JNI/JSSE: fix certificate order of array returned from WolfSSLX509StoreCtx.getCerts()

[cconlon]

This PR fixes the WolfSSLX509StoreCtx.freeCerts() method to correctly return the certificate chain with peer cert first, followed by the rest of the chain.

Native wolfSSL wolfSSL_X509_STORE_GetCerts() returns certs in order of root to peer, but JSSE layer expects peer to root for internal verify callback and X509TrustManager.checkClient/ServerTrusted().

This showed up in a test against httpbin.org:443, where the reversed certificate order caused hostname verification to fail:

2025-07-29 22:26:50.348 [wolfJSSE INFO: TID 1: WolfSSLEngineHelper] calling native wolfSSL_connect()
2025-07-29 22:26:50.441 [wolfJSSE INFO: TID 1: WolfSSLInternalVerifyCb] Native wolfSSL peer verification passed (clientMode: true)
2025-07-29 22:26:50.442 [wolfJSSE INFO: TID 1: WolfSSLInternalVerifyCb] Peer cert: CN=Amazon Root CA 1, O=Amazon, C=US
2025-07-29 22:26:50.442 [wolfJSSE INFO: TID 1: WolfSSLInternalVerifyCb] Peer cert: CN=Amazon RSA 2048 M03, O=Amazon, C=US
2025-07-29 22:26:50.442 [wolfJSSE INFO: TID 1: WolfSSLInternalVerifyCb] Peer cert: CN=httpbin.org
2025-07-29 22:26:50.442 [wolfJSSE INFO: TID 1: WolfSSLInternalVerifyCb] Auth type: RSA
2025-07-29 22:26:50.442 [wolfJSSE INFO: TID 1: WolfSSLInternalVerifyCb] checking hostname verification using SSLSocket
2025-07-29 22:26:50.442 [wolfJSSE INFO: TID 1: WolfSSLTrustX509] entered verifyHostname, using SSLSocket for host info
2025-07-29 22:26:50.442 [wolfJSSE INFO: TID 1: WolfSSLSocket] entered getSSLParameters()
2025-07-29 22:26:50.443 [wolfJSSE INFO: TID 1: WolfSSLTrustX509] verifying hostname, endpoint identification algorithm = HTTPS
2025-07-29 22:26:50.444 [wolfJSSE INFO: TID 1: WolfSSLTrustX509] verifying hostname type HTTPS
2025-07-29 22:26:50.444 [wolfJSSE INFO: TID 1: WolfSSLSocket] entered getHandshakeSession()
2025-07-29 22:26:50.444 [wolfJSSE INFO: TID 1: WolfSSLImplementSSLSession] calling getRequestedServerNames (client)
2025-07-29 22:26:50.444 [wolfJSSE INFO: TID 1: WolfSSLTrustX509] trying hostname verification against SNI: httpbin.org
2025-07-29 22:26:50.445 [wolfJSSE INFO: TID 1: WolfSSLTrustX509] hostname match with SNI failed

This can be tested using the example JSSE client against httpbin.org. This fails before this PR, and passes with it:

./java.sh
ant
ant examples

./examples/provider/ClientJSSE.sh -h httpbin.org -p 443 -sysca

[Copilot]

Pull Request Overview

This PR fixes the certificate order returned by WolfSSLX509StoreCtx.getCerts() to match Java/JSSE expectations. The native wolfSSL returns certificates in root-to-peer order, but JSSE requires peer-to-root order for proper hostname verification and trust manager operations.

• Reverses certificate array order in native C code to return peer certificate first
• Updates documentation to clarify the expected certificate ordering
• Fixes hostname verification failures that occurred due to incorrect certificate chain ordering

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
src/java/com/wolfssl/provider/jsse/WolfSSLInternalVerifyCb.java	Updates comment to clarify expected certificate ordering from getCerts()
src/java/com/wolfssl/WolfSSLX509StoreCtx.java	Adds documentation explaining the peer-to-root certificate ordering
native/com_wolfssl_WolfSSLX509StoreCtx.c	Implements array index reversal to return certificates in peer-to-root order