Merge pull request #2163 from ejohnstown/config-fixes

Configuration Fixes

configure.ac

@@ -194,7 +194,7 @@ then
     AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD -DKEEP_OUR_CERT -DKEEP_PEER_CERT -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT"
 
     # Enable DH const table speedups (eliminates `-lm` math lib dependency)
-    AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072 -DFP_MAX_BITS=6144"
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072 -DFP_MAX_BITS=8192"
 fi
 AM_CONDITIONAL([BUILD_ALL], [test "x$ENABLED_ALL" = "xyes"])
 

examples/server/server.c

@@ -1889,6 +1889,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
                 wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE);
         }
 #endif
+#ifndef NO_RSA
+/* All the OSCP Stapling test certs are RSA. */
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
  || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
         if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS)
@@ -1900,6 +1902,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
         if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate3-ca-cert.pem", 0) != WOLFSSL_SUCCESS)
             err_sys_ex(runWithErrors, "can't load ca file, Please run from wolfSSL home dir");
 #endif
+#endif
 
 #ifdef HAVE_PK_CALLBACKS
         if (pkCallbacks)

scripts/include.am

@@ -15,6 +15,9 @@ dist_noinst_SCRIPTS+= scripts/resume.test
 EXTRA_DIST+= scripts/benchmark.test
 EXTRA_DIST+= scripts/memtest.sh
 
+# The CRL and OCSP tests use RSA certificates.
+if BUILD_RSA
+
 if BUILD_CRL
 # make revoked test rely on completion of resume test
 dist_noinst_SCRIPTS+= scripts/crl-revoked.test
@@ -46,6 +49,8 @@ endif
 
 endif
 
+endif
+
 if BUILD_PSK
 dist_noinst_SCRIPTS+= scripts/psk.test
 endif

src/ssl.c

@@ -26559,6 +26559,8 @@ static int EncryptDerKey(byte *der, int *derSz, const EVP_CIPHER* cipher,
 #endif /* WOLFSSL_KEY_GEN || WOLFSSL_PEM_TO_DER */
 
 #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN)
+
+#ifndef NO_RSA
 /* Takes a WOLFSSL_RSA key and writes it out to a WOLFSSL_BIO
  *
  * bio    the WOLFSSL_BIO to write to
@@ -26639,6 +26641,8 @@ int wolfSSL_PEM_write_bio_RSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_RSA* key,
     return ret;
 }
 
+#endif /* NO_RSA */
+
 
 int wolfSSL_PEM_write_bio_PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key,
                                         const WOLFSSL_EVP_CIPHER* cipher,
@@ -26666,9 +26670,11 @@ int wolfSSL_PEM_write_bio_PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key,
     keyDer = (byte*)key->pkey.ptr;
 
     switch (key->type) {
+#ifndef NO_RSA
         case EVP_PKEY_RSA:
             type = PRIVATEKEY_TYPE;
             break;
+#endif
 
 #ifndef NO_DSA
         case EVP_PKEY_DSA:
@@ -29920,8 +29926,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
     }
 
 
-#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
+#if defined(WOLFSSL_CERT_GEN)
-/* needed SetName function from asn.c is wrapped by NO_RSA */
     /* helper function for CopyX509NameToCertName()
      *
      * returns WOLFSSL_SUCCESS on success
@@ -35598,6 +35603,8 @@ int wolfSSL_X509_get_signature_nid(const WOLFSSL_X509 *x)
 #endif  /* OPENSSL_EXTRA */
 
 #if defined(OPENSSL_ALL)
+
+#ifndef NO_RSA
 int wolfSSL_EVP_PKEY_assign_RSA(EVP_PKEY* pkey, WOLFSSL_RSA* key)
 {
     if (pkey == NULL || key == NULL)
@@ -35609,6 +35616,7 @@ int wolfSSL_EVP_PKEY_assign_RSA(EVP_PKEY* pkey, WOLFSSL_RSA* key)
 
     return WOLFSSL_SUCCESS;
 }
+#endif
 
 int wolfSSL_EVP_PKEY_assign_EC_KEY(EVP_PKEY* pkey, WOLFSSL_EC_KEY* key)
 {
@@ -36189,12 +36197,16 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey,
     Cert cert;
     byte der[2048];
     int derSz = sizeof(der);
-    void* key;
+    void* key = NULL;
-    int type;
+    int type = -1;
     int sigType;
     int hashType;
+#ifndef NO_RSA
     RsaKey rsa;
+#endif
+#ifdef HAVE_ECC
     ecc_key ecc;
+#endif
     WC_RNG rng;
     word32 idx = 0;
 
@@ -36257,6 +36269,7 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey,
         return WOLFSSL_FAILURE;
 
     /* Create a public key object from requests public key. */
+#ifndef NO_RSA
     if (req->pubKeyOID == RSAk) {
         type = RSA_TYPE;
         ret = wc_InitRsaKey(&rsa, req->heap);
@@ -36270,7 +36283,9 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey,
         }
         key = (void*)&rsa;
     }
-    else {
+#endif
+#ifdef HAVE_ECC
+    if (req->pubKeyOID == ECDSAk) {
         type = ECC_TYPE;
         ret = wc_ecc_init(&ecc);
         if (ret != 0)
@@ -36283,6 +36298,9 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey,
         }
         key = (void*)&ecc;
     }
+#endif
+    if (key == NULL)
+        return WOLFSSL_FAILURE;
 
     /* Make the body of the certificate request. */
     ret = wc_MakeCertReq_ex(&cert, der, derSz, type, key);
@@ -36290,21 +36308,29 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey,
         return WOLFSSL_FAILURE;
 
     /* Dispose of the public key object. */
+#ifndef NO_RSA
     if (req->pubKeyOID == RSAk)
         wc_FreeRsaKey(&rsa);
-    else
+#endif
+#ifdef HAVE_ECC
+    if (req->pubKeyOID == ECDSAk)
         wc_ecc_free(&ecc);
+#endif
 
     idx = 0;
     /* Get the private key object and type from pkey. */
+#ifndef NO_RSA
     if (pkey->type == EVP_PKEY_RSA) {
         type = RSA_TYPE;
         key = pkey->rsa->internal;
     }
-    else {
+#endif
+#ifdef HAVE_ECC
+    if (pkey->type == EVP_PKEY_EC) {
         type = ECC_TYPE;
         key = pkey->ecc->internal;
     }
+#endif
 
     /* Sign the certificate request body. */
     ret = wc_InitRng(&rng);

tests/api.c

@@ -744,7 +744,7 @@ static void test_wolfSSL_CTX_use_certificate_file(void)
 #endif
 }
 
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)) && !defined(NO_RSA)
 static int test_wolfSSL_CTX_use_certificate_ASN1(void)
 {
 #if !defined(NO_CERTS) && !defined(NO_WOLFSSL_SERVER) && !defined(NO_ASN)
@@ -765,7 +765,7 @@ static int test_wolfSSL_CTX_use_certificate_ASN1(void)
     return WOLFSSL_SUCCESS;
 #endif
 }
-#endif /* OPENSSL_ALL || WOLFSSL_ASIO */
+#endif /* (OPENSSL_ALL || WOLFSSL_ASIO) && !NO_RSA */
 
 /*  Test function for wolfSSL_CTX_use_certificate_buffer. Load cert into
  *  context using buffer.
@@ -880,10 +880,12 @@ static void test_wolfSSL_CTX_load_verify_locations(void)
 {
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_WOLFSSL_CLIENT)
     WOLFSSL_CTX *ctx;
+#ifndef NO_RSA
     WOLFSSL_CERT_MANAGER* cm;
 #ifdef PERSIST_CERT_CACHE
     int cacheSz;
 #endif
+#endif
 #if !defined(NO_WOLFSSL_DIR) && !defined(WOLFSSL_TIRTOS)
     const char* load_certs_path = "./certs/external";
     const char* load_no_certs_path = "./examples";
@@ -908,9 +910,8 @@ static void test_wolfSSL_CTX_load_verify_locations(void)
     /* load ca cert */
 #ifdef NO_RSA
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), ASN_UNKNOWN_OID_E);
-#else
+#else /* Skip the following test without RSA certs. */
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), WOLFSSL_SUCCESS);
-#endif
 
 #ifdef PERSIST_CERT_CACHE
     /* Get cert cache size */
@@ -925,11 +926,7 @@ static void test_wolfSSL_CTX_load_verify_locations(void)
 #endif
 
     /* load ca cert again */
-#ifdef NO_RSA
-    AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), ASN_UNKNOWN_OID_E);
-#else
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), WOLFSSL_SUCCESS);
-#endif
 
     /* Test getting CERT_MANAGER */
     AssertNotNull(cm = wolfSSL_CTX_GetCertManager(ctx));
@@ -941,6 +938,7 @@ static void test_wolfSSL_CTX_load_verify_locations(void)
     /* Verify no certs (result is less than cacheSz) */
     AssertIntGT(cacheSz, wolfSSL_CTX_get_cert_cache_memsize(ctx));
 #endif
+#endif
 
 #if !defined(NO_WOLFSSL_DIR) && !defined(WOLFSSL_TIRTOS)
     /* Test loading CA certificates using a path */
@@ -1067,7 +1065,8 @@ static int test_wolfSSL_CertManagerLoadCABuffer(void)
 
 static void test_wolfSSL_CertManagerCRL(void)
 {
-#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL)
+#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \
+    !defined(NO_RSA)
 
     const char* ca_cert = "./certs/ca-cert.pem";
     const char* crl1     = "./certs/crl/crl.pem";
@@ -1097,7 +1096,7 @@ static void test_wolfSSL_CTX_load_verify_chain_buffer_format(void)
 {
 #if !defined(NO_CERTS) && !defined(NO_WOLFSSL_CLIENT) && \
 defined(USE_CERT_BUFFERS_2048) && defined(OPENSSL_EXTRA) && \
-defined(WOLFSSL_CERT_GEN)
+defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
 
     WOLFSSL_CTX* ctx;
 
@@ -1246,9 +1245,11 @@ static void test_wolfSSL_CTX_der_load_verify_locations(void)
     /* Case 5 filePath empty */
     AssertIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, emptyPath,
                 WOLFSSL_FILETYPE_ASN1), WOLFSSL_FAILURE);
+#ifndef NO_RSA
     /* Case 6 success case */
     AssertIntEQ(wolfSSL_CTX_der_load_verify_locations(ctx, derCert,
                 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+#endif
 
     wolfSSL_CTX_free(ctx);
 #endif
@@ -16354,7 +16355,11 @@ static void test_wc_PKCS7_Degenerate(void)
     AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
     AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
     AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
+#ifndef NO_RSA
     AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, der, derSz), 0);
+#else
+    AssertIntNE(wc_PKCS7_VerifySignedData(pkcs7, der, derSz), 0);
+#endif
     wc_PKCS7_Free(pkcs7);
 
     /* test with turning off degenerate cases */
@@ -16589,7 +16594,11 @@ static void test_wc_PKCS7_BER(void)
     AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
     AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
     AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
+#ifndef NO_RSA
     AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, der, derSz), 0);
+#else
+    AssertIntNE(wc_PKCS7_VerifySignedData(pkcs7, der, derSz), 0);
+#endif
     wc_PKCS7_Free(pkcs7);
 
 #ifndef NO_DES3
@@ -16599,7 +16608,11 @@ static void test_wc_PKCS7_BER(void)
     derSz = (word32)ret;
     XFCLOSE(f);
     AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
+#ifndef NO_RSA
     AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, der, derSz), 0);
+#else
+    AssertIntNE(wc_PKCS7_InitWithCert(pkcs7, der, derSz), 0);
+#endif
 
     AssertNotNull(f = XFOPEN("./certs/1024/client-key.der", "rb"));
     AssertIntGT((ret = (int)fread(der, 1, sizeof(der), f)), 0);
@@ -16607,8 +16620,13 @@ static void test_wc_PKCS7_BER(void)
     XFCLOSE(f);
     pkcs7->privateKey   = der;
     pkcs7->privateKeySz = derSz;
+#ifndef NO_RSA
     AssertIntGT(wc_PKCS7_DecodeEnvelopedData(pkcs7, berContent,
         sizeof(berContent), decoded, sizeof(decoded)), 0);
+#else
+    AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, berContent,
+        sizeof(berContent), decoded, sizeof(decoded)), NOT_COMPILED_IN);
+#endif
     wc_PKCS7_Free(pkcs7);
 #endif /* !NO_DES3 */
 
@@ -17671,7 +17689,8 @@ static void test_wolfSSL_PEM_PrivateKey(void)
     #endif
 
     /* key is DES encrypted */
-    #if !defined(NO_DES3) && defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_FILESYSTEM)
+    #if !defined(NO_DES3) && defined(WOLFSSL_ENCRYPTED_KEYS) && \
+    !defined(NO_RSA) && !defined(NO_FILESYSTEM)
     {
         pem_password_cb* passwd_cb;
         void* passwd_cb_userdata;
@@ -18766,7 +18785,7 @@ static void test_wolfSSL_CTX_set_srp_password(void)
 
 static void test_wolfSSL_X509_STORE(void)
 {
-#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL)
+#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_RSA)
     X509_STORE *store;
     X509_CRL *crl;
     X509 *x509;
@@ -19243,7 +19262,8 @@ static void test_wolfSSL_set_options(void)
  * PRE: OPENSSL and HAVE_CERTIFICATE_STATUS_REQUEST defined.
  */
 static void test_wolfSSL_set_tlsext_status_type(void){
-    #if defined(OPENSSL_EXTRA) && defined(HAVE_CERTIFICATE_STATUS_REQUEST)
+    #if defined(OPENSSL_EXTRA) && defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \
+    !defined(NO_RSA)
     SSL*     ssl;
     SSL_CTX* ctx;
 
@@ -19257,7 +19277,7 @@ static void test_wolfSSL_set_tlsext_status_type(void){
                == SSL_SUCCESS);
     SSL_free(ssl);
     SSL_CTX_free(ctx);
-    #endif  /* OPENSSL_EXTRA && HAVE_CERTIFICATE_STATUS_REQUEST */
+    #endif  /* OPENSSL_EXTRA && HAVE_CERTIFICATE_STATUS_REQUEST && !NO_RSA */
 }
 
 static void test_wolfSSL_PEM_read_bio(void)
@@ -20546,12 +20566,14 @@ static void test_wolfSSL_d2i_PUBKEY(void)
     #endif
 }
 
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)) && !defined(NO_RSA)
 static void test_wolfSSL_d2i_PrivateKeys_bio(void)
 {
     BIO*      bio = NULL;
     EVP_PKEY* pkey  = NULL;
+#ifndef NO_RSA
     RSA*  rsa  = NULL;
+#endif
     WOLFSSL_CTX* ctx;
 
 #if defined(WOLFSSL_KEY_GEN)
@@ -20624,13 +20646,14 @@ static void test_wolfSSL_d2i_PrivateKeys_bio(void)
     AssertNotNull(bio = BIO_new(BIO_s_mem()));
     AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method()));
 
+#ifndef NO_RSA
     /* Tests bad parameters */
     AssertNull(d2i_RSAPrivateKey_bio(NULL, NULL));
 
     /* RSA not set yet, expecting to fail*/
     AssertIntEQ(SSL_CTX_use_RSAPrivateKey(ctx, rsa), BAD_FUNC_ARG);
 
-#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA)  && defined(WOLFSSL_KEY_GEN)
+#if defined(USE_CERT_BUFFERS_2048) && defined(WOLFSSL_KEY_GEN)
     /* set RSA using bio*/
     AssertIntGT(BIO_write(bio, client_key_der_2048,
                 sizeof_client_key_der_2048), 0);
@@ -20642,13 +20665,13 @@ static void test_wolfSSL_d2i_PrivateKeys_bio(void)
     AssertIntEQ(wolfSSL_i2d_RSAPrivateKey(NULL, NULL), BAD_FUNC_ARG);
     AssertIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, &bufPtr),
                                            sizeof_client_key_der_2048);
+#endif /* USE_CERT_BUFFERS_2048 WOLFSSL_KEY_GEN */
     RSA_free(rsa);
-#endif
+#endif /* NO_RSA */
     SSL_CTX_free(ctx);
     ctx = NULL;
     BIO_free(bio);
     bio = NULL;
-    (void)rsa;
     printf(resultFmt, passed);
 }
 #endif /* OPENSSL_ALL || WOLFSSL_ASIO */
@@ -21849,7 +21872,7 @@ static void test_wc_GetPkcs8TraditionalOffset(void)
 static void test_wc_SetSubjectRaw(void)
 {
 #if !defined(NO_ASN) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
-    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)
+    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) && !defined(NO_RSA)
     const char* joiCertFile = "./certs/test/cert-ext-joi.pem";
     WOLFSSL_X509* x509;
     int peerCertSz;
@@ -21891,7 +21914,7 @@ static void test_wc_GetSubjectRaw(void)
 static void test_wc_SetIssuerRaw(void)
 {
 #if !defined(NO_ASN) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
-    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)
+    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) && !defined(NO_RSA)
     const char* joiCertFile = "./certs/test/cert-ext-joi.pem";
     WOLFSSL_X509* x509;
     int peerCertSz;
@@ -21917,7 +21940,7 @@ static void test_wc_SetIssuerRaw(void)
 static void test_wc_SetIssueBuffer(void)
 {
 #if !defined(NO_ASN) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
-    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)
+    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) && !defined(NO_RSA)
     const char* joiCertFile = "./certs/test/cert-ext-joi.pem";
     WOLFSSL_X509* x509;
     int peerCertSz;
@@ -23253,7 +23276,8 @@ static void test_wolfSSL_X509_CRL(void)
 
 static void test_wolfSSL_PEM_read_X509(void)
 {
-#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM)
+#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) && \
+    !defined(NO_RSA)
     X509 *x509 = NULL;
     XFILE fp;
 
@@ -23870,7 +23894,7 @@ void ApiTest(void)
     test_wolfSSL_DES_ncbc();
     test_wolfSSL_AES_cbc_encrypt();
 
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO)) && !defined(NO_RSA)
     AssertIntEQ(test_wolfSSL_CTX_use_certificate_ASN1(), WOLFSSL_SUCCESS);
     test_wolfSSL_d2i_PrivateKeys_bio();
 #endif /* OPENSSL_ALL || WOLFSSL_ASIO */

wolfcrypt/test/test.c

@@ -8685,7 +8685,10 @@ byte GetEntropy(ENTROPY_CMD cmd, byte* out)
             static const char* eccKeyDerFile = CERT_ROOT "ecc-key.der";
         #endif
         #ifdef WOLFSSL_CERT_GEN
-            static const char* eccKeyPubFile = CERT_ROOT "ecc-keyPub.der";
+            #ifndef NO_RSA
+                /* eccKeyPubFile is used in a test that requires RSA. */
+                static const char* eccKeyPubFile = CERT_ROOT "ecc-keyPub.der";
+            #endif
             static const char* eccCaKeyFile  = CERT_ROOT "ca-ecc-key.der";
             static const char* eccCaCertFile = CERT_ROOT "ca-ecc-cert.pem";
             #ifdef ENABLE_ECC384_CERT_GEN_TEST
@@ -8836,7 +8839,7 @@ static const CertName certDefaultName = {
     static const char certKeyUsage[] =
         "digitalSignature,nonRepudiation";
     #endif
-    #if defined(WOLFSSL_CERT_REQ) || defined(HAVE_NTRU)
+    #if (defined(WOLFSSL_CERT_REQ) || defined(HAVE_NTRU)) && !defined(NO_RSA)
         static const char certKeyUsage2[] =
         "digitalSignature,nonRepudiation,keyEncipherment,keyAgreement";
     #endif