Merge pull request #9159 from kareem-wolfssl/zd20378

Allow the keyCertSign bit to be asserted specifically for self-signed CAs.

Author: SparkiDev

.wolfssl_known_macro_extras

@@ -2,6 +2,7 @@ AES_GCM_GMULT_NCT
 AFX_RESOURCE_DLL
 AFX_TARG_ENU
 ALLOW_BINARY_MISMATCH_INTROSPECTION
+ALLOW_SELFSIGNED_INVALID_CERTSIGN
 ALLOW_V1_EXTENSIONS
 ANDROID
 APP_ESP_HTTP_CLIENT

wolfcrypt/src/asn.c

@@ -25810,7 +25810,11 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
          *   If the cA boolean is not asserted, then the keyCertSign bit in the
          *   key usage extension MUST NOT be asserted. */
         if (!cert->isCA && cert->extKeyUsageSet &&
-                (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) != 0) {
+                (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) != 0
+        #ifdef ALLOW_SELFSIGNED_INVALID_CERTSIGN
+                && !cert->selfSigned
+        #endif
+        ) {
             WOLFSSL_ERROR_VERBOSE(KEYUSAGE_E);
             return KEYUSAGE_E;
         }