Skip to content

JSSE/JNI: wantClientAuth cert validation and RsaVerify callback exception fixes#381

Open
cconlon wants to merge 2 commits into
wolfSSL:masterfrom
cconlon:fenrirJuly16
Open

JSSE/JNI: wantClientAuth cert validation and RsaVerify callback exception fixes#381
cconlon wants to merge 2 commits into
wolfSSL:masterfrom
cconlon:fenrirJuly16

Conversation

@cconlon

@cconlon cconlon commented Jul 16, 2026

Copy link
Copy Markdown
Member

This PR fixes two Fenrir issues related to certificate and callback handling.

F-6307: validate presented client certs under wantClientAuth

WolfSSLInternalVerifyCb.verifyCallback() was calling the TrustManager for a presented client certificate under wantClientAuth(true) / needClientAuth(false) but discarding the result, so a client certificate that failed validation was accepted and the handshake continued. This changes that path to abort the handshake (return failure) when the TrustManager rejects a presented cert.

wantClientAuth now only makes an absent client certificate non-fatal. A certificate that is presented must still validate. This matches SunJSSE. The absent-cert path is unchanged, so optional client auth without a cert still succeeds.

F-3912: return failure from NativeRsaVerifyCb on Java callback exception

When the Java RSA verify PK callback threw, NativeRsaVerifyCb detected and cleared the exception but continued with an undefined retval (per the JNI spec) and leaked its local refs. It now deletes the local refs and returns failure on exception, matching the sibling NativeRsaSignCb / NativeEccVerifyCb callbacks. Compiled under HAVE_PK_CALLBACKS.

@cconlon cconlon self-assigned this Jul 16, 2026
Copilot AI review requested due to automatic review settings July 16, 2026 22:55

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants