSSL_CertManagerRejectMD5Cert

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@embhorn embhorn self-assigned this Apr 14, 2026
Copilot AI review requested due to automatic review settings April 14, 2026 17:31
Copilot AI reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR makes certificate chain verification reject MD5-signed certificate signatures by returning HASH_TYPE_E when HashForSignature() is invoked in verify mode for CTC_MD5wRSA, and adds a regression test to ensure this behavior.

Changes:

  • Add a verify-mode guard for CTC_MD5wRSA in HashForSignature() (blocked unless WOLFSSL_ALLOW_MD5_CERT_SIGS is defined).
  • Add a new CertManager API test that generates an MD5-signed leaf cert and asserts verification fails with HASH_TYPE_E.
  • Register WOLFSSL_ALLOW_MD5_CERT_SIGS in the known macro extras list and wire the new test into the certman test group.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File Description
wolfcrypt/src/asn.c Adds verify-mode rejection path for MD5 certificate signatures (unless explicitly allowed).
tests/api/test_certman.h Declares and registers the new MD5-rejection certman test.
tests/api/test_certman.c Implements a regression test generating an MD5-signed leaf cert and verifying it is rejected.
.wolfssl_known_macro_extras Adds WOLFSSL_ALLOW_MD5_CERT_SIGS to macro discovery list.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10222

Scan targets checked: wolfcrypt-api_misuse, wolfcrypt-bugs, wolfcrypt-compliance, wolfcrypt-concurrency, wolfcrypt-consttime, wolfcrypt-defaults, wolfcrypt-mutation, wolfcrypt-portability, wolfcrypt-proptest, wolfcrypt-src, wolfcrypt-zeroize

No new issues found in the changed files. ✅

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026

MemBrowse Memory Report

No memory changes detected for:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@embhorn embhorn

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@embhorn @wolfSSL-Fenrir-bot