Skip to content

Fix error reporting and document EC explicit params single-cert beha…#3044

Merged
justsmth merged 1 commit intoaws:mainfrom
justsmth:doc-ec-single-cert
Feb 25, 2026
Merged

Fix error reporting and document EC explicit params single-cert beha…#3044
justsmth merged 1 commit intoaws:mainfrom
justsmth:doc-ec-single-cert

Conversation

@justsmth
Copy link
Copy Markdown
Contributor

@justsmth justsmth commented Feb 25, 2026
edited by skmcgrail
Loading

Description of changes:

Two small fixes in crypto/x509/x509_vfy.c:

  1. In internal_verify, the post-loop leaf public key check was setting ctx->current_cert = xi (the issuer) instead of xs (the subject). The chain was still correctly rejected — just the diagnostic metadata pointed at the wrong cert. Fixed to xs.

  2. Added a comment explaining why the EC explicit params check in check_chain_extensions intentionally skips single-cert chains (num > 1). This matches OpenSSL 1.1.1 behavior and is fine because single-cert chains are already in the trust store. No behavioral change.

Call-outs:

Neither issue is a security vulnerability. One is a one-line code fix, the other is comment-only.

Testing:

All existing X509 tests pass. X509Test.SignatureVerification and X509CompatTest.LeafCertificateWithExplicitECParams both cover the relevant code paths.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@justsmth justsmth requested a review from a team as a code owner February 25, 2026 19:18
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Feb 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.35%. Comparing base (129ffc0) to head (ce6e25c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3044      +/-   ##
==========================================
- Coverage   78.52%   78.35%   -0.18%     
==========================================
  Files         689      689              
  Lines      121012   121017       +5     
  Branches    16996    16967      -29     
==========================================
- Hits        95030    94824     -206     
- Misses      25083    25296     +213     
+ Partials      899      897       -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@justsmth justsmth merged commit 8e79629 into aws:main Feb 25, 2026
452 of 455 checks passed
@justsmth justsmth deleted the doc-ec-single-cert branch February 25, 2026 22:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@skmcgrail skmcgrail skmcgrail approved these changes

@samuel40791765 samuel40791765 samuel40791765 approved these changes

@torben-hansen torben-hansen Awaiting requested review from torben-hansen

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@justsmth @codecov-commenter @skmcgrail @samuel40791765