From 0b7f2936917d94a90764b843ad6d0f43501b798d Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 29 May 2024 16:32:31 -0700 Subject: [PATCH 1/2] Expose `wc_CheckCertSigPubKey` with `WOLFSSL_SMALL_CERT_VERIFY`. --- wolfcrypt/src/asn.c | 8 ++------ wolfssl/wolfcrypt/asn.h | 4 ++-- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index f5ed8804ff..1a7b0cd364 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -23217,9 +23217,7 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, #endif /* WOLFSSL_ASN_TEMPLATE */ } -#ifdef OPENSSL_EXTRA -/* Call CheckCertSignature_ex using a public key buffer for verification - */ +/* Call CheckCertSignature_ex using a public key buffer for verification */ int CheckCertSignaturePubKey(const byte* cert, word32 certSz, void* heap, const byte* pubKey, word32 pubKeySz, int pubKeyOID) { @@ -23242,15 +23240,13 @@ int CheckCSRSignaturePubKey(const byte* cert, word32 certSz, void* heap, pubKey, pubKeySz, pubKeyOID, 1); } #endif /* WOLFSSL_CERT_REQ */ -#endif /* OPENSSL_EXTRA */ -#ifdef WOLFSSL_SMALL_CERT_VERIFY + /* Call CheckCertSignature_ex using a certificate manager (cm) */ int CheckCertSignature(const byte* cert, word32 certSz, void* heap, void* cm) { return CheckCertSignature_ex(cert, certSz, heap, cm, NULL, 0, 0, 0); } -#endif /* WOLFSSL_SMALL_CERT_VERIFY */ #endif /* WOLFSSL_SMALL_CERT_VERIFY || OPENSSL_EXTRA */ #if (defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT) || \ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index d848dbc4dc..cfd76e3743 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
@@ -2138,11 +2138,11 @@ WOLFSSL_LOCAL int EncodePolicyOID(byte *out, word32 *outSz, WOLFSSL_API int CheckCertSignature(const byte*,word32,void*,void* cm); WOLFSSL_LOCAL int CheckCertSignaturePubKey(const byte* cert, word32 certSz, void* heap, const byte* pubKey, word32 pubKeySz, int pubKeyOID); -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_SMALL_CERT_VERIFY) WOLFSSL_API int wc_CheckCertSigPubKey(const byte* cert, word32 certSz, void* heap, const byte* pubKey, word32 pubKeySz, int pubKeyOID); -#endif +#endif /* OPENSSL_EXTRA || WOLFSSL_SMALL_CERT_VERIFY */ #ifdef WOLFSSL_DUAL_ALG_CERTS WOLFSSL_LOCAL int wc_ConfirmAltSignature( const byte* buf, word32 bufSz, From 0789ecb808cb37e607c1ea9b761b21c9ab83f36c Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 31 May 2024 06:58:35 -0700 Subject: [PATCH 2/2] Fix the `CheckCertSignature` API mess. --- src/internal.c | 2 +- tests/api.c | 24 ++++++++++++------------ wolfcrypt/src/asn.c | 6 +++--- wolfssl/wolfcrypt/asn.h | 14 ++++++++++---- 4 files changed, 26 insertions(+), 20 deletions(-) diff --git a/src/internal.c b/src/internal.c index b4f822119b..520b62c6bc 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14041,7 +14041,7 @@ PRAGMA_GCC_DIAG_POP } /* perform cert parsing and signature check */ - sigRet = CheckCertSignature(cert->buffer, cert->length, + sigRet = wc_CheckCertSignature(cert->buffer, cert->length, ssl->heap, SSL_CM(ssl)); /* fail on errors here after the ParseCertRelative call, so dCert is populated */ diff --git a/tests/api.c b/tests/api.c index 785924a16a..442efd91e0 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -53043,37 +53043,37 @@ static int test_CheckCertSignature(void) int certSz; #endif - ExpectIntEQ(BAD_FUNC_ARG, CheckCertSignature(NULL, 0, NULL, NULL)); + ExpectIntEQ(BAD_FUNC_ARG, wc_CheckCertSignature(NULL, 0, NULL, NULL)); ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); - ExpectIntEQ(BAD_FUNC_ARG, CheckCertSignature(NULL, 0, NULL, cm)); + ExpectIntEQ(BAD_FUNC_ARG, wc_CheckCertSignature(NULL, 0, NULL, cm)); #ifndef NO_RSA #ifdef USE_CERT_BUFFERS_1024 - ExpectIntEQ(ASN_NO_SIGNER_E, CheckCertSignature(server_cert_der_1024, + ExpectIntEQ(ASN_NO_SIGNER_E, wc_CheckCertSignature(server_cert_der_1024, sizeof_server_cert_der_1024, NULL, cm)); ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCABuffer(cm, ca_cert_der_1024, sizeof_ca_cert_der_1024, WOLFSSL_FILETYPE_ASN1)); - ExpectIntEQ(0, CheckCertSignature(server_cert_der_1024, + ExpectIntEQ(0, wc_CheckCertSignature(server_cert_der_1024, sizeof_server_cert_der_1024, NULL, cm)); #elif defined(USE_CERT_BUFFERS_2048) - ExpectIntEQ(ASN_NO_SIGNER_E, CheckCertSignature(server_cert_der_2048, + ExpectIntEQ(ASN_NO_SIGNER_E, wc_CheckCertSignature(server_cert_der_2048, sizeof_server_cert_der_2048, NULL, cm)); ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCABuffer(cm, ca_cert_der_2048, sizeof_ca_cert_der_2048, WOLFSSL_FILETYPE_ASN1)); - ExpectIntEQ(0, CheckCertSignature(server_cert_der_2048, + ExpectIntEQ(0, wc_CheckCertSignature(server_cert_der_2048, sizeof_server_cert_der_2048, NULL, cm)); #endif #endif #if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) - ExpectIntEQ(ASN_NO_SIGNER_E, CheckCertSignature(serv_ecc_der_256, + ExpectIntEQ(ASN_NO_SIGNER_E, wc_CheckCertSignature(serv_ecc_der_256, sizeof_serv_ecc_der_256, NULL, cm)); ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCABuffer(cm, ca_ecc_cert_der_256, sizeof_ca_ecc_cert_der_256, WOLFSSL_FILETYPE_ASN1)); - ExpectIntEQ(0, CheckCertSignature(serv_ecc_der_256, sizeof_serv_ecc_der_256, + ExpectIntEQ(0, wc_CheckCertSignature(serv_ecc_der_256, 
sizeof_serv_ecc_der_256, NULL, cm)); #endif @@ -53088,10 +53088,10 @@ static int test_CheckCertSignature(void) XFCLOSE(fp); fp = XBADFILE; } - ExpectIntEQ(ASN_NO_SIGNER_E, CheckCertSignature(cert, certSz, NULL, cm)); + ExpectIntEQ(ASN_NO_SIGNER_E, wc_CheckCertSignature(cert, certSz, NULL, cm)); ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(cm, "./certs/ca-cert.pem", NULL)); - ExpectIntEQ(0, CheckCertSignature(cert, certSz, NULL, cm)); + ExpectIntEQ(0, wc_CheckCertSignature(cert, certSz, NULL, cm)); #endif #ifdef HAVE_ECC ExpectTrue((fp = XFOPEN("./certs/server-ecc.der", "rb")) != XBADFILE); @@ -53100,10 +53100,10 @@ static int test_CheckCertSignature(void) XFCLOSE(fp); fp = XBADFILE; } - ExpectIntEQ(ASN_NO_SIGNER_E, CheckCertSignature(cert, certSz, NULL, cm)); + ExpectIntEQ(ASN_NO_SIGNER_E, wc_CheckCertSignature(cert, certSz, NULL, cm)); ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(cm, "./certs/ca-ecc-cert.pem", NULL)); - ExpectIntEQ(0, CheckCertSignature(cert, certSz, NULL, cm)); + ExpectIntEQ(0, wc_CheckCertSignature(cert, certSz, NULL, cm)); #endif #endif diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 1a7b0cd364..eec9ba8531 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -23225,6 +23225,7 @@ int CheckCertSignaturePubKey(const byte* cert, word32 certSz, void* heap, pubKey, pubKeySz, pubKeyOID, 0); } +/* Call CheckCertSignature_ex using a public key and oid */ int wc_CheckCertSigPubKey(const byte* cert, word32 certSz, void* heap, const byte* pubKey, word32 pubKeySz, int pubKeyOID) { 
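Review bot: The deprecated `CheckCertSignature` name loses all test coverage in test_CheckCertSignature, because every assertion now calls `wc_CheckCertSignature` and nothing in the visible tests goes through the compatibility macro this patch adds in asn.h. Keeping one call through the old name, for example `ExpectIntEQ(BAD_FUNC_ARG, CheckCertSignature(NULL, 0, NULL, NULL));`, would make a later break of the macro fail the build. The same applies to the two following api.c hunks (-53088 and -53100), which are renamed the same way. The test function starts and ends outside these hunks.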
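Review bot: The one-line comment added above `wc_CheckCertSigPubKey` does not state the contract of a function that asn.h exports as `WOLFSSL_API`, and the same holds for `wc_CheckCertSignature` in the next asn.c hunk (-23241). A fuller comment would give the return convention that the api.c tests in this patch rely on for the cm variant (`0` on success, `BAD_FUNC_ARG` for a NULL certificate, `ASN_NO_SIGNER_E` when the cert manager holds no matching CA) and say what `pubKeyOID` must identify. It should also say that these calls appear to check the signature only, as the names and the internal.c call site suggest, so a return of 0 is presumably not full certificate validation (validity dates, constraints, revocation). That last point is inferred, since `CheckCertSignature_ex` is not shown. The body of `wc_CheckCertSigPubKey` continues outside the hunk.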
@@ -23241,9 +23242,8 @@ int CheckCSRSignaturePubKey(const byte* cert, word32 certSz, void* heap, } #endif /* WOLFSSL_CERT_REQ */ -/* Call CheckCertSignature_ex using a certificate manager (cm) - */ -int CheckCertSignature(const byte* cert, word32 certSz, void* heap, void* cm) +/* Call CheckCertSignature_ex using a certificate manager (cm) */ +int wc_CheckCertSignature(const byte* cert, word32 certSz, void* heap, void* cm) { return CheckCertSignature_ex(cert, certSz, heap, cm, NULL, 0, 0, 0); } diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index cfd76e3743..7bdd47c976 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -2135,14 +2135,20 @@ WOLFSSL_LOCAL int DecodePolicyOID(char *out, word32 outSz, const byte *in, word32 inSz); WOLFSSL_LOCAL int EncodePolicyOID(byte *out, word32 *outSz, const char *in, void* heap); -WOLFSSL_API int CheckCertSignature(const byte*,word32,void*,void* cm); WOLFSSL_LOCAL int CheckCertSignaturePubKey(const byte* cert, word32 certSz, void* heap, const byte* pubKey, word32 pubKeySz, int pubKeyOID); #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_SMALL_CERT_VERIFY) -WOLFSSL_API int wc_CheckCertSigPubKey(const byte* cert, word32 certSz, - void* heap, const byte* pubKey, - word32 pubKeySz, int pubKeyOID); + WOLFSSL_API int wc_CheckCertSignature(const byte* cert, word32 certSz, + void* heap, void* cm); + /* Depricated public API name kept for backwards build compatibility */ + #define CheckCertSignature(cert, certSz, heap, cm) \ + wc_CheckCertSignature(cert, certSz, heap, cm) + + WOLFSSL_API int wc_CheckCertSigPubKey(const byte* cert, word32 certSz, + void* heap, const byte* pubKey, + word32 pubKeySz, int pubKeyOID); #endif /* OPENSSL_EXTRA || WOLFSSL_SMALL_CERT_VERIFY */ + #ifdef WOLFSSL_DUAL_ALG_CERTS WOLFSSL_LOCAL int wc_ConfirmAltSignature( const byte* buf, word32 bufSz,
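Review bot: The function-like `CheckCertSignature(cert, certSz, heap, cm)` macro keeps old call sites compiling but not every existing use. Code that takes the function's address or passes the bare name as a callback is not expanded, and a binary linked against the previously exported `CheckCertSignature` symbol will no longer resolve it. An object-like alias, `#define CheckCertSignature wc_CheckCertSignature`, would cover the address-of case, and the symbol removal is an ABI change that probably belongs in the release notes. The old prototype was unconditional, while the macro now sits inside `OPENSSL_EXTRA || WOLFSSL_SMALL_CERT_VERIFY`; that matches where asn.c defines the function, but callers built without either option lose the declaration. The comment above the macro is also misspelled and should read `/* Deprecated public API name kept for backwards build compatibility */`.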