From 03e0dd6ca369586c3bfb2229a62309554371dd5b Mon Sep 17 00:00:00 2001
From: David Garske
Date: Tue, 12 Mar 2019 11:05:07 -0700
Subject: [PATCH] Add back this path length check for self-signed CA as special case for the supplicant only.
---
 wolfcrypt/src/asn.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 06f0675b2..33a5bab76 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -8101,6 +8101,16 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
 if (cert->ca) {
 /* Check if cert is CA type and signer has path length set */
 if (cert->isCA && cert->ca->pathLengthSet) {
+ #if defined(WOLFSSL_WPAS) && !defined(WOLFSSL_NO_ASN_STRICT)
+ /* WPA Supplicant - has test case that expects self-signed
+ root CA to have path length == 0 */
+ if (cert->selfSigned) {
+ if (cert->ca->pathLength != 0) {
+ WOLFSSL_MSG("Root CA with path length > 0");
+ return ASN_PATHLEN_INV_E;
+ }
+ }
+ #endif
 /* Check if signer is root CA (self-signed) */
 if (cert->ca->selfSigned) {
 /* Root CA as signer:
@@ -8127,10 +8137,11 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
 }
 }
- #ifdef HAVE_OCSP
- /* Need the CA's public key hash for OCSP */
- XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash, KEYID_SIZE);
- #endif /* HAVE_OCSP */
+ #ifdef HAVE_OCSP
+ /* Need the CA's public key hash for OCSP */
+ XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
+ KEYID_SIZE);
+ #endif /* HAVE_OCSP */
 }
 }
 }
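Review bot: In the first hunk (`@@ -8101,6 +8101,16 @@`), the new `cert->selfSigned` branch rejects a self-signed CA whenever the signer entry has a non-zero `pathLength`, which is stricter than RFC 5280 (it places no such limit on a root's pathLenConstraint), while the comment only says that some WPA Supplicant test case expects it. In builds with `WOLFSSL_WPAS` and without `WOLFSSL_NO_ASN_STRICT` this presumably makes an otherwise valid trust anchor with pathLen >= 1 fail with `ASN_PATHLEN_INV_E`, so the comment should state that and name the test, e.g. `/* Stricter than RFC 5280: WPA Supplicant test <test name> expects a self-signed root with pathLen != 0 to be rejected */`. The condition tests `cert->selfSigned` but reads `cert->ca->pathLength`; if the signer entry is expected to be the certificate itself, say so in the comment, and the two nested `if`s can be merged into `if (cert->selfSigned && cert->ca->pathLength != 0) {`. ParseCertRelative's body starts and ends outside the hunk.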