WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix basic constraints extension present and CA Boolean not asserted

pull/4180/head
kaleb-himes 2021-07-02 11:58:27 -06:00
parent 197b959916
commit 93a8f36530
7 changed files with 264 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

184
certs/entity-no-ca-bool-cert.pem 100644
View File

@ -0,0 +1,184 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
Validity
Not Before: Jul 2 15:55:08 2021 GMT
Not After : Mar 28 15:55:08 2024 GMT
Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL, OU = NoCaBool, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:eb:52:8d:b0:d8:01:6b:f7:16:50:fe:34:a3:86:
1b:e8:49:50:b1:6f:6a:3f:af:de:6c:d1:af:25:9c:
ab:21:fc:d1:3f:45:dc:86:1d:57:04:9e:9c:56:ff:
66:af:78:4b:85:7c:71:bc:6b:79:a9:63:21:f4:88:
1e:6f:b9:53:58:b0:4d:93:b5:a7:e5:9c:80:3b:d9:
fb:f4:47:fe:46:f1:e7:7e:59:1d:e7:21:11:6b:96:
a0:d7:3b:de:ba:06:61:eb:03:d4:74:b7:b4:93:f4:
38:34:db:9f:58:dc:d7:fa:ee:fe:56:69:b8:97:af:
5b:ca:56:40:30:11:1c:26:40:a6:1f:1c:bb:d6:e0:
ff:1e:a4:57:35:e3:74:ab:49:a1:87:95:2f:8a:77:
0a:b1:65:a0:8f:d3:5a:ac:04:93:cc:50:83:42:64:
ab:12:fa:2e:af:2b:ea:b1:73:7b:ce:33:c3:68:23:
27:f0:75:f4:0b:82:1e:ae:21:00:4f:fc:26:17:75:
84:9b:e0:31:de:59:83:aa:45:f9:82:cb:3e:dd:22:
ee:ce:7c:0c:06:dc:cc:61:25:7e:7a:64:e9:c5:06:
57:d3:c1:61:53:59:82:32:c6:cf:1d:70:87:44:3d:
b7:52:e5:56:67:e3:16:7b:bb:48:98:8d:54:c1:85:
aa:57
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
EF:F4:8B:86:CE:75:EF:DC:E1:F8:23:1E:1A:B8:3B:8D:98:09:88:E7
X509v3 Authority Key Identifier:
keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
serial:AA:D3:3F:AC:18:0A:37:4D
X509v3 Basic Constraints:
CA:FALSE, pathlen:0
X509v3 Key Usage:
Digital Signature
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
0a:bc:55:13:b4:2d:a2:39:ca:a9:d0:82:6e:96:f1:c3:d7:91:
13:01:3d:e9:a8:2b:e0:8e:e9:5c:e9:b7:0d:fa:f1:86:84:e4:
1c:0b:75:19:4b:a0:3a:62:e0:32:d2:18:27:d4:3c:55:84:35:
ba:42:db:a0:5e:78:e5:94:26:69:fd:cb:c0:b2:d4:7d:da:b1:
7f:dc:1d:34:22:32:8c:81:e1:9c:1c:99:3a:39:10:62:25:c3:
f2:38:d8:78:ae:09:51:ce:57:1c:8b:b4:23:67:a5:74:59:0d:
68:e6:2b:8b:f0:ba:86:c3:db:f8:b6:fd:0c:21:d6:0b:ab:76:
8a:1a:02:d0:8f:ce:a0:bb:00:38:52:c1:04:f4:6b:0f:27:45:
98:1e:79:e7:07:6a:06:83:ab:2e:f7:5b:72:61:a0:f3:06:26:
36:fc:cc:09:da:fe:de:5a:7d:ca:5f:b0:7f:7a:aa:ef:5f:9d:
ea:f5:79:ed:f3:9a:34:58:1f:ae:6d:10:12:b0:5c:df:e4:6b:
6b:fe:5a:55:53:a0:ca:43:2f:ce:80:9f:d4:39:20:4e:02:ba:
be:40:5c:b4:60:17:49:50:e8:b0:c9:0f:80:c6:3c:99:70:f2:
63:31:d1:b4:5d:b3:df:93:17:b2:51:55:f7:c0:af:02:05:6c:
11:b0:02:d2
-----BEGIN CERTIFICATE-----
MIIEzTCCA7WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjEwNzAy
MTU1NTA4WhcNMjQwMzI4MTU1NTA4WjCBkTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxETAP
BgNVBAsMCE5vQ2FCb29sMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq
hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDrUo2w2AFr9xZQ/jSjhhvoSVCxb2o/r95s0a8lnKsh/NE/RdyG
HVcEnpxW/2aveEuFfHG8a3mpYyH0iB5vuVNYsE2TtaflnIA72fv0R/5G8ed+WR3n
IRFrlqDXO966BmHrA9R0t7ST9Dg0259Y3Nf67v5WabiXr1vKVkAwERwmQKYfHLvW
4P8epFc143SrSaGHlS+KdwqxZaCP01qsBJPMUINCZKsS+i6vK+qxc3vOM8NoIyfw
dfQLgh6uIQBP/CYXdYSb4DHeWYOqRfmCyz7dIu7OfAwG3MxhJX56ZOnFBlfTwWFT
WYIyxs8dcIdEPbdS5VZn4xZ7u0iYjVTBhapXAgMBAAGjggEpMIIBJTAdBgNVHQ4E
FgQU7/SLhs5179zh+CMeGrg7jZgJiOcwgckGA1UdIwSBwTCBvoAUJ45nEXTDJh0/
7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250
YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UE
CwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI
hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAqtM/rBgKN00wDAYDVR0TBAUwAwIB
ADALBgNVHQ8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0G
CSqGSIb3DQEBCwUAA4IBAQAKvFUTtC2iOcqp0IJulvHD15ETAT3pqCvgjulc6bcN
+vGGhOQcC3UZS6A6YuAy0hgn1DxVhDW6QtugXnjllCZp/cvAstR92rF/3B00IjKM
geGcHJk6ORBiJcPyONh4rglRzlcci7QjZ6V0WQ1o5iuL8LqGw9v4tv0MIdYLq3aK
GgLQj86guwA4UsEE9GsPJ0WYHnnnB2oGg6su91tyYaDzBiY2/MwJ2v7eWn3KX7B/
eqrvX53q9Xnt85o0WB+ubRASsFzf5Gtr/lpVU6DKQy/OgJ/UOSBOArq+QFy0YBdJ
UOiwyQ+AxjyZcPJjMdG0XbPfkxeyUVX3wK8CBWwRsALS
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
aa:d3:3f:ac:18:0a:37:4d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
Validity
Not Before: Feb 10 19:49:52 2021 GMT
Not After : Nov 7 19:49:52 2023 GMT
Subject: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bf:0c:ca:2d:14:b2:1e:84:42:5b:cd:38:1f:4a:
f2:4d:75:10:f1:b6:35:9f:df:ca:7d:03:98:d3:ac:
de:03:66:ee:2a:f1:d8:b0:7d:6e:07:54:0b:10:98:
21:4d:80:cb:12:20:e7:cc:4f:de:45:7d:c9:72:77:
32:ea:ca:90:bb:69:52:10:03:2f:a8:f3:95:c5:f1:
8b:62:56:1b:ef:67:6f:a4:10:41:95:ad:0a:9b:e3:
a5:c0:b0:d2:70:76:50:30:5b:a8:e8:08:2c:7c:ed:
a7:a2:7a:8d:38:29:1c:ac:c7:ed:f2:7c:95:b0:95:
82:7d:49:5c:38:cd:77:25:ef:bd:80:75:53:94:3c:
3d:ca:63:5b:9f:15:b5:d3:1d:13:2f:19:d1:3c:db:
76:3a:cc:b8:7d:c9:e5:c2:d7:da:40:6f:d8:21:dc:
73:1b:42:2d:53:9c:fe:1a:fc:7d:ab:7a:36:3f:98:
de:84:7c:05:67:ce:6a:14:38:87:a9:f1:8c:b5:68:
cb:68:7f:71:20:2b:f5:a0:63:f5:56:2f:a3:26:d2:
b7:6f:b1:5a:17:d7:38:99:08:fe:93:58:6f:fe:c3:
13:49:08:16:0b:a7:4d:67:00:52:31:67:23:4e:98:
ed:51:45:1d:b9:04:d9:0b:ec:d8:28:b3:4b:bd:ed:
36:79
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
X509v3 Authority Key Identifier:
keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
serial:AA:D3:3F:AC:18:0A:37:4D
X509v3 Basic Constraints:
CA:TRUE
X509v3 Subject Alternative Name:
DNS:example.com, IP Address:127.0.0.1
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
62:98:c8:58:cf:56:03:86:5b:1b:71:49:7d:05:03:5d:e0:08:
86:ad:db:4a:de:ab:22:96:a8:c3:59:68:c1:37:90:40:df:bd:
89:d0:bc:da:8e:ef:87:b2:c2:62:52:e1:1a:29:17:6a:96:99:
c8:4e:d8:32:fe:b8:d1:5c:3b:0a:c2:3c:5f:a1:1e:98:7f:ce:
89:26:21:1f:64:9c:15:7a:9c:ef:fb:1d:85:6a:fa:98:ce:a8:
a9:ab:c3:a2:c0:eb:87:ed:bc:21:df:f3:07:5b:ae:fd:40:d4:
ae:20:d0:76:8a:31:0a:a2:62:7c:61:0d:ce:5d:9a:1e:e4:20:
88:51:49:fb:77:a9:cd:4d:c6:bf:54:99:33:ef:4b:a0:73:70:
6d:2e:d9:3d:08:f6:12:39:31:68:c6:61:5c:41:b5:1b:f4:38:
7d:fc:be:73:66:2d:f7:ca:5b:2c:5b:31:aa:cf:f6:7f:30:e4:
12:2c:8e:d6:38:51:e6:45:ee:d5:da:c3:83:d6:ed:5e:ec:d6:
b6:14:b3:93:59:e1:55:4a:7f:04:df:ce:65:d4:df:18:4f:dd:
b4:45:7f:a6:56:30:c4:05:44:98:9d:4f:26:6d:84:80:a0:5e:
ed:23:d1:48:87:0e:05:06:91:3b:b0:3c:bb:8c:8f:3c:7b:4c:
4f:a1:ca:98
-----BEGIN CERTIFICATE-----
MIIE6TCCA9GgAwIBAgIJAKrTP6wYCjdNMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G
A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3
dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe
Fw0yMTAyMTAxOTQ5NTJaFw0yMzExMDcxOTQ5NTJaMIGUMQswCQYDVQQGEwJVUzEQ
MA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwIU2F3
dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3Ns
LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAL8Myi0Ush6EQlvNOB9K8k11EPG2NZ/fyn0D
mNOs3gNm7irx2LB9bgdUCxCYIU2AyxIg58xP3kV9yXJ3MurKkLtpUhADL6jzlcXx
i2JWG+9nb6QQQZWtCpvjpcCw0nB2UDBbqOgILHztp6J6jTgpHKzH7fJ8lbCVgn1J
XDjNdyXvvYB1U5Q8PcpjW58VtdMdEy8Z0TzbdjrMuH3J5cLX2kBv2CHccxtCLVOc
/hr8fat6Nj+Y3oR8BWfOahQ4h6nxjLVoy2h/cSAr9aBj9VYvoybSt2+xWhfXOJkI
/pNYb/7DE0kIFgunTWcAUjFnI06Y7VFFHbkE2Qvs2CizS73tNnkCAwEAAaOCATow
ggE2MB0GA1UdDgQWBBQnjmcRdMMmHT/tM2OzpNgdMOXo1TCByQYDVR0jBIHBMIG+
gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAO
BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rv
b3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5j
b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQCq0z+sGAo3TTAM
BgNVHRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAYpjI
WM9WA4ZbG3FJfQUDXeAIhq3bSt6rIpaow1lowTeQQN+9idC82o7vh7LCYlLhGikX
apaZyE7YMv640Vw7CsI8X6EemH/OiSYhH2ScFXqc7/sdhWr6mM6oqavDosDrh+28
Id/zB1uu/UDUriDQdooxCqJifGENzl2aHuQgiFFJ+3epzU3Gv1SZM+9LoHNwbS7Z
PQj2EjkxaMZhXEG1G/Q4ffy+c2Yt98pbLFsxqs/2fzDkEiyO1jhR5kXu1drDg9bt
XuzWthSzk1nhVUp/BN/OZdTfGE/dtEV/plYwxAVEmJ1PJm2EgKBe7SPRSIcOBQaR
O7A8u4yPPHtMT6HKmA==
-----END CERTIFICATE-----

27
certs/entity-no-ca-bool-key.pem 100644
View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA61KNsNgBa/cWUP40o4Yb6ElQsW9qP6/ebNGvJZyrIfzRP0Xc
hh1XBJ6cVv9mr3hLhXxxvGt5qWMh9Igeb7lTWLBNk7Wn5ZyAO9n79Ef+RvHnflkd
5yERa5ag1zveugZh6wPUdLe0k/Q4NNufWNzX+u7+Vmm4l69bylZAMBEcJkCmHxy7
1uD/HqRXNeN0q0mhh5UvincKsWWgj9NarASTzFCDQmSrEvouryvqsXN7zjPDaCMn
8HX0C4IeriEAT/wmF3WEm+Ax3lmDqkX5gss+3SLuznwMBtzMYSV+emTpxQZX08Fh
U1mCMsbPHXCHRD23UuVWZ+MWe7tImI1UwYWqVwIDAQABAoIBAQCbAnw3O3JkThSz
MWA3P0Xu0yyGVN/mJ9EaWV1IJ1VLRCAJz9kdtwH1Fw3g+MgJWfJVcc3x0dIIVDav
v2JdMfTG/Qt8+zInu9l0k3i2Rx4mWX6l6coaz9uLxWMZpGRooX+qsZEneUNIGp1T
pD/o50CWGQwMnANuV6LdO8d4YizqvHO7N3QQqYLb80KnvbjOdqR3hApV2B/fehqP
ye+b7ThJpiSSxcY/CA0bBDFU8fZUyDxgaqyu5NbkFnT2m6JUfpQXef3FaYb2934Z
EkvsLMciWYQJ4jNtaUFoFxYADw8ZDp8d9VV6BxxykcdwAbd6F9y5pmYPq8/hkLDJ
9AbXXTLxAoGBAPuyE7i4ktHwFDNLKKp2olF49dYr8onr9JuuIwWihRNnR7I4CyFq
/vcyatLysGwWRZtqwPIjBoqSdN+TvY763fyIn8gtFFlGNk1YLDNb3cXV8MBaaXhm
niJDvVg+mdj8tFUzjQVyv+CJV2Ow9LWVk1wU1wbKIdzIWInchc0aLhI9AoGBAO9Y
y3x+bAsEI4isnbq6J2t9EowJQ7mSUxuSEa7v+GDXeEnIVZ4rWo8mmEq/p9jHM+YF
JVBfI6OhFVpBoUOHL4u2MrMscXhPqGgSB7eSvlhJntpnjwpfF+COel2sNW6MNAbk
WZRGnfs4ImyEI0BBSKXto0mLH5M2ZpXrjEZwTJwjAoGAeTLo+Dw4xsr6jzCT5nG1
+9FpX7ZN1kg+w3B5AM+fkRZcmd8OzQq+t74ZXnbqqUGYRxyCyJZBIh0gFkEIOH9o
wZ/wgO3kLJD4uQnKTvjfs9IvWhCvVQDlCM7hsEqEvs4A8D4gnA0DhFXeNO0TCRV7
ng2S9XwEDlKS/9+mtnry0GkCgYAweWJU52HIZWEw+AzF2ZfMPDt6YxH1Tn5Ici/k
pzM9ocX543n7m7oujdmAIgrDa6zGJDqnaW1VYXVqnyoi/AkUGaVxBkpA3Jk14pjv
g+fLB7YFc73TkujKEPEVcaAssHaFAtBlqFusmnTWV3iwNciZ2mQcq/GMJhNmv5rc
VTge0wKBgQD2abpREDn7GCEwDrE5y/47Hcx/Godd0dkaYt/fZyokypspQS+nFyjp
BkUR7C7slMR4iO7uXWCQO8fw81TvE6ZX5MuAdpmbavORWNhQSfijTyhV4+WvE0E2
KBN8G0ctKOZ3e5RpYIuzYRSzMaj38vAFVtVdiPDpjyiSzbXkjqm+Hw==
-----END RSA PRIVATE KEY-----

4
certs/include.am
View File

@ -56,7 +56,9 @@ EXTRA_DIST += \
certs/csr.attr.der \
certs/csr.dsa.pem \
certs/csr.signed.der \
certs/csr.ext.der
certs/csr.ext.der \
certs/entity-no-ca-bool-cert.pem \
certs/entity-no-ca-bool-key.pem
EXTRA_DIST += \
certs/ca-key.der \

26
certs/renewcerts.sh
View File

@ -25,6 +25,7 @@
# ecc-privOnlyCert.pem
# client-uri-cert.pem
# client-relative-uri.pem
# entity-no-ca-bool-cert.pem
# updates the following crls:
# crl/cliCrl.pem
# crl/crl.pem
@ -483,6 +484,31 @@ run_renewcerts(){
mv digsigku.pem test/digsigku.pem
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
#### update and sign entity-no-ca-bool-cert.pem ###########
###########################################################
echo "Updating entity-no-ca-bool-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nNoCaBool\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key entity-no-ca-bool-key.pem -config ./wolfssl.cnf -nodes > entity-no-ca-bool-req.pem
check_result $? "Step 1"
openssl x509 -req -in entity-no-ca-bool-req.pem -extfile ./wolfssl.cnf -extensions "entity_no_CA_BOOL" -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > entity-no-ca-bool-cert.pem
check_result $? "Step 2"
rm entity-no-ca-bool-req.pem
openssl x509 -in ca-cert.pem -text > ca_tmp.pem
check_result $? "Step 3"
openssl x509 -in entity-no-ca-bool-cert.pem -text > entity_tmp.pem
check_result $? "Step 4"
mv entity_tmp.pem entity-no-ca-bool-cert.pem
cat ca_tmp.pem >> entity-no-ca-bool-cert.pem
rm ca_tmp.pem
echo "End of section"
############################################################
########## make .der files from .pem files #################
############################################################

7
certs/renewcerts/wolfssl.cnf
View File

@ -210,6 +210,13 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:false
[ entity_no_CA_BOOL ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=pathlen:0
keyUsage=digitalSignature
extendedKeyUsage=clientAuth,serverAuth
# Extensions to add to a certificate request
[ v3_req ]
basicConstraints = CA:FALSE

12
tests/test.conf
View File

@ -2262,9 +2262,11 @@
-U
# server with bidirectional shutdown
-l ECDHE-RSA-AES128-SHA256
-w
# client with bidirectional shutdown
-l ECDHE-RSA-AES128-SHA256
-w
# server TLSv1.2 No Session ticket
@ -2275,3 +2277,13 @@
# client TLSv1.2 No Session ticket
-v 3
-l ECDHE-RSA-AES128-SHA256
# server load an entity cert without ca boolean set
-c ./certs/entity-no-ca-bool-cert.pem
-k ./certs/entity-no-ca-bool-key.pem
-l ECDHE-RSA-AES128-SHA256
# client checks default ca bool value used when processing the peers chain
-v 3
-l ECDHE-RSA-AES128-SHA256

17
wolfcrypt/src/asn.c
View File

@ -8674,22 +8674,15 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
ret = GetBoolean(input, &idx, sz);
#ifndef WOLFSSL_X509_BASICCONS_INT
/* Removed logic for WOLFSSL_X509_BASICCONS_INT which was mistreating the
* pathlen value as if it were the CA Boolean value 7/2/2021 - KH.
* When CA Boolean not asserted use the default value "False" */
if (ret < 0) {
WOLFSSL_MSG("\tfail: constraint not valid BOOLEAN");
return ret;
WOLFSSL_MSG("\tfail: constraint not valid BOOLEAN, set default FALSE");
ret = 0;
}
cert->isCA = (byte)ret;
#else
if (ret < 0) {
if(input[idx] == ASN_INTEGER) {
/* For OpenSSL compatibility, if ASN_INTEGER it is valid format */
cert->isCA = FALSE;
} else return ret;
} else
cert->isCA = (byte)ret;
#endif
/* If there isn't any more data, return. */
if (idx >= (word32)sz) {