Allow CA:FALSE on wolftpm

mattia-moffa · mattia-moffa · commit e9e00c47ab5f · 2025-06-25T22:48:53.000+02:00
The Intel CSME fTFM sets this basic constraint on their EK certificates
and by default wolfSSL fails to parse because of this.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -2085,6 +2085,7 @@ if(WOLFSSL_TPM)
     override_cache(WOLFSSL_CERTEXT  "yes")
     override_cache(WOLFSSL_PKCS7    "yes")
     override_cache(WOLFSSL_AESCFB   "yes")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_ALLOW_ENCODING_CA_FALSE")
 endif()
 
 if(WOLFSSL_CLU)
diff --git a/configure.ac b/configure.ac
@@ -7243,6 +7243,9 @@ then
 
     # Requires public mp_
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
+
+    # Requires allowing CA:FALSE in BasicConstraints
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_ENCODING_CA_FALSE"
 fi
 
 if test "x$ENABLED_SMIME" = "xyes"
