feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Allow AddCA for root CA's over the wire that do not have the extended key usage cert_sign set.

Browse Source
This commit is contained in:
David Garske
2019-12-04 14:14:37 -08:00
parent b01c558adb
commit 9b437384de
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/ssl.c
View File

@@ -4807,7 +4807,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
} }
#ifndef ALLOW_INVALID_CERTSIGN #ifndef ALLOW_INVALID_CERTSIGN
else if (ret == 0 && cert->isCA == 1 && type != WOLFSSL_USER_CA && else if (ret == 0 && cert->isCA == 1 && type != WOLFSSL_USER_CA &&
(cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) { !cert->selfSigned && (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) {
/* Intermediate CA certs are required to have the keyCertSign /* Intermediate CA certs are required to have the keyCertSign
* extension set. User loaded root certs are not. */ * extension set. User loaded root certs are not. */
WOLFSSL_MSG("\tDoesn't have key usage certificate signing"); WOLFSSL_MSG("\tDoesn't have key usage certificate signing");