commit ef7730c6eb1269c0411faa0169848f95ed4caa3a
author Darren Krahn <dkrahn@google.com> Mon Sep 21 17:40:50 2020 -0700
committer Darren Krahn <dkrahn@google.com> Fri Jan 15 16:56:59 2021 -0800
tree d7b87f4a7bbf8cf6df859a719c1af87192428b37
parent 15c39e53e5a9a6aff2f5becc5d9004ce98803155

[Backport 2.16] Mark basic constraints critical as appropriate.

Per RFC 5280 4.2.1.9 if the 'cA' field is set to true, the extension
must be marked critical.

Signed-off-by: Darren Krahn <dkrahn@google.com>

tests/suites/test_suite_x509write.function

diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 40bccd6..f7d686a 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -108,7 +108,7 @@
                      char *serial_str, char *not_before, char *not_after,
                      int md_type, int key_usage, int set_key_usage,
                      int cert_type, int set_cert_type, int auth_ident,
-                     int ver, char *cert_check_file, int rsa_alt )
+                     int ver, char *cert_check_file, int rsa_alt, int is_ca )
 {
     mbedtls_pk_context subject_key, issuer_key, issuer_key_alt;
     mbedtls_pk_context *key = &issuer_key;
@@ -171,7 +171,9 @@
 
     if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 )
     {
-        TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, 0, 0 ) == 0 );
+        /* For the CA case, a path length of -1 means unlimited. */
+        TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, is_ca,
+                                                                  (is_ca ? -1 : 0) ) == 0 );
         TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 );
         if( auth_ident )
             TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 );