From 96ece3ac7d2840ddb0a5874a5e03cbc28fefb0b4 Mon Sep 17 00:00:00 2001
From: Hayden Roche
Date: Mon, 4 Jan 2021 10:29:27 -0600
Subject: [PATCH] Modify ParseCertRelative to ensure issuerKeyHash gets parsed and copied into the decoded cert for self-signed CA certs.

The bit of code that does this copy was previously inside a conditional that's only entered if the certificate is not self-signed. The primary purpose of this conditional is to set the maxPathLen field. It's possible that the copying of the issuerKeyHash was mistakenly included in the "else" block here, when it should be outside.

---
 wolfcrypt/src/asn.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 12ada17af..8714f054c 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -9903,18 +9903,18 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
 }
 }
 }
- #ifdef HAVE_OCSP
- if (verify != NO_VERIFY && type != CA_TYPE &&
- type != TRUSTED_PEER_TYPE) {
- if (cert->ca) {
- /* Need the CA's public key hash for OCSP */
- XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
- KEYID_SIZE);
- }
-
- }
- #endif /* HAVE_OCSP */
 }
+
+ #ifdef HAVE_OCSP
+ if (verify != NO_VERIFY && type != CA_TYPE &&
+ type != TRUSTED_PEER_TYPE) {
+ if (cert->ca) {
+ /* Need the CA's public key hash for OCSP */
+ XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
+ KEYID_SIZE);
+ }
+ }
+ #endif /* HAVE_OCSP */
 }
 #if defined(WOLFSSL_RENESAS_TSIP)
 /* prepare for TSIP TLS cert verification API use */
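Review bot: The relocated `#ifdef HAVE_OCSP` block is still gated on `type != CA_TYPE && type != TRUSTED_PEER_TYPE`, so a certificate loaded into the CA store as CA_TYPE still never gets `issuerKeyHash` filled; the commit title's "self-signed CA certs" appears to mean a self-signed certificate parsed as a peer cert, and the new block's only comment does not say why it now sits outside the self-signed branch. Suggest replacing the comment above the `XMEMCPY` with `/* Need the CA's public key hash for OCSP. Deliberately outside the self-signed/else branch: a self-signed peer cert needs this too. Skipped for CA_TYPE and TRUSTED_PEER_TYPE. */` so the next reader does not re-fold it into the branch or expect CA_TYPE coverage. When `cert->ca` is NULL the field is left as whatever earlier parsing put there, which this hunk cannot show; it is worth confirming it is zeroed or derived from the AKID rather than left stale before an OCSP request is built from it. ParseCertRelative begins and ends outside the hunk, so the `verify`/`cert->ca` setup the condition relies on is not visible here.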