From 9b437384de0201a3c822fbdb11564b0c16231f70 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Wed, 4 Dec 2019 14:14:37 -0800
Subject: [PATCH] Allow `AddCA` for root CA's over the wire that do not have the extended key usage cert_sign set.
---
src/ssl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssl.c b/src/ssl.c
index 090561b1f..6123a2ac9 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -4807,7 +4807,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
 }
 #ifndef ALLOW_INVALID_CERTSIGN
 else if (ret == 0 && cert->isCA == 1 && type != WOLFSSL_USER_CA &&
- (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) {
+ !cert->selfSigned && (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) {
 /* Intermediate CA certs are required to have the keyCertSign
 * extension set. User loaded root certs are not. */
 WOLFSSL_MSG("\tDoesn't have key usage certificate signing");
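Review bot: The comment directly under the changed condition is now stale: it says only user-loaded roots are exempt from the keyCertSign requirement, but the added `!cert->selfSigned` term also exempts any self-signed CA cert regardless of `type`, so it should read `/* Intermediate CA certs are required to have the keyCertSign extension set. User loaded root certs and self-signed (root) certs are not. */`. Since a self-signed cert is not necessarily a trusted root, the safety of this relaxation rests entirely on `ret == 0` having been established earlier in AddCA for a non-`WOLFSSL_USER_CA` self-signed cert only when that cert is already trusted; that verification logic is above the hunk and not visible here, so it is worth confirming, and a test that sends an untrusted self-signed CA without keyCertSign over the wire and asserts it is still rejected would pin the intent. RFC 5280 §4.2.1.3 requires keyCertSign when a CA cert carries a Key Usage extension at all, so the new `WOLFSSL_MSG` branch is now skipped for a certificate class the profile still forbids; if that is deliberate for interoperability, say so in the comment. Note also that `KEYUSE_KEY_CERT_SIGN` is a Key Usage bit, not an Extended Key Usage value as the commit subject states. AddCA begins before and continues after this hunk.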