wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 02:37:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Allow intermediate CA certs without keycertsign when added through X509 STORE

Browse Source
This commit is contained in:
Colton Willey
2024-10-16 21:59:48 -07:00
committed by Daniel Pouzzner
parent 38c7de1707
commit 12f4f69fb4
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/ssl.c
View File

@ -5535,13 +5535,15 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
}
}
if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA) {
if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA &&
type != WOLFSSL_INTER_CA) {
WOLFSSL_MSG("\tCan't add as CA if not actually one");
ret = NOT_CA_ERROR;
}
#ifndef ALLOW_INVALID_CERTSIGN
else if (ret == 0 && cert->isCA == 1 && type != WOLFSSL_USER_CA &&
!cert->selfSigned && (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) {
type != WOLFSSL_INTER_CA && !cert->selfSigned &&
(cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) {
/* Intermediate CA certs are required to have the keyCertSign
* extension set. User loaded root certs are not. */
WOLFSSL_MSG("\tDoesn't have key usage certificate signing");