diff --git a/certs/fpki-certpol-cert.der b/certs/fpki-certpol-cert.der
new file mode 100644
index 000000000..f3fe08341
Binary files /dev/null and b/certs/fpki-certpol-cert.der differ
diff --git a/certs/include.am b/certs/include.am
index 1c622e8c3..d9cb8f314 100644
--- a/certs/include.am
+++ b/certs/include.am
@@ -75,6 +75,7 @@ EXTRA_DIST += \
         certs/x942dh2048.der \
         certs/x942dh2048.pem \
         certs/fpki-cert.der \
+        certs/fpki-certpol-cert.der \
         certs/rid-cert.der \
         certs/dh-priv-2048.der \
         certs/dh-priv-2048.pem \
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index cf5154217..49c03f189 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -373,6 +373,20 @@ run_renewcerts(){
     echo "End of section"
     echo "---------------------------------------------------------------------"
     ###########################################################
+    ########## update and sign fpki-certpol-cert.der ################
+    ###########################################################
+    echo "Updating fpki-certpol-cert.der"
+    echo ""
+    #pipe the following arguments to openssl req...
+    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-certpol-req.pem
+    check_result $? "Step 1"
+
+    openssl x509 -req -in fpki-certpol-req.pem -extfile wolfssl.cnf -extensions fpki_ext_certpol -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-certpol-cert.der -outform DER
+    check_result $? "Step 2"
+    rm fpki-certpol-req.pem
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+    ###########################################################
     ########## update and sign rid-cert.der ################
     ###########################################################
     echo "Updating rid-cert.der"
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index e955ba59c..5738bf768 100644
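Review bot: The new fixture is issued with `-set_serial 01` under ca-cert.pem/ca-key.pem; if the neighbouring fpki-cert.der section (outside this hunk) signs its fixture from the same CA with the same serial, the two certificates share an issuer/serial pair, which RFC 5280 requires to be unique and which verifiers, revocation checks and test harnesses treat as the certificate's identity. Giving this fixture a serial not used by any other ca-cert.pem-issued fixture in the script, and a one-line comment saying so, avoids a confusing collision later. The section is otherwise a copy of the surrounding signing sections with only the names and the `-extensions fpki_ext_certpol` selector changed, so a small function taking the base name and extension section would keep the blocks from drifting. run_renewcerts() starts and ends outside the hunk.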
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -355,6 +355,18 @@ subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr policyConstraints = requireExplicitPolicy:0 2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt +[fpki_ext_certpol] +basicConstraints = CA:FALSE,pathlen:0 +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.4, 1.3.6.1.5.5.7.3.21 +subjectAltName = @FASC_UUID_altname +certificatePolicies = 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.40, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.2.1.11.5, 2.16.840.1.101.2.1.11.9, 2.16.840.1.101.2.1.11.10, 2.16.840.1.101.2.1.11.17, 2.16.840.1.101.2.1.11.18, 2.16.840.1.101.2.1.11.19, 2.16.840.1.101.2.1.11.20, 2.16.840.1.101.2.1.11.31, 2.16.840.1.101.2.1.11.36, 2.16.840.1.101.2.1.11.37, 2.16.840.1.101.2.1.11.38, 2.16.840.1.101.2.1.11.39, 2.16.840.1.101.2.1.11.40, 2.16.840.1.101.2.1.11.41, 2.16.840.1.101.2.1.11.42, 2.16.840.1.101.2.1.11.43, 2.16.840.1.101.2.1.11.44, 2.16.840.1.101.2.1.11.59, 2.16.840.1.101.2.1.11.60, 2.16.840.1.101.2.1.11.61, 2.16.840.1.101.2.1.11.62, 2.16.840.1.101.3.2.1.12.1, 2.16.840.1.101.3.2.1.12.2, 2.16.840.1.101.3.2.1.12.3, 2.16.840.1.101.3.2.1.12.4, 2.16.840.1.101.3.2.1.12.5, 2.16.840.1.101.3.2.1.12.6, 2.16.840.1.101.3.2.1.12.8, 2.16.840.1.101.3.2.1.12.9, 2.16.840.1.101.3.2.1.12.10, 2.16.840.1.101.3.2.1.3.4, 2.16.840.1.101.3.2.1.3.7, 2.16.840.1.101.3.2.1.3.12, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.16, 2.16.840.1.101.3.2.1.3.18, 2.16.840.1.101.3.2.1.3.20, 2.16.840.1.101.3.2.1.3.36, 2.16.840.1.101.3.2.1.3.38, 2.16.840.1.101.3.2.1.3.39, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.3.2.1.3.47, 2.16.840.1.101.3.2.1.6.4, 2.16.840.1.101.3.2.1.6.12, 2.16.840.1.101.3.2.1.6.38, 2.16.840.1.101.3.2.1.5.4, 2.16.840.1.101.3.2.1.5.5, 2.16.840.1.101.3.2.1.5.10, 2.16.840.1.101.3.2.1.5.12, 1.3.6.1.4.1.73.15.3.1.12, 1.3.6.1.4.1.73.15.3.1.17, 
1.3.6.1.4.1.45606.3.1.12, 1.3.6.1.4.1.45606.3.1.20, 1.3.6.1.4.1.45606.3.1.22, 1.3.6.1.4.1.25054.3.1.12, 1.3.6.1.4.1.25054.3.1.14, 1.3.6.1.4.1.25054.3.1.20, 1.3.6.1.4.1.25054.3.1.22, 1.3.6.1.4.1.24019.1.1.1.2, 1.3.6.1.4.1.24019.1.1.1.3, 1.3.6.1.4.1.24019.1.1.1.7, 1.3.6.1.4.1.24019.1.1.1.9, 1.3.6.1.4.1.24019.1.1.1.18, 1.3.6.1.4.1.24019.1.1.1.19, 1.3.6.1.4.1.38099.1.1.1.2, 1.3.6.1.4.1.38099.1.1.1.5, 1.3.6.1.4.1.38099.1.1.1.7, 2.16.840.1.113733.1.7.23.3.1.7, 2.16.840.1.113733.1.7.23.3.1.13, 2.16.840.1.113733.1.7.23.3.1.18, 2.16.840.1.113733.1.7.23.3.1.20, 2.16.840.1.113733.1.7.23.3.1.36, 2.16.840.1.114027.200.3.10.7.2, 2.16.840.1.114027.200.3.10.7.4, 2.16.840.1.114027.200.3.10.7.6, 2.16.840.1.114027.200.3.10.7.9, 2.16.840.1.114027.200.3.10.7.16, 1.3.6.1.4.1.13948.1.1.1.6, 2.16.840.1.113839.0.100.12.1, 2.16.840.1.113839.0.100.12.2, 2.16.840.1.113839.0.100.18.0, 2.16.840.1.113839.0.100.18.1, 2.16.840.1.113839.0.100.18.2, 2.16.840.1.113839.0.100.20.1, 1.3.6.1.4.1.103.100.1.1.3.3, 1.3.6.1.4.1.16334.509.2.8, 1.3.6.1.4.1.16334.509.2.9, 1.3.6.1.4.1.16334.509.2.11, 1.3.6.1.4.1.16334.509.2.14, 1.3.6.1.4.1.1569.10.1.12, 1.3.6.1.4.1.1569.10.1.18, 1.3.6.1.4.1.26769.10.1.12, 1.3.6.1.4.1.26769.10.1.18, 1.3.6.1.4.1.3922.1.1.1.12, 1.3.6.1.4.1.3922.1.1.1.18, 1.3.6.1.4.1.3922.1.1.1.20, 1.3.6.1.4.1.3922.1.1.1.38, 1.2.36.1.334.1.2.1.2, 1.2.36.1.334.1.2.1.3, 1.2.36.1.334.1.2.2.2, 2.16.528.1.1003.1.2.5.1, 2.16.528.1.1003.1.2.5.2, 2.16.528.1.1003.1.2.5.3 +subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr +policyConstraints = requireExplicitPolicy:0 +2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt + # using example UUID from RFC4122 [FASC_UUID_altname] otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:facts@wolfssl.com diff --git a/tests/api.c b/tests/api.c index 3d6ad8284..c0ebce887 100644 --- a/tests/api.c +++ b/tests/api.c 
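Review bot: The `certificatePolicies` value of the new `[fpki_ext_certpol]` section lists 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.41 and 2.16.840.1.101.3.2.1.3.45 twice, once in the leading group and again in the 2.16.840.1.101.3.2.1.3.X run; RFC 5280 §4.2.1.4 says a policy OID must not appear more than once in the extension, so a strict verifier may reject the fixture even though the parser under test accepts it, and the first occurrences should be dropped. `basicConstraints = CA:FALSE,pathlen:0` has the same problem: pathLenConstraint is only meaningful when cA is TRUE (§4.2.1.9), so `basicConstraints = CA:FALSE` is the correct form for this end-entity certificate. A comment above the list naming the issuer groups in the same order as the OID tables in asn.c would make the correspondence reviewable. The section is complete within the hunk.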
@@ -4908,6 +4908,7 @@ static int test_wolfSSL_FPKI(void) #if defined(WOLFSSL_FPKI) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) XFILE f = XBADFILE; const char* fpkiCert = "./certs/fpki-cert.der"; + const char* fpkiCertPolCert = "./certs/fpki-certpol-cert.der"; DecodedCert cert; byte buf[4096]; byte* uuid = NULL; @@ -4934,6 +4935,29 @@ static int test_wolfSSL_FPKI(void) ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0); XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeDecodedCert(&cert); + + XMEMSET(buf, 0, 4096); + fascnSz = uuidSz = bytes = 0; + f = XBADFILE; + + ExpectTrue((f = XFOPEN(fpkiCertPolCert, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) + XFCLOSE(f); + + wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL); + ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0); + ExpectIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E)); + ExpectNotNull(fascn = (byte*)XMALLOC(fascnSz, NULL, + DYNAMIC_TYPE_TMP_BUFFER)); + ExpectIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0); + XFREE(fascn, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + ExpectIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E)); + ExpectNotNull(uuid = (byte*)XMALLOC(uuidSz, NULL, DYNAMIC_TYPE_TMP_BUFFER)); + ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0); + XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER); + wc_FreeDecodedCert(&cert); #endif return EXPECT_RESULT(); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 7e0948eee..5e544d013 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
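Review bot: In the second hunk the read of fpki-certpol-cert.der into the fixed `byte buf[4096]` only checks `bytes > 0`; this fixture carries far more policy OIDs than fpki-cert.der, so if it ever reaches 4096 bytes XFREAD truncates it silently and the failure surfaces later as an unrelated wc_ParseCert error, and an `ExpectIntLT(bytes, (int)sizeof(buf));` after the XFREAD line would pin that. The 23 added lines are otherwise a verbatim copy of the block above them with only the path changed, and a helper taking the path would remove the duplication and give later fixtures a single place to extend. Since the commit's purpose is policy recognition, the test still asserts nothing about the policies; if DecodedCert exposes the parsed policy OIDs in this build, an assertion on them would catch a regression in the OID table, whereas today a table error that still parses goes unnoticed. test_wolfSSL_FPKI() starts outside the first hunk.
```c
/* Reads one DER certificate fixture, parses it and checks that the
 * FASC-N and UUID values can be extracted from it. */
static int test_wolfSSL_FPKI_cert(const char* path)
{
    EXPECT_DECLS;
    XFILE f = XBADFILE;
    DecodedCert cert;
    byte buf[4096];
    int bytes = 0;

    ExpectTrue((f = XFOPEN(path, "rb")) != XBADFILE);
    ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0);
    ExpectIntLT(bytes, (int)sizeof(buf));
    /* … unchanged: XFCLOSE, wc_InitDecodedCert/wc_ParseCert, FASC-N and UUID
     * length-query/allocate/extract/free sequence of this hunk … */
    return EXPECT_RESULT();
}
```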
@@ -4496,16 +4496,271 @@ static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2}; /* certPolicyType */ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; +static const byte extCertPolicyIsrgDomainValid[] = + {43, 6, 1, 4, 1, 130, 223, 19, 1, 1, 1}; #ifdef WOLFSSL_FPKI #define CERT_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 3, num} + static const byte extCertPolicyFpkiHighAssuranceOid[] = + CERT_POLICY_TYPE_OID_BASE(4); + static const byte extCertPolicyFpkiCommonHardwareOid[] = + CERT_POLICY_TYPE_OID_BASE(7); + static const byte extCertPolicyFpkiMediumHardwareOid[] = + CERT_POLICY_TYPE_OID_BASE(12); static const byte extCertPolicyFpkiCommonAuthOid[] = CERT_POLICY_TYPE_OID_BASE(13); + static const byte extCertPolicyFpkiCommonHighOid[] = + CERT_POLICY_TYPE_OID_BASE(16); + static const byte extCertPolicyFpkiCommonDevicesHardwareOid[] = + CERT_POLICY_TYPE_OID_BASE(36); + static const byte extCertPolicyFpkiCommonPivContentSigningOid[] = + CERT_POLICY_TYPE_OID_BASE(39); static const byte extCertPolicyFpkiPivAuthOid[] = CERT_POLICY_TYPE_OID_BASE(40); static const byte extCertPolicyFpkiPivAuthHwOid[] = CERT_POLICY_TYPE_OID_BASE(41); static const byte extCertPolicyFpkiPiviAuthOid[] = CERT_POLICY_TYPE_OID_BASE(45); + + /* DoD PKI OIDs - 2.16.840.1.101.2.1.11.X */ + #define DOD_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 2, 1, 11, num} + static const byte extCertPolicyDodMediumOid[] = + DOD_POLICY_TYPE_OID_BASE(5); + static const byte extCertPolicyDodMediumHardwareOid[] = + DOD_POLICY_TYPE_OID_BASE(9); + static const byte extCertPolicyDodPivAuthOid[] = + DOD_POLICY_TYPE_OID_BASE(10); + static const byte extCertPolicyDodMediumNpeOid[] = + DOD_POLICY_TYPE_OID_BASE(17); + static const byte extCertPolicyDodMedium2048Oid[] = + DOD_POLICY_TYPE_OID_BASE(18); + static const byte extCertPolicyDodMediumHardware2048Oid[] = + DOD_POLICY_TYPE_OID_BASE(19); + static const byte extCertPolicyDodPivAuth2048Oid[] = + DOD_POLICY_TYPE_OID_BASE(20); + 
static const byte extCertPolicyDodPeerInteropOid[] = + DOD_POLICY_TYPE_OID_BASE(31); + static const byte extCertPolicyDodMediumNpe112Oid[] = + DOD_POLICY_TYPE_OID_BASE(36); + static const byte extCertPolicyDodMediumNpe128Oid[] = + DOD_POLICY_TYPE_OID_BASE(37); + static const byte extCertPolicyDodMediumNpe192Oid[] = + DOD_POLICY_TYPE_OID_BASE(38); + static const byte extCertPolicyDodMedium112Oid[] = + DOD_POLICY_TYPE_OID_BASE(39); + static const byte extCertPolicyDodMedium128Oid[] = + DOD_POLICY_TYPE_OID_BASE(40); + static const byte extCertPolicyDodMedium192Oid[] = + DOD_POLICY_TYPE_OID_BASE(41); + static const byte extCertPolicyDodMediumHardware112Oid[] = + DOD_POLICY_TYPE_OID_BASE(42); + static const byte extCertPolicyDodMediumHardware128Oid[] = + DOD_POLICY_TYPE_OID_BASE(43); + static const byte extCertPolicyDodMediumHardware192Oid[] = + DOD_POLICY_TYPE_OID_BASE(44); + static const byte extCertPolicyDodAdminOid[] = + DOD_POLICY_TYPE_OID_BASE(59); + static const byte extCertPolicyDodInternalNpe112Oid[] = + DOD_POLICY_TYPE_OID_BASE(60); + static const byte extCertPolicyDodInternalNpe128Oid[] = + DOD_POLICY_TYPE_OID_BASE(61); + static const byte extCertPolicyDodInternalNpe192Oid[] = + DOD_POLICY_TYPE_OID_BASE(62); + + /* ECA PKI OIDs - 2.16.840.1.101.3.2.1.12.X */ + #define ECA_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 12, num} + static const byte extCertPolicyEcaMediumOid[] = + ECA_POLICY_TYPE_OID_BASE(1); + static const byte extCertPolicyEcaMediumHardwareOid[] = + ECA_POLICY_TYPE_OID_BASE(2); + static const byte extCertPolicyEcaMediumTokenOid[] = + ECA_POLICY_TYPE_OID_BASE(3); + static const byte extCertPolicyEcaMediumSha256Oid[] = + ECA_POLICY_TYPE_OID_BASE(4); + static const byte extCertPolicyEcaMediumTokenSha256Oid[] = + ECA_POLICY_TYPE_OID_BASE(5); + static const byte extCertPolicyEcaMediumHardwarePiviOid[] = + ECA_POLICY_TYPE_OID_BASE(6); + static const byte extCertPolicyEcaContentSigningPiviOid[] = + ECA_POLICY_TYPE_OID_BASE(8); + static 
const byte extCertPolicyEcaMediumDeviceSha256Oid[] = + ECA_POLICY_TYPE_OID_BASE(9); + static const byte extCertPolicyEcaMediumHardwareSha256Oid[] = + ECA_POLICY_TYPE_OID_BASE(10); + + /* Department of State PKI OIDs - 2.16.840.1.101.3.2.1.6.X */ + #define STATE_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 6, num} + static const byte extCertPolicyStateHighOid[] = + STATE_POLICY_TYPE_OID_BASE(4); + static const byte extCertPolicyStateMedHwOid[] = + STATE_POLICY_TYPE_OID_BASE(12); + static const byte extCertPolicyStateMediumDeviceHardwareOid[] = + STATE_POLICY_TYPE_OID_BASE(38); + + /* U.S. Treasury SSP PKI OIDs - 2.16.840.1.101.3.2.1.5.X */ + #define TREASURY_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 5, num} + static const byte extCertPolicyTreasuryMediumHardwareOid[] = + TREASURY_POLICY_TYPE_OID_BASE(4); + static const byte extCertPolicyTreasuryHighOid[] = + TREASURY_POLICY_TYPE_OID_BASE(5); + static const byte extCertPolicyTreasuryPiviHardwareOid[] = + TREASURY_POLICY_TYPE_OID_BASE(10); + static const byte extCertPolicyTreasuryPiviContentSigningOid[] = + TREASURY_POLICY_TYPE_OID_BASE(12); + + /* Boeing PKI OIDs - 1.3.6.1.4.1.73.15.3.1.X */ + #define BOEING_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 73, 15, 3, 1, num} + static const byte extCertPolicyBoeingMediumHardwareSha256Oid[] = + BOEING_POLICY_TYPE_OID_BASE(12); + static const byte extCertPolicyBoeingMediumHardwareContentSigningSha256Oid[] = + BOEING_POLICY_TYPE_OID_BASE(17); + + /* Carillon Federal Services OIDs - 1.3.6.1.4.1.45606.3.1.X */ + #define CARILLON_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 130, 228, 38, 3, 1, num} + static const byte extCertPolicyCarillonMediumhw256Oid[] = + CARILLON_POLICY_TYPE_OID_BASE(12); + static const byte extCertPolicyCarillonAivhwOid[] = + CARILLON_POLICY_TYPE_OID_BASE(20); + static const byte extCertPolicyCarillonAivcontentOid[] = + CARILLON_POLICY_TYPE_OID_BASE(22); + + /* Carillon Information Security OIDs - 1.3.6.1.4.1.25054.3.1.X */ + 
#define CIS_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 129, 195, 94, 3, 1, num} + static const byte extCertPolicyCisMediumhw256Oid[] = + CIS_POLICY_TYPE_OID_BASE(12); + static const byte extCertPolicyCisMeddevhw256Oid[] = + CIS_POLICY_TYPE_OID_BASE(14); + static const byte extCertPolicyCisIcecapHwOid[] = + CIS_POLICY_TYPE_OID_BASE(20); + static const byte extCertPolicyCisIcecapContentOid[] = + CIS_POLICY_TYPE_OID_BASE(22); + + /* CertiPath Bridge OIDs - 1.3.6.1.4.1.24019.1.1.1.X */ + #define CERTIPATH_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 129, 187, 83, 1, 1, 1, num} + static const byte extCertPolicyCertipathMediumhwOid[] = + CERTIPATH_POLICY_TYPE_OID_BASE(2); + static const byte extCertPolicyCertipathHighhwOid[] = + CERTIPATH_POLICY_TYPE_OID_BASE(3); + static const byte extCertPolicyCertipathIcecapHwOid[] = + CERTIPATH_POLICY_TYPE_OID_BASE(7); + static const byte extCertPolicyCertipathIcecapContentOid[] = + CERTIPATH_POLICY_TYPE_OID_BASE(9); + static const byte extCertPolicyCertipathVarMediumhwOid[] = + CERTIPATH_POLICY_TYPE_OID_BASE(18); + static const byte extCertPolicyCertipathVarHighhwOid[] = + CERTIPATH_POLICY_TYPE_OID_BASE(19); + + /* TSCP Bridge OIDs - 1.3.6.1.4.1.38099.1.1.1.X */ + #define TSCP_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 130, 169, 83, 1, 1, 1, num} + static const byte extCertPolicyTscpMediumhwOid[] = + TSCP_POLICY_TYPE_OID_BASE(2); + static const byte extCertPolicyTscpPiviOid[] = + TSCP_POLICY_TYPE_OID_BASE(5); + static const byte extCertPolicyTscpPiviContentOid[] = + TSCP_POLICY_TYPE_OID_BASE(7); + + /* DigiCert NFI PKI OIDs - 2.16.840.1.113733.1.7.23.3.1.X */ + #define DIGICERT_NFI_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 134, 248, 69, 1, 7, 23, 3, 1, num} + static const byte extCertPolicyDigicertNfiMediumHardwareOid[] = + DIGICERT_NFI_POLICY_TYPE_OID_BASE(7); + static const byte extCertPolicyDigicertNfiAuthOid[] = + DIGICERT_NFI_POLICY_TYPE_OID_BASE(13); + static const byte extCertPolicyDigicertNfiPiviHardwareOid[] = + 
DIGICERT_NFI_POLICY_TYPE_OID_BASE(18); + static const byte extCertPolicyDigicertNfiPiviContentSigningOid[] = + DIGICERT_NFI_POLICY_TYPE_OID_BASE(20); + static const byte extCertPolicyDigicertNfiMediumDevicesHardwareOid[] = + DIGICERT_NFI_POLICY_TYPE_OID_BASE(36); + + /* Entrust Managed Services NFI PKI OIDs - 2.16.840.1.114027.200.3.10.7.X */ + #define ENTRUST_NFI_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 134, 250, 107, 129, 72, 3, 10, 7, num} + static const byte extCertPolicyEntrustNfiMediumHardwareOid[] = + ENTRUST_NFI_POLICY_TYPE_OID_BASE(2); + static const byte extCertPolicyEntrustNfiMediumAuthenticationOid[] = + ENTRUST_NFI_POLICY_TYPE_OID_BASE(4); + static const byte extCertPolicyEntrustNfiPiviHardwareOid[] = + ENTRUST_NFI_POLICY_TYPE_OID_BASE(6); + static const byte extCertPolicyEntrustNfiPiviContentSigningOid[] = + ENTRUST_NFI_POLICY_TYPE_OID_BASE(9); + static const byte extCertPolicyEntrustNfiMediumDevicesHwOid[] = + ENTRUST_NFI_POLICY_TYPE_OID_BASE(16); + + /* Exostar LLC PKI OIDs - 1.3.6.1.4.1.13948.1.1.1.X */ + #define EXOSTAR_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 236, 124, 1, 1, 1, num} + static const byte extCertPolicyExostarMediumHardwareSha2Oid[] = + EXOSTAR_POLICY_TYPE_OID_BASE(6); + + /* IdenTrust NFI OIDs - 2.16.840.1.113839.0.100.X.Y */ + #define IDENTRUST_POLICY_TYPE_OID_BASE(num1, num2) {96, 134, 72, 1, 134, 249, 47, 0, 100, num1, num2} + static const byte extCertPolicyIdentrustMediumhwSignOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(12, 1); + static const byte extCertPolicyIdentrustMediumhwEncOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(12, 2); + static const byte extCertPolicyIdentrustPiviHwIdOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(18, 0); + static const byte extCertPolicyIdentrustPiviHwSignOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(18, 1); + static const byte extCertPolicyIdentrustPiviHwEncOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(18, 2); + static const byte extCertPolicyIdentrustPiviContentOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(20, 1); + + 
/* Lockheed Martin PKI OIDs - 1.3.6.1.4.1.103.100.1.1.3.X */ + #define LOCKHEED_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 103, 100, 1, 1, 3, num} + static const byte extCertPolicyLockheedMediumAssuranceHardwareOid[] = + LOCKHEED_POLICY_TYPE_OID_BASE(3); + + /* Northrop Grumman PKI OIDs - 1.3.6.1.4.1.16334.509.2.X */ + #define NORTHROP_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 255, 78, 131, 125, 2, num} + static const byte extCertPolicyNorthropMediumAssurance256HardwareTokenOid[] = + NORTHROP_POLICY_TYPE_OID_BASE(8); + static const byte extCertPolicyNorthropPiviAssurance256HardwareTokenOid[] = + NORTHROP_POLICY_TYPE_OID_BASE(9); + static const byte extCertPolicyNorthropPiviAssurance256ContentSigningOid[] = + NORTHROP_POLICY_TYPE_OID_BASE(11); + static const byte extCertPolicyNorthropMediumAssurance384HardwareTokenOid[] = + NORTHROP_POLICY_TYPE_OID_BASE(14); + + /* Raytheon PKI OIDs - 1.3.6.1.4.1.1569.10.1.X and 1.3.6.1.4.1.26769.10.1.X */ + #define RAYTHEON_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 140, 33, 10, 1, num} + static const byte extCertPolicyRaytheonMediumHardwareOid[] = + RAYTHEON_POLICY_TYPE_OID_BASE(12); + static const byte extCertPolicyRaytheonMediumDeviceHardwareOid[] = + RAYTHEON_POLICY_TYPE_OID_BASE(18); + + #define RAYTHEON_SHA2_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 129, 209, 17, 10, 1, num} + static const byte extCertPolicyRaytheonSha2MediumHardwareOid[] = + RAYTHEON_SHA2_POLICY_TYPE_OID_BASE(12); + static const byte extCertPolicyRaytheonSha2MediumDeviceHardwareOid[] = + RAYTHEON_SHA2_POLICY_TYPE_OID_BASE(18); + + /* WidePoint NFI PKI OIDs - 1.3.6.1.4.1.3922.1.1.1.X */ + #define WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 158, 82, 1, 1, 1, num} + static const byte extCertPolicyWidepointNfiMediumHardwareOid[] = + WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(12); + static const byte extCertPolicyWidepointNfiPiviHardwareOid[] = + WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(18); + static const byte extCertPolicyWidepointNfiPiviContentSigningOid[] = 
+ WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(20); + static const byte extCertPolicyWidepointNfiMediumDevicesHardwareOid[] = + WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(38); + + /* Australian Defence Organisation PKI OIDs - 1.2.36.1.334.1.2.X.X */ + #define ADO_POLICY_TYPE_OID_BASE(type, num) {42, 36, 1, 130, 78, 1, 2, type, num} + static const byte extCertPolicyAdoIndividualMediumAssuranceOid[] = + ADO_POLICY_TYPE_OID_BASE(1, 2); + static const byte extCertPolicyAdoIndividualHighAssuranceOid[] = + ADO_POLICY_TYPE_OID_BASE(1, 3); + static const byte extCertPolicyAdoResourceMediumAssuranceOid[] = + ADO_POLICY_TYPE_OID_BASE(2, 2); + + /* Netherlands Ministry of Defence PKI OIDs - 2.16.528.1.1003.1.2.5.X */ + #define NL_MOD_POLICY_TYPE_OID_BASE(num) {96, 132, 16, 1, 135, 107, 1, 2, 5, num} + static const byte extCertPolicyNlModAuthenticityOid[] = + NL_MOD_POLICY_TYPE_OID_BASE(1); + static const byte extCertPolicyNlModIrrefutabilityOid[] = + NL_MOD_POLICY_TYPE_OID_BASE(2); + static const byte extCertPolicyNlModConfidentialityOid[] = + NL_MOD_POLICY_TYPE_OID_BASE(3); #endif /* WOLFSSL_FPKI */ /* certAltNameType */ @@ -4620,6 +4875,11 @@ static const byte dcOid[] = {9, 146, 38, 137, 147, 242, 44, 100, 1, 25}; /* doma * * Use oidIgnoreType to autofail. * + * Note that while this function currently handles a large + * number of FPKI certificate policy OIDs, these OIDs are not + * currently being handled in the code, they are just recognized + * as valid OIDs. + * * @param [in] id OID id. * @param [in] type Type of OID (enum Oid_Types). * @param [out] oidSz Length of OID byte array returned. 
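Review bot: `extCertPolicyIsrgDomainValid` at the top of the hunk is the only array in the table without the `Oid` suffix every neighbour uses, and its enum counterpart `CP_ISRG_DOMAIN_VALID` in the OidFromId hunk (@@ -5296) likewise lacks the `_OID` suffix of `CP_FPKI_HIGH_ASSURANCE_OID` and the rest; renaming both to `extCertPolicyIsrgDomainValidOid` / `CP_ISRG_DOMAIN_VALID_OID` before the symbol is relied on elsewhere keeps the table greppable. It is also the one entry without a dotted-form comment; the bytes decode to 1.3.6.1.4.1.44947.1.1.1, so `/* ISRG Domain Validated - 1.3.6.1.4.1.44947.1.1.1 */` in the style of the per-issuer headers would let a reader verify it the way the others can be verified. The per-issuer `*_POLICY_TYPE_OID_BASE(num)` macros are defined inside the `#ifdef WOLFSSL_FPKI` block and never undefined, so they stay visible for the rest of asn.c; an `#undef` of each after its last use, or a comment saying they are intentionally left defined, would close that off.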
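Review bot: The added note in the OidFromId doc comment says the OIDs are "not currently being handled" but "recognized as valid", which leaves the security-relevant part ambiguous for a caller deciding whether a parsed certificate's policies were checked. A wording that states the contract would be ` * Note: the FPKI certificate policy OIDs below are only mapped to their encodings here so that they decode; no certificate policy processing is performed on them, and a successful parse is not evidence that any policy requirement was checked.` The function itself lies outside this hunk.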
@@ -5296,7 +5556,35 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extCertPolicyAnyOid; *oidSz = sizeof(extCertPolicyAnyOid); break; + case CP_ISRG_DOMAIN_VALID: + oid = extCertPolicyIsrgDomainValid; + *oidSz = sizeof(extCertPolicyIsrgDomainValid); + break; #if defined(WOLFSSL_FPKI) + case CP_FPKI_HIGH_ASSURANCE_OID: + oid = extCertPolicyFpkiHighAssuranceOid; + *oidSz = sizeof(extCertPolicyFpkiHighAssuranceOid); + break; + case CP_FPKI_COMMON_HARDWARE_OID: + oid = extCertPolicyFpkiCommonHardwareOid; + *oidSz = sizeof(extCertPolicyFpkiCommonHardwareOid); + break; + case CP_FPKI_MEDIUM_HARDWARE_OID: + oid = extCertPolicyFpkiMediumHardwareOid; + *oidSz = sizeof(extCertPolicyFpkiMediumHardwareOid); + break; + case CP_FPKI_COMMON_HIGH_OID: + oid = extCertPolicyFpkiCommonHighOid; + *oidSz = sizeof(extCertPolicyFpkiCommonHighOid); + break; + case CP_FPKI_COMMON_DEVICES_HARDWARE_OID: + oid = extCertPolicyFpkiCommonDevicesHardwareOid; + *oidSz = sizeof(extCertPolicyFpkiCommonDevicesHardwareOid); + break; + case CP_FPKI_COMMON_PIV_CONTENT_SIGNING_OID: + oid = extCertPolicyFpkiCommonPivContentSigningOid; + *oidSz = sizeof(extCertPolicyFpkiCommonPivContentSigningOid); + break; case CP_FPKI_COMMON_AUTH_OID: oid = extCertPolicyFpkiCommonAuthOid; *oidSz = sizeof(extCertPolicyFpkiCommonAuthOid); 
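Review bot: The new `case` arms added here and in the following hunk (@@ -5313) are all the same three-line shape, `oid = X; *oidSz = sizeof(X); break;`, repeated for well over a hundred policies, so the switch becomes the largest part of OidFromId and every future policy is a copy-paste edit in two places; a static table of (id, pointer, size) entries searched by id would express the same mapping in one line per policy and cannot get the array and its `sizeof` out of step. The entries can keep the existing arrays and `#if defined(WOLFSSL_FPKI)` split, so no behaviour changes. The enclosing `switch` on `type` and the rest of OidFromId lie outside the hunk.
```c
/* … unchanged: cases up to CP_ANY_OID … */
/* id -> DER-encoded policy OID; one line per policy instead of a case arm. */
#define CP_OID(id, arr) { id, arr, (word32)sizeof(arr) }
static const struct { word32 id; const byte* oid; word32 sz; } certPolicyOidTbl[] = {
    CP_OID(CP_ISRG_DOMAIN_VALID, extCertPolicyIsrgDomainValid),
#if defined(WOLFSSL_FPKI)
    CP_OID(CP_FPKI_HIGH_ASSURANCE_OID, extCertPolicyFpkiHighAssuranceOid),
    CP_OID(CP_FPKI_COMMON_HARDWARE_OID, extCertPolicyFpkiCommonHardwareOid),
    /* … one CP_OID() entry per policy of this and the next hunk … */
#endif
};
/* inside OidFromId, replacing the per-policy case arms */
word32 i;
for (i = 0; i < (word32)(sizeof(certPolicyOidTbl) / sizeof(certPolicyOidTbl[0])); i++) {
    if (certPolicyOidTbl[i].id == id) {
        oid = certPolicyOidTbl[i].oid;
        *oidSz = certPolicyOidTbl[i].sz;
        break;
    }
}
```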
@@ -5313,6 +5601,404 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extCertPolicyFpkiPiviAuthOid; *oidSz = sizeof(extCertPolicyFpkiPiviAuthOid); break; + case CP_DOD_MEDIUM_OID: + oid = extCertPolicyDodMediumOid; + *oidSz = sizeof(extCertPolicyDodMediumOid); + break; + case CP_DOD_MEDIUM_HARDWARE_OID: + oid = extCertPolicyDodMediumHardwareOid; + *oidSz = sizeof(extCertPolicyDodMediumHardwareOid); + break; + case CP_DOD_PIV_AUTH_OID: + oid = extCertPolicyDodPivAuthOid; + *oidSz = sizeof(extCertPolicyDodPivAuthOid); + break; + case CP_DOD_MEDIUM_NPE_OID: + oid = extCertPolicyDodMediumNpeOid; + *oidSz = sizeof(extCertPolicyDodMediumNpeOid); + break; + case CP_DOD_MEDIUM_2048_OID: + oid = extCertPolicyDodMedium2048Oid; + *oidSz = sizeof(extCertPolicyDodMedium2048Oid); + break; + case CP_DOD_MEDIUM_HARDWARE_2048_OID: + oid = extCertPolicyDodMediumHardware2048Oid; + *oidSz = sizeof(extCertPolicyDodMediumHardware2048Oid); + break; + case CP_DOD_PIV_AUTH_2048_OID: + oid = extCertPolicyDodPivAuth2048Oid; + *oidSz = sizeof(extCertPolicyDodPivAuth2048Oid); + break; + case CP_DOD_PEER_INTEROP_OID: + oid = extCertPolicyDodPeerInteropOid; + *oidSz = sizeof(extCertPolicyDodPeerInteropOid); + break; + case CP_DOD_MEDIUM_NPE_112_OID: + oid = extCertPolicyDodMediumNpe112Oid; + *oidSz = sizeof(extCertPolicyDodMediumNpe112Oid); + break; + case CP_DOD_MEDIUM_NPE_128_OID: + oid = extCertPolicyDodMediumNpe128Oid; + *oidSz = sizeof(extCertPolicyDodMediumNpe128Oid); + break; + case CP_DOD_MEDIUM_NPE_192_OID: + oid = extCertPolicyDodMediumNpe192Oid; + *oidSz = sizeof(extCertPolicyDodMediumNpe192Oid); + break; + case CP_DOD_MEDIUM_112_OID: + oid = extCertPolicyDodMedium112Oid; + *oidSz = sizeof(extCertPolicyDodMedium112Oid); + break; + case CP_DOD_MEDIUM_128_OID: + oid = extCertPolicyDodMedium128Oid; + *oidSz = sizeof(extCertPolicyDodMedium128Oid); + break; + case CP_DOD_MEDIUM_192_OID: + oid = extCertPolicyDodMedium192Oid; + *oidSz = 
sizeof(extCertPolicyDodMedium192Oid); + break; + case CP_DOD_MEDIUM_HARDWARE_112_OID: + oid = extCertPolicyDodMediumHardware112Oid; + *oidSz = sizeof(extCertPolicyDodMediumHardware112Oid); + break; + case CP_DOD_MEDIUM_HARDWARE_128_OID: + oid = extCertPolicyDodMediumHardware128Oid; + *oidSz = sizeof(extCertPolicyDodMediumHardware128Oid); + break; + case CP_DOD_MEDIUM_HARDWARE_192_OID: + oid = extCertPolicyDodMediumHardware192Oid; + *oidSz = sizeof(extCertPolicyDodMediumHardware192Oid); + break; + case CP_DOD_ADMIN_OID: + oid = extCertPolicyDodAdminOid; + *oidSz = sizeof(extCertPolicyDodAdminOid); + break; + case CP_DOD_INTERNAL_NPE_112_OID: + oid = extCertPolicyDodInternalNpe112Oid; + *oidSz = sizeof(extCertPolicyDodInternalNpe112Oid); + break; + case CP_DOD_INTERNAL_NPE_128_OID: + oid = extCertPolicyDodInternalNpe128Oid; + *oidSz = sizeof(extCertPolicyDodInternalNpe128Oid); + break; + case CP_DOD_INTERNAL_NPE_192_OID: + oid = extCertPolicyDodInternalNpe192Oid; + *oidSz = sizeof(extCertPolicyDodInternalNpe192Oid); + break; + case CP_ECA_MEDIUM_OID: + oid = extCertPolicyEcaMediumOid; + *oidSz = sizeof(extCertPolicyEcaMediumOid); + break; + case CP_ECA_MEDIUM_HARDWARE_OID: + oid = extCertPolicyEcaMediumHardwareOid; + *oidSz = sizeof(extCertPolicyEcaMediumHardwareOid); + break; + case CP_ECA_MEDIUM_TOKEN_OID: + oid = extCertPolicyEcaMediumTokenOid; + *oidSz = sizeof(extCertPolicyEcaMediumTokenOid); + break; + case CP_ECA_MEDIUM_SHA256_OID: + oid = extCertPolicyEcaMediumSha256Oid; + *oidSz = sizeof(extCertPolicyEcaMediumSha256Oid); + break; + case CP_ECA_MEDIUM_TOKEN_SHA256_OID: + oid = extCertPolicyEcaMediumTokenSha256Oid; + *oidSz = sizeof(extCertPolicyEcaMediumTokenSha256Oid); + break; + case CP_ECA_MEDIUM_HARDWARE_PIVI_OID: + oid = extCertPolicyEcaMediumHardwarePiviOid; + *oidSz = sizeof(extCertPolicyEcaMediumHardwarePiviOid); + break; + case CP_ECA_CONTENT_SIGNING_PIVI_OID: + oid = extCertPolicyEcaContentSigningPiviOid; + *oidSz = 
sizeof(extCertPolicyEcaContentSigningPiviOid); + break; + case CP_ECA_MEDIUM_DEVICE_SHA256_OID: + oid = extCertPolicyEcaMediumDeviceSha256Oid; + *oidSz = sizeof(extCertPolicyEcaMediumDeviceSha256Oid); + break; + case CP_ECA_MEDIUM_HARDWARE_SHA256_OID: + oid = extCertPolicyEcaMediumHardwareSha256Oid; + *oidSz = sizeof(extCertPolicyEcaMediumHardwareSha256Oid); + break; + + /* Department of State PKI OIDs */ + case CP_STATE_HIGH_OID: + oid = extCertPolicyStateHighOid; + *oidSz = sizeof(extCertPolicyStateHighOid); + break; + case CP_STATE_MEDHW_OID: + oid = extCertPolicyStateMedHwOid; + *oidSz = sizeof(extCertPolicyStateMedHwOid); + break; + case CP_STATE_MEDDEVHW_OID: + oid = extCertPolicyStateMediumDeviceHardwareOid; + *oidSz = sizeof(extCertPolicyStateMediumDeviceHardwareOid); + break; + + /* U.S. Treasury SSP PKI OIDs */ + case CP_TREAS_MEDIUMHW_OID: + oid = extCertPolicyTreasuryMediumHardwareOid; + *oidSz = sizeof(extCertPolicyTreasuryMediumHardwareOid); + break; + case CP_TREAS_HIGH_OID: + oid = extCertPolicyTreasuryHighOid; + *oidSz = sizeof(extCertPolicyTreasuryHighOid); + break; + case CP_TREAS_PIVI_HW_OID: + oid = extCertPolicyTreasuryPiviHardwareOid; + *oidSz = sizeof(extCertPolicyTreasuryPiviHardwareOid); + break; + case CP_TREAS_PIVI_CONTENT_OID: + oid = extCertPolicyTreasuryPiviContentSigningOid; + *oidSz = sizeof(extCertPolicyTreasuryPiviContentSigningOid); + break; + + /* Boeing PKI OIDs */ + case CP_BOEING_MEDIUMHW_SHA256_OID: + oid = extCertPolicyBoeingMediumHardwareSha256Oid; + *oidSz = sizeof(extCertPolicyBoeingMediumHardwareSha256Oid); + break; + case CP_BOEING_MEDIUMHW_CONTENT_SHA256_OID: + oid = extCertPolicyBoeingMediumHardwareContentSigningSha256Oid; + *oidSz = sizeof(extCertPolicyBoeingMediumHardwareContentSigningSha256Oid); + break; + + /* DigiCert NFI PKI OIDs */ + case CP_DIGICERT_NFSSP_MEDIUMHW_OID: + oid = extCertPolicyDigicertNfiMediumHardwareOid; + *oidSz = sizeof(extCertPolicyDigicertNfiMediumHardwareOid); + break; + case 
CP_DIGICERT_NFSSP_AUTH_OID: + oid = extCertPolicyDigicertNfiAuthOid; + *oidSz = sizeof(extCertPolicyDigicertNfiAuthOid); + break; + case CP_DIGICERT_NFSSP_PIVI_HW_OID: + oid = extCertPolicyDigicertNfiPiviHardwareOid; + *oidSz = sizeof(extCertPolicyDigicertNfiPiviHardwareOid); + break; + case CP_DIGICERT_NFSSP_PIVI_CONTENT_OID: + oid = extCertPolicyDigicertNfiPiviContentSigningOid; + *oidSz = sizeof(extCertPolicyDigicertNfiPiviContentSigningOid); + break; + case CP_DIGICERT_NFSSP_MEDDEVHW_OID: + oid = extCertPolicyDigicertNfiMediumDevicesHardwareOid; + *oidSz = sizeof(extCertPolicyDigicertNfiMediumDevicesHardwareOid); + break; + + /* Entrust Managed Services NFI PKI OIDs */ + case CP_ENTRUST_NFSSP_MEDIUMHW_OID: + oid = extCertPolicyEntrustNfiMediumHardwareOid; + *oidSz = sizeof(extCertPolicyEntrustNfiMediumHardwareOid); + break; + case CP_ENTRUST_NFSSP_MEDAUTH_OID: + oid = extCertPolicyEntrustNfiMediumAuthenticationOid; + *oidSz = sizeof(extCertPolicyEntrustNfiMediumAuthenticationOid); + break; + case CP_ENTRUST_NFSSP_PIVI_HW_OID: + oid = extCertPolicyEntrustNfiPiviHardwareOid; + *oidSz = sizeof(extCertPolicyEntrustNfiPiviHardwareOid); + break; + case CP_ENTRUST_NFSSP_PIVI_CONTENT_OID: + oid = extCertPolicyEntrustNfiPiviContentSigningOid; + *oidSz = sizeof(extCertPolicyEntrustNfiPiviContentSigningOid); + break; + case CP_ENTRUST_NFSSP_MEDDEVHW_OID: + oid = extCertPolicyEntrustNfiMediumDevicesHwOid; + *oidSz = sizeof(extCertPolicyEntrustNfiMediumDevicesHwOid); + break; + + /* Exostar LLC PKI OIDs */ + case CP_EXOSTAR_MEDIUMHW_SHA2_OID: + oid = extCertPolicyExostarMediumHardwareSha2Oid; + *oidSz = sizeof(extCertPolicyExostarMediumHardwareSha2Oid); + break; + + /* Lockheed Martin PKI OIDs */ + case CP_LOCKHEED_MEDIUMHW_OID: + oid = extCertPolicyLockheedMediumAssuranceHardwareOid; + *oidSz = sizeof(extCertPolicyLockheedMediumAssuranceHardwareOid); + break; + + /* Northrop Grumman PKI OIDs */ + case CP_NORTHROP_MEDIUM_256_HW_OID: + oid = 
extCertPolicyNorthropMediumAssurance256HardwareTokenOid; + *oidSz = sizeof(extCertPolicyNorthropMediumAssurance256HardwareTokenOid); + break; + case CP_NORTHROP_PIVI_256_HW_OID: + oid = extCertPolicyNorthropPiviAssurance256HardwareTokenOid; + *oidSz = sizeof(extCertPolicyNorthropPiviAssurance256HardwareTokenOid); + break; + case CP_NORTHROP_PIVI_256_CONTENT_OID: + oid = extCertPolicyNorthropPiviAssurance256ContentSigningOid; + *oidSz = sizeof(extCertPolicyNorthropPiviAssurance256ContentSigningOid); + break; + case CP_NORTHROP_MEDIUM_384_HW_OID: + oid = extCertPolicyNorthropMediumAssurance384HardwareTokenOid; + *oidSz = sizeof(extCertPolicyNorthropMediumAssurance384HardwareTokenOid); + break; + + /* Raytheon PKI OIDs */ + case CP_RAYTHEON_MEDIUMHW_OID: + oid = extCertPolicyRaytheonMediumHardwareOid; + *oidSz = sizeof(extCertPolicyRaytheonMediumHardwareOid); + break; + case CP_RAYTHEON_MEDDEVHW_OID: + oid = extCertPolicyRaytheonMediumDeviceHardwareOid; + *oidSz = sizeof(extCertPolicyRaytheonMediumDeviceHardwareOid); + break; + case CP_RAYTHEON_SHA2_MEDIUMHW_OID: + oid = extCertPolicyRaytheonSha2MediumHardwareOid; + *oidSz = sizeof(extCertPolicyRaytheonSha2MediumHardwareOid); + break; + case CP_RAYTHEON_SHA2_MEDDEVHW_OID: + oid = extCertPolicyRaytheonSha2MediumDeviceHardwareOid; + *oidSz = sizeof(extCertPolicyRaytheonSha2MediumDeviceHardwareOid); + break; + + /* WidePoint NFI PKI OIDs */ + case CP_WIDEPOINT_MEDIUMHW_OID: + oid = extCertPolicyWidepointNfiMediumHardwareOid; + *oidSz = sizeof(extCertPolicyWidepointNfiMediumHardwareOid); + break; + case CP_WIDEPOINT_PIVI_HW_OID: + oid = extCertPolicyWidepointNfiPiviHardwareOid; + *oidSz = sizeof(extCertPolicyWidepointNfiPiviHardwareOid); + break; + case CP_WIDEPOINT_PIVI_CONTENT_OID: + oid = extCertPolicyWidepointNfiPiviContentSigningOid; + *oidSz = sizeof(extCertPolicyWidepointNfiPiviContentSigningOid); + break; + case CP_WIDEPOINT_MEDDEVHW_OID: + oid = extCertPolicyWidepointNfiMediumDevicesHardwareOid; + *oidSz = 
sizeof(extCertPolicyWidepointNfiMediumDevicesHardwareOid); + break; + + /* Australian Defence Organisation PKI OIDs */ + case CP_ADO_MEDIUM_OID: + oid = extCertPolicyAdoIndividualMediumAssuranceOid; + *oidSz = sizeof(extCertPolicyAdoIndividualMediumAssuranceOid); + break; + case CP_ADO_HIGH_OID: + oid = extCertPolicyAdoIndividualHighAssuranceOid; + *oidSz = sizeof(extCertPolicyAdoIndividualHighAssuranceOid); + break; + case CP_ADO_RESOURCE_MEDIUM_OID: + oid = extCertPolicyAdoResourceMediumAssuranceOid; + *oidSz = sizeof(extCertPolicyAdoResourceMediumAssuranceOid); + break; + + /* Netherlands Ministry of Defence PKI OIDs */ + case CP_NL_MOD_AUTH_OID: + oid = extCertPolicyNlModAuthenticityOid; + *oidSz = sizeof(extCertPolicyNlModAuthenticityOid); + break; + case CP_NL_MOD_IRREFUT_OID: + oid = extCertPolicyNlModIrrefutabilityOid; + *oidSz = sizeof(extCertPolicyNlModIrrefutabilityOid); + break; + case CP_NL_MOD_CONFID_OID: + oid = extCertPolicyNlModConfidentialityOid; + *oidSz = sizeof(extCertPolicyNlModConfidentialityOid); + break; + + /* IdenTrust NFI OIDs */ + case CP_IDENTRUST_MEDIUMHW_SIGN_OID: + oid = extCertPolicyIdentrustMediumhwSignOid; + *oidSz = sizeof(extCertPolicyIdentrustMediumhwSignOid); + break; + case CP_IDENTRUST_MEDIUMHW_ENC_OID: + oid = extCertPolicyIdentrustMediumhwEncOid; + *oidSz = sizeof(extCertPolicyIdentrustMediumhwEncOid); + break; + case CP_IDENTRUST_PIVI_HW_ID_OID: + oid = extCertPolicyIdentrustPiviHwIdOid; + *oidSz = sizeof(extCertPolicyIdentrustPiviHwIdOid); + break; + case CP_IDENTRUST_PIVI_HW_SIGN_OID: + oid = extCertPolicyIdentrustPiviHwSignOid; + *oidSz = sizeof(extCertPolicyIdentrustPiviHwSignOid); + break; + case CP_IDENTRUST_PIVI_HW_ENC_OID: + oid = extCertPolicyIdentrustPiviHwEncOid; + *oidSz = sizeof(extCertPolicyIdentrustPiviHwEncOid); + break; + case CP_IDENTRUST_PIVI_CONTENT_OID: + oid = extCertPolicyIdentrustPiviContentOid; + *oidSz = sizeof(extCertPolicyIdentrustPiviContentOid); + break; + + /* TSCP Bridge OIDs */ + case 
CP_TSCP_MEDIUMHW_OID: + oid = extCertPolicyTscpMediumhwOid; + *oidSz = sizeof(extCertPolicyTscpMediumhwOid); + break; + case CP_TSCP_PIVI_OID: + oid = extCertPolicyTscpPiviOid; + *oidSz = sizeof(extCertPolicyTscpPiviOid); + break; + case CP_TSCP_PIVI_CONTENT_OID: + oid = extCertPolicyTscpPiviContentOid; + *oidSz = sizeof(extCertPolicyTscpPiviContentOid); + break; + + /* Carillon Federal Services OIDs */ + case CP_CARILLON_MEDIUMHW_256_OID: + oid = extCertPolicyCarillonMediumhw256Oid; + *oidSz = sizeof(extCertPolicyCarillonMediumhw256Oid); + break; + case CP_CARILLON_AIVHW_OID: + oid = extCertPolicyCarillonAivhwOid; + *oidSz = sizeof(extCertPolicyCarillonAivhwOid); + break; + case CP_CARILLON_AIVCONTENT_OID: + oid = extCertPolicyCarillonAivcontentOid; + *oidSz = sizeof(extCertPolicyCarillonAivcontentOid); + break; + + /* Carillon Information Security OIDs */ + case CP_CIS_MEDIUMHW_256_OID: + oid = extCertPolicyCisMediumhw256Oid; + *oidSz = sizeof(extCertPolicyCisMediumhw256Oid); + break; + case CP_CIS_MEDDEVHW_256_OID: + oid = extCertPolicyCisMeddevhw256Oid; + *oidSz = sizeof(extCertPolicyCisMeddevhw256Oid); + break; + case CP_CIS_ICECAP_HW_OID: + oid = extCertPolicyCisIcecapHwOid; + *oidSz = sizeof(extCertPolicyCisIcecapHwOid); + break; + case CP_CIS_ICECAP_CONTENT_OID: + oid = extCertPolicyCisIcecapContentOid; + *oidSz = sizeof(extCertPolicyCisIcecapContentOid); + break; + + /* CertiPath Bridge OIDs */ + case CP_CERTIPATH_MEDIUMHW_OID: + oid = extCertPolicyCertipathMediumhwOid; + *oidSz = sizeof(extCertPolicyCertipathMediumhwOid); + break; + case CP_CERTIPATH_HIGHHW_OID: + oid = extCertPolicyCertipathHighhwOid; + *oidSz = sizeof(extCertPolicyCertipathHighhwOid); + break; + case CP_CERTIPATH_ICECAP_HW_OID: + oid = extCertPolicyCertipathIcecapHwOid; + *oidSz = sizeof(extCertPolicyCertipathIcecapHwOid); + break; + case CP_CERTIPATH_ICECAP_CONTENT_OID: + oid = extCertPolicyCertipathIcecapContentOid; + *oidSz = sizeof(extCertPolicyCertipathIcecapContentOid); + break; + 
case CP_CERTIPATH_VAR_MEDIUMHW_OID: + oid = extCertPolicyCertipathVarMediumhwOid; + *oidSz = sizeof(extCertPolicyCertipathVarMediumhwOid); + break; + case CP_CERTIPATH_VAR_HIGHHW_OID: + oid = extCertPolicyCertipathVarHighhwOid; + *oidSz = sizeof(extCertPolicyCertipathVarHighhwOid); + break; #endif /* WOLFSSL_FPKI */ default: break; 
@@ -5928,6 +6614,151 @@ static int DumpOID(const byte* oidData, word32 oidSz, word32 oid, } #endif /* ASN_DUMP_OID */ +#ifdef WOLFSSL_FPKI +/* Handles the large number of collisions from FPKI certificate policy + * OID sums. Returns a special value (100000 + actual sum) if a + * collision is detected. + * @param [in] oid Buffer holding OID. + * @param [in] oidSz Length of OID data in buffer. + * @param [in] oidSum The sum of the OID being passed in. + */ +static word32 fpkiCertPolOid(const byte* oid, word32 oidSz, word32 oidSum) { + + switch (oidSum) { + case CP_FPKI_COMMON_DEVICES_HARDWARE_OID: + if ((word32)sizeof(extCertPolicyDodPeerInteropOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyDodPeerInteropOid, + sizeof(extCertPolicyDodPeerInteropOid)) == 0) + return CP_DOD_PEER_INTEROP_OID; + break; + case CP_FPKI_PIV_AUTH_HW_OID: + if ((word32)sizeof(extCertPolicyDodMediumNpe112Oid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyDodMediumNpe112Oid, + sizeof(extCertPolicyDodMediumNpe112Oid)) == 0) + return CP_DOD_MEDIUM_NPE_112_OID; + else if ((word32)sizeof(extCertPolicyStateMediumDeviceHardwareOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyStateMediumDeviceHardwareOid, + sizeof(extCertPolicyStateMediumDeviceHardwareOid)) == 0) + return CP_STATE_MEDDEVHW_OID; + break; + case CP_FPKI_PIVI_AUTH_OID: + if ((word32)sizeof(extCertPolicyDodMedium128Oid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyDodMedium128Oid, + sizeof(extCertPolicyDodMedium128Oid)) == 0) + return CP_DOD_MEDIUM_128_OID; + break; + case CP_FPKI_COMMON_PIVI_CONTENT_SIGNING_OID: + if ((word32)sizeof(extCertPolicyDodMediumHardware112Oid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyDodMediumHardware112Oid, + sizeof(extCertPolicyDodMediumHardware112Oid)) == 0) + return CP_DOD_MEDIUM_HARDWARE_112_OID; + if ((word32)sizeof(extCertPolicyCertipathHighhwOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyCertipathHighhwOid, + sizeof(extCertPolicyCertipathHighhwOid)) == 0) + return 
CP_CERTIPATH_HIGHHW_OID; + break; + case CP_DOD_MEDIUM_OID: + if ((word32)sizeof(extCertPolicyEcaMediumOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyEcaMediumOid, + sizeof(extCertPolicyEcaMediumOid)) == 0) + return CP_ECA_MEDIUM_OID; + break; + case CP_FPKI_COMMON_AUTH_OID: + if ((word32)sizeof(extCertPolicyEcaMediumSha256Oid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyEcaMediumSha256Oid, + sizeof(extCertPolicyEcaMediumSha256Oid)) == 0) + return CP_ECA_MEDIUM_SHA256_OID; + break; + case CP_FPKI_MEDIUM_HARDWARE_OID: + if ((word32)sizeof(extCertPolicyEcaMediumTokenOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyEcaMediumTokenOid, + sizeof(extCertPolicyEcaMediumTokenOid)) == 0) + return CP_ECA_MEDIUM_TOKEN_OID; + else if ((word32)sizeof(extCertPolicyTreasuryPiviHardwareOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyTreasuryPiviHardwareOid, + sizeof(extCertPolicyTreasuryPiviHardwareOid)) == 0) + return CP_TREAS_PIVI_HW_OID; + break; + case CP_DOD_MEDIUM_HARDWARE_OID: + if ((word32)sizeof(extCertPolicyEcaMediumTokenSha256Oid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyEcaMediumTokenSha256Oid, + sizeof(extCertPolicyEcaMediumTokenSha256Oid)) == 0) + return CP_ECA_MEDIUM_TOKEN_SHA256_OID; + else if ((word32)sizeof(extCertPolicyTreasuryPiviContentSigningOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyTreasuryPiviContentSigningOid, + sizeof(extCertPolicyTreasuryPiviContentSigningOid)) == 0) + return CP_TREAS_PIVI_CONTENT_OID; + break; + case CP_DOD_PIV_AUTH_OID: + if ((word32)sizeof(extCertPolicyEcaMediumHardwarePiviOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyEcaMediumHardwarePiviOid, + sizeof(extCertPolicyEcaMediumHardwarePiviOid)) == 0) + return CP_ECA_MEDIUM_HARDWARE_PIVI_OID; + else if ((word32)sizeof(extCertPolicyStateMedHwOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyStateMedHwOid, + sizeof(extCertPolicyStateMedHwOid)) == 0) + return CP_STATE_MEDHW_OID; + break; + case CP_FPKI_COMMON_HARDWARE_OID: + if 
((word32)sizeof(extCertPolicyStateHighOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyStateHighOid, + sizeof(extCertPolicyStateHighOid)) == 0) + return CP_STATE_HIGH_OID; + else if ((word32)sizeof(extCertPolicyTreasuryHighOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyTreasuryHighOid, + sizeof(extCertPolicyTreasuryHighOid)) == 0) + return CP_TREAS_HIGH_OID; + break; + case CP_ECA_MEDIUM_HARDWARE_OID: + if ((word32)sizeof(extCertPolicyExostarMediumHardwareSha2Oid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyExostarMediumHardwareSha2Oid, + sizeof(extCertPolicyExostarMediumHardwareSha2Oid)) == 0) + return CP_EXOSTAR_MEDIUMHW_SHA2_OID; + break; + case CP_ADO_HIGH_OID: + if ((word32)sizeof(extCertPolicyAdoResourceMediumAssuranceOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyAdoResourceMediumAssuranceOid, + sizeof(extCertPolicyAdoResourceMediumAssuranceOid)) == 0) + return CP_ADO_RESOURCE_MEDIUM_OID; + break; + case CP_DOD_ADMIN_OID: + if ((word32)sizeof(extCertPolicyCarillonAivcontentOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyCarillonAivcontentOid, + sizeof(extCertPolicyCarillonAivcontentOid)) == 0) + return CP_CARILLON_AIVCONTENT_OID; + break; + case CP_CIS_ICECAP_HW_OID: + if ((word32)sizeof(extCertPolicyNlModIrrefutabilityOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyNlModIrrefutabilityOid, + sizeof(extCertPolicyNlModIrrefutabilityOid)) == 0) + return CP_NL_MOD_IRREFUT_OID; + break; + case CP_DOD_MEDIUM_192_OID: + if ((word32)sizeof(extCertPolicyCertipathMediumhwOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyCertipathMediumhwOid, + sizeof(extCertPolicyCertipathMediumhwOid)) == 0) + return CP_CERTIPATH_MEDIUMHW_OID; + break; + case CP_CARILLON_AIVHW_OID: + if ((word32)sizeof(extCertPolicyCertipathVarMediumhwOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyCertipathVarMediumhwOid, + sizeof(extCertPolicyCertipathVarMediumhwOid)) == 0) + return CP_CERTIPATH_VAR_MEDIUMHW_OID; + break; + case CP_ISRG_DOMAIN_VALID: + if 
((word32)sizeof(extCertPolicyEcaContentSigningPiviOid) == (word32)oidSz && + XMEMCMP(oid, extCertPolicyEcaContentSigningPiviOid, + sizeof(extCertPolicyEcaContentSigningPiviOid)) == 0) + return CP_ECA_CONTENT_SIGNING_PIVI_OID; + break; + default: + break; + } + + return 0; +} +#endif + /* Get the OID data and verify it is of the type specified when compiled in. * * @param [in] input Buffer holding OID. @@ -5953,13 +6784,13 @@ static int GetOID(const byte* input, word32* inOutIdx, word32* oid, const byte* checkOid = NULL; word32 checkOidSz; #endif /* NO_VERIFY_OID */ -#if defined(HAVE_SPHINCS) +#if defined(HAVE_SPHINCS) || defined(WOLFSSL_FPKI) word32 found_collision = 0; #endif (void)oidType; *oid = 0; -#ifndef NO_VERIFY_OID +#if !defined(NO_VERIFY_OID) || defined(WOLFSSL_FPKI) /* Keep references to OID data and length for check. */ actualOid = &input[idx]; actualOidSz = (word32)length; @@ -5988,7 +6819,16 @@ static int GetOID(const byte* input, word32* inOutIdx, word32* oid, idx++; } -#ifdef HAVE_SPHINCS +#ifdef WOLFSSL_FPKI + /* Due to the large number of OIDs for FPKI certificate policy, there + are multiple collsisions. Handle them in a dedicated function, + if a collision is detected, the OID is adjusted. */ + if (oidType == oidCertPolicyType) { + found_collision = fpkiCertPolOid(actualOid, actualOidSz, *oid); + } +#endif + +#if defined(HAVE_SPHINCS) || defined(WOLFSSL_FPKI) if (found_collision) { *oid = found_collision; } diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index e5ac2d0af..17804eb7d 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
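Review bot: fpkiCertPolOid has no case for sums 431 and 433, yet the CertificatePolicy_Sum hunk in asn.h gives 431 to both CP_FPKI_PIVI_HARDWARE_OID (2.16.840.1.101.3.2.1.3.18) and CP_ECA_MEDIUM_DEVICE_SHA256_OID (2.16.840.1.101.3.2.1.12.9), and 433 to both CP_FPKI_PIVI_CONTENT_SIGNING_OID (2.16.840.1.101.3.2.1.3.20) and CP_RAYTHEON_SHA2_MEDIUMHW_OID (1.3.6.1.4.1.26769.10.1.12); the DER byte sums of those encodings genuinely coincide, so a certificate asserting one of these policies is reported as the other, which misstates its assurance level to any caller that gates on these values (and if both enumerators also appear as labels in the lookup switch above, the compiler will reject the duplicate case). The two ECA/Raytheon enumerators need distinct values following the existing scheme, `CP_ECA_MEDIUM_DEVICE_SHA256_OID = 100431,` and `CP_RAYTHEON_SHA2_MEDIUMHW_OID = 100433,`, plus the two cases below in this switch (the ECA table name is assumed from the naming pattern of the other extCertPolicy*Oid arrays; use the actual declaration). The header comment should also state the real contract: it returns 0 when no collision is found, and three-way collisions use 101000 + sum (CP_STATE_MEDHW_OID, CP_TREAS_HIGH_OID, CP_CERTIPATH_HIGHHW_OID), not only 100000 + sum. Since the `sizeof(...) == oidSz && XMEMCMP(...) == 0` test is repeated some thirty times, a small static helper taking the table and its size would make each case a single line and harder to get wrong.
```c
        case CP_FPKI_PIVI_HARDWARE_OID:
            if ((word32)sizeof(extCertPolicyEcaMediumDeviceSha256Oid) == oidSz &&
                XMEMCMP(oid, extCertPolicyEcaMediumDeviceSha256Oid,
                        sizeof(extCertPolicyEcaMediumDeviceSha256Oid)) == 0)
                return CP_ECA_MEDIUM_DEVICE_SHA256_OID;
            break;
        case CP_FPKI_PIVI_CONTENT_SIGNING_OID:
            if ((word32)sizeof(extCertPolicyRaytheonSha2MediumHardwareOid) == oidSz &&
                XMEMCMP(oid, extCertPolicyRaytheonSha2MediumHardwareOid,
                        sizeof(extCertPolicyRaytheonSha2MediumHardwareOid)) == 0)
                return CP_RAYTHEON_SHA2_MEDIUMHW_OID;
            break;
        /* … unchanged: remaining collision cases, default, return 0 … */
```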
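Review bot: The guard around `actualOid = &input[idx]; actualOidSz = (word32)length;` is widened to `#if !defined(NO_VERIFY_OID) || defined(WOLFSSL_FPKI)`, but the hunk's context shows `checkOid`/`checkOidSz` declared inside a block closed by `#endif /* NO_VERIFY_OID */`; if `actualOid` and `actualOidSz` are declared in that same block (their declarations are outside the hunk), a build with both NO_VERIFY_OID and WOLFSSL_FPKI defined no longer compiles, because the assignments and the later fpkiCertPolOid call reference undeclared names. The declaration guard should be widened to match, `#if !defined(NO_VERIFY_OID) || defined(WOLFSSL_FPKI)`, or the two variables moved out of the NO_VERIFY_OID block entirely. GetOID's body begins and continues outside this hunk.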
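Review bot: The new comment above the fpkiCertPolOid call has a typo, `collsisions`, and describes the mechanism loosely ("the OID is adjusted") without stating the contract the code below depends on, namely that a return of 0 means no collision and `*oid` is left as the plain sum. Suggest `/* FPKI certificate policy OID sums collide frequently; fpkiCertPolOid() returns a unique replacement value for a known collision, or 0 to keep the plain sum. */`. Note that when HAVE_SPHINCS is also defined this assignment overwrites any `found_collision` set earlier for an oidCertPolicyType OID; that is presumably harmless, but worth a one-line comment confirming the two collision paths never apply to the same oidType.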
@@ -1424,11 +1424,152 @@ enum Extensions_Sum { enum CertificatePolicy_Sum { CP_ANY_OID = 146, /* id-ce 32 0 */ + CP_ISRG_DOMAIN_VALID = 430, /* 1.3.6.1.4.1.44947.1.1.1 */ #ifdef WOLFSSL_FPKI - CP_FPKI_COMMON_AUTH_OID = 426, /* 2.16.840.1.101.3.2.1.3.13 */ - CP_FPKI_PIV_AUTH_OID = 453, /* 2.16.840.1.101.3.2.1.3.40 */ - CP_FPKI_PIV_AUTH_HW_OID = 454, /* 2.16.840.1.101.3.2.1.3.41 */ - CP_FPKI_PIVI_AUTH_OID = 458, /* 2.16.840.1.101.3.2.1.3.45 */ + /* Federal PKI OIDs */ + CP_FPKI_HIGH_ASSURANCE_OID = 417, /* 2.16.840.1.101.3.2.1.3.4 */ + CP_FPKI_COMMON_HARDWARE_OID = 420, /* 2.16.840.1.101.3.2.1.3.7 */ + CP_FPKI_MEDIUM_HARDWARE_OID = 425, /* 2.16.840.1.101.3.2.1.3.12 */ + CP_FPKI_COMMON_AUTH_OID = 426, /* 2.16.840.1.101.3.2.1.3.13 */ + CP_FPKI_COMMON_HIGH_OID = 429, /* 2.16.840.1.101.3.2.1.3.16 */ + CP_FPKI_PIVI_HARDWARE_OID = 431, /* 2.16.840.1.101.3.2.1.3.18 */ + CP_FPKI_PIVI_CONTENT_SIGNING_OID = 433, /* 2.16.840.1.101.3.2.1.3.20 */ + CP_FPKI_COMMON_DEVICES_HARDWARE_OID = 449, /* 2.16.840.1.101.3.2.1.3.36 */ + CP_FPKI_MEDIUM_DEVICE_HARDWARE_OID = 451, /* 2.16.840.1.101.3.2.1.3.38 */ + CP_FPKI_COMMON_PIV_CONTENT_SIGNING_OID = 452, /* 2.16.840.1.101.3.2.1.3.39 */ + CP_FPKI_PIV_AUTH_OID = 453, /* 2.16.840.1.101.3.2.1.3.40 */ + CP_FPKI_PIV_AUTH_HW_OID = 454, /* 2.16.840.1.101.3.2.1.3.41 */ + CP_FPKI_PIVI_AUTH_OID = 458, /* 2.16.840.1.101.3.2.1.3.45 */ + CP_FPKI_COMMON_PIVI_CONTENT_SIGNING_OID = 460, /* 2.16.840.1.101.3.2.1.3.47 */ + + /* DoD PKI OIDs */ + CP_DOD_MEDIUM_OID = 423, /* 2.16.840.1.101.2.1.11.5 */ + CP_DOD_MEDIUM_HARDWARE_OID = 427, /* 2.16.840.1.101.2.1.11.9 */ + CP_DOD_PIV_AUTH_OID = 428, /* 2.16.840.1.101.2.1.11.10 */ + CP_DOD_MEDIUM_NPE_OID = 435, /* 2.16.840.1.101.2.1.11.17 */ + CP_DOD_MEDIUM_2048_OID = 436, /* 2.16.840.1.101.2.1.11.18 */ + CP_DOD_MEDIUM_HARDWARE_2048_OID = 437, /* 2.16.840.1.101.2.1.11.19 */ + CP_DOD_PIV_AUTH_2048_OID = 438, /* 2.16.840.1.101.2.1.11.20 */ + CP_DOD_PEER_INTEROP_OID = 100449, /* 2.16.840.1.101.2.1.11.31 */ + 
CP_DOD_MEDIUM_NPE_112_OID = 100454, /* 2.16.840.1.101.2.1.11.36 */ + CP_DOD_MEDIUM_NPE_128_OID = 455, /* 2.16.840.1.101.2.1.11.37 */ + CP_DOD_MEDIUM_NPE_192_OID = 456, /* 2.16.840.1.101.2.1.11.38 */ + CP_DOD_MEDIUM_112_OID = 457, /* 2.16.840.1.101.2.1.11.39 */ + CP_DOD_MEDIUM_128_OID = 100458, /* 2.16.840.1.101.2.1.11.40 */ + CP_DOD_MEDIUM_192_OID = 459, /* 2.16.840.1.101.2.1.11.41 */ + CP_DOD_MEDIUM_HARDWARE_112_OID = 100460, /* 2.16.840.1.101.2.1.11.42 */ + CP_DOD_MEDIUM_HARDWARE_128_OID = 461, /* 2.16.840.1.101.2.1.11.43 */ + CP_DOD_MEDIUM_HARDWARE_192_OID = 462, /* 2.16.840.1.101.2.1.11.44 */ + CP_DOD_ADMIN_OID = 477, /* 2.16.840.1.101.2.1.11.59 */ + CP_DOD_INTERNAL_NPE_112_OID = 478, /* 2.16.840.1.101.2.1.11.60 */ + CP_DOD_INTERNAL_NPE_128_OID = 479, /* 2.16.840.1.101.2.1.11.61 */ + CP_DOD_INTERNAL_NPE_192_OID = 480, /* 2.16.840.1.101.2.1.11.62 */ + + /* ECA PKI OIDs */ + CP_ECA_MEDIUM_OID = 100423, /* 2.16.840.1.101.3.2.1.12.1 */ + CP_ECA_MEDIUM_HARDWARE_OID = 424, /* 2.16.840.1.101.3.2.1.12.2 */ + CP_ECA_MEDIUM_TOKEN_OID = 100425, /* 2.16.840.1.101.3.2.1.12.3 */ + CP_ECA_MEDIUM_SHA256_OID = 100426, /* 2.16.840.1.101.3.2.1.12.4 */ + CP_ECA_MEDIUM_TOKEN_SHA256_OID = 100427, /* 2.16.840.1.101.3.2.1.12.5 */ + CP_ECA_MEDIUM_HARDWARE_PIVI_OID = 100428, /* 2.16.840.1.101.3.2.1.12.6 */ + CP_ECA_CONTENT_SIGNING_PIVI_OID = 100430, /* 2.16.840.1.101.3.2.1.12.8 */ + CP_ECA_MEDIUM_DEVICE_SHA256_OID = 431, /* 2.16.840.1.101.3.2.1.12.9 */ + CP_ECA_MEDIUM_HARDWARE_SHA256_OID = 432, /* 2.16.840.1.101.3.2.1.12.10 */ + + /* Department of State PKI OIDs */ + CP_STATE_HIGH_OID = 100420, /* 2.16.840.1.101.3.2.1.6.4 */ + CP_STATE_MEDHW_OID = 101428, /* 2.16.840.1.101.3.2.1.6.12 */ + CP_STATE_MEDDEVHW_OID = 101454, /* 2.16.840.1.101.3.2.1.6.38 */ + + /* U.S. 
Treasury SSP PKI OIDs */ + CP_TREAS_MEDIUMHW_OID = 419, /* 2.16.840.1.101.3.2.1.5.4 */ + CP_TREAS_HIGH_OID = 101420, /* 2.16.840.1.101.3.2.1.5.5 */ + CP_TREAS_PIVI_HW_OID = 101425, /* 2.16.840.1.101.3.2.1.5.10 */ + CP_TREAS_PIVI_CONTENT_OID = 101427, /* 2.16.840.1.101.3.2.1.5.12 */ + + /* Boeing PKI OIDs */ + CP_BOEING_MEDIUMHW_SHA256_OID = 159, /* 1.3.6.1.4.1.73.15.3.1.12 */ + CP_BOEING_MEDIUMHW_CONTENT_SHA256_OID = 164, /* 1.3.6.1.4.1.73.15.3.1.17 */ + + /* Carillon Federal Services OIDs */ + CP_CARILLON_MEDIUMHW_256_OID = 467, /* 1.3.6.1.4.1.45606.3.1.12 */ + CP_CARILLON_AIVHW_OID = 475, /* 1.3.6.1.4.1.45606.3.1.20 */ + CP_CARILLON_AIVCONTENT_OID = 100477, /* 1.3.6.1.4.1.45606.3.1.22 */ + + /* Carillon Information Security OIDs */ + CP_CIS_MEDIUMHW_256_OID = 489, /* 1.3.6.1.4.1.25054.3.1.12 */ + CP_CIS_MEDDEVHW_256_OID = 491, /* 1.3.6.1.4.1.25054.3.1.14 */ + CP_CIS_ICECAP_HW_OID = 497, /* 1.3.6.1.4.1.25054.3.1.20 */ + CP_CIS_ICECAP_CONTENT_OID = 499, /* 1.3.6.1.4.1.25054.3.1.22 */ + + /* CertiPath Bridge OIDs */ + CP_CERTIPATH_MEDIUMHW_OID = 100459, /* 1.3.6.1.4.1.24019.1.1.1.2 */ + CP_CERTIPATH_HIGHHW_OID = 101460, /* 1.3.6.1.4.1.24019.1.1.1.3 */ + CP_CERTIPATH_ICECAP_HW_OID = 464, /* 1.3.6.1.4.1.24019.1.1.1.7 */ + CP_CERTIPATH_ICECAP_CONTENT_OID = 466, /* 1.3.6.1.4.1.24019.1.1.1.9 */ + CP_CERTIPATH_VAR_MEDIUMHW_OID = 100475, /* 1.3.6.1.4.1.24019.1.1.1.18 */ + CP_CERTIPATH_VAR_HIGHHW_OID = 476, /* 1.3.6.1.4.1.24019.1.1.1.19 */ + + /* TSCP Bridge OIDs */ + CP_TSCP_MEDIUMHW_OID = 442, /* 1.3.6.1.4.1.38099.1.1.1.2 */ + CP_TSCP_PIVI_OID = 445, /* 1.3.6.1.4.1.38099.1.1.1.5 */ + CP_TSCP_PIVI_CONTENT_OID = 447, /* 1.3.6.1.4.1.38099.1.1.1.7 */ + + /* DigiCert NFI PKI OIDs */ + CP_DIGICERT_NFSSP_MEDIUMHW_OID = 796, /* 2.16.840.1.113733.1.7.23.3.1.7 */ + CP_DIGICERT_NFSSP_AUTH_OID = 802, /* 2.16.840.1.113733.1.7.23.3.1.13 */ + CP_DIGICERT_NFSSP_PIVI_HW_OID = 807, /* 2.16.840.1.113733.1.7.23.3.1.18 */ + CP_DIGICERT_NFSSP_PIVI_CONTENT_OID = 809, /* 
2.16.840.1.113733.1.7.23.3.1.20 */ + CP_DIGICERT_NFSSP_MEDDEVHW_OID = 825, /* 2.16.840.1.113733.1.7.23.3.1.36 */ + + /* Entrust Managed Services NFI PKI OIDs */ + CP_ENTRUST_NFSSP_MEDIUMHW_OID = 1017, /* 2.16.840.1.114027.200.3.10.7.2 */ + CP_ENTRUST_NFSSP_MEDAUTH_OID = 1019, /* 2.16.840.1.114027.200.3.10.7.4 */ + CP_ENTRUST_NFSSP_PIVI_HW_OID = 1021, /* 2.16.840.1.114027.200.3.10.7.6 */ + CP_ENTRUST_NFSSP_PIVI_CONTENT_OID = 1024, /* 2.16.840.1.114027.200.3.10.7.9 */ + CP_ENTRUST_NFSSP_MEDDEVHW_OID = 1031, /* 2.16.840.1.114027.200.3.10.7.16 */ + + /* Exostar LLC PKI OIDs */ + CP_EXOSTAR_MEDIUMHW_SHA2_OID = 100424, /* 1.3.6.1.4.1.13948.1.1.1.6 */ + + /* IdenTrust NFI OIDs */ + CP_IDENTRUST_MEDIUMHW_SIGN_OID = 846, /* 2.16.840.1.113839.0.100.12.1 */ + CP_IDENTRUST_MEDIUMHW_ENC_OID = 847, /* 2.16.840.1.113839.0.100.12.2 */ + CP_IDENTRUST_PIVI_HW_ID_OID = 851, /* 2.16.840.1.113839.0.100.18.0 */ + CP_IDENTRUST_PIVI_HW_SIGN_OID = 852, /* 2.16.840.1.113839.0.100.18.1 */ + CP_IDENTRUST_PIVI_HW_ENC_OID = 853, /* 2.16.840.1.113839.0.100.18.2 */ + CP_IDENTRUST_PIVI_CONTENT_OID = 854, /* 2.16.840.1.113839.0.100.20.1 */ + + /* Lockheed Martin PKI OIDs */ + CP_LOCKHEED_MEDIUMHW_OID = 266, /* 1.3.6.1.4.1.103.100.1.1.3.3 */ + + /* Northrop Grumman PKI OIDs */ + CP_NORTHROP_MEDIUM_256_HW_OID = 654, /* 1.3.6.1.4.1.16334.509.2.8 */ + CP_NORTHROP_PIVI_256_HW_OID = 655, /* 1.3.6.1.4.1.16334.509.2.9 */ + CP_NORTHROP_PIVI_256_CONTENT_OID = 657, /* 1.3.6.1.4.1.16334.509.2.11 */ + CP_NORTHROP_MEDIUM_384_HW_OID = 660, /* 1.3.6.1.4.1.16334.509.2.14 */ + + /* Raytheon PKI OIDs */ + CP_RAYTHEON_MEDIUMHW_OID = 251, /* 1.3.6.1.4.1.1569.10.1.12 */ + CP_RAYTHEON_MEDDEVHW_OID = 257, /* 1.3.6.1.4.1.1569.10.1.18 */ + CP_RAYTHEON_SHA2_MEDIUMHW_OID = 433, /* 1.3.6.1.4.1.26769.10.1.12 */ + CP_RAYTHEON_SHA2_MEDDEVHW_OID = 439, /* 1.3.6.1.4.1.26769.10.1.18 */ + + /* WidePoint NFI PKI OIDs */ + CP_WIDEPOINT_MEDIUMHW_OID = 310, /* 1.3.6.1.4.1.3922.1.1.1.12 */ + CP_WIDEPOINT_PIVI_HW_OID = 316, /* 
1.3.6.1.4.1.3922.1.1.1.18 */ + CP_WIDEPOINT_PIVI_CONTENT_OID = 318, /* 1.3.6.1.4.1.3922.1.1.1.20 */ + CP_WIDEPOINT_MEDDEVHW_OID = 336, /* 1.3.6.1.4.1.3922.1.1.1.38 */ + + /* Australian Defence Organisation PKI OIDs */ + CP_ADO_MEDIUM_OID = 293, /* 1.2.36.1.334.1.2.1.2 */ + CP_ADO_HIGH_OID = 294, /* 1.2.36.1.334.1.2.1.3 */ + CP_ADO_RESOURCE_MEDIUM_OID = 100294, /* 1.2.36.1.334.1.2.2.2 */ + + /* Netherlands Ministry of Defence PKI OIDs */ + CP_NL_MOD_AUTH_OID = 496, /* 2.16.528.1.1003.1.2.5.1 */ + CP_NL_MOD_IRREFUT_OID = 100497, /* 2.16.528.1.1003.1.2.5.2 */ + CP_NL_MOD_CONFID_OID = 498, /* 2.16.528.1.1003.1.2.5.3 */ #endif /* WOLFSSL_FPKI */ WOLF_ENUM_DUMMY_LAST_ELEMENT(CertificatePolicy_Sum) };