From 37fc63ca390e7412840cddd22f87f34e6464b033 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Wed, 3 Sep 2025 11:43:15 -0700
Subject: [PATCH] Allow the keyCertSign bit to be asserted specifically for self-signed CAs.

---
 wolfcrypt/src/asn.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index a237a1716..ec57900cd 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -25810,7 +25810,11 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
 * If the cA boolean is not asserted, then the keyCertSign bit in the
 * key usage extension MUST NOT be asserted.
 */
 if (!cert->isCA && cert->extKeyUsageSet &&
- (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) != 0) {
+ (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) != 0
+ #ifdef ALLOW_SELFSIGNED_INVALID_CERTSIGN
+ && !cert->selfSigned
+ #endif
+ ) {
 WOLFSSL_ERROR_VERBOSE(KEYUSAGE_E);
 return KEYUSAGE_E;
 }
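Review bot: With ALLOW_SELFSIGNED_INVALID_CERTSIGN defined, the added `&& !cert->selfSigned` term exempts every certificate whose issuer equals its subject from the RFC 5280 4.2.1.3 cA/keyCertSign consistency check, including peer-supplied self-signed end-entity certificates (the branch is reached only when cert->isCA is false, so the subject's "self-signed CAs" wording does not match what the code exempts); whether such a certificate is still rejected later by chain building is outside this hunk and should be confirmed before the option is shipped. The hunk also does not show where cert->selfSigned is populated, so confirm it is assigned earlier in ParseCertRelative than this check rather than after it. A comment naming the deviation would help the next reader, e.g. `/* ALLOW_SELFSIGNED_INVALID_CERTSIGN: tolerate keyCertSign on a self-signed certificate that does not assert cA (deviates from RFC 5280 4.2.1.3) */`. Stylistically, an `#ifdef` spliced into the middle of a condition is hard to read; computing a local such as `int selfSignedExempt = 0;` and setting it under the `#ifdef` before the `if` keeps the expression preprocessor-free. ParseCertRelative starts and ends outside this hunk.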