Address third round of review comments

- Include <ctype.h> for isalpha() in Windows absolute path check
- Reject zero-length payload (length <= saltAndIvSize) in decrypt
- Assert x509 extraction succeeds and produces output file in client test

Author: julek-wolfssl

src/crypto/clu_decrypt.c

@@ -77,9 +77,11 @@ int wolfCLU_decrypt(int alg, char* mode, byte* pwdKey, byte* key, int size,
     length = (int)XFTELL(inFile);
     XFSEEK(inFile, 0, SEEK_SET);
 
-    /* Validate file is large enough for salt + IV header */
-    if (length < saltAndIvSize) {
-        wolfCLU_LogError("Input file too small (missing salt/IV).");
+    /* Validate file contains salt + IV header plus at least one byte of
+     * ciphertext. A length equal to saltAndIvSize means there is no
+     * encrypted payload to decrypt. */
+    if (length <= saltAndIvSize) {
+        wolfCLU_LogError("Input file too small (missing salt/IV or payload).");
         XFCLOSE(inFile);
         XFCLOSE(outFile);
         return DECRYPT_ERROR;

src/x509/clu_x509_sign.c

@@ -25,6 +25,8 @@
 #include <wolfclu/x509/clu_parse.h>
 #include <wolfclu/x509/clu_x509_sign.h>
 #include <wolfclu/x509/clu_cert.h>
+
+#include <ctype.h>
 #ifdef HAVE_DILITHIUM
     #include <wolfssl/wolfcrypt/dilithium.h>
 #endif  /* HAVE_DILITHIUM */

tests/client/client-test.py

@@ -49,6 +49,11 @@ def test_s_client_x509(self):
             capture_output=True,
             timeout=60,
         )
+        self.assertEqual(x509_extract.returncode, 0,
+                         f"x509 extraction failed: {x509_extract.stderr}")
+        self.assertTrue(os.path.exists(tmp_crt),
+                        f"x509 did not create output file: "
+                        f"{x509_extract.stderr}")
 
         # Read back the cert
         result = run_wolfssl("x509", "-in", tmp_crt)