Modify ParseCertRelative to ensure issuerKeyHash gets parsed and copied into the

decoded cert for self-signed CA certs. The bit of code that does this copy was previously inside a conditional that's only entered if the certificate is not self-signed. The primary purpose of this conditional is to set the maxPathLen field. It's possible that the copying of the issuerKeyHash was mistakenly included in the "else" block here, when it should be outside.
2025-07-29 18:27:29 +02:00 · 2021-01-04 10:29:27 -06:00
parent 413bde9146
commit 96ece3ac7d
1 changed files with 11 additions and 11 deletions
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -9903,18 +9903,18 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
                    }
                }
            }
-            #ifdef HAVE_OCSP
-            if (verify != NO_VERIFY && type != CA_TYPE &&
-                                                    type != TRUSTED_PEER_TYPE) {
-                if (cert->ca) {
-                    /* Need the CA's public key hash for OCSP */
-                    XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
-                                                                    KEYID_SIZE);
-                }
-
-            }
-            #endif /* HAVE_OCSP */
        }
+
+        #ifdef HAVE_OCSP
+        if (verify != NO_VERIFY && type != CA_TYPE &&
+                                                type != TRUSTED_PEER_TYPE) {
+            if (cert->ca) {
+                /* Need the CA's public key hash for OCSP */
+                XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
+                                                                KEYID_SIZE);
+            }
+        }
+        #endif /* HAVE_OCSP */
    }
 #if defined(WOLFSSL_RENESAS_TSIP)
    /* prepare for TSIP TLS cert verification API use */