Mark basic constraints critical as appropriate.

Per RFC 5280 4.2.1.9 if the 'cA' field is set to true, the extension must be marked critical. Signed-off-by: Darren Krahn <dkrahn@google.com>
2025-07-29 11:41:15 +03:00 · 2020-09-21 17:40:50 -07:00
parent 5cb54f7b27
commit e560be3ab4
5 changed files with 59 additions and 11 deletions
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@ -163,7 +163,7 @@ int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
    return(
        mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS,
                             MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ),
-                             0, buf + sizeof(buf) - len, len ) );
+                             is_ca, buf + sizeof(buf) - len, len ) );
 }

 #if defined(MBEDTLS_SHA1_C)