From f518a8f7d51b2f7d551e3958ea472b759c999b84 Mon Sep 17 00:00:00 2001
From: Stanislav Klima <sklima@ra.rockwell.com>
Date: Wed, 8 Nov 2023 10:51:25 +0100
Subject: [PATCH] new build flag WOLFSSL_ALLOW_ENCODING_CA_FALSE

---
 tests/api.c                    |  5 ++---
 wolfcrypt/src/asn.c            | 20 ++++++++++----------
 wolfssl/wolfcrypt/asn.h        |  3 ---
 wolfssl/wolfcrypt/asn_public.h |  2 +-
 4 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/tests/api.c b/tests/api.c
index 7d9690f3e..c18a83366 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -49918,9 +49918,8 @@ static int test_MakeCertWithPathLen(void)
 static int test_MakeCertWithCaFalse(void)
 {
     EXPECT_DECLS;
-#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
-    defined(WOLFSSL_CERT_REQ) && !defined(NO_ASN_TIME) && \
-    defined(WOLFSSL_CERT_GEN) && defined(HAVE_ECC)
+#if defined(WOLFSSL_ALLOW_ENCODING_CA_FALSE) && defined(WOLFSSL_CERT_REQ) && \
+    !defined(NO_ASN_TIME) && defined(WOLFSSL_CERT_GEN) && defined(HAVE_ECC)
     const byte expectedIsCaSet = 1;
     const byte expectedIsCa = 0;
     Cert cert;
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index eb7bd2abe..b1b86ebfb 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -96,6 +96,9 @@ ASN Options:
     cost of taking up more memory. Adds initials, givenname, dnQualifer for
     example.
  * WC_ASN_HASH_SHA256: Force use of SHA2-256 for the internal hash ID calcs.
+ * WOLFSSL_ALLOW_ENCODING_CA_FALSE: Allow encoding BasicConstraints CA:FALSE
+ *  which is discouraged by X.690 (DER) specification - default values shall not
+ *  be encoded.
 */
 
 #include <wolfssl/wolfcrypt/error-crypt.h>
@@ -18548,7 +18551,7 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
         WOLFSSL_MSG("\tfail: constraint not valid BOOLEAN, set default FALSE");
         ret = 0;
     }
-#if defined(OPENSSL_EXTRA)  || defined(OPENSSL_EXTRA_X509_SMALL)
+#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
     else {
         /* CA Boolean asserted, GetBoolean didn't return error. */
         cert->isCaSet = 1;
@@ -18590,18 +18593,15 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
 
     /* Empty SEQUENCE is OK - nothing to store. */
     if ((ret == 0) && (dataASN[BASICCONSASN_IDX_SEQ].length != 0)) {
-    #if !defined(OPENSSL_EXTRA) && !defined(OPENSSL_EXTRA_X509_SMALL)
         /* Bad encoding when CA Boolean is false
          * (default when not present). */
+#if !defined(ASN_TEMPLATE_SKIP_ISCA_CHECK) && \
+    !defined(WOLFSSL_ALLOW_ENCODING_CA_FALSE)
         if ((dataASN[BASICCONSASN_IDX_CA].length != 0) && (!isCA)) {
             WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E);
             ret = ASN_PARSE_E;
         }
-    #else
-        if (dataASN[BASICCONSASN_IDX_CA].length != 0) {
-            cert->isCaSet = 1;
-        }
-    #endif
+#endif
         /* Path length must be a 7-bit value. */
         if ((ret == 0) && (cert->pathLength >= (1 << 7))) {
             WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E);
@@ -27811,7 +27811,7 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
                 dataASN[CERTEXTSASN_IDX_BC_PATHLEN].noOut = 1;
             }
         }
-    #if defined(OPENSSL_EXTRA)  || defined(OPENSSL_EXTRA_X509_SMALL)
+    #ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
         else if (cert->isCaSet) {
             SetASN_Boolean(&dataASN[CERTEXTSASN_IDX_BC_CA], 0);
             SetASN_Buffer(&dataASN[CERTEXTSASN_IDX_BC_OID], bcOID, sizeof(bcOID));
@@ -28466,7 +28466,7 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
 
         der->extensionsSz += der->caSz;
     }
-#if defined(OPENSSL_EXTRA)  || defined(OPENSSL_EXTRA_X509_SMALL)
+#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
     /* Set CA */
     else if (cert->isCaSet) {
         der->caSz = SetCaEx(der->ca, sizeof(der->ca), cert->isCA);
@@ -29874,7 +29874,7 @@ static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey,
 
         der->extensionsSz += der->caSz;
     }
-#if defined(OPENSSL_EXTRA)  || defined(OPENSSL_EXTRA_X509_SMALL)
+#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
     /* Set CA */
     else if (cert->isCaSet) {
         der->caSz = SetCaEx(der->ca, sizeof(der->ca), cert->isCA);
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index b33463d5a..6837ffa65 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -1882,9 +1882,6 @@ struct DecodedCert {
     byte extNameConstraintSet : 1;
 #endif
     byte isCA : 1;                 /* CA basic constraint true */
-#if defined(OPENSSL_EXTRA)  || defined(OPENSSL_EXTRA_X509_SMALL)
-    byte isCaSet : 1;              /* CA basic constraint set */
-#endif
     byte pathLengthSet : 1;        /* CA basic const path length set */
     byte weOwnAltNames : 1;        /* altNames haven't been given to copy */
     byte extKeyUsageSet : 1;
diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h
index d4438b428..a4395ed0c 100644
--- a/wolfssl/wolfcrypt/asn_public.h
+++ b/wolfssl/wolfcrypt/asn_public.h
@@ -530,7 +530,7 @@ typedef struct Cert {
     byte*   der;              /* Pointer to buffer of current DecodedCert cache */
     void*   heap;             /* heap hint */
     byte    basicConstSet:1;  /* Indicator for when Basic Constraint is set */
-#if defined(OPENSSL_EXTRA)  || defined(OPENSSL_EXTRA_X509_SMALL)
+#ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE
     byte    isCaSet:1;        /* Indicator for when isCA is set */
 #endif
     byte    pathLenSet:1;     /* Indicator for when path length is set */