Allow the keyCertSign bit to be asserted specifically for self-signed CAs.

Kareem
2025-09-03 11:43:15 -07:00
parent 095fd88cbe
commit 37fc63ca39


@@ -25810,7 +25810,11 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
* If the cA boolean is not asserted, then the keyCertSign bit in the
* key usage extension MUST NOT be asserted. */
if (!cert->isCA && cert->extKeyUsageSet &&
(cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) != 0) {
(cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) != 0
#ifdef ALLOW_SELFSIGNED_INVALID_CERTSIGN
&& !cert->selfSigned
#endif
) {
WOLFSSL_ERROR_VERBOSE(KEYUSAGE_E);
return KEYUSAGE_E;
}
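Review bot: The new `&& !cert->selfSigned` arm lets a self-signed certificate carry keyCertSign without the cA boolean, which is exactly the case the comment directly above the check says "MUST NOT" happen (RFC 5280), yet that comment is left unchanged, so the built code shows an unexplained deviation from the rule it cites. I would extend the comment block with something like `/* ALLOW_SELFSIGNED_INVALID_CERTSIGN: skip this check for self-signed certs so legacy self-signed CAs that omit cA are accepted; this deviates from RFC 5280. */` so the trade-off is visible next to the `#ifdef`. It is also worth confirming that `cert->selfSigned` is already populated at this point in ParseCertRelative and what it is derived from: if it is only issuer-name == subject-name, the relaxation is applied to any peer-supplied certificate before its signature is checked, which is harmless only as long as such a cert cannot be used as an issuer without being explicitly trusted elsewhere. The enclosing function ParseCertRelative begins and ends outside this hunk.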