• Registered: 2021-06-14
  • Posts: 10

Topic: Restrictions marked as Critical or Non-critical

Hello,

I am working with wolfSSL to generate some Root, Intermediate and Leaf Certificates. I am trying to mark some restrictions as critical and others as non-critical.

My problem is, in my usce case, the Basic Constraints (OID 2.5.29.19) shall be present and marked as "critical". The CA component shall be false in a Leaf Certificate and true for a non-Leaf Certificate. The problem is that I can't mark this extension as "critical". Also, the Key Usage (OID 2.5.29.15)  shall be present but not marked as "critical". Here is an snippet of a correct certificate that is my goal:

X509v3 extensions:
     X509v3 Basic Constraints: critical
          CA:TRUE
     X509v3 Key Usage:
          Certificate Sign, CRL Sign

But what I could generate so far with wolfSSL was this:

X509v3 extensions:
     X509v3 Basic Constraints:
          CA:TRUE
     X509v3 Key Usage: critical
          Certificate Sign, CRL Sign

I am using the wc_SetKeyUsage() for the Key Usage; and the variable "isCA = true" for the Basic Constraints

Share

  • Registered: 2021-07-06
  • Posts: 138

Re: Restrictions marked as Critical or Non-critical

Hello Messias,

You will need to use our custom OID support to mark extensions as critical/non-critical.
Check out our example here: https://github.com/wolfSSL/wolfssl-exam … ns-example
https://github.com/wolfSSL/wolfssl-exam … stom_ext.c
The second parameter of wc_SetCustomExtension specifies whether the extension is marked as critical or not.

Thanks,
Kareem

Share