mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-09 08:00:52 +02:00
x509_str.c: gate pathLen decrement on isCa
X509StoreCheckPathLen() consumed a unit of the issuer's path length budget for any non-self-issued intermediate. Gate the RFC 5280 sec. 6.1.4 (l) decrement on cert->isCa so only CA certificates count, matching ParseCertRelative() (wolfcrypt/src/asn.c) and the (m) tightening step. This prevents a false PATH_LENGTH_EXCEEDED when a non-CA intermediate is tolerated via verify_cb.
This commit is contained in:
+7
-4
@@ -693,10 +693,13 @@ static int X509StoreCheckPathLen(WOLFSSL_X509_STORE_CTX* ctx)
|
||||
selfIssued =
|
||||
(wolfSSL_X509_NAME_cmp(&cert->issuer, &cert->subject) == 0);
|
||||
|
||||
/* RFC 5280 sec. 6.1.4 (l): a non-self-issued certificate consumes one
|
||||
* unit of the issuer's remaining path length budget. Only meaningful
|
||||
* once a CA above has asserted a constraint (haveConstraint). */
|
||||
if (!selfIssued && haveConstraint) {
|
||||
/* RFC 5280 sec. 6.1.4 (l): a non-self-issued *CA* certificate consumes
|
||||
* one unit of the issuer's remaining path length budget. Gate on isCa
|
||||
* to match ParseCertRelative() (wolfcrypt/src/asn.c) and the (m) step
|
||||
* below, so a non-CA intermediate tolerated via verify_cb does not
|
||||
* trigger a false PATH_LENGTH_EXCEEDED. Only meaningful once a CA above
|
||||
* has asserted a constraint (haveConstraint). */
|
||||
if (!selfIssued && cert->isCa && haveConstraint) {
|
||||
if (maxPathLen == 0) {
|
||||
SetupStoreCtxError_ex(ctx,
|
||||
WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED, i);
|
||||
|
||||
Reference in New Issue
Block a user