From 68219953a21fcceb5db2409952fab4d449cd7fe7 Mon Sep 17 00:00:00 2001
From: Lindsay Stewart <slindsay@amazon.com>
Date: Mon, 30 Oct 2023 11:20:04 -0700
Subject: [PATCH 1/3] Change pkey parse methods to return s2n_result

---
 crypto/s2n_certificate.c                      |  6 +-
 crypto/s2n_ecdsa.c                            | 18 ++--
 crypto/s2n_ecdsa.h                            |  6 +-
 crypto/s2n_pkey.c                             | 83 +++++++------------
 crypto/s2n_pkey.h                             |  6 +-
 crypto/s2n_rsa.c                              | 18 ++--
 crypto/s2n_rsa.h                              |  6 +-
 crypto/s2n_rsa_pss.c                          | 38 ++++-----
 crypto/s2n_rsa_pss.h                          |  6 +-
 tests/fuzz/s2n_client_cert_verify_recv_test.c |  2 +-
 tests/unit/s2n_ecdsa_test.c                   |  6 +-
 tests/unit/s2n_evp_signing_test.c             |  2 +-
 tests/unit/s2n_pem_rsa_dhe_test.c             |  4 +-
 tests/unit/s2n_rsa_pss_rsae_test.c            |  8 +-
 tests/unit/s2n_rsa_pss_test.c                 | 10 +--
 tests/unit/s2n_tls13_cert_verify_test.c       | 16 ++--
 tests/unit/s2n_x509_validator_test.c          |  2 +-
 tls/s2n_async_pkey.c                          |  2 +-
 tls/s2n_client_cert.c                         |  2 +-
 tls/s2n_server_cert.c                         |  2 +-
 tls/s2n_x509_validator.c                      |  3 +-
 21 files changed, 110 insertions(+), 136 deletions(-)

diff --git a/crypto/s2n_certificate.c b/crypto/s2n_certificate.c
index 896b8e77bf3..b52e9498567 100644
--- a/crypto/s2n_certificate.c
+++ b/crypto/s2n_certificate.c
@@ -36,7 +36,7 @@ int s2n_cert_set_cert_type(struct s2n_cert *cert, s2n_pkey_type pkey_type)
 {
     POSIX_ENSURE_REF(cert);
     cert->pkey_type = pkey_type;
-    POSIX_GUARD(s2n_pkey_setup_for_type(&cert->public_key, pkey_type));
+    POSIX_GUARD_RESULT(s2n_pkey_setup_for_type(&cert->public_key, pkey_type));
     return 0;
 }
 
@@ -127,7 +127,7 @@ int s2n_cert_chain_and_key_set_private_key_from_stuffer(struct s2n_cert_chain_an
     key_blob.data = s2n_stuffer_raw_read(key_out_stuffer, key_blob.size);
     POSIX_ENSURE_REF(key_blob.data);
 
-    POSIX_GUARD(s2n_asn1der_to_private_key(cert_and_key->private_key, &key_blob, type));
+    POSIX_GUARD_RESULT(s2n_asn1der_to_private_key(cert_and_key->private_key, &key_blob, type));
     return S2N_SUCCESS;
 }
 
@@ -364,7 +364,7 @@ int s2n_cert_chain_and_key_load(struct s2n_cert_chain_and_key *chain_and_key)
     /* Parse the leaf cert for the public key and certificate type */
     DEFER_CLEANUP(struct s2n_pkey public_key = { 0 }, s2n_pkey_free);
     s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
-    POSIX_GUARD(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type, &head->raw));
+    POSIX_GUARD_RESULT(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type, &head->raw));
     POSIX_ENSURE(pkey_type != S2N_PKEY_TYPE_UNKNOWN, S2N_ERR_CERT_TYPE_UNSUPPORTED);
     POSIX_GUARD(s2n_cert_set_cert_type(head, pkey_type));
 
diff --git a/crypto/s2n_ecdsa.c b/crypto/s2n_ecdsa.c
index 2761f933272..5ab9a45f721 100644
--- a/crypto/s2n_ecdsa.c
+++ b/crypto/s2n_ecdsa.c
@@ -184,25 +184,25 @@ static int s2n_ecdsa_check_key_exists(const struct s2n_pkey *pkey)
     return 0;
 }
 
-int s2n_evp_pkey_to_ecdsa_private_key(s2n_ecdsa_private_key *ecdsa_key, EVP_PKEY *evp_private_key)
+S2N_RESULT s2n_evp_pkey_to_ecdsa_private_key(s2n_ecdsa_private_key *ecdsa_key, EVP_PKEY *evp_private_key)
 {
     const EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(evp_private_key);
-    S2N_ERROR_IF(ec_key == NULL, S2N_ERR_DECODE_PRIVATE_KEY);
+    RESULT_ENSURE(ec_key != NULL, S2N_ERR_DECODE_PRIVATE_KEY);
 
     ecdsa_key->ec_key = ec_key;
-    return 0;
+    return S2N_RESULT_OK;
 }
 
-int s2n_evp_pkey_to_ecdsa_public_key(s2n_ecdsa_public_key *ecdsa_key, EVP_PKEY *evp_public_key)
+S2N_RESULT s2n_evp_pkey_to_ecdsa_public_key(s2n_ecdsa_public_key *ecdsa_key, EVP_PKEY *evp_public_key)
 {
     const EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(evp_public_key);
-    S2N_ERROR_IF(ec_key == NULL, S2N_ERR_DECODE_CERTIFICATE);
+    RESULT_ENSURE(ec_key != NULL, S2N_ERR_DECODE_CERTIFICATE);
 
     ecdsa_key->ec_key = ec_key;
-    return 0;
+    return S2N_RESULT_OK;
 }
 
-int s2n_ecdsa_pkey_init(struct s2n_pkey *pkey)
+S2N_RESULT s2n_ecdsa_pkey_init(struct s2n_pkey *pkey)
 {
     pkey->size = &s2n_ecdsa_der_signature_size;
     pkey->sign = &s2n_ecdsa_sign;
@@ -212,8 +212,8 @@ int s2n_ecdsa_pkey_init(struct s2n_pkey *pkey)
     pkey->match = &s2n_ecdsa_keys_match;
     pkey->free = &s2n_ecdsa_key_free;
     pkey->check_key = &s2n_ecdsa_check_key_exists;
-    POSIX_GUARD_RESULT(s2n_evp_signing_set_pkey_overrides(pkey));
-    return 0;
+    RESULT_GUARD(s2n_evp_signing_set_pkey_overrides(pkey));
+    return S2N_RESULT_OK;
 }
 
 int s2n_ecdsa_pkey_matches_curve(const struct s2n_ecdsa_key *ecdsa_key, const struct s2n_ecc_named_curve *curve)
diff --git a/crypto/s2n_ecdsa.h b/crypto/s2n_ecdsa.h
index 53d32aea51c..3bf4b77b6d7 100644
--- a/crypto/s2n_ecdsa.h
+++ b/crypto/s2n_ecdsa.h
@@ -43,8 +43,8 @@ struct s2n_ecdsa_key {
 typedef struct s2n_ecdsa_key s2n_ecdsa_public_key;
 typedef struct s2n_ecdsa_key s2n_ecdsa_private_key;
 
-int s2n_ecdsa_pkey_init(struct s2n_pkey *pkey);
+S2N_RESULT s2n_ecdsa_pkey_init(struct s2n_pkey *pkey);
 int s2n_ecdsa_pkey_matches_curve(const struct s2n_ecdsa_key *ecdsa_key, const struct s2n_ecc_named_curve *curve);
 
-int s2n_evp_pkey_to_ecdsa_public_key(s2n_ecdsa_public_key *ecdsa_key, EVP_PKEY *pkey);
-int s2n_evp_pkey_to_ecdsa_private_key(s2n_ecdsa_private_key *ecdsa_key, EVP_PKEY *pkey);
+S2N_RESULT s2n_evp_pkey_to_ecdsa_public_key(s2n_ecdsa_public_key *ecdsa_key, EVP_PKEY *pkey);
+S2N_RESULT s2n_evp_pkey_to_ecdsa_private_key(s2n_ecdsa_private_key *ecdsa_key, EVP_PKEY *pkey);
diff --git a/crypto/s2n_pkey.c b/crypto/s2n_pkey.c
index b44535a01c4..28671f9199c 100644
--- a/crypto/s2n_pkey.c
+++ b/crypto/s2n_pkey.c
@@ -40,7 +40,7 @@ int s2n_pkey_zero_init(struct s2n_pkey *pkey)
     return 0;
 }
 
-int s2n_pkey_setup_for_type(struct s2n_pkey *pkey, s2n_pkey_type pkey_type)
+S2N_RESULT s2n_pkey_setup_for_type(struct s2n_pkey *pkey, s2n_pkey_type pkey_type)
 {
     switch (pkey_type) {
         case S2N_PKEY_TYPE_RSA:
@@ -51,9 +51,9 @@ int s2n_pkey_setup_for_type(struct s2n_pkey *pkey, s2n_pkey_type pkey_type)
             return s2n_rsa_pss_pkey_init(pkey);
         case S2N_PKEY_TYPE_SENTINEL:
         case S2N_PKEY_TYPE_UNKNOWN:
-            POSIX_BAIL(S2N_ERR_CERT_TYPE_UNSUPPORTED);
+            RESULT_BAIL(S2N_ERR_CERT_TYPE_UNSUPPORTED);
     }
-    POSIX_BAIL(S2N_ERR_CERT_TYPE_UNSUPPORTED);
+    RESULT_BAIL(S2N_ERR_CERT_TYPE_UNSUPPORTED);
 }
 
 int s2n_pkey_check_key_exists(const struct s2n_pkey *pkey)
@@ -129,7 +129,7 @@ int s2n_pkey_free(struct s2n_pkey *key)
     return S2N_SUCCESS;
 }
 
-int s2n_asn1der_to_private_key(struct s2n_pkey *priv_key, struct s2n_blob *asn1der, int type_hint)
+S2N_RESULT s2n_asn1der_to_private_key(struct s2n_pkey *priv_key, struct s2n_blob *asn1der, int type_hint)
 {
     const unsigned char *key_to_parse = asn1der->data;
 
@@ -151,58 +151,45 @@ int s2n_asn1der_to_private_key(struct s2n_pkey *priv_key, struct s2n_blob *asn1d
     if (evp_private_key == NULL) {
         evp_private_key = d2i_PrivateKey(type_hint, NULL, &key_to_parse, asn1der->size);
     }
-    POSIX_ENSURE(evp_private_key, S2N_ERR_DECODE_PRIVATE_KEY);
+    RESULT_ENSURE(evp_private_key, S2N_ERR_DECODE_PRIVATE_KEY);
 
     /* If key parsing is successful, d2i_AutoPrivateKey increments *key_to_parse to the byte following the parsed data */
     uint32_t parsed_len = key_to_parse - asn1der->data;
-    if (parsed_len != asn1der->size) {
-        POSIX_BAIL(S2N_ERR_DECODE_PRIVATE_KEY);
-    }
+    RESULT_ENSURE(parsed_len == asn1der->size, S2N_ERR_DECODE_PRIVATE_KEY);
 
     /* Initialize s2n_pkey according to key type */
     int type = EVP_PKEY_base_id(evp_private_key);
-
-    int ret;
     switch (type) {
         case EVP_PKEY_RSA:
-            ret = s2n_rsa_pkey_init(priv_key);
-            if (ret != 0) {
-                break;
-            }
-            ret = s2n_evp_pkey_to_rsa_private_key(&priv_key->key.rsa_key, evp_private_key);
+            RESULT_GUARD(s2n_rsa_pkey_init(priv_key));
+            RESULT_GUARD(s2n_evp_pkey_to_rsa_private_key(&priv_key->key.rsa_key, evp_private_key));
             break;
         case EVP_PKEY_RSA_PSS:
-            ret = s2n_rsa_pss_pkey_init(priv_key);
-            if (ret != 0) {
-                break;
-            }
-            ret = s2n_evp_pkey_to_rsa_pss_private_key(&priv_key->key.rsa_key, evp_private_key);
+            RESULT_GUARD(s2n_rsa_pss_pkey_init(priv_key));
+            RESULT_GUARD(s2n_evp_pkey_to_rsa_pss_private_key(&priv_key->key.rsa_key, evp_private_key));
             break;
         case EVP_PKEY_EC:
-            ret = s2n_ecdsa_pkey_init(priv_key);
-            if (ret != 0) {
-                break;
-            }
-            ret = s2n_evp_pkey_to_ecdsa_private_key(&priv_key->key.ecdsa_key, evp_private_key);
+            RESULT_GUARD(s2n_ecdsa_pkey_init(priv_key));
+            RESULT_GUARD(s2n_evp_pkey_to_ecdsa_private_key(&priv_key->key.ecdsa_key, evp_private_key));
             break;
         default:
-            POSIX_BAIL(S2N_ERR_DECODE_PRIVATE_KEY);
+            RESULT_BAIL(S2N_ERR_DECODE_PRIVATE_KEY);
     }
 
     priv_key->pkey = evp_private_key;
-    /* Reset to avoid DEFER_CLEANUP freeing our key */
-    evp_private_key = NULL;
+    ZERO_TO_DISABLE_DEFER_CLEANUP(evp_private_key);
 
-    return ret;
+    return S2N_RESULT_OK;
 }
 
-int s2n_asn1der_to_public_key_and_type(struct s2n_pkey *pub_key, s2n_pkey_type *pkey_type_out, struct s2n_blob *asn1der)
+S2N_RESULT s2n_asn1der_to_public_key_and_type(struct s2n_pkey *pub_key,
+        s2n_pkey_type *pkey_type_out, struct s2n_blob *asn1der)
 {
     uint8_t *cert_to_parse = asn1der->data;
     DEFER_CLEANUP(X509 *cert = NULL, X509_free_pointer);
 
     cert = d2i_X509(NULL, (const unsigned char **) (void *) &cert_to_parse, asn1der->size);
-    S2N_ERROR_IF(cert == NULL, S2N_ERR_DECODE_CERTIFICATE);
+    RESULT_ENSURE(cert != NULL, S2N_ERR_DECODE_CERTIFICATE);
 
     /* If cert parsing is successful, d2i_X509 increments *cert_to_parse to the byte following the parsed data */
     uint32_t parsed_len = cert_to_parse - asn1der->data;
@@ -210,47 +197,35 @@ int s2n_asn1der_to_public_key_and_type(struct s2n_pkey *pub_key, s2n_pkey_type *
     /* Some TLS clients in the wild send extra trailing bytes after the Certificate.
      * Allow this in s2n for backwards compatibility with existing clients. */
     uint32_t trailing_bytes = asn1der->size - parsed_len;
-    POSIX_ENSURE(trailing_bytes <= S2N_MAX_ALLOWED_CERT_TRAILING_BYTES, S2N_ERR_DECODE_CERTIFICATE);
+    RESULT_ENSURE(trailing_bytes <= S2N_MAX_ALLOWED_CERT_TRAILING_BYTES, S2N_ERR_DECODE_CERTIFICATE);
 
     DEFER_CLEANUP(EVP_PKEY *evp_public_key = X509_get_pubkey(cert), EVP_PKEY_free_pointer);
-    S2N_ERROR_IF(evp_public_key == NULL, S2N_ERR_DECODE_CERTIFICATE);
+    RESULT_ENSURE(evp_public_key != NULL, S2N_ERR_DECODE_CERTIFICATE);
 
     /* Check for success in decoding certificate according to type */
     int type = EVP_PKEY_base_id(evp_public_key);
-
-    int ret;
     switch (type) {
         case EVP_PKEY_RSA:
-            ret = s2n_rsa_pkey_init(pub_key);
-            if (ret != 0) {
-                break;
-            }
-            ret = s2n_evp_pkey_to_rsa_public_key(&pub_key->key.rsa_key, evp_public_key);
+            RESULT_GUARD(s2n_rsa_pkey_init(pub_key));
+            RESULT_GUARD(s2n_evp_pkey_to_rsa_public_key(&pub_key->key.rsa_key, evp_public_key));
             *pkey_type_out = S2N_PKEY_TYPE_RSA;
             break;
         case EVP_PKEY_RSA_PSS:
-            ret = s2n_rsa_pss_pkey_init(pub_key);
-            if (ret != 0) {
-                break;
-            }
-            ret = s2n_evp_pkey_to_rsa_pss_public_key(&pub_key->key.rsa_key, evp_public_key);
+            RESULT_GUARD(s2n_rsa_pss_pkey_init(pub_key));
+            RESULT_GUARD(s2n_evp_pkey_to_rsa_pss_public_key(&pub_key->key.rsa_key, evp_public_key));
             *pkey_type_out = S2N_PKEY_TYPE_RSA_PSS;
             break;
         case EVP_PKEY_EC:
-            ret = s2n_ecdsa_pkey_init(pub_key);
-            if (ret != 0) {
-                break;
-            }
-            ret = s2n_evp_pkey_to_ecdsa_public_key(&pub_key->key.ecdsa_key, evp_public_key);
+            RESULT_GUARD(s2n_ecdsa_pkey_init(pub_key));
+            RESULT_GUARD(s2n_evp_pkey_to_ecdsa_public_key(&pub_key->key.ecdsa_key, evp_public_key));
             *pkey_type_out = S2N_PKEY_TYPE_ECDSA;
             break;
         default:
-            POSIX_BAIL(S2N_ERR_DECODE_CERTIFICATE);
+            RESULT_BAIL(S2N_ERR_DECODE_CERTIFICATE);
     }
 
     pub_key->pkey = evp_public_key;
-    /* Reset to avoid DEFER_CLEANUP freeing our key */
-    evp_public_key = NULL;
+    ZERO_TO_DISABLE_DEFER_CLEANUP(evp_public_key);
 
-    return ret;
+    return S2N_RESULT_OK;
 }
diff --git a/crypto/s2n_pkey.h b/crypto/s2n_pkey.h
index a826ebdc3d5..33870a25295 100644
--- a/crypto/s2n_pkey.h
+++ b/crypto/s2n_pkey.h
@@ -56,7 +56,7 @@ struct s2n_pkey {
 };
 
 int s2n_pkey_zero_init(struct s2n_pkey *pkey);
-int s2n_pkey_setup_for_type(struct s2n_pkey *pkey, s2n_pkey_type pkey_type);
+S2N_RESULT s2n_pkey_setup_for_type(struct s2n_pkey *pkey, s2n_pkey_type pkey_type);
 int s2n_pkey_check_key_exists(const struct s2n_pkey *pkey);
 
 S2N_RESULT s2n_pkey_size(const struct s2n_pkey *pkey, uint32_t *size_out);
@@ -69,5 +69,5 @@ int s2n_pkey_decrypt(const struct s2n_pkey *pkey, struct s2n_blob *in, struct s2
 int s2n_pkey_match(const struct s2n_pkey *pub_key, const struct s2n_pkey *priv_key);
 int s2n_pkey_free(struct s2n_pkey *pkey);
 
-int s2n_asn1der_to_private_key(struct s2n_pkey *priv_key, struct s2n_blob *asn1der, int type_hint);
-int s2n_asn1der_to_public_key_and_type(struct s2n_pkey *pub_key, s2n_pkey_type *pkey_type, struct s2n_blob *asn1der);
+S2N_RESULT s2n_asn1der_to_private_key(struct s2n_pkey *priv_key, struct s2n_blob *asn1der, int type_hint);
+S2N_RESULT s2n_asn1der_to_public_key_and_type(struct s2n_pkey *pub_key, s2n_pkey_type *pkey_type, struct s2n_blob *asn1der);
diff --git a/crypto/s2n_rsa.c b/crypto/s2n_rsa.c
index 96ce8f41406..2c5219ec86e 100644
--- a/crypto/s2n_rsa.c
+++ b/crypto/s2n_rsa.c
@@ -193,25 +193,25 @@ static int s2n_rsa_check_key_exists(const struct s2n_pkey *pkey)
     return 0;
 }
 
-int s2n_evp_pkey_to_rsa_public_key(s2n_rsa_public_key *rsa_key, EVP_PKEY *evp_public_key)
+S2N_RESULT s2n_evp_pkey_to_rsa_public_key(s2n_rsa_public_key *rsa_key, EVP_PKEY *evp_public_key)
 {
     const RSA *rsa = EVP_PKEY_get1_RSA(evp_public_key);
-    S2N_ERROR_IF(rsa == NULL, S2N_ERR_DECODE_CERTIFICATE);
+    RESULT_ENSURE(rsa != NULL, S2N_ERR_DECODE_CERTIFICATE);
 
     rsa_key->rsa = rsa;
-    return 0;
+    return S2N_RESULT_OK;
 }
 
-int s2n_evp_pkey_to_rsa_private_key(s2n_rsa_private_key *rsa_key, EVP_PKEY *evp_private_key)
+S2N_RESULT s2n_evp_pkey_to_rsa_private_key(s2n_rsa_private_key *rsa_key, EVP_PKEY *evp_private_key)
 {
     const RSA *rsa = EVP_PKEY_get1_RSA(evp_private_key);
-    S2N_ERROR_IF(rsa == NULL, S2N_ERR_DECODE_PRIVATE_KEY);
+    RESULT_ENSURE(rsa != NULL, S2N_ERR_DECODE_PRIVATE_KEY);
 
     rsa_key->rsa = rsa;
-    return 0;
+    return S2N_RESULT_OK;
 }
 
-int s2n_rsa_pkey_init(struct s2n_pkey *pkey)
+S2N_RESULT s2n_rsa_pkey_init(struct s2n_pkey *pkey)
 {
     pkey->size = &s2n_rsa_encrypted_size;
     pkey->sign = &s2n_rsa_sign;
@@ -221,6 +221,6 @@ int s2n_rsa_pkey_init(struct s2n_pkey *pkey)
     pkey->match = &s2n_rsa_keys_match;
     pkey->free = &s2n_rsa_key_free;
     pkey->check_key = &s2n_rsa_check_key_exists;
-    POSIX_GUARD_RESULT(s2n_evp_signing_set_pkey_overrides(pkey));
-    return 0;
+    RESULT_GUARD(s2n_evp_signing_set_pkey_overrides(pkey));
+    return S2N_RESULT_OK;
 }
diff --git a/crypto/s2n_rsa.h b/crypto/s2n_rsa.h
index 480cc62294f..a71bc05c314 100644
--- a/crypto/s2n_rsa.h
+++ b/crypto/s2n_rsa.h
@@ -43,7 +43,7 @@ RSA *s2n_unsafe_rsa_get_non_const(const struct s2n_rsa_key *rsa_key);
 typedef struct s2n_rsa_key s2n_rsa_public_key;
 typedef struct s2n_rsa_key s2n_rsa_private_key;
 
-int s2n_rsa_pkey_init(struct s2n_pkey *pkey);
+S2N_RESULT s2n_rsa_pkey_init(struct s2n_pkey *pkey);
 
-int s2n_evp_pkey_to_rsa_public_key(s2n_rsa_public_key *rsa_key, EVP_PKEY *pkey);
-int s2n_evp_pkey_to_rsa_private_key(s2n_rsa_private_key *rsa_key, EVP_PKEY *pkey);
+S2N_RESULT s2n_evp_pkey_to_rsa_public_key(s2n_rsa_public_key *rsa_key, EVP_PKEY *pkey);
+S2N_RESULT s2n_evp_pkey_to_rsa_private_key(s2n_rsa_private_key *rsa_key, EVP_PKEY *pkey);
diff --git a/crypto/s2n_rsa_pss.c b/crypto/s2n_rsa_pss.c
index cddc617a13c..e99da354473 100644
--- a/crypto/s2n_rsa_pss.c
+++ b/crypto/s2n_rsa_pss.c
@@ -187,37 +187,37 @@ static int s2n_rsa_pss_key_free(struct s2n_pkey *pkey)
     return S2N_SUCCESS;
 }
 
-int s2n_evp_pkey_to_rsa_pss_public_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *pkey)
+S2N_RESULT s2n_evp_pkey_to_rsa_pss_public_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *pkey)
 {
     const RSA *pub_rsa_key = EVP_PKEY_get1_RSA(pkey);
-    POSIX_ENSURE_REF(pub_rsa_key);
+    RESULT_ENSURE_REF(pub_rsa_key);
 
-    S2N_ERROR_IF(s2n_rsa_is_private_key(pub_rsa_key), S2N_ERR_KEY_MISMATCH);
+    RESULT_ENSURE(!s2n_rsa_is_private_key(pub_rsa_key), S2N_ERR_KEY_MISMATCH);
 
     rsa_key->rsa = pub_rsa_key;
-    return 0;
+    return S2N_RESULT_OK;
 }
 
-int s2n_evp_pkey_to_rsa_pss_private_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *pkey)
+S2N_RESULT s2n_evp_pkey_to_rsa_pss_private_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *pkey)
 {
     const RSA *priv_rsa_key = EVP_PKEY_get1_RSA(pkey);
-    POSIX_ENSURE_REF(priv_rsa_key);
+    RESULT_ENSURE_REF(priv_rsa_key);
 
     /* Documentation: https://www.openssl.org/docs/man1.1.1/man3/RSA_check_key.html */
-    S2N_ERROR_IF(!s2n_rsa_is_private_key(priv_rsa_key), S2N_ERR_KEY_MISMATCH);
+    RESULT_ENSURE(s2n_rsa_is_private_key(priv_rsa_key), S2N_ERR_KEY_MISMATCH);
 
     /* Check that the mandatory properties of a RSA Private Key are valid.
      *  - Documentation: https://www.openssl.org/docs/man1.1.1/man3/RSA_check_key.html
      */
-    POSIX_GUARD_OSSL(RSA_check_key(priv_rsa_key), S2N_ERR_KEY_CHECK);
+    RESULT_GUARD_OSSL(RSA_check_key(priv_rsa_key), S2N_ERR_KEY_CHECK);
 
     rsa_key->rsa = priv_rsa_key;
-    return 0;
+    return S2N_RESULT_OK;
 }
 
-int s2n_rsa_pss_pkey_init(struct s2n_pkey *pkey)
+S2N_RESULT s2n_rsa_pss_pkey_init(struct s2n_pkey *pkey)
 {
-    POSIX_GUARD(s2n_rsa_pkey_init(pkey));
+    RESULT_GUARD(s2n_rsa_pkey_init(pkey));
 
     pkey->size = &s2n_rsa_pss_size;
     pkey->sign = &s2n_rsa_pss_key_sign;
@@ -231,25 +231,25 @@ int s2n_rsa_pss_pkey_init(struct s2n_pkey *pkey)
     pkey->match = &s2n_rsa_pss_keys_match;
     pkey->free = &s2n_rsa_pss_key_free;
 
-    POSIX_GUARD_RESULT(s2n_evp_signing_set_pkey_overrides(pkey));
-    return 0;
+    RESULT_GUARD(s2n_evp_signing_set_pkey_overrides(pkey));
+    return S2N_RESULT_OK;
 }
 
 #else
 
-int s2n_evp_pkey_to_rsa_pss_public_key(struct s2n_rsa_key *rsa_pss_key, EVP_PKEY *pkey)
+S2N_RESULT s2n_evp_pkey_to_rsa_pss_public_key(struct s2n_rsa_key *rsa_pss_key, EVP_PKEY *pkey)
 {
-    POSIX_BAIL(S2N_ERR_RSA_PSS_NOT_SUPPORTED);
+    RESULT_BAIL(S2N_ERR_RSA_PSS_NOT_SUPPORTED);
 }
 
-int s2n_evp_pkey_to_rsa_pss_private_key(struct s2n_rsa_key *rsa_pss_key, EVP_PKEY *pkey)
+S2N_RESULT s2n_evp_pkey_to_rsa_pss_private_key(struct s2n_rsa_key *rsa_pss_key, EVP_PKEY *pkey)
 {
-    POSIX_BAIL(S2N_ERR_RSA_PSS_NOT_SUPPORTED);
+    RESULT_BAIL(S2N_ERR_RSA_PSS_NOT_SUPPORTED);
 }
 
-int s2n_rsa_pss_pkey_init(struct s2n_pkey *pkey)
+S2N_RESULT s2n_rsa_pss_pkey_init(struct s2n_pkey *pkey)
 {
-    POSIX_BAIL(S2N_ERR_RSA_PSS_NOT_SUPPORTED);
+    RESULT_BAIL(S2N_ERR_RSA_PSS_NOT_SUPPORTED);
 }
 
 #endif
diff --git a/crypto/s2n_rsa_pss.h b/crypto/s2n_rsa_pss.h
index c76a8bf1b6d..b4600eff69b 100644
--- a/crypto/s2n_rsa_pss.h
+++ b/crypto/s2n_rsa_pss.h
@@ -41,6 +41,6 @@
 #endif
 
 int s2n_is_rsa_pss_certs_supported();
-int s2n_rsa_pss_pkey_init(struct s2n_pkey *pkey);
-int s2n_evp_pkey_to_rsa_pss_public_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *pkey);
-int s2n_evp_pkey_to_rsa_pss_private_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *pkey);
+S2N_RESULT s2n_rsa_pss_pkey_init(struct s2n_pkey *pkey);
+S2N_RESULT s2n_evp_pkey_to_rsa_pss_public_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *pkey);
+S2N_RESULT s2n_evp_pkey_to_rsa_pss_private_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *pkey);
diff --git a/tests/fuzz/s2n_client_cert_verify_recv_test.c b/tests/fuzz/s2n_client_cert_verify_recv_test.c
index af71a9af4a1..b891d59205b 100644
--- a/tests/fuzz/s2n_client_cert_verify_recv_test.c
+++ b/tests/fuzz/s2n_client_cert_verify_recv_test.c
@@ -132,7 +132,7 @@ int s2n_fuzz_init(int *argc, char **argv[])
     POSIX_ENSURE(s2n_config_get_num_default_certs(server_config) != 0, S2N_ERR_NUM_DEFAULT_CERTIFICATES);
     struct s2n_cert_chain_and_key *cert = s2n_config_get_single_default_cert(server_config);
     POSIX_ENSURE_REF(cert);
-    POSIX_GUARD(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type, &cert->cert_chain->head->raw));
+    POSIX_GUARD_RESULT(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type, &cert->cert_chain->head->raw));
 
     return S2N_SUCCESS;
 }
diff --git a/tests/unit/s2n_ecdsa_test.c b/tests/unit/s2n_ecdsa_test.c
index 2741a3e4b6c..199b3fe63e0 100644
--- a/tests/unit/s2n_ecdsa_test.c
+++ b/tests/unit/s2n_ecdsa_test.c
@@ -127,7 +127,7 @@ int main(int argc, char **argv)
 
     available_size = s2n_stuffer_data_available(&certificate_out);
     EXPECT_SUCCESS(s2n_blob_init(&b, s2n_stuffer_raw_read(&certificate_out, available_size), available_size));
-    EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&pub_key, &pkey_type, &b));
+    EXPECT_OK(s2n_asn1der_to_public_key_and_type(&pub_key, &pkey_type, &b));
 
     /* Test without a type hint */
     int wrong_type = 0;
@@ -135,11 +135,11 @@ int main(int argc, char **argv)
 
     available_size = s2n_stuffer_data_available(&ecdsa_key_out);
     EXPECT_SUCCESS(s2n_blob_init(&b, s2n_stuffer_raw_read(&ecdsa_key_out, available_size), available_size));
-    EXPECT_SUCCESS(s2n_asn1der_to_private_key(&priv_key, &b, wrong_type));
+    EXPECT_OK(s2n_asn1der_to_private_key(&priv_key, &b, wrong_type));
 
     available_size = s2n_stuffer_data_available(&unmatched_ecdsa_key_out);
     EXPECT_SUCCESS(s2n_blob_init(&b, s2n_stuffer_raw_read(&unmatched_ecdsa_key_out, available_size), available_size));
-    EXPECT_SUCCESS(s2n_asn1der_to_private_key(&unmatched_priv_key, &b, wrong_type));
+    EXPECT_OK(s2n_asn1der_to_private_key(&unmatched_priv_key, &b, wrong_type));
 
     /* Verify that the public/private key pair match */
     EXPECT_SUCCESS(s2n_pkey_match(&pub_key, &priv_key));
diff --git a/tests/unit/s2n_evp_signing_test.c b/tests/unit/s2n_evp_signing_test.c
index d287ac47213..a9186ac4413 100644
--- a/tests/unit/s2n_evp_signing_test.c
+++ b/tests/unit/s2n_evp_signing_test.c
@@ -52,7 +52,7 @@ static S2N_RESULT s2n_test_hash_init(struct s2n_hash_state *hash_state, s2n_hash
 static S2N_RESULT s2n_setup_public_key(struct s2n_pkey *public_key, struct s2n_cert_chain_and_key *chain)
 {
     s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
-    EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(public_key, &pkey_type,
+    EXPECT_OK(s2n_asn1der_to_public_key_and_type(public_key, &pkey_type,
             &chain->cert_chain->head->raw));
     EXPECT_EQUAL(pkey_type, chain->cert_chain->head->pkey_type);
     return S2N_RESULT_OK;
diff --git a/tests/unit/s2n_pem_rsa_dhe_test.c b/tests/unit/s2n_pem_rsa_dhe_test.c
index edea5b16674..f2c47e5e87e 100644
--- a/tests/unit/s2n_pem_rsa_dhe_test.c
+++ b/tests/unit/s2n_pem_rsa_dhe_test.c
@@ -109,7 +109,7 @@ int main(int argc, char **argv)
     uint32_t available_size = 0;
     available_size = s2n_stuffer_data_available(&certificate_out);
     EXPECT_SUCCESS(s2n_blob_init(&b, s2n_stuffer_raw_read(&certificate_out, available_size), available_size));
-    EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&pub_key, &pkey_type, &b));
+    EXPECT_OK(s2n_asn1der_to_public_key_and_type(&pub_key, &pkey_type, &b));
 
     /* Test without a type hint */
     int wrong_type = 0;
@@ -117,7 +117,7 @@ int main(int argc, char **argv)
 
     available_size = s2n_stuffer_data_available(&rsa_key_out);
     EXPECT_SUCCESS(s2n_blob_init(&b, s2n_stuffer_raw_read(&rsa_key_out, available_size), available_size));
-    EXPECT_SUCCESS(s2n_asn1der_to_private_key(&priv_key, &b, wrong_type));
+    EXPECT_OK(s2n_asn1der_to_private_key(&priv_key, &b, wrong_type));
 
     EXPECT_SUCCESS(s2n_pkey_match(&pub_key, &priv_key));
 
diff --git a/tests/unit/s2n_rsa_pss_rsae_test.c b/tests/unit/s2n_rsa_pss_rsae_test.c
index 2b6d373077b..bfdafd3e536 100644
--- a/tests/unit/s2n_rsa_pss_rsae_test.c
+++ b/tests/unit/s2n_rsa_pss_rsae_test.c
@@ -175,7 +175,7 @@ int main(int argc, char **argv)
     {
         struct s2n_pkey rsa_public_key;
         s2n_pkey_type rsa_pkey_type;
-        EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&rsa_public_key, &rsa_pkey_type, &rsa_cert_chain->cert_chain->head->raw));
+        EXPECT_OK(s2n_asn1der_to_public_key_and_type(&rsa_public_key, &rsa_pkey_type, &rsa_cert_chain->cert_chain->head->raw));
         EXPECT_EQUAL(rsa_pkey_type, S2N_PKEY_TYPE_RSA);
 
         hash_state_new(sign_hash, random_msg);
@@ -206,7 +206,7 @@ int main(int argc, char **argv)
     {
         struct s2n_pkey rsa_public_key;
         s2n_pkey_type rsa_pkey_type;
-        EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&rsa_public_key, &rsa_pkey_type, &rsa_cert_chain->cert_chain->head->raw));
+        EXPECT_OK(s2n_asn1der_to_public_key_and_type(&rsa_public_key, &rsa_pkey_type, &rsa_cert_chain->cert_chain->head->raw));
         EXPECT_EQUAL(rsa_pkey_type, S2N_PKEY_TYPE_RSA);
 
         /* Test: RSA cert can sign/verify with PSS */
@@ -243,7 +243,7 @@ int main(int argc, char **argv)
         {
             struct s2n_pkey rsa_pss_public_key;
             s2n_pkey_type rsa_pss_pkey_type;
-            EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&rsa_pss_public_key, &rsa_pss_pkey_type, &rsa_pss_cert_chain->cert_chain->head->raw));
+            EXPECT_OK(s2n_asn1der_to_public_key_and_type(&rsa_pss_public_key, &rsa_pss_pkey_type, &rsa_pss_cert_chain->cert_chain->head->raw));
             EXPECT_EQUAL(rsa_pss_pkey_type, S2N_PKEY_TYPE_RSA_PSS);
 
             /* Set the keys equal. */
@@ -281,7 +281,7 @@ int main(int argc, char **argv)
 
         struct s2n_pkey rsa_public_key = { 0 };
         s2n_pkey_type rsa_pkey_type = 0;
-        EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&rsa_public_key, &rsa_pkey_type,
+        EXPECT_OK(s2n_asn1der_to_public_key_and_type(&rsa_public_key, &rsa_pkey_type,
                 &rsa_cert_chain->cert_chain->head->raw));
         EXPECT_EQUAL(rsa_pkey_type, S2N_PKEY_TYPE_RSA);
 
diff --git a/tests/unit/s2n_rsa_pss_test.c b/tests/unit/s2n_rsa_pss_test.c
index 15a58f9c04d..2e0bf263c58 100644
--- a/tests/unit/s2n_rsa_pss_test.c
+++ b/tests/unit/s2n_rsa_pss_test.c
@@ -76,7 +76,7 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_cert_chain_and_key_load_pem(chain_and_key, cert_chain_pem, private_key_pem));
 
         /* Load the Public Key */
-        EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type, &chain_and_key->cert_chain->head->raw));
+        EXPECT_OK(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type, &chain_and_key->cert_chain->head->raw));
         EXPECT_EQUAL(pkey_type, S2N_PKEY_TYPE_RSA_PSS);
 
         /* Sign and Verify a Random Value to ensure that Public and Private Key Matches */
@@ -148,7 +148,7 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_cert_chain_and_key_set_private_key(chain_and_key, private_key_pem));
 
         /* Parse the leaf cert for the public key and certificate type */
-        EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type, &chain_and_key->cert_chain->head->raw));
+        EXPECT_OK(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type, &chain_and_key->cert_chain->head->raw));
         EXPECT_NOT_EQUAL(pkey_type, S2N_PKEY_TYPE_UNKNOWN);
         EXPECT_SUCCESS(s2n_cert_set_cert_type(chain_and_key->cert_chain->head, pkey_type));
 
@@ -226,8 +226,8 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_cert_chain_and_key_set_private_key(leaf_chain_and_key, leaf_private_key_pem));
 
         /* Parse the cert for the public key and certificate type */
-        EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&root_public_key, &root_pkey_type, &root_chain_and_key->cert_chain->head->raw));
-        EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&leaf_public_key, &leaf_pkey_type, &leaf_chain_and_key->cert_chain->head->raw));
+        EXPECT_OK(s2n_asn1der_to_public_key_and_type(&root_public_key, &root_pkey_type, &root_chain_and_key->cert_chain->head->raw));
+        EXPECT_OK(s2n_asn1der_to_public_key_and_type(&leaf_public_key, &leaf_pkey_type, &leaf_chain_and_key->cert_chain->head->raw));
         EXPECT_NOT_EQUAL(root_pkey_type, S2N_PKEY_TYPE_UNKNOWN);
         EXPECT_NOT_EQUAL(leaf_pkey_type, S2N_PKEY_TYPE_UNKNOWN);
 
@@ -304,7 +304,7 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_cert_chain_and_key_set_private_key(chain_and_key, private_key_pem));
 
         /* Parse the leaf cert for the public key and certificate type */
-        EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type, &chain_and_key->cert_chain->head->raw));
+        EXPECT_OK(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type, &chain_and_key->cert_chain->head->raw));
         EXPECT_NOT_EQUAL(pkey_type, S2N_PKEY_TYPE_UNKNOWN);
         EXPECT_SUCCESS(s2n_cert_set_cert_type(chain_and_key->cert_chain->head, pkey_type));
 
diff --git a/tests/unit/s2n_tls13_cert_verify_test.c b/tests/unit/s2n_tls13_cert_verify_test.c
index 0afbdf67091..7155f4ca347 100644
--- a/tests/unit/s2n_tls13_cert_verify_test.c
+++ b/tests/unit/s2n_tls13_cert_verify_test.c
@@ -93,10 +93,10 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
         uint32_t available_size = s2n_stuffer_data_available(&certificate_out);
         EXPECT_SUCCESS(s2n_blob_init(&b, s2n_stuffer_raw_read(&certificate_out, available_size), available_size));
         if (verifying_conn->mode == S2N_CLIENT) {
-            EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.server_public_key, &pkey_type, &b));
+            EXPECT_OK(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.server_public_key, &pkey_type, &b));
             EXPECT_SUCCESS(s2n_pkey_match(&verifying_conn->handshake_params.server_public_key, sending_conn->handshake_params.our_chain_and_key->private_key));
         } else {
-            EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.client_public_key, &pkey_type, &b));
+            EXPECT_OK(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.client_public_key, &pkey_type, &b));
             EXPECT_SUCCESS(s2n_pkey_match(&verifying_conn->handshake_params.client_public_key, sending_conn->handshake_params.our_chain_and_key->private_key));
         }
 
@@ -171,10 +171,10 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
         uint32_t available_size = s2n_stuffer_data_available(&certificate_out);
         EXPECT_SUCCESS(s2n_blob_init(&b, s2n_stuffer_raw_read(&certificate_out, available_size), available_size));
         if (verifying_conn->mode == S2N_CLIENT) {
-            EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.server_public_key, &pkey_type, &b));
+            EXPECT_OK(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.server_public_key, &pkey_type, &b));
             EXPECT_SUCCESS(s2n_pkey_match(&verifying_conn->handshake_params.server_public_key, verifying_conn->handshake_params.our_chain_and_key->private_key));
         } else {
-            EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.client_public_key, &pkey_type, &b));
+            EXPECT_OK(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.client_public_key, &pkey_type, &b));
             EXPECT_SUCCESS(s2n_pkey_match(&verifying_conn->handshake_params.client_public_key, verifying_conn->handshake_params.our_chain_and_key->private_key));
         }
         /* Initialize send hash with hello */
@@ -240,9 +240,9 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
         uint32_t available_size = s2n_stuffer_data_available(&certificate_out);
         EXPECT_SUCCESS(s2n_blob_init(&b, s2n_stuffer_raw_read(&certificate_out, available_size), available_size));
         if (verifying_conn->mode == S2N_CLIENT) {
-            EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.server_public_key, &pkey_type, &b));
+            EXPECT_OK(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.server_public_key, &pkey_type, &b));
         } else {
-            EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.client_public_key, &pkey_type, &b));
+            EXPECT_OK(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.client_public_key, &pkey_type, &b));
         }
 
         /* Initialize send hash with hello */
@@ -312,9 +312,9 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
         uint32_t available_size = s2n_stuffer_data_available(&certificate_out);
         EXPECT_SUCCESS(s2n_blob_init(&b, s2n_stuffer_raw_read(&certificate_out, available_size), available_size));
         if (verifying_conn->mode == S2N_CLIENT) {
-            EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.server_public_key, &pkey_type, &b));
+            EXPECT_OK(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.server_public_key, &pkey_type, &b));
         } else {
-            EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.client_public_key, &pkey_type, &b));
+            EXPECT_OK(s2n_asn1der_to_public_key_and_type(&verifying_conn->handshake_params.client_public_key, &pkey_type, &b));
         }
 
         /* Hash initialization */
diff --git a/tests/unit/s2n_x509_validator_test.c b/tests/unit/s2n_x509_validator_test.c
index cf0cc3c7662..1afb5d0d6d3 100644
--- a/tests/unit/s2n_x509_validator_test.c
+++ b/tests/unit/s2n_x509_validator_test.c
@@ -1806,7 +1806,7 @@ int main(int argc, char **argv)
         /* Expect to return S2N_CERT_ERR_UNTRUSTED */
         EXPECT_ERROR_WITH_ERRNO(s2n_x509_validator_validate_cert_chain(&validator, connection, chain_data, chain_len,
                                         &pkey_type, &public_key_out),
-                S2N_ERR_CERT_UNTRUSTED);
+                S2N_ERR_DECODE_CERTIFICATE);
 
         s2n_stuffer_free(&chain_stuffer);
         s2n_connection_free(connection);
diff --git a/tls/s2n_async_pkey.c b/tls/s2n_async_pkey.c
index 3010947086b..d537c0c3344 100644
--- a/tls/s2n_async_pkey.c
+++ b/tls/s2n_async_pkey.c
@@ -458,7 +458,7 @@ S2N_RESULT s2n_async_pkey_verify_signature(struct s2n_connection *conn, s2n_sign
     /* Parse public key for the cert */
     DEFER_CLEANUP(struct s2n_pkey public_key = { 0 }, s2n_pkey_free);
     s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
-    RESULT_GUARD_POSIX(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type,
+    RESULT_GUARD(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type,
             &conn->handshake_params.our_chain_and_key->cert_chain->head->raw));
     RESULT_ENSURE(s2n_pkey_verify(&public_key, sig_alg, digest, signature) == S2N_SUCCESS, S2N_ERR_VERIFY_SIGNATURE);
 
diff --git a/tls/s2n_client_cert.c b/tls/s2n_client_cert.c
index ec50ed7835b..d2183277dfd 100644
--- a/tls/s2n_client_cert.c
+++ b/tls/s2n_client_cert.c
@@ -134,7 +134,7 @@ int s2n_client_cert_recv(struct s2n_connection *conn)
             cert_chain_size, &pkey_type, &public_key));
 
     conn->handshake_params.client_cert_pkey_type = pkey_type;
-    POSIX_GUARD(s2n_pkey_setup_for_type(&public_key, pkey_type));
+    POSIX_GUARD_RESULT(s2n_pkey_setup_for_type(&public_key, pkey_type));
 
     POSIX_GUARD(s2n_pkey_check_key_exists(&public_key));
     conn->handshake_params.client_public_key = public_key;
diff --git a/tls/s2n_server_cert.c b/tls/s2n_server_cert.c
index 608af527458..ac3415a2c2c 100644
--- a/tls/s2n_server_cert.c
+++ b/tls/s2n_server_cert.c
@@ -47,7 +47,7 @@ int s2n_server_cert_recv(struct s2n_connection *conn)
             cert_chain.size, &actual_cert_pkey_type, &public_key));
 
     POSIX_GUARD(s2n_is_cert_type_valid_for_auth(conn, actual_cert_pkey_type));
-    POSIX_GUARD(s2n_pkey_setup_for_type(&public_key, actual_cert_pkey_type));
+    POSIX_GUARD_RESULT(s2n_pkey_setup_for_type(&public_key, actual_cert_pkey_type));
     conn->handshake_params.server_public_key = public_key;
 
     return 0;
diff --git a/tls/s2n_x509_validator.c b/tls/s2n_x509_validator.c
index a1d0a1729ff..7403a8f2886 100644
--- a/tls/s2n_x509_validator.c
+++ b/tls/s2n_x509_validator.c
@@ -645,8 +645,7 @@ static S2N_RESULT s2n_x509_validator_read_leaf_info(struct s2n_connection *conn,
     struct s2n_blob asn1_cert = { 0 };
     RESULT_GUARD(s2n_x509_validator_read_asn1_cert(&cert_chain_in_stuffer, &asn1_cert));
 
-    RESULT_ENSURE(s2n_asn1der_to_public_key_and_type(public_key, pkey_type, &asn1_cert) == 0,
-            S2N_ERR_CERT_UNTRUSTED);
+    RESULT_GUARD(s2n_asn1der_to_public_key_and_type(public_key, pkey_type, &asn1_cert));
 
     /* certificate extensions is a field in TLS 1.3 - https://tools.ietf.org/html/rfc8446#section-4.4.2 */
     if (conn->actual_protocol_version >= S2N_TLS13) {

From 73127f6f746bb69baba3e543f2b8e6627949b51a Mon Sep 17 00:00:00 2001
From: Lindsay Stewart <slindsay@amazon.com>
Date: Mon, 30 Oct 2023 14:13:40 -0700
Subject: [PATCH 2/3] Add test

---
 tests/pems/ecdsa_brainpoolP512t1_cert.pem | 16 +++++++++
 tests/pems/ecdsa_brainpoolP512t1_key.pem  | 10 ++++++
 tests/testlib/s2n_testlib.h               |  3 ++
 tests/unit/s2n_x509_validator_test.c      | 42 +++++++++++++++++++++--
 4 files changed, 68 insertions(+), 3 deletions(-)
 create mode 100644 tests/pems/ecdsa_brainpoolP512t1_cert.pem
 create mode 100644 tests/pems/ecdsa_brainpoolP512t1_key.pem

diff --git a/tests/pems/ecdsa_brainpoolP512t1_cert.pem b/tests/pems/ecdsa_brainpoolP512t1_cert.pem
new file mode 100644
index 00000000000..d29cae9b275
--- /dev/null
+++ b/tests/pems/ecdsa_brainpoolP512t1_cert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICjjCCAfKgAwIBAgIUJIa/I/yxgIOVfg1A8gDPcFF6RAIwCgYIKoZIzj0EAwIw
+YTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxlMQ8w
+DQYDVQQKDAZBbWF6b24xDDAKBgNVBAsMA3MybjEUMBIGA1UEAwwLczJuVGVzdENl
+cnQwIBcNMjMxMDMwMTkzNjU3WhgPMjEyMzEwMDYxOTM2NTdaMGExCzAJBgNVBAYT
+AlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwGQW1h
+em9uMQwwCgYDVQQLDANzMm4xFDASBgNVBAMMC3MyblRlc3RDZXJ0MIGbMBQGByqG
+SM49AgEGCSskAwMCCAEBDgOBggAEOCPyLYnUlP7anK35kNiDdfdozNmHaZZIGaJC
+h+yJeEl/3931anSo3uehV/LpiPPOX0he+3r28qSlOMn9ViS/yiy59mC4KKGywuIx
+TaDws4ncUwFw1ujIqlOrKcgX/BQl0PW8/krM7qldoVKTnX42LUedMusuCaVwtfdd
+kqkdmUKjQzBBMAsGA1UdDwQEAwIEsDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNV
+HQ4EFgQUHtKoEGERU7R3el8WUUBulyfsFsEwCgYIKoZIzj0EAwIDgYkAMIGFAkEA
+hTqeqN44HBU6QwDFudOzdFDK6Om/LxFwbMbfWjZzZNfftWygS4d7qT0m8B3/lnsL
+EkBO7/T88qEf3NkrlIC4nAJAKn+0GYz6CroWhaqynkYtlNTLuAB6CMhlMkQ2GTo9
+kj+9z2+SpULpZqc46TjEyder2wUfx+FlDahdSyJUBf5h8A==
+-----END CERTIFICATE-----
diff --git a/tests/pems/ecdsa_brainpoolP512t1_key.pem b/tests/pems/ecdsa_brainpoolP512t1_key.pem
new file mode 100644
index 00000000000..1ddeac314bb
--- /dev/null
+++ b/tests/pems/ecdsa_brainpoolP512t1_key.pem
@@ -0,0 +1,10 @@
+-----BEGIN EC PARAMETERS-----
+BgkrJAMDAggBAQ4=
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIHaAgEBBEBFZTOEB8STkbxwEbGSOevERT6QaF6x2EN/vIxD3q5Y88gYVsOLdydx
+gv9SyxDqrqjCa3Sr9e/zJYg4up5O22HpoAsGCSskAwMCCAEBDqGBhQOBggAEOCPy
+LYnUlP7anK35kNiDdfdozNmHaZZIGaJCh+yJeEl/3931anSo3uehV/LpiPPOX0he
++3r28qSlOMn9ViS/yiy59mC4KKGywuIxTaDws4ncUwFw1ujIqlOrKcgX/BQl0PW8
+/krM7qldoVKTnX42LUedMusuCaVwtfddkqkdmUI=
+-----END EC PRIVATE KEY-----
diff --git a/tests/testlib/s2n_testlib.h b/tests/testlib/s2n_testlib.h
index e67aaff6a7c..7791452f16b 100644
--- a/tests/testlib/s2n_testlib.h
+++ b/tests/testlib/s2n_testlib.h
@@ -151,6 +151,9 @@ S2N_RESULT s2n_connection_set_test_master_secret(struct s2n_connection *conn, co
 #define S2N_WEIRD_DASHES_CERT_CHAIN    "../pems/rsa_2048_weird_dashes_cert.pem"
 #define S2N_NO_DASHES_CERT_CHAIN       "../pems/rsa_2048_no_dashes_cert.pem"
 
+/* Certificate with unusual curve not supported by awslc */
+#define S2N_BRAINPOOL_CURVE_CERT "../pems/ecdsa_brainpoolP512t1_cert.pem"
+
 /* OCSP Stapled Response Testing files */
 #define S2N_OCSP_SERVER_CERT              "../pems/ocsp/server_cert.pem"
 #define S2N_OCSP_SERVER_CERT_EARLY_EXPIRE "../pems/ocsp/server_cert_early_expire.pem"
diff --git a/tests/unit/s2n_x509_validator_test.c b/tests/unit/s2n_x509_validator_test.c
index 1afb5d0d6d3..8f68a4e92b5 100644
--- a/tests/unit/s2n_x509_validator_test.c
+++ b/tests/unit/s2n_x509_validator_test.c
@@ -1803,9 +1803,9 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
         s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
 
-        /* Expect to return S2N_CERT_ERR_UNTRUSTED */
-        EXPECT_ERROR_WITH_ERRNO(s2n_x509_validator_validate_cert_chain(&validator, connection, chain_data, chain_len,
-                                        &pkey_type, &public_key_out),
+        EXPECT_ERROR_WITH_ERRNO(
+                s2n_x509_validator_validate_cert_chain(&validator,
+                        connection, chain_data, chain_len, &pkey_type, &public_key_out),
                 S2N_ERR_DECODE_CERTIFICATE);
 
         s2n_stuffer_free(&chain_stuffer);
@@ -1814,6 +1814,42 @@ int main(int argc, char **argv)
         s2n_x509_validator_wipe(&validator);
     };
 
+    /* Test unknown curve in cert validator for negative case */
+    if (s2n_libcrypto_is_awslc()) {
+        struct s2n_x509_validator validator = { 0 };
+        EXPECT_SUCCESS(s2n_x509_validator_init_no_x509_validation(&validator));
+
+        DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT),
+                s2n_connection_ptr_free);
+        EXPECT_NOT_NULL(conn);
+
+        char pem_str[S2N_MAX_TEST_PEM_SIZE] = { 0 };
+        EXPECT_SUCCESS(s2n_read_test_pem(S2N_BRAINPOOL_CURVE_CERT, pem_str, sizeof(pem_str)));
+
+        DEFER_CLEANUP(struct s2n_cert_chain_and_key *chain_and_key = s2n_cert_chain_and_key_new(),
+                s2n_cert_chain_and_key_ptr_free);
+        EXPECT_SUCCESS(s2n_cert_chain_and_key_set_cert_chain(chain_and_key, pem_str));
+
+        DEFER_CLEANUP(struct s2n_stuffer message = { 0 }, s2n_stuffer_free);
+        EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&message, 0));
+        EXPECT_SUCCESS(s2n_send_cert_chain(conn, &message, chain_and_key));
+        EXPECT_SUCCESS(s2n_stuffer_skip_read(&message, 3));
+
+        uint32_t chain_len = s2n_stuffer_data_available(&message);
+        EXPECT_TRUE(chain_len > 0);
+        uint8_t *chain_data = s2n_stuffer_raw_read(&message, chain_len);
+        EXPECT_NOT_NULL(chain_data);
+
+        DEFER_CLEANUP(struct s2n_pkey public_key_out = { 0 }, s2n_pkey_free);
+        EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
+
+        s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
+        EXPECT_ERROR_WITH_ERRNO(
+                s2n_x509_validator_validate_cert_chain(&validator,
+                        conn, chain_data, chain_len, &pkey_type, &public_key_out),
+                S2N_ERR_DECODE_CERTIFICATE);
+    };
+
     /* Test validator trusts a SHA-1 signature in a certificate chain if certificate validation is off */
     {
         struct s2n_x509_trust_store trust_store;

From 26e6b9699e258d180339d15eee07faca64cee36e Mon Sep 17 00:00:00 2001
From: Lindsay Stewart <slindsay@amazon.com>
Date: Mon, 30 Oct 2023 15:05:50 -0700
Subject: [PATCH 3/3] Clean up test memory

---
 tests/unit/s2n_x509_validator_test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/unit/s2n_x509_validator_test.c b/tests/unit/s2n_x509_validator_test.c
index 8f68a4e92b5..117d714ffc3 100644
--- a/tests/unit/s2n_x509_validator_test.c
+++ b/tests/unit/s2n_x509_validator_test.c
@@ -1816,7 +1816,7 @@ int main(int argc, char **argv)
 
     /* Test unknown curve in cert validator for negative case */
     if (s2n_libcrypto_is_awslc()) {
-        struct s2n_x509_validator validator = { 0 };
+        DEFER_CLEANUP(struct s2n_x509_validator validator = { 0 }, s2n_x509_validator_wipe);
         EXPECT_SUCCESS(s2n_x509_validator_init_no_x509_validation(&validator));
 
         DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT),