Fix to resolve wolfCrypt test for `cert_test` nameConstraints test. Fixed ASN check to properly determine if certificate is CA type.

David Garske
2018-02-07 12:48:33 -08:00
parent 4a6bb20ba6
commit c2a0de93b8
6 changed files with 13 additions and 5 deletions


@@ -10,7 +10,7 @@ L = Brisbane
O = wolfSSL Inc
OU = Engineering
CN = www.wolfssl.com
emailAddress = support@www.wolfsssl.com
emailAddress = support@wolfsssl.com
[ v3_ca ]
inhibitAnyPolicy = critical,1

Binary file not shown.


@@ -10,9 +10,13 @@ L = Brisbane
O = wolfSSL Inc
OU = Engineering
CN = www.wolfssl.com
emailAddress = support@www.wolfsssl.com
emailAddress = support@wolfsssl.com
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
nameConstraints = critical,permitted;email:.wolfssl.com
nsComment = "Testing name constraints"
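Review bot: The new subject value `emailAddress = support@wolfsssl.com` still spells the domain with three s, so it does not fall under the `permitted;email:.wolfssl.com` subtree in the same section. Per RFC 5280 section 4.2.1.10 a leading-dot email constraint covers mailboxes on hosts inside the domain and not the domain itself, so even `support@wolfssl.com` would not match it. If the fixture is meant to be a passing case, the address or the constraint probably needs adjusting; if the mismatch is deliberate, a line such as `# subject email is deliberately outside the permitted email subtree` would say so. The same values recur in the first gen-ext-certs.sh hunk, and the three-s spelling is also in the two `inhibitAnyPolicy` hunks.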

Binary file not shown.

8
certs/test/gen-ext-certs.sh Normal file → Executable file

@@ -33,9 +33,13 @@ L = Brisbane
O = wolfSSL Inc
OU = Engineering
CN = www.wolfssl.com
emailAddress = support@www.wolfsssl.com
emailAddress = support@wolfsssl.com
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
nameConstraints = critical,permitted;email:.wolfssl.com
nsComment = "Testing name constraints"
@@ -58,7 +62,7 @@ L = Brisbane
O = wolfSSL Inc
OU = Engineering
CN = www.wolfssl.com
emailAddress = support@www.wolfsssl.com
emailAddress = support@wolfsssl.com
[ v3_ca ]
inhibitAnyPolicy = critical,1


@@ -6363,7 +6363,7 @@ static int DecodeCertExtensions(DecodedCert* cert)
/* Verify RFC 5280 Sec 4.2.1.10 rule:
"The name constraints extension,
which MUST be used only in a CA certificate" */
if (!cert->ca) {
if (!cert->isCA) {
WOLFSSL_MSG("Name constraints allowed only for CA certs");
return ASN_NAME_INVALID_E;
}
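Review bot: The `if (!cert->isCA)` test sits inside extension decoding, so it can only see what earlier extensions have already set; if `isCA` is filled in when basicConstraints is parsed (not visible in this hunk), a CA certificate that lists nameConstraints before basicConstraints would be rejected with ASN_NAME_INVALID_E. The failure is on the closed side, but it makes acceptance depend on extension order, which RFC 5280 does not fix. Consider deferring the test until all extensions are decoded, or at least recording the assumption with `/* relies on basicConstraints having been decoded before nameConstraints */`. DecodeCertExtensions starts and ends outside the hunk, so the ordering of the surrounding cases cannot be confirmed from here.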