wolfSSL · ColtonWilley · Jun 6, 2025 · Jun 6, 2025 · Jun 6, 2025 · Jun 30, 2025
diff --git a/src/x509.c b/src/x509.c
@@ -7587,19 +7587,7 @@ const char* wolfSSL_X509_verify_cert_error_string(long err)
 
 #ifdef OPENSSL_EXTRA
 
-/* Add directory path that will be used for loading certs and CRLs
- * which have the <hash>.rn name format.
- * type may be WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * returns WOLFSSL_SUCCESS on successful, otherwise negative or zero. */
-int wolfSSL_X509_LOOKUP_add_dir(WOLFSSL_X509_LOOKUP* lookup, const char* dir,
-                               long type)
-{
-    return wolfSSL_X509_LOOKUP_ctrl(lookup, WOLFSSL_X509_L_ADD_DIR, dir, type,
-                                    NULL);
-}
-
-int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
-                                 const char* file, long type)
+int X509LoadPemFile(WOLFSSL_X509_STORE *store, const char* file)
 {
 #if !defined(NO_FILESYSTEM) && \
     (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM))
@@ -7612,9 +7600,6 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
     const char* header = NULL;
     const char* footer = NULL;
 
-    if (type != WOLFSSL_FILETYPE_PEM)
-        return WS_RETURN_CODE(BAD_FUNC_ARG, (int)WOLFSSL_FAILURE);
-
     fp = XFOPEN(file, "rb");
     if (fp == XBADFILE)
         return WS_RETURN_CODE(BAD_FUNC_ARG, (int)WOLFSSL_FAILURE);
@@ -7650,7 +7635,7 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
         if (wc_PemGetHeaderFooter(CRL_TYPE, &header, &footer) == 0 &&
                 XSTRNSTR((char*)curr, header, (unsigned int)sz) != NULL) {
 #ifdef HAVE_CRL
-            WOLFSSL_CERT_MANAGER* cm = lookup->store->cm;
+            WOLFSSL_CERT_MANAGER* cm = store->cm;
 
             if (cm->crl == NULL) {
                 if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK)
@@ -7669,7 +7654,7 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
         }
         else if (wc_PemGetHeaderFooter(CERT_TYPE, &header, &footer) == 0 &&
                 XSTRNSTR((char*)curr, header, (unsigned int)sz) != NULL) {
-            ret = X509StoreLoadCertBuffer(lookup->store, curr,
+            ret = X509StoreLoadCertBuffer(store, curr,
                                         (word32)sz, WOLFSSL_FILETYPE_PEM);
             if (ret != WOLFSSL_SUCCESS)
                 goto end;
@@ -7691,6 +7676,34 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
     XFREE(pem, 0, DYNAMIC_TYPE_PEM);
     XFCLOSE(fp);
     return WS_RETURN_CODE(ret, (int)WOLFSSL_FAILURE);
+#else
+    (void)store;
+    (void)file;
+    return WS_RETURN_CODE(WOLFSSL_FAILURE,WOLFSSL_FAILURE);
+#endif
+}
+
+/* Add directory path that will be used for loading certs and CRLs
+ * which have the <hash>.rn name format.
+ * type may be WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
+ * returns WOLFSSL_SUCCESS on successful, otherwise negative or zero. */
+int wolfSSL_X509_LOOKUP_add_dir(WOLFSSL_X509_LOOKUP* lookup, const char* dir,
+                               long type)
+{
+    return wolfSSL_X509_LOOKUP_ctrl(lookup, WOLFSSL_X509_L_ADD_DIR, dir, type,
+                                    NULL);
+}
+
+int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
+                                 const char* file, long type)
+{
+#if !defined(NO_FILESYSTEM) && \
+    (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM))
+
+    if (type != WOLFSSL_FILETYPE_PEM)
+        return WS_RETURN_CODE(BAD_FUNC_ARG, (int)WOLFSSL_FAILURE);
+
+    return X509LoadPemFile(lookup->store, file);
 #else
     (void)lookup;
     (void)file;

diff --git a/src/x509_str.c b/src/x509_str.c
@@ -1512,74 +1512,6 @@ int X509StoreLoadCertBuffer(WOLFSSL_X509_STORE *str,
 
 #if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
 
-static int X509StoreReadFile(const char *fname,
-                StaticBuffer *content, word32 *bytesRead, int *type)
-{
-    int ret = -1;
-    long sz = 0;
-#ifdef HAVE_CRL
-    const char* header = NULL;
-    const char* footer = NULL;
-#endif
-
-    ret = wolfssl_read_file_static(fname, content, NULL, DYNAMIC_TYPE_FILE,
-        &sz);
-    if (ret == 0) {
-        *type = CERT_TYPE;
-        *bytesRead = (word32)sz;
-#ifdef HAVE_CRL
-        /* Look for CRL header and footer. */
-        if (wc_PemGetHeaderFooter(CRL_TYPE, &header, &footer) == 0 &&
-                (XSTRNSTR((char*)content->buffer, header, (word32)sz) !=
-                    NULL)) {
-            *type = CRL_TYPE;
-        }
-#endif
-    }
-
-    return (ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE);
-}
-
-static int X509StoreLoadFile(WOLFSSL_X509_STORE *str,
-                                        const char *fname)
-{
-    int ret = WOLFSSL_SUCCESS;
-    int type = 0;
-#ifndef WOLFSSL_SMALL_STACK
-    byte   stackBuffer[FILE_BUFFER_SIZE];
-#endif
-    StaticBuffer content;
-    word32 contentLen = 0;
-
-#ifdef WOLFSSL_SMALL_STACK
-    static_buffer_init(&content);
-#else
-    static_buffer_init(&content, stackBuffer, FILE_BUFFER_SIZE);
-#endif
-
-    WOLFSSL_MSG_EX("X509StoreLoadFile: Loading file: %s", fname);
-
-    ret = X509StoreReadFile(fname, &content, &contentLen, &type);
-    if (ret != WOLFSSL_SUCCESS) {
-        WOLFSSL_MSG("Failed to load file");
-        ret = WOLFSSL_FAILURE;
-    }
-
-    if ((ret == WOLFSSL_SUCCESS) && (type == CERT_TYPE)) {
-        ret = X509StoreLoadCertBuffer(str, content.buffer,
-                                        contentLen, WOLFSSL_FILETYPE_PEM);
-    }
-#ifdef HAVE_CRL
-    else if ((ret == WOLFSSL_SUCCESS) && (type == CRL_TYPE)) {
-        ret = BufferLoadCRL(str->cm->crl, content.buffer, contentLen,
-                                        WOLFSSL_FILETYPE_PEM, 0);
-    }
-#endif
-
-    static_buffer_free(&content, NULL, DYNAMIC_TYPE_FILE);
-    return ret;
-}
-
 /* Loads certificate(s) files in pem format into X509_STORE struct from either
  * a file or directory.
  * Returns WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE if an error occurs.
@@ -1609,23 +1541,9 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str,
     wolfSSL_CertManagerFree(ctx->cm);
     ctx->cm = str->cm;
 
-#ifdef HAVE_CRL
-    if (str->cm->crl == NULL) {
-        /* Workaround to allocate the internals to load CRL's but don't enable
-         * CRL checking by default */
-        if (wolfSSL_CertManagerEnableCRL(str->cm, WOLFSSL_CRL_CHECK)
-                != WOLFSSL_SUCCESS ||
-                wolfSSL_CertManagerDisableCRL(str->cm) != WOLFSSL_SUCCESS) {
-            WOLFSSL_MSG("Enable CRL failed");
-            wolfSSL_CTX_free(ctx);
-            return WOLFSSL_FAILURE;
-        }
-    }
-#endif
-
     /* Load individual file */
     if (file) {
-        ret = X509StoreLoadFile(str, file);
+        ret = X509LoadPemFile(str, file);
         if (ret != WOLFSSL_SUCCESS) {
             WOLFSSL_MSG("Failed to load file");
             ret = WOLFSSL_FAILURE;
@@ -1651,7 +1569,7 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str,
         while (ret == 0 && name) {
             WOLFSSL_MSG(name);
 
-            ret = X509StoreLoadFile(str, name);
+            ret = X509LoadPemFile(str, name);
             /* Not failing on load errors */
             if (ret != WOLFSSL_SUCCESS)
                 WOLFSSL_MSG("Failed to load file in path, continuing");

diff --git a/tests/api/test_x509.c b/tests/api/test_x509.c
@@ -148,3 +148,44 @@ int test_x509_rfc2818_verification_callback(void)
 #endif
     return EXPECT_RESULT();
 }
+
+int test_wolfSSL_X509_STORE_load_multiple_certs(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && \
+    !defined(NO_WOLFSSL_DIR) && !defined(NO_CERTS) && \
+    defined(WOLFSSL_SIGNER_DER_CERT)
+    X509_STORE *store = NULL;
+    STACK_OF(X509_OBJECT) *objs = NULL;
+    const char multi_cert_file[] = "./certs/intermediate/server-chain.pem";
+    int cert_count = 0;
+    int i;
+
+    /* The server-chain.pem file contains 3 certificates, ensure they
+     * all load into the store correctly */
+    ExpectNotNull(store = X509_STORE_new());
+    ExpectIntEQ(X509_STORE_load_locations(store, multi_cert_file, NULL),
+        WOLFSSL_SUCCESS);
+
+    /* Count X509 certificate objects in store and verify subject names */
+    ExpectNotNull(objs = X509_STORE_get0_objects(store));
+    for (i = 0; i < sk_X509_OBJECT_num(objs) && EXPECT_SUCCESS(); i++) {
+        X509_OBJECT *obj = (X509_OBJECT*)sk_X509_OBJECT_value(objs, i);
+        if (obj && X509_OBJECT_get_type(obj) == X509_LU_X509) {
+            WOLFSSL_X509* cert = X509_OBJECT_get0_X509(obj);
+            WOLFSSL_X509_NAME* name = X509_get_subject_name(cert);
+            char* subject = X509_NAME_oneline(name, NULL, 0);
+
+            ExpectNotNull(subject);
+            ExpectIntNE(XSTRLEN(subject), 0);
+
+            XFREE(subject, NULL, DYNAMIC_TYPE_OPENSSL);
+            cert_count++;
+        }
+    }
+
+    ExpectIntEQ(cert_count, 3);
+    X509_STORE_free(store);
+#endif
+    return EXPECT_RESULT();
+}
diff --git a/tests/api/test_x509.h b/tests/api/test_x509.h
@@ -23,8 +23,10 @@
 #define WOLFCRYPT_TEST_X509_H
 
 int test_x509_rfc2818_verification_callback(void);
+int test_wolfSSL_X509_STORE_load_multiple_certs(void);
 
 #define TEST_X509_DECLS                                                        \
-    TEST_DECL_GROUP("x509", test_x509_rfc2818_verification_callback)
+    TEST_DECL_GROUP("x509", test_x509_rfc2818_verification_callback),          \
+    TEST_DECL_GROUP("x509", test_wolfSSL_X509_STORE_load_multiple_certs)
 
 #endif /* WOLFCRYPT_TEST_X509_H */
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
@@ -2791,6 +2791,7 @@ WOLFSSL_LOCAL void CleanupStoreCtxCallback(WOLFSSL_X509_STORE_CTX* store,
 #endif /* !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) */
 WOLFSSL_LOCAL int X509StoreLoadCertBuffer(WOLFSSL_X509_STORE *str,
                                         byte *buf, word32 bufLen, int type);
+WOLFSSL_LOCAL int X509LoadPemFile(WOLFSSL_X509_STORE *str, const char* file);
 #endif /* !defined NO_CERTS */
 
 /* wolfSSL Sock Addr */