add TrustedSystemCAKeys sshd option for system CA load

JacobBarthelmeh · JacobBarthelmeh · commit 40302ac4ed27 · 2026-03-24T21:32:58.000-04:00
diff --git a/apps/wolfsshd/configuration.c b/apps/wolfsshd/configuration.c
@@ -89,6 +89,7 @@ struct WOLFSSHD_CONFIG {
     byte permitRootLogin:1;
     byte permitEmptyPasswords:1;
     byte authKeysFileSet:1; /* if not set then no explicit authorized keys */
+    byte useSystemCA:1;
 };
 
 int CountWhitespace(const char* in, int inSz, byte inv);
@@ -350,6 +351,7 @@ enum {
     OPT_TRUSTED_USER_CA_KEYS    = 21,
     OPT_PIDFILE                 = 22,
     OPT_BANNER                  = 23,
+    OPT_TRUSTED_SYSTEM_CA_KEYS  = 24,
 };
 enum {
     NUM_OPTIONS = 24
@@ -378,6 +380,7 @@ static const CONFIG_OPTION options[NUM_OPTIONS] = {
     {OPT_FORCE_CMD,               "ForceCommand"},
     {OPT_HOST_CERT,               "HostCertificate"},
     {OPT_TRUSTED_USER_CA_KEYS,    "TrustedUserCAKeys"},
+    {OPT_TRUSTED_SYSTEM_CA_KEYS,  "TrustedSystemCAKeys"},
     {OPT_PIDFILE,                 "PidFile"},
     {OPT_BANNER,                  "Banner"},
 };
@@ -1021,6 +1024,9 @@ static int HandleConfigOption(WOLFSSHD_CONFIG** conf, int opt,
             /* TODO: Add logic to check if file exists? */
             ret = wolfSSHD_ConfigSetUserCAKeysFile(*conf, value);
             break;
+        case OPT_TRUSTED_SYSTEM_CA_KEYS:
+            ret = wolfSSHD_ConfigSetSystemCA(*conf, value);
+            break;
         case OPT_PIDFILE:
             ret = SetFileString(&(*conf)->pidFile, value, (*conf)->heap);
             break;
@@ -1309,6 +1315,44 @@ char* wolfSSHD_ConfigGetHostCertFile(const WOLFSSHD_CONFIG* conf)
     return ret;
 }
 
+
+/* getter function for if using system CAs
+ * return 1 if true and 0 if false */
+int wolfSSHD_ConfigGetSystemCA(const WOLFSSHD_CONFIG* conf)
+{
+    if (conf != NULL) {
+        return conf->useSystemCA;
+    }
+    return 0;
+}
+
+
+/* setter function for if using system CAs
+ * 'yes' if true and 'no' if false
+ * returns WS_SUCCESS on success */
+int wolfSSHD_ConfigSetSystemCA(WOLFSSHD_CONFIG* conf, const char* value)
+{
+    int ret = WS_SUCCESS;
+
+    if (conf != NULL) {
+        if (WSTRCMP(value, "yes") == 0) {
+            wolfSSH_Log(WS_LOG_INFO, "[SSHD] System CAs enabled");
+            conf->useSystemCA = 1;
+        }
+        else if (WSTRCMP(value, "no") == 0) {
+            wolfSSH_Log(WS_LOG_INFO, "[SSHD] System CAs disabled");
+            conf->useSystemCA = 0;
+        }
+        else {
+            wolfSSH_Log(WS_LOG_INFO, "[SSHD] System CAs unexpected flag");
+            ret = WS_FATAL_ERROR;
+        }
+    }
+
+    return ret;
+}
+
+
 char* wolfSSHD_ConfigGetUserCAKeysFile(const WOLFSSHD_CONFIG* conf)
 {
     char* ret = NULL;
diff --git a/apps/wolfsshd/configuration.h b/apps/wolfsshd/configuration.h
@@ -42,6 +42,8 @@ char* wolfSSHD_ConfigGetHostCertFile(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetUserCAKeysFile(const WOLFSSHD_CONFIG* conf);
 int wolfSSHD_ConfigSetHostKeyFile(WOLFSSHD_CONFIG* conf, const char* file);
 int wolfSSHD_ConfigSetHostCertFile(WOLFSSHD_CONFIG* conf, const char* file);
+int wolfSSHD_ConfigSetSystemCA(WOLFSSHD_CONFIG* conf, const char* value);
+int wolfSSHD_ConfigGetSystemCA(const WOLFSSHD_CONFIG* conf);
 int wolfSSHD_ConfigSetUserCAKeysFile(WOLFSSHD_CONFIG* conf, const char* file);
 word16 wolfSSHD_ConfigGetPort(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetAuthKeysFile(const WOLFSSHD_CONFIG* conf);
diff --git a/apps/wolfsshd/wolfsshd.c b/apps/wolfsshd/wolfsshd.c
@@ -433,6 +433,39 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx,
 #endif /* WOLFSSH_OSSH_CERTS || WOLFSSH_CERTS */
 
 #ifdef WOLFSSH_CERTS
+    /* check if loading in system CA certs */
+    if (ret == WS_SUCCESS && wolfSSHD_ConfigGetSystemCA(conf)) {
+        WOLFSSL_CTX* sslCtx;
+
+        wolfSSH_Log(WS_LOG_INFO, "[SSHD] Using system CAs");
+        sslCtx = wolfSSL_CTX_new(wolfSSLv23_method());
+        if (sslCtx == NULL) {
+            wolfSSH_Log(WS_LOG_INFO, "[SSHD] Unable to create temporary CTX");
+            ret = WS_FATAL_ERROR;
+        }
+
+        if (ret == WS_SUCCESS) {
+            if (wolfSSL_CTX_load_system_CA_certs(sslCtx) != WOLFSSL_SUCCESS) {
+                wolfSSH_Log(WS_LOG_INFO, "[SSHD] Issue loading system CAs");
+                ret = WS_FATAL_ERROR;
+            }
+        }
+
+        if (ret == WS_SUCCESS) {
+            if (wolfSSH_SetCertManager(*ctx,
+                wolfSSL_CTX_GetCertManager(sslCtx)) != WS_SUCCESS) {
+                wolfSSH_Log(WS_LOG_INFO,
+                    "[SSHD] Issue copying over system CAs");
+                ret = WS_FATAL_ERROR;
+            }
+        }
+
+        if (sslCtx != NULL) {
+            wolfSSL_CTX_free(sslCtx);
+        }
+    }
+
+    /* load in CA certs from file set */
     if (ret == WS_SUCCESS) {
         char* caCert = wolfSSHD_ConfigGetUserCAKeysFile(conf);
         if (caCert != NULL) {
diff --git a/src/certman.c b/src/certman.c
@@ -36,7 +36,6 @@
 #endif
 
 
-#include <wolfssl/ssl.h>
 #include <wolfssl/ocsp.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/error-ssl.h>
@@ -84,6 +83,26 @@ struct WOLFSSH_CERTMAN {
 };
 
 
+/* used to import an external cert manager, frees and replaces existing manager
+ * returns WS_SUCCESS on success
+ */
+int wolfSSH_SetCertManager(WOLFSSH_CTX* ctx, WOLFSSL_CERT_MANAGER* cm)
+{
+    if (ctx == NULL || cm == NULL) {
+        return WS_BAD_ARGUMENT;
+    }
+
+    /* free up existing cm if present */
+    if (ctx->certMan != NULL && ctx->certMan->cm != NULL) {
+        wolfSSL_CertManagerFree(ctx->certMan->cm);
+    }
+    wolfSSL_CertManager_up_ref(cm);
+    ctx->certMan->cm = cm;
+
+    return WS_SUCCESS;
+}
+
+
 static WOLFSSH_CERTMAN* _CertMan_init(WOLFSSH_CERTMAN* cm, void* heap)
 {
     WOLFSSH_CERTMAN* ret = NULL;
diff --git a/wolfssh/certman.h b/wolfssh/certman.h
@@ -30,6 +30,7 @@
 
 #include <wolfssh/settings.h>
 #include <wolfssh/port.h>
+#include <wolfssl/ssl.h> /* included for WOLFSSL_CERT_MANAGER struct */
 
 #ifdef __cplusplus
 extern "C" {
@@ -40,6 +41,9 @@ struct WOLFSSH_CERTMAN;
 typedef struct WOLFSSH_CERTMAN WOLFSSH_CERTMAN;
 
 
+WOLFSSH_API
+int wolfSSH_SetCertManager(WOLFSSH_CTX* ctx, WOLFSSL_CERT_MANAGER* cm);
+
 WOLFSSH_API
 WOLFSSH_CERTMAN* wolfSSH_CERTMAN_new(void* heap);
 
diff --git a/wolfssh/test.h b/wolfssh/test.h
@@ -1109,6 +1109,7 @@ static INLINE void build_addr_ipv6(struct sockaddr_in6* addr, const char* peer,
 
 #define BAD 0xFF
 
+#ifndef WOLFSSL_BASE16
 static const byte hexDecode[] =
 {
     0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
@@ -1178,7 +1179,9 @@ static int Base16_Decode(const byte* in, word32 inLen,
     *outLen = outIdx;
     return 0;
 }
-
+#else
+    #include <wolfssl/wolfcrypt/coding.h>
+#endif /* !WOLFSSL_BASE16 */
 
 static void FreeBins(byte* b1, byte* b2, byte* b3, byte* b4)
 {

Original file line number	Diff line number	Diff line change
`@@ -1109,6 +1109,7 @@ static INLINE void build_addr_ipv6(struct sockaddr_in6* addr, const char* peer,`
`1109`	`1109`
`1110`	`1110`	`#define BAD 0xFF`
`1111`	`1111`
	`1112`	`+#ifndef WOLFSSL_BASE16`
`1112`	`1113`	`static const byte hexDecode[] =`
`1113`	`1114`	`{`
`1114`	`1115`	`0, 1, 2, 3, 4, 5, 6, 7, 8, 9,`
`@@ -1178,7 +1179,9 @@ static int Base16_Decode(const byte* in, word32 inLen,`
`1178`	`1179`	`*outLen = outIdx;`
`1179`	`1180`	`return 0;`
`1180`	`1181`	`}`
`1181`		`-`
	`1182`	`+#else`
	`1183`	`+ #include <wolfssl/wolfcrypt/coding.h>`
	`1184`	`+#endif /* !WOLFSSL_BASE16 */`
`1182`	`1185`
`1183`	`1186`	`static void FreeBins(byte* b1, byte* b2, byte* b3, byte* b4)`
`1184`	`1187`	`{`