Allow CA:FALSE on wolftpm

The Intel CSME fTFM sets this basic constraint on their EK certificates and by default wolfSSL fails to parse because of this.
2025-07-31 19:24:42 +02:00 · 2025-06-25 22:48:53 +02:00
parent 1c1c556e5e
commit e9e00c47ab
2 changed files with 4 additions and 0 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2085,6 +2085,7 @@ if(WOLFSSL_TPM)
    override_cache(WOLFSSL_CERTEXT  "yes")
    override_cache(WOLFSSL_PKCS7    "yes")
    override_cache(WOLFSSL_AESCFB   "yes")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_ALLOW_ENCODING_CA_FALSE")
 endif()

 if(WOLFSSL_CLU)
--- a/configure.ac
+++ b/configure.ac
@@ -7243,6 +7243,9 @@ then

    # Requires public mp_
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
+
+    # Requires allowing CA:FALSE in BasicConstraints
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_ENCODING_CA_FALSE"
 fi

 if test "x$ENABLED_SMIME" = "xyes"