Allow AddCA for root CA's over the wire that do not have the extended key usage cert_sign set.

2019-12-04 14:14:37 -08:00
parent b01c558adb
commit 9b437384de
1 changed files with 1 additions and 1 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@ -4807,7 +4807,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
    }
 #ifndef ALLOW_INVALID_CERTSIGN
    else if (ret == 0 && cert->isCA == 1 && type != WOLFSSL_USER_CA &&
-             (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) {
+        !cert->selfSigned && (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) {
        /* Intermediate CA certs are required to have the keyCertSign
        * extension set. User loaded root certs are not. */
        WOLFSSL_MSG("\tDoesn't have key usage certificate signing");