From e9e00c47ab5f4acee758a34cfff0a3e830347f98 Mon Sep 17 00:00:00 2001
From: Mattia Moffa
Date: Wed, 25 Jun 2025 22:48:53 +0200
Subject: [PATCH] Allow CA:FALSE on wolftpm

The Intel CSME fTFM sets this basic constraint on their EK certificates and by default wolfSSL fails to parse because of this.
---
 CMakeLists.txt | 1 +
 configure.ac | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a33712f03..0e8e62a3d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2085,6 +2085,7 @@ if(WOLFSSL_TPM)
 override_cache(WOLFSSL_CERTEXT "yes")
 override_cache(WOLFSSL_PKCS7 "yes")
 override_cache(WOLFSSL_AESCFB "yes")
+ list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_ALLOW_ENCODING_CA_FALSE")
 endif()
 if(WOLFSSL_CLU)
diff --git a/configure.ac b/configure.ac
index 21dfb0c79..9334d3cd5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -7243,6 +7243,9 @@ then
 # Requires public mp_
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
+
+ # Requires allowing CA:FALSE in BasicConstraints
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_ENCODING_CA_FALSE"
 fi
 if test "x$ENABLED_SMIME" = "xyes"
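Review bot: The added `list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_ALLOW_ENCODING_CA_FALSE")` in the `if(WOLFSSL_TPM)` block is a build-wide compile definition, so the relaxed BasicConstraints handling is not limited to the EK certificates named in the commit message. Presumably every certificate the library parses in a TPM-enabled build, including peer chains during TLS validation, is then accepted with this encoding; that is worth confirming against the parser before merging. The line also has no comment, unlike the configure.ac hunk, which has the same scope. I would add one above it, for example `# Intel CSME EK certificates set CA:FALSE in BasicConstraints; accept it (applies to all certificate parsing in this build)`. The `if(WOLFSSL_TPM)` block starts outside the hunk.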
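Review bot: The new comment `# Requires allowing CA:FALSE in BasicConstraints` overstates the reason, since the commit message ties the need to EK certificates from one vendor rather than to wolfTPM as a whole. A wording that records the actual cause helps a later maintainer decide whether the relaxation can be dropped or narrowed, for example `# Intel CSME EK certs set CA:FALSE in BasicConstraints, which the parser rejects by default`. The enclosing `if` block starts outside the hunk.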