Allow larger pathLen values in Basic Constraints.

Kareem
2025-06-04 15:19:43 -07:00
parent ed6d189f1a
commit f0459eb1cf
2 changed files with 4 additions and 9 deletions


@@ -20631,7 +20631,7 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
if (ret == 0) {
/* Get the CA boolean and path length when present. */
GetASN_Boolean(&dataASN[BASICCONSASN_IDX_CA], &isCA);
GetASN_Int8Bit(&dataASN[BASICCONSASN_IDX_PLEN], &cert->pathLength);
GetASN_Int16Bit(&dataASN[BASICCONSASN_IDX_PLEN], &cert->pathLength);
ret = GetASN_Items(basicConsASN, dataASN, basicConsASN_Length, 1, input,
&idx, (word32)sz);
@@ -20648,11 +20648,6 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
ret = ASN_PARSE_E;
}
#endif
/* Path length must be a 7-bit value. */
if ((ret == 0) && (cert->pathLength >= (1 << 7))) {
WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E);
ret = ASN_PARSE_E;
}
if ((ret == 0) && cert->pathLength > WOLFSSL_MAX_PATH_LEN) {
WOLFSSL_ERROR_VERBOSE(ASN_PATHLEN_SIZE_E);
ret = ASN_PATHLEN_SIZE_E;
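Review bot: After the second hunk drops the 7-bit check, the only bound left on the decoded pathLenConstraint is `cert->pathLength > WOLFSSL_MAX_PATH_LEN`, so rejecting a negative or oversized value from an untrusted certificate now depends entirely on how that macro is configured. A two-byte DER INTEGER with its top bit set is negative, and whether `GetASN_Int16Bit` rejects it is not visible here; if it does not, a build that raises the limit to 0x8000 or above would accept it as a large path length. I would keep the sign check at the new width, `if ((ret == 0) && (cert->pathLength >= (1 << 15))) {` with the existing `ASN_PARSE_E` body, and add decode tests for a two-byte pathLen at the limit and one just over it. DecodeBasicCaConstraint starts and ends outside both hunks.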


@@ -1642,8 +1642,8 @@ struct DecodedCert {
const byte* extAuthKeyIdIssuerSN; /* Authority Key ID authorityCertSerialNumber */
word32 extAuthKeyIdIssuerSNSz; /* Authority Key ID authorityCertSerialNumber length */
#endif
byte pathLength; /* CA basic constraint path length */
byte maxPathLen; /* max_path_len see RFC 5280 section
word16 pathLength; /* CA basic constraint path length */
word16 maxPathLen; /* max_path_len see RFC 5280 section
* 6.1.2 "Initialization" - (k) for
* description of max_path_len */
byte policyConstSkip; /* Policy Constraints skip certs value */
@@ -1943,7 +1943,7 @@ struct Signer {
word32 pubKeySize;
word32 keyOID; /* key type */
word16 keyUsage;
byte maxPathLen;
word16 maxPathLen;
WC_BITFIELD selfSigned:1;
const byte* publicKey;
int nameLen;
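Review bot: Widening `pathLength` and `maxPathLen` to `word16` here only helps if every consumer of these fields was widened too, and this commit touches just four lines in two files. Any remaining `byte` local or `(byte)` cast in the chain-validation code that copies or decrements these values (not visible on this page, so this needs checking) would silently truncate a constraint of 256 or more, weakening or mis-enforcing the path-length limit. `Signer.maxPathLen` also carries no comment; I would add `/* max_path_len, RFC 5280 section 6.1.2 (k); must be wide enough for WOLFSSL_MAX_PATH_LEN */`. Both struct definitions extend outside the hunks.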