From 1a144b69bd346e27bd53d71426bc2d286ce0e21c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Fri, 19 Jun 2026 11:03:41 +0200 Subject: [PATCH] x509_str.c: gate pathLen decrement on isCa X509StoreCheckPathLen() consumed a unit of the issuer's path length budget for any non-self-issued intermediate. Gate the RFC 5280 sec. 6.1.4 (l) decrement on cert->isCa so only CA certificates count, matching ParseCertRelative() (wolfcrypt/src/asn.c) and the (m) tightening step. This prevents a false PATH_LENGTH_EXCEEDED when a non-CA intermediate is tolerated via verify_cb. --- src/x509_str.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/x509_str.c b/src/x509_str.c index b459300605..30055ba840 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -693,10 +693,13 @@ static int X509StoreCheckPathLen(WOLFSSL_X509_STORE_CTX* ctx) selfIssued = (wolfSSL_X509_NAME_cmp(&cert->issuer, &cert->subject) == 0); - /* RFC 5280 sec. 6.1.4 (l): a non-self-issued certificate consumes one - * unit of the issuer's remaining path length budget. Only meaningful - * once a CA above has asserted a constraint (haveConstraint). */ - if (!selfIssued && haveConstraint) { + /* RFC 5280 sec. 6.1.4 (l): a non-self-issued *CA* certificate consumes + * one unit of the issuer's remaining path length budget. Gate on isCa + * to match ParseCertRelative() (wolfcrypt/src/asn.c) and the (m) step + * below, so a non-CA intermediate tolerated via verify_cb does not + * trigger a false PATH_LENGTH_EXCEEDED. Only meaningful once a CA above + * has asserted a constraint (haveConstraint). */ + if (!selfIssued && cert->isCa && haveConstraint) { if (maxPathLen == 0) { SetupStoreCtxError_ex(ctx, WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED, i);