From 6910f80e3d3bfa5e9ec5d83ff468bd7e4adbd110 Mon Sep 17 00:00:00 2001 From: Devin AI Date: Tue, 25 Mar 2025 10:25:23 -0700 Subject: [PATCH 1/9] Add all DoD PKI cert policy OIDs. Co-Authored-By: kareem@wolfssl.com --- wolfcrypt/src/asn.c | 396 ++++++++++++++++++++++++++++++++++++++++ wolfssl/wolfcrypt/asn.h | 191 +++++++++++++++++++ 2 files changed, 587 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 7e0948eee..9ae27ceb8 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
@@ -4506,6 +4506,148 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; CERT_POLICY_TYPE_OID_BASE(41); static const byte extCertPolicyFpkiPiviAuthOid[] = CERT_POLICY_TYPE_OID_BASE(45); + /* DoD PKI OIDs - 2.16.840.1.101.2.1.11.X */ + #define DOD_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 2, 1, 11, num} + static const byte extCertPolicyDodMediumOid[] = + DOD_POLICY_TYPE_OID_BASE(5); + static const byte extCertPolicyDodMediumHardwareOid[] = + DOD_POLICY_TYPE_OID_BASE(9); + static const byte extCertPolicyDodPivAuthOid[] = + DOD_POLICY_TYPE_OID_BASE(10); + static const byte extCertPolicyDodMediumNpeOid[] = + DOD_POLICY_TYPE_OID_BASE(17); + static const byte extCertPolicyDodMedium2048Oid[] = + DOD_POLICY_TYPE_OID_BASE(18); + static const byte extCertPolicyDodMediumHardware2048Oid[] = + DOD_POLICY_TYPE_OID_BASE(19); + static const byte extCertPolicyDodPivAuth2048Oid[] = + DOD_POLICY_TYPE_OID_BASE(20); + static const byte extCertPolicyDodPeerInteropOid[] = + DOD_POLICY_TYPE_OID_BASE(31); + static const byte extCertPolicyDodMediumNpe112Oid[] = + DOD_POLICY_TYPE_OID_BASE(36); + static const byte extCertPolicyDodMediumNpe128Oid[] = + DOD_POLICY_TYPE_OID_BASE(37); + static const byte extCertPolicyDodMediumNpe192Oid[] = + DOD_POLICY_TYPE_OID_BASE(38); + static const byte extCertPolicyDodMedium112Oid[] = + DOD_POLICY_TYPE_OID_BASE(39); + static const byte extCertPolicyDodMedium128Oid[] = + DOD_POLICY_TYPE_OID_BASE(40); + static const byte extCertPolicyDodMedium192Oid[] = + DOD_POLICY_TYPE_OID_BASE(41); + static const byte extCertPolicyDodMediumHardware112Oid[] = + DOD_POLICY_TYPE_OID_BASE(42); + static const byte extCertPolicyDodMediumHardware128Oid[] = + DOD_POLICY_TYPE_OID_BASE(43); + static const byte extCertPolicyDodMediumHardware192Oid[] = + DOD_POLICY_TYPE_OID_BASE(44); + static const byte extCertPolicyDodAdminOid[] = + DOD_POLICY_TYPE_OID_BASE(59); + static const byte extCertPolicyDodInternalNpe112Oid[] = + DOD_POLICY_TYPE_OID_BASE(60); + static const 
byte extCertPolicyDodInternalNpe128Oid[] = + DOD_POLICY_TYPE_OID_BASE(61); + static const byte extCertPolicyDodInternalNpe192Oid[] = + /* ECA PKI OIDs - 2.16.840.1.101.3.2.1.12.X */ + #define ECA_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 12, num} + static const byte extCertPolicyEcaMediumOid[] = + ECA_POLICY_TYPE_OID_BASE(1); + static const byte extCertPolicyEcaMediumHardwareOid[] = + ECA_POLICY_TYPE_OID_BASE(2); + static const byte extCertPolicyEcaMediumTokenOid[] = + ECA_POLICY_TYPE_OID_BASE(3); + static const byte extCertPolicyEcaMediumSha256Oid[] = + ECA_POLICY_TYPE_OID_BASE(4); + static const byte extCertPolicyEcaMediumTokenSha256Oid[] = + ECA_POLICY_TYPE_OID_BASE(5); + static const byte extCertPolicyEcaMediumHardwarePiviOid[] = + ECA_POLICY_TYPE_OID_BASE(6); + static const byte extCertPolicyEcaContentSigningPiviOid[] = + ECA_POLICY_TYPE_OID_BASE(8); + static const byte extCertPolicyEcaMediumDeviceSha256Oid[] = + ECA_POLICY_TYPE_OID_BASE(9); + static const byte extCertPolicyEcaMediumHardwareSha256Oid[] = + ECA_POLICY_TYPE_OID_BASE(10); + DOD_POLICY_TYPE_OID_BASE(62); + /* Verizon/Cybertrust Federal SSP PKI OIDs - 2.16.840.1.101.3.2.1.3.X */ + #define VERIZON_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 3, num} + static const byte extCertPolicyVerizonCommonHwOid[] = + VERIZON_POLICY_TYPE_OID_BASE(7); + static const byte extCertPolicyVerizonCommonAuthOid[] = + VERIZON_POLICY_TYPE_OID_BASE(13); + static const byte extCertPolicyVerizonCommonPivCsOid[] = + VERIZON_POLICY_TYPE_OID_BASE(39); + + /* WidePoint Federal SSP PKI OIDs - 2.16.840.1.101.3.2.1.3.X */ + #define WIDEPOINT_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 3, num} + static const byte extCertPolicyWidepointCommonHwOid[] = + WIDEPOINT_POLICY_TYPE_OID_BASE(7); + static const byte extCertPolicyWidepointCommonAuthOid[] = + WIDEPOINT_POLICY_TYPE_OID_BASE(13); + static const byte extCertPolicyWidepointCommonDevHwOid[] = + WIDEPOINT_POLICY_TYPE_OID_BASE(36); + static 
const byte extCertPolicyWidepointCommonPivCsOid[] = + WIDEPOINT_POLICY_TYPE_OID_BASE(39); + + /* IdenTrust NFI OIDs - 2.16.840.1.113839.0.100.X.Y */ + #define IDENTRUST_POLICY_TYPE_OID_BASE(num1, num2) {96, 134, 72, 1, 129, 113, 67, 0, 100, num1, num2} + static const byte extCertPolicyIdentrustMediumhwSignOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(12, 1); + static const byte extCertPolicyIdentrustMediumhwEncOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(12, 2); + static const byte extCertPolicyIdentrustPiviHwIdOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(18, 0); + static const byte extCertPolicyIdentrustPiviHwSignOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(18, 1); + static const byte extCertPolicyIdentrustPiviHwEncOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(18, 2); + static const byte extCertPolicyIdentrustPiviContentOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(20, 1); + + /* TSCP Bridge OIDs - 1.3.6.1.4.1.38099.1.1.1.X */ + #define TSCP_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 131, 59, 35, 1, 1, 1, num} + static const byte extCertPolicyTscpMediumhwOid[] = + TSCP_POLICY_TYPE_OID_BASE(2); + static const byte extCertPolicyTscpPiviOid[] = + TSCP_POLICY_TYPE_OID_BASE(5); + static const byte extCertPolicyTscpPiviContentOid[] = + TSCP_POLICY_TYPE_OID_BASE(7); + + /* Carillon Federal Services OIDs - 1.3.6.1.4.1.45606.3.1.X */ + #define CARILLON_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 131, 59, 178, 38, 3, 1, num} + static const byte extCertPolicyCarillonMediumhw256Oid[] = + CARILLON_POLICY_TYPE_OID_BASE(12); + static const byte extCertPolicyCarillonAivhwOid[] = + CARILLON_POLICY_TYPE_OID_BASE(20); + static const byte extCertPolicyCarillonAivcontentOid[] = + CARILLON_POLICY_TYPE_OID_BASE(22); + + /* Carillon Information Security OIDs - 1.3.6.1.4.1.25054.3.1.X */ + #define CIS_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 131, 59, 97, 230, 3, 1, num} + static const byte extCertPolicyCisMediumhw256Oid[] = + CIS_POLICY_TYPE_OID_BASE(12); + static const byte extCertPolicyCisMeddevhw256Oid[] = + 
CIS_POLICY_TYPE_OID_BASE(14); + static const byte extCertPolicyCisIcecapHwOid[] = + CIS_POLICY_TYPE_OID_BASE(20); + static const byte extCertPolicyCisIcecapContentOid[] = + CIS_POLICY_TYPE_OID_BASE(22); + + /* CertiPath Bridge OIDs - 1.3.6.1.4.1.24019.1.1.1.X */ + #define CERTIPATH_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 131, 59, 93, 227, 1, 1, 1, num} + static const byte extCertPolicyCertipathMediumhwOid[] = + CERTIPATH_POLICY_TYPE_OID_BASE(2); + static const byte extCertPolicyCertipathHighhwOid[] = + CERTIPATH_POLICY_TYPE_OID_BASE(3); + static const byte extCertPolicyCertipathIcecapHwOid[] = + CERTIPATH_POLICY_TYPE_OID_BASE(7); + static const byte extCertPolicyCertipathIcecapContentOid[] = + CERTIPATH_POLICY_TYPE_OID_BASE(9); + static const byte extCertPolicyCertipathVarMediumhwOid[] = + CERTIPATH_POLICY_TYPE_OID_BASE(18); + static const byte extCertPolicyCertipathVarHighhwOid[] = + CERTIPATH_POLICY_TYPE_OID_BASE(19); #endif /* WOLFSSL_FPKI */ /* certAltNameType */ 
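Review bot: The base-128 arcs in the TSCP, Carillon, CIS, CertiPath and IdenTrust base macros do not encode the numbers their comments name, so none of those arrays can ever match a policy OID parsed from a certificate: 38099 is `130, 169, 83`, 45606 is `130, 228, 38`, 25054 is `129, 195, 94`, 24019 is `129, 187, 83` and 113839 is `134, 249, 47`, whereas the `131, 59, …` prefixes used here decode to unrelated values. The sums given for these policies in the asn.h hunk (442 for CP_TSCP_MEDIUMHW_OID, 467 for CP_CARILLON_MEDIUMHW_256_OID, 489 for CP_CIS_MEDIUMHW_256_OID, 459 for CP_CERTIPATH_MEDIUMHW_OID, 846 for CP_IDENTRUST_MEDIUMHW_SIGN_OID) are only reproduced by the corrected bytes below, so header and arrays currently disagree. Separately, `DOD_POLICY_TYPE_OID_BASE(62);` ended up after the ECA block, leaving `extCertPolicyDodInternalNpe192Oid[] =` unterminated and turning the ECA declarations into a syntax error; the third patch in this series moves it back, and from what is visible it also removes the IdenTrust arrays and starts removing the TSCP ones, so whichever of these bases survive need the corrected bytes. A test that sums each array and compares the result with its CertificatePolicy_Sum constant would catch both kinds of mismatch.
```c
/* … unchanged: DoD and ECA bases and arrays … */
#define IDENTRUST_POLICY_TYPE_OID_BASE(num1, num2) {96, 134, 72, 1, 134, 249, 47, 0, 100, num1, num2}
/* … unchanged: IdenTrust arrays … */
#define TSCP_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 130, 169, 83, 1, 1, 1, num}
/* … unchanged: TSCP arrays … */
#define CARILLON_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 130, 228, 38, 3, 1, num}
/* … unchanged: Carillon arrays … */
#define CIS_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 129, 195, 94, 3, 1, num}
/* … unchanged: CIS arrays … */
#define CERTIPATH_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 129, 187, 83, 1, 1, 1, num}
/* … unchanged: CertiPath arrays … */
```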
@@ -5313,6 +5455,257 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extCertPolicyFpkiPiviAuthOid; *oidSz = sizeof(extCertPolicyFpkiPiviAuthOid); break; + case CP_DOD_MEDIUM_OID: + oid = extCertPolicyDodMediumOid; + *oidSz = sizeof(extCertPolicyDodMediumOid); + break; + case CP_DOD_MEDIUM_HARDWARE_OID: + oid = extCertPolicyDodMediumHardwareOid; + *oidSz = sizeof(extCertPolicyDodMediumHardwareOid); + break; + case CP_DOD_PIV_AUTH_OID: + oid = extCertPolicyDodPivAuthOid; + *oidSz = sizeof(extCertPolicyDodPivAuthOid); + break; + case CP_DOD_MEDIUM_NPE_OID: + oid = extCertPolicyDodMediumNpeOid; + *oidSz = sizeof(extCertPolicyDodMediumNpeOid); + break; + case CP_DOD_MEDIUM_2048_OID: + oid = extCertPolicyDodMedium2048Oid; + *oidSz = sizeof(extCertPolicyDodMedium2048Oid); + break; + case CP_DOD_MEDIUM_HARDWARE_2048_OID: + oid = extCertPolicyDodMediumHardware2048Oid; + *oidSz = sizeof(extCertPolicyDodMediumHardware2048Oid); + break; + case CP_DOD_PIV_AUTH_2048_OID: + oid = extCertPolicyDodPivAuth2048Oid; + *oidSz = sizeof(extCertPolicyDodPivAuth2048Oid); + break; + case CP_DOD_PEER_INTEROP_OID: + oid = extCertPolicyDodPeerInteropOid; + *oidSz = sizeof(extCertPolicyDodPeerInteropOid); + break; + case CP_DOD_MEDIUM_NPE_112_OID: + oid = extCertPolicyDodMediumNpe112Oid; + *oidSz = sizeof(extCertPolicyDodMediumNpe112Oid); + break; + case CP_DOD_MEDIUM_NPE_128_OID: + oid = extCertPolicyDodMediumNpe128Oid; + *oidSz = sizeof(extCertPolicyDodMediumNpe128Oid); + break; + case CP_DOD_MEDIUM_NPE_192_OID: + oid = extCertPolicyDodMediumNpe192Oid; + *oidSz = sizeof(extCertPolicyDodMediumNpe192Oid); + break; + case CP_DOD_MEDIUM_112_OID: + oid = extCertPolicyDodMedium112Oid; + *oidSz = sizeof(extCertPolicyDodMedium112Oid); + break; + case CP_DOD_MEDIUM_128_OID: + oid = extCertPolicyDodMedium128Oid; + *oidSz = sizeof(extCertPolicyDodMedium128Oid); + break; + case CP_DOD_MEDIUM_192_OID: + oid = extCertPolicyDodMedium192Oid; + *oidSz = 
sizeof(extCertPolicyDodMedium192Oid); + break; + case CP_DOD_MEDIUM_HARDWARE_112_OID: + oid = extCertPolicyDodMediumHardware112Oid; + *oidSz = sizeof(extCertPolicyDodMediumHardware112Oid); + break; + case CP_DOD_MEDIUM_HARDWARE_128_OID: + oid = extCertPolicyDodMediumHardware128Oid; + *oidSz = sizeof(extCertPolicyDodMediumHardware128Oid); + break; + case CP_DOD_MEDIUM_HARDWARE_192_OID: + oid = extCertPolicyDodMediumHardware192Oid; + *oidSz = sizeof(extCertPolicyDodMediumHardware192Oid); + break; + case CP_DOD_ADMIN_OID: + oid = extCertPolicyDodAdminOid; + *oidSz = sizeof(extCertPolicyDodAdminOid); + break; + case CP_DOD_INTERNAL_NPE_112_OID: + oid = extCertPolicyDodInternalNpe112Oid; + *oidSz = sizeof(extCertPolicyDodInternalNpe112Oid); + break; + case CP_DOD_INTERNAL_NPE_128_OID: + oid = extCertPolicyDodInternalNpe128Oid; + *oidSz = sizeof(extCertPolicyDodInternalNpe128Oid); + break; + case CP_DOD_INTERNAL_NPE_192_OID: + oid = extCertPolicyDodInternalNpe192Oid; + *oidSz = sizeof(extCertPolicyDodInternalNpe192Oid); + break; + case CP_ECA_MEDIUM_OID: + oid = extCertPolicyEcaMediumOid; + *oidSz = sizeof(extCertPolicyEcaMediumOid); + break; + case CP_ECA_MEDIUM_HARDWARE_OID: + oid = extCertPolicyEcaMediumHardwareOid; + *oidSz = sizeof(extCertPolicyEcaMediumHardwareOid); + break; + case CP_ECA_MEDIUM_TOKEN_OID: + oid = extCertPolicyEcaMediumTokenOid; + *oidSz = sizeof(extCertPolicyEcaMediumTokenOid); + break; + case CP_ECA_MEDIUM_SHA256_OID: + oid = extCertPolicyEcaMediumSha256Oid; + *oidSz = sizeof(extCertPolicyEcaMediumSha256Oid); + break; + case CP_ECA_MEDIUM_TOKEN_SHA256_OID: + oid = extCertPolicyEcaMediumTokenSha256Oid; + *oidSz = sizeof(extCertPolicyEcaMediumTokenSha256Oid); + break; + case CP_ECA_MEDIUM_HARDWARE_PIVI_OID: + oid = extCertPolicyEcaMediumHardwarePiviOid; + *oidSz = sizeof(extCertPolicyEcaMediumHardwarePiviOid); + break; + case CP_ECA_CONTENT_SIGNING_PIVI_OID: + oid = extCertPolicyEcaContentSigningPiviOid; + *oidSz = 
sizeof(extCertPolicyEcaContentSigningPiviOid); + break; + case CP_ECA_MEDIUM_DEVICE_SHA256_OID: + oid = extCertPolicyEcaMediumDeviceSha256Oid; + *oidSz = sizeof(extCertPolicyEcaMediumDeviceSha256Oid); + break; + case CP_ECA_MEDIUM_HARDWARE_SHA256_OID: + oid = extCertPolicyEcaMediumHardwareSha256Oid; + *oidSz = sizeof(extCertPolicyEcaMediumHardwareSha256Oid); + break; + + /* New PKI OIDs added below */ + /* Verizon/Cybertrust Federal SSP PKI OIDs */ + case CP_VERIZON_COMMON_HW_OID: + oid = extCertPolicyVerizonCommonHwOid; + *oidSz = sizeof(extCertPolicyVerizonCommonHwOid); + break; + case CP_VERIZON_COMMON_AUTH_OID: + oid = extCertPolicyVerizonCommonAuthOid; + *oidSz = sizeof(extCertPolicyVerizonCommonAuthOid); + break; + case CP_VERIZON_COMMON_PIV_CS_OID: + oid = extCertPolicyVerizonCommonPivCsOid; + *oidSz = sizeof(extCertPolicyVerizonCommonPivCsOid); + break; + + /* WidePoint Federal SSP PKI OIDs */ + case CP_WIDEPOINT_COMMON_HW_OID: + oid = extCertPolicyWidepointCommonHwOid; + *oidSz = sizeof(extCertPolicyWidepointCommonHwOid); + break; + case CP_WIDEPOINT_COMMON_AUTH_OID: + oid = extCertPolicyWidepointCommonAuthOid; + *oidSz = sizeof(extCertPolicyWidepointCommonAuthOid); + break; + case CP_WIDEPOINT_COMMON_DEV_HW_OID: + oid = extCertPolicyWidepointCommonDevHwOid; + *oidSz = sizeof(extCertPolicyWidepointCommonDevHwOid); + break; + case CP_WIDEPOINT_COMMON_PIV_CS_OID: + oid = extCertPolicyWidepointCommonPivCsOid; + *oidSz = sizeof(extCertPolicyWidepointCommonPivCsOid); + break; + + /* IdenTrust NFI OIDs */ + case CP_IDENTRUST_MEDIUMHW_SIGN_OID: + oid = extCertPolicyIdentrustMediumhwSignOid; + *oidSz = sizeof(extCertPolicyIdentrustMediumhwSignOid); + break; + case CP_IDENTRUST_MEDIUMHW_ENC_OID: + oid = extCertPolicyIdentrustMediumhwEncOid; + *oidSz = sizeof(extCertPolicyIdentrustMediumhwEncOid); + break; + case CP_IDENTRUST_PIVI_HW_ID_OID: + oid = extCertPolicyIdentrustPiviHwIdOid; + *oidSz = sizeof(extCertPolicyIdentrustPiviHwIdOid); + break; + case 
CP_IDENTRUST_PIVI_HW_SIGN_OID: + oid = extCertPolicyIdentrustPiviHwSignOid; + *oidSz = sizeof(extCertPolicyIdentrustPiviHwSignOid); + break; + case CP_IDENTRUST_PIVI_HW_ENC_OID: + oid = extCertPolicyIdentrustPiviHwEncOid; + *oidSz = sizeof(extCertPolicyIdentrustPiviHwEncOid); + break; + case CP_IDENTRUST_PIVI_CONTENT_OID: + oid = extCertPolicyIdentrustPiviContentOid; + *oidSz = sizeof(extCertPolicyIdentrustPiviContentOid); + break; + + /* TSCP Bridge OIDs */ + case CP_TSCP_MEDIUMHW_OID: + oid = extCertPolicyTscpMediumhwOid; + *oidSz = sizeof(extCertPolicyTscpMediumhwOid); + break; + case CP_TSCP_PIVI_OID: + oid = extCertPolicyTscpPiviOid; + *oidSz = sizeof(extCertPolicyTscpPiviOid); + break; + case CP_TSCP_PIVI_CONTENT_OID: + oid = extCertPolicyTscpPiviContentOid; + *oidSz = sizeof(extCertPolicyTscpPiviContentOid); + break; + + /* Carillon Federal Services OIDs */ + case CP_CARILLON_MEDIUMHW_256_OID: + oid = extCertPolicyCarillonMediumhw256Oid; + *oidSz = sizeof(extCertPolicyCarillonMediumhw256Oid); + break; + case CP_CARILLON_AIVHW_OID: + oid = extCertPolicyCarillonAivhwOid; + *oidSz = sizeof(extCertPolicyCarillonAivhwOid); + break; + case CP_CARILLON_AIVCONTENT_OID: + oid = extCertPolicyCarillonAivcontentOid; + *oidSz = sizeof(extCertPolicyCarillonAivcontentOid); + break; + + /* Carillon Information Security OIDs */ + case CP_CIS_MEDIUMHW_256_OID: + oid = extCertPolicyCisMediumhw256Oid; + *oidSz = sizeof(extCertPolicyCisMediumhw256Oid); + break; + case CP_CIS_MEDDEVHW_256_OID: + oid = extCertPolicyCisMeddevhw256Oid; + *oidSz = sizeof(extCertPolicyCisMeddevhw256Oid); + break; + case CP_CIS_ICECAP_HW_OID: + oid = extCertPolicyCisIcecapHwOid; + *oidSz = sizeof(extCertPolicyCisIcecapHwOid); + break; + case CP_CIS_ICECAP_CONTENT_OID: + oid = extCertPolicyCisIcecapContentOid; + *oidSz = sizeof(extCertPolicyCisIcecapContentOid); + break; + + /* CertiPath Bridge OIDs */ + case CP_CERTIPATH_MEDIUMHW_OID: + oid = extCertPolicyCertipathMediumhwOid; + *oidSz = 
sizeof(extCertPolicyCertipathMediumhwOid);
+ break;
+ case CP_CERTIPATH_HIGHHW_OID:
+ oid = extCertPolicyCertipathHighhwOid;
+ *oidSz = sizeof(extCertPolicyCertipathHighhwOid);
+ break;
+ case CP_CERTIPATH_ICECAP_HW_OID:
+ oid = extCertPolicyCertipathIcecapHwOid;
+ *oidSz = sizeof(extCertPolicyCertipathIcecapHwOid);
+ break;
+ case CP_CERTIPATH_ICECAP_CONTENT_OID:
+ oid = extCertPolicyCertipathIcecapContentOid;
+ *oidSz = sizeof(extCertPolicyCertipathIcecapContentOid);
+ break;
+ case CP_CERTIPATH_VAR_MEDIUMHW_OID:
+ oid = extCertPolicyCertipathVarMediumhwOid;
+ *oidSz = sizeof(extCertPolicyCertipathVarMediumhwOid);
+ break;
+ case CP_CERTIPATH_VAR_HIGHHW_OID:
+ oid = extCertPolicyCertipathVarHighhwOid;
+ *oidSz = sizeof(extCertPolicyCertipathVarHighhwOid);
+ break;
 #endif /* WOLFSSL_FPKI */
 default:
 break;
@@ -6016,6 +6409,9 @@ static int GetOID(const byte* input, word32* inOutIdx, word32* oid,
 checkOid = blkAes256CbcOid;
 checkOidSz = sizeof(blkAes256CbcOid);
 }
+ if (oidType == oidCertPolicyType) {
+ checkOid = fpkiCertPolOid(*oid, &checkOidSz, actualOid, actualOidSz);
+ }
 #endif /* HAVE_AES_CBC */
 #endif /* WOLFSSL_FPKI */
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index e5ac2d0af..4835386dc 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
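Review bot: The switch now has duplicate `case` values, which is a hard compile error: CP_DOD_MEDIUM_128_OID is 458, the same as CP_FPKI_PIVI_AUTH_OID whose case is visible in the context at the top of the hunk, CP_VERIZON_COMMON_HW_OID and CP_WIDEPOINT_COMMON_HW_OID are both 420, CP_CARILLON_AIVCONTENT_OID and CP_DOD_ADMIN_OID are both 477, and CP_CERTIPATH_MEDIUMHW_OID and CP_DOD_MEDIUM_192_OID are both 459 (values per the asn.h hunk). Removing the vendor-alias constants helps, but FPKI, DoD and ECA arcs collide with each other by construction because the id is a byte sum, so OidFromId cannot map every policy sum to one array; either policies need a key space that is not the sum, or the function's comment must state that only one array per sum is returned and that callers must compare the bytes against the parsed OID. Stylistically, 250 lines of `case X: oid = Y; *oidSz = sizeof(Y); break;` would be easier to audit as a static table of `{ id, oid, oidSz }` entries, which would also make the duplicate ids visible at a glance. OidFromId begins and ends outside this hunk.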
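Review bot: The new cert-policy lookup sits inside the block closed by `#endif /* HAVE_AES_CBC */` on the line after it, so unless that comment is misleading the lookup is only compiled when AES-CBC is enabled, which has nothing to do with FPKI policy handling; the three added lines should move below that `#endif` so they depend on `WOLFSSL_FPKI` alone. `fpkiCertPolOid`, `actualOid` and `actualOidSz` are not introduced by any hunk in this series, so if they are not already in the tree this will not compile, and the callee's contract (it apparently replaces `checkOid` and writes `checkOidSz`) is undocumented here. A comment such as `/* Policy sums collide (see CertificatePolicy_Sum); resolve the sum against the parsed OID bytes, never the sum alone */` would explain why this special case exists. GetOID begins and ends outside the hunk.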
@@ -1425,10 +1425,201 @@ enum Extensions_Sum {
 enum CertificatePolicy_Sum {
 CP_ANY_OID = 146, /* id-ce 32 0 */
 #ifdef WOLFSSL_FPKI
+ /* Federal PKI OIDs */
 CP_FPKI_COMMON_AUTH_OID = 426, /* 2.16.840.1.101.3.2.1.3.13 */
 CP_FPKI_PIV_AUTH_OID = 453, /* 2.16.840.1.101.3.2.1.3.40 */
 CP_FPKI_PIV_AUTH_HW_OID = 454, /* 2.16.840.1.101.3.2.1.3.41 */
 CP_FPKI_PIVI_AUTH_OID = 458, /* 2.16.840.1.101.3.2.1.3.45 */
+
+ /* DoD PKI OIDs */
+ CP_DOD_MEDIUM_OID = 423, /* 2.16.840.1.101.2.1.11.5 */
+ CP_DOD_MEDIUM_HARDWARE_OID = 427, /* 2.16.840.1.101.2.1.11.9 */
+ CP_DOD_PIV_AUTH_OID = 428, /* 2.16.840.1.101.2.1.11.10 */
+ CP_DOD_MEDIUM_NPE_OID = 435, /* 2.16.840.1.101.2.1.11.17 */
+ CP_DOD_MEDIUM_2048_OID = 436, /* 2.16.840.1.101.2.1.11.18 */
+ CP_DOD_MEDIUM_HARDWARE_2048_OID = 437, /* 2.16.840.1.101.2.1.11.19 */
+ CP_DOD_PIV_AUTH_2048_OID = 438, /* 2.16.840.1.101.2.1.11.20 */
+ CP_DOD_PEER_INTEROP_OID = 449, /* 2.16.840.1.101.2.1.11.31 */
+ CP_DOD_MEDIUM_NPE_112_OID = 454, /* 2.16.840.1.101.2.1.11.36 */
+ CP_DOD_MEDIUM_NPE_128_OID = 455, /* 2.16.840.1.101.2.1.11.37 */
+ CP_DOD_MEDIUM_NPE_192_OID = 456, /* 2.16.840.1.101.2.1.11.38 */
+ CP_DOD_MEDIUM_112_OID = 457, /* 2.16.840.1.101.2.1.11.39 */
+ CP_DOD_MEDIUM_128_OID = 458, /* 2.16.840.1.101.2.1.11.40 */
+ CP_DOD_MEDIUM_192_OID = 459, /* 2.16.840.1.101.2.1.11.41 */
+ CP_DOD_MEDIUM_HARDWARE_112_OID = 460, /* 2.16.840.1.101.2.1.11.42 */
+ CP_DOD_MEDIUM_HARDWARE_128_OID = 461, /* 2.16.840.1.101.2.1.11.43 */
+ CP_DOD_MEDIUM_HARDWARE_192_OID = 462, /* 2.16.840.1.101.2.1.11.44 */
+ CP_DOD_ADMIN_OID = 477, /* 2.16.840.1.101.2.1.11.59 */
+ CP_DOD_INTERNAL_NPE_112_OID = 478, /* 2.16.840.1.101.2.1.11.60 */
+ CP_DOD_INTERNAL_NPE_128_OID = 479, /* 2.16.840.1.101.2.1.11.61 */
+ CP_DOD_INTERNAL_NPE_192_OID = 480, /* 2.16.840.1.101.2.1.11.62 */
+
+ /* ECA PKI OIDs */
+ CP_ECA_MEDIUM_OID = 417, /* 2.16.840.1.101.3.2.1.12.1 */
+ CP_ECA_MEDIUM_HARDWARE_OID = 418, /* 2.16.840.1.101.3.2.1.12.2 */
+ CP_ECA_MEDIUM_TOKEN_OID = 419, /* 
2.16.840.1.101.3.2.1.12.3 */ + CP_ECA_MEDIUM_SHA256_OID = 420, /* 2.16.840.1.101.3.2.1.12.4 */ + CP_ECA_MEDIUM_TOKEN_SHA256_OID = 421, /* 2.16.840.1.101.3.2.1.12.5 */ + CP_ECA_MEDIUM_HARDWARE_PIVI_OID = 422, /* 2.16.840.1.101.3.2.1.12.6 */ + CP_ECA_CONTENT_SIGNING_PIVI_OID = 424, /* 2.16.840.1.101.3.2.1.12.8 */ + CP_ECA_MEDIUM_DEVICE_SHA256_OID = 425, /* 2.16.840.1.101.3.2.1.12.9 */ + CP_ECA_MEDIUM_HARDWARE_SHA256_OID = 426, /* 2.16.840.1.101.3.2.1.12.10 */ + + /* Federal PKI OIDs */ + CP_FPKI_HIGH_ASSURANCE_OID = 417, /* 2.16.840.1.101.3.2.1.3.4 */ + CP_FPKI_COMMON_HARDWARE_OID = 420, /* 2.16.840.1.101.3.2.1.3.7 */ + CP_FPKI_MEDIUM_HARDWARE_OID = 425, /* 2.16.840.1.101.3.2.1.3.12 */ + CP_FPKI_COMMON_HIGH_OID = 429, /* 2.16.840.1.101.3.2.1.3.16 */ + CP_FPKI_PIVI_HARDWARE_OID = 431, /* 2.16.840.1.101.3.2.1.3.18 */ + CP_FPKI_PIVI_CONTENT_SIGNING_OID = 433, /* 2.16.840.1.101.3.2.1.3.20 */ + CP_FPKI_COMMON_DEVICES_HARDWARE_OID = 449, /* 2.16.840.1.101.3.2.1.3.36 */ + CP_FPKI_MEDIUM_DEVICE_HARDWARE_OID = 451, /* 2.16.840.1.101.3.2.1.3.38 */ + CP_FPKI_COMMON_PIV_CONTENT_SIGNING_OID = 452, /* 2.16.840.1.101.3.2.1.3.39 */ + CP_FPKI_COMMON_PIV_AUTH_DERIVED_HARDWARE_OID = 454, /* 2.16.840.1.101.3.2.1.3.41 */ + CP_FPKI_COMMON_PIVI_CONTENT_SIGNING_OID = 460, /* 2.16.840.1.101.3.2.1.3.47 */ + + /* Entrust Federal SSP PKI OIDs - shares OIDs with Federal PKI */ + /* DigiCert Federal SSP PKI OIDs - shares OIDs with Federal PKI */ + /* Verizon/Cybertrust Federal SSP PKI OIDs - shares OIDs with Federal PKI */ + /* WidePoint Federal SSP PKI OIDs - shares OIDs with Federal PKI */ + + /* Department of State PKI OIDs */ + CP_STATE_HIGH_OID = 420, /* 2.16.840.1.101.3.2.1.6.4 */ + CP_STATE_MEDHW_OID = 428, /* 2.16.840.1.101.3.2.1.6.12 */ + CP_STATE_MEDDEVHW_OID = 454, /* 2.16.840.1.101.3.2.1.6.38 */ + + /* U.S. 
Treasury SSP PKI OIDs */ + CP_TREAS_MEDIUMHW_OID = 419, /* 2.16.840.1.101.3.2.1.5.4 */ + CP_TREAS_HIGH_OID = 420, /* 2.16.840.1.101.3.2.1.5.5 */ + CP_TREAS_PIVI_HW_OID = 425, /* 2.16.840.1.101.3.2.1.5.10 */ + CP_TREAS_PIVI_CONTENT_OID = 427, /* 2.16.840.1.101.3.2.1.5.12 */ + + /* Boeing PKI OIDs */ + CP_BOEING_MEDIUMHW_SHA256_OID = 159, /* 1.3.6.1.4.1.73.15.3.1.12 */ + CP_BOEING_MEDIUMHW_CONTENT_SHA256_OID = 164, /* 1.3.6.1.4.1.73.15.3.1.17 */ + + /* Carillon Federal Services OIDs */ + CP_CARILLON_MEDIUMHW_256_OID = 467, /* 1.3.6.1.4.1.45606.3.1.12 */ + CP_CARILLON_AIVHW_OID = 475, /* 1.3.6.1.4.1.45606.3.1.20 */ + CP_CARILLON_AIVCONTENT_OID = 477, /* 1.3.6.1.4.1.45606.3.1.22 */ + + /* Carillon Information Security OIDs */ + CP_CIS_MEDIUMHW_256_OID = 489, /* 1.3.6.1.4.1.25054.3.1.12 */ + CP_CIS_MEDDEVHW_256_OID = 491, /* 1.3.6.1.4.1.25054.3.1.14 */ + CP_CIS_ICECAP_HW_OID = 497, /* 1.3.6.1.4.1.25054.3.1.20 */ + CP_CIS_ICECAP_CONTENT_OID = 499, /* 1.3.6.1.4.1.25054.3.1.22 */ + + /* CertiPath Bridge OIDs */ + CP_CERTIPATH_MEDIUMHW_OID = 459, /* 1.3.6.1.4.1.24019.1.1.1.2 */ + CP_CERTIPATH_HIGHHW_OID = 460, /* 1.3.6.1.4.1.24019.1.1.1.3 */ + CP_CERTIPATH_ICECAP_HW_OID = 464, /* 1.3.6.1.4.1.24019.1.1.1.7 */ + CP_CERTIPATH_ICECAP_CONTENT_OID = 466, /* 1.3.6.1.4.1.24019.1.1.1.9 */ + CP_CERTIPATH_VAR_MEDIUMHW_OID = 475, /* 1.3.6.1.4.1.24019.1.1.1.18 */ + CP_CERTIPATH_VAR_HIGHHW_OID = 476, /* 1.3.6.1.4.1.24019.1.1.1.19 */ + + /* TSCP Bridge OIDs */ + CP_TSCP_MEDIUMHW_OID = 442, /* 1.3.6.1.4.1.38099.1.1.1.2 */ + CP_TSCP_PIVI_OID = 445, /* 1.3.6.1.4.1.38099.1.1.1.5 */ + CP_TSCP_PIVI_CONTENT_OID = 447, /* 1.3.6.1.4.1.38099.1.1.1.7 */ + + /* DigiCert NFI PKI OIDs */ + CP_DIGICERT_NFSSP_MEDIUMHW_OID = 796, /* 2.16.840.1.113733.1.7.23.3.1.7 */ + CP_DIGICERT_NFSSP_AUTH_OID = 802, /* 2.16.840.1.113733.1.7.23.3.1.13 */ + CP_DIGICERT_NFSSP_PIVI_HW_OID = 807, /* 2.16.840.1.113733.1.7.23.3.1.18 */ + CP_DIGICERT_NFSSP_PIVI_CONTENT_OID = 809, /* 2.16.840.1.113733.1.7.23.3.1.20 */ + 
CP_DIGICERT_NFSSP_MEDDEVHW_OID = 825, /* 2.16.840.1.113733.1.7.23.3.1.36 */ + + /* Entrust Managed Services NFI PKI OIDs */ + CP_ENTRUST_NFSSP_MEDIUMHW_OID = 1017, /* 2.16.840.1.114027.200.3.10.7.2 */ + CP_ENTRUST_NFSSP_MEDAUTH_OID = 1019, /* 2.16.840.1.114027.200.3.10.7.4 */ + CP_ENTRUST_NFSSP_PIVI_HW_OID = 1021, /* 2.16.840.1.114027.200.3.10.7.6 */ + CP_ENTRUST_NFSSP_PIVI_CONTENT_OID = 1024, /* 2.16.840.1.114027.200.3.10.7.9 */ + CP_ENTRUST_NFSSP_MEDDEVHW_OID = 1031, /* 2.16.840.1.114027.200.3.10.7.16 */ + + /* Exostar LLC PKI OIDs */ + CP_EXOSTAR_MEDIUMHW_SHA2_OID = 424, /* 1.3.6.1.4.1.13948.1.1.1.6 */ + + /* IdenTrust NFI OIDs */ + CP_IDENTRUST_MEDIUMHW_SIGN_OID = 846, /* 2.16.840.1.113839.0.100.12.1 */ + CP_IDENTRUST_MEDIUMHW_ENC_OID = 847, /* 2.16.840.1.113839.0.100.12.2 */ + CP_IDENTRUST_PIVI_HW_ID_OID = 851, /* 2.16.840.1.113839.0.100.18.0 */ + CP_IDENTRUST_PIVI_HW_SIGN_OID = 852, /* 2.16.840.1.113839.0.100.18.1 */ + CP_IDENTRUST_PIVI_HW_ENC_OID = 853, /* 2.16.840.1.113839.0.100.18.2 */ + CP_IDENTRUST_PIVI_CONTENT_OID = 854, /* 2.16.840.1.113839.0.100.20.1 */ + + /* Lockheed Martin PKI OIDs */ + CP_LOCKHEED_MEDIUMHW_OID = 266, /* 1.3.6.1.4.1.103.100.1.1.3.3 */ + + /* Northrop Grumman PKI OIDs */ + CP_NORTHROP_MEDIUM_256_HW_OID = 654, /* 1.3.6.1.4.1.16334.509.2.8 */ + CP_NORTHROP_PIVI_256_HW_OID = 655, /* 1.3.6.1.4.1.16334.509.2.9 */ + CP_NORTHROP_PIVI_256_CONTENT_OID = 657, /* 1.3.6.1.4.1.16334.509.2.11 */ + CP_NORTHROP_MEDIUM_384_HW_OID = 660, /* 1.3.6.1.4.1.16334.509.2.14 */ + + /* Raytheon PKI OIDs */ + CP_RAYTHEON_MEDIUMHW_OID = 251, /* 1.3.6.1.4.1.1569.10.1.12 */ + CP_RAYTHEON_MEDDEVHW_OID = 257, /* 1.3.6.1.4.1.1569.10.1.18 */ + CP_RAYTHEON_SHA2_MEDIUMHW_OID = 433, /* 1.3.6.1.4.1.26769.10.1.12 */ + CP_RAYTHEON_SHA2_MEDDEVHW_OID = 439, /* 1.3.6.1.4.1.26769.10.1.18 */ + + /* WidePoint NFI PKI OIDs */ + CP_WIDEPOINT_MEDIUMHW_OID = 310, /* 1.3.6.1.4.1.3922.1.1.1.12 */ + CP_WIDEPOINT_PIVI_HW_OID = 316, /* 1.3.6.1.4.1.3922.1.1.1.18 */ + 
CP_WIDEPOINT_PIVI_CONTENT_OID = 318, /* 1.3.6.1.4.1.3922.1.1.1.20 */ + CP_WIDEPOINT_MEDDEVHW_OID = 336, /* 1.3.6.1.4.1.3922.1.1.1.38 */ + + /* Australian Defence Organisation PKI OIDs */ + CP_ADO_MEDIUM_OID = 293, /* 1.2.36.1.334.1.2.1.2 */ + CP_ADO_HIGH_OID = 294, /* 1.2.36.1.334.1.2.1.3 */ + CP_ADO_RESOURCE_MEDIUM_OID = 294, /* 1.2.36.1.334.1.2.2.2 */ + + /* Netherlands Ministry of Defence PKI OIDs */ + CP_NL_MOD_AUTH_OID = 1001, /* 2.16.528.1.1003.1.2.5.1 */ + CP_NL_MOD_IRREFUT_OID = 1002, /* 2.16.528.1.1003.1.2.5.2 */ + CP_NL_MOD_CONFID_OID = 1003, /* 2.16.528.1.1003.1.2.5.3 */ + + /* Verizon/Cybertrust Federal SSP PKI OIDs */ + CP_VERIZON_COMMON_HW_OID = 420, /* 2.16.840.1.101.3.2.1.3.7 */ + CP_VERIZON_COMMON_AUTH_OID = 426, /* 2.16.840.1.101.3.2.1.3.13 */ + CP_VERIZON_COMMON_PIV_CS_OID = 452, /* 2.16.840.1.101.3.2.1.3.39 */ + + /* WidePoint Federal SSP PKI OIDs */ + CP_WIDEPOINT_COMMON_HW_OID = 420, /* 2.16.840.1.101.3.2.1.3.7 */ + CP_WIDEPOINT_COMMON_AUTH_OID = 426, /* 2.16.840.1.101.3.2.1.3.13 */ + CP_WIDEPOINT_COMMON_DEV_HW_OID = 449, /* 2.16.840.1.101.3.2.1.3.36 */ + CP_WIDEPOINT_COMMON_PIV_CS_OID = 452, /* 2.16.840.1.101.3.2.1.3.39 */ + + /* IdenTrust NFI OIDs */ + CP_IDENTRUST_MEDIUMHW_SIGN_OID = 846, /* 2.16.840.1.113839.0.100.12.1 */ + CP_IDENTRUST_MEDIUMHW_ENC_OID = 847, /* 2.16.840.1.113839.0.100.12.2 */ + CP_IDENTRUST_PIVI_HW_ID_OID = 851, /* 2.16.840.1.113839.0.100.18.0 */ + CP_IDENTRUST_PIVI_HW_SIGN_OID = 852, /* 2.16.840.1.113839.0.100.18.1 */ + CP_IDENTRUST_PIVI_HW_ENC_OID = 853, /* 2.16.840.1.113839.0.100.18.2 */ + CP_IDENTRUST_PIVI_CONTENT_OID = 854, /* 2.16.840.1.113839.0.100.20.1 */ + + /* TSCP Bridge OIDs */ + CP_TSCP_MEDIUMHW_OID = 348, /* 1.3.6.1.4.1.38099.1.1.1.2 */ + CP_TSCP_PIVI_OID = 351, /* 1.3.6.1.4.1.38099.1.1.1.5 */ + CP_TSCP_PIVI_CONTENT_OID = 353, /* 1.3.6.1.4.1.38099.1.1.1.7 */ + + /* Carillon Federal Services OIDs */ + CP_CARILLON_MEDIUMHW_256_OID = 358, /* 1.3.6.1.4.1.45606.3.1.12 */ + CP_CARILLON_AIVHW_OID = 366, /* 
1.3.6.1.4.1.45606.3.1.20 */
+ CP_CARILLON_AIVCONTENT_OID = 368, /* 1.3.6.1.4.1.45606.3.1.22 */
+
+ /* Carillon Information Security OIDs */
+ CP_CIS_MEDIUMHW_256_OID = 358, /* 1.3.6.1.4.1.25054.3.1.12 */
+ CP_CIS_MEDDEVHW_256_OID = 360, /* 1.3.6.1.4.1.25054.3.1.14 */
+ CP_CIS_ICECAP_HW_OID = 366, /* 1.3.6.1.4.1.25054.3.1.20 */
+ CP_CIS_ICECAP_CONTENT_OID = 368, /* 1.3.6.1.4.1.25054.3.1.22 */
+
+ /* CertiPath Bridge OIDs */
+ CP_CERTIPATH_MEDIUMHW_OID = 348, /* 1.3.6.1.4.1.24019.1.1.1.2 */
+ CP_CERTIPATH_HIGHHW_OID = 349, /* 1.3.6.1.4.1.24019.1.1.1.3 */
+ CP_CERTIPATH_ICECAP_HW_OID = 353, /* 1.3.6.1.4.1.24019.1.1.1.7 */
+ CP_CERTIPATH_ICECAP_CONTENT_OID = 355, /* 1.3.6.1.4.1.24019.1.1.1.9 */
+ CP_CERTIPATH_VAR_MEDIUMHW_OID = 364, /* 1.3.6.1.4.1.24019.1.1.1.18 */
+ CP_CERTIPATH_VAR_HIGHHW_OID = 365, /* 1.3.6.1.4.1.24019.1.1.1.19 */
 #endif /* WOLFSSL_FPKI */
 WOLF_ENUM_DUMMY_LAST_ELEMENT(CertificatePolicy_Sum)
 };
From a911f70049b9c7f3bf7fc1a3884826712e379b18 Mon Sep 17 00:00:00 2001 From: Devin AI Date: Tue, 25 Mar 2025 13:38:52 -0700 Subject: [PATCH 2/9] Add other federal PKI OIDs. Co-Authored-By: kareem@wolfssl.com --- wolfcrypt/src/asn.c | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 9ae27ceb8..8f292520b 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
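Review bot: Several enumerators are declared twice inside this enum — CP_IDENTRUST_*, CP_TSCP_*, CP_CARILLON_*, CP_CIS_* and CP_CERTIPATH_* all appear in both the middle and the tail of the hunk, and the second copies carry different values (`CP_TSCP_MEDIUMHW_OID = 442` and later `= 348`, `CP_CARILLON_MEDIUMHW_256_OID = 467` and later `= 358`), which is an enumerator redeclaration error; the first set is the one whose values match a correct DER encoding of the commented OIDs, so the tail block should go. The ECA values also disagree with the arrays added to asn.c: `ECA_POLICY_TYPE_OID_BASE(1)` sums to 423, not 417, which would make CP_ECA_MEDIUM_OID collide with `CP_DOD_MEDIUM_OID = 423`, and the same offset affects the whole ECA block. Most of the other vendor blocks (State, Treasury, Boeing, DigiCert, Entrust, Exostar, Lockheed, Northrop, Raytheon, WidePoint NFI, ADO, NL MoD) have no byte array and no OidFromId case anywhere in this series, so the parser can never yield them. Because the id is a byte sum, distinct OIDs share a value — `CP_ADO_HIGH_OID` and `CP_ADO_RESOURCE_MEDIUM_OID` are both 294, and 454 is used by CP_FPKI_PIV_AUTH_HW_OID, CP_DOD_MEDIUM_NPE_112_OID, CP_STATE_MEDDEVHW_OID and CP_FPKI_COMMON_PIV_AUTH_DERIVED_HARDWARE_OID (which re-lists the .41 arc under a second name) — so a policy check keyed on the sum alone could accept a certificate asserting a different policy than the one required. I would open the FPKI section with a comment such as `/* Sums below are NOT unique across policies; a sum match must be confirmed against the full encoded OID before it is treated as that policy */`.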
@@ -4498,8 +4498,20 @@ static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2};
 static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 #ifdef WOLFSSL_FPKI
 #define CERT_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 3, num}
+ static const byte extCertPolicyFpkiHighAssuranceOid[] =
+ CERT_POLICY_TYPE_OID_BASE(4);
+ static const byte extCertPolicyFpkiCommonHardwareOid[] =
+ CERT_POLICY_TYPE_OID_BASE(7);
+ static const byte extCertPolicyFpkiMediumHardwareOid[] =
+ CERT_POLICY_TYPE_OID_BASE(12);
 static const byte extCertPolicyFpkiCommonAuthOid[] =
 CERT_POLICY_TYPE_OID_BASE(13);
+ static const byte extCertPolicyFpkiCommonHighOid[] =
+ CERT_POLICY_TYPE_OID_BASE(16);
+ static const byte extCertPolicyFpkiCommonDevicesHardwareOid[] =
+ CERT_POLICY_TYPE_OID_BASE(36);
+ static const byte extCertPolicyFpkiCommonPivContentSigningOid[] =
+ CERT_POLICY_TYPE_OID_BASE(39);
 static const byte extCertPolicyFpkiPivAuthOid[] =
 CERT_POLICY_TYPE_OID_BASE(40);
 static const byte extCertPolicyFpkiPivAuthHwOid[] =
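Review bot: Documentation: the six new arrays carry no per-OID comment, unlike the enum in asn.h where every constant is annotated with its dotted OID, so a reader of asn.c cannot tell which policy `CERT_POLICY_TYPE_OID_BASE(16)` is without cross-referencing the header. I would put a comment above the group, `/* Federal PKI Common Policy OIDs - 2.16.840.1.101.3.2.1.3.X; the SSP CAs (Entrust, DigiCert, Verizon, WidePoint) assert these same arcs */`, mirroring the DoD and ECA comments added by the previous commit. Note also that after this commit arcs 7, 13, 36 and 39 each exist two or three times in the file, because the previous commit's `VERIZON_POLICY_TYPE_OID_BASE` and `WIDEPOINT_POLICY_TYPE_OID_BASE` expand to exactly the same bytes as `CERT_POLICY_TYPE_OID_BASE`; the third patch in the series deletes those copies, which is the right resolution.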
@@ -5439,6 +5451,30 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 *oidSz = sizeof(extCertPolicyAnyOid);
 break;
 #if defined(WOLFSSL_FPKI)
+ case CP_FPKI_HIGH_ASSURANCE_OID:
+ oid = extCertPolicyFpkiHighAssuranceOid;
+ *oidSz = sizeof(extCertPolicyFpkiHighAssuranceOid);
+ break;
+ case CP_FPKI_COMMON_HARDWARE_OID:
+ oid = extCertPolicyFpkiCommonHardwareOid;
+ *oidSz = sizeof(extCertPolicyFpkiCommonHardwareOid);
+ break;
+ case CP_FPKI_MEDIUM_HARDWARE_OID:
+ oid = extCertPolicyFpkiMediumHardwareOid;
+ *oidSz = sizeof(extCertPolicyFpkiMediumHardwareOid);
+ break;
+ case CP_FPKI_COMMON_HIGH_OID:
+ oid = extCertPolicyFpkiCommonHighOid;
+ *oidSz = sizeof(extCertPolicyFpkiCommonHighOid);
+ break;
+ case CP_FPKI_COMMON_DEVICES_HARDWARE_OID:
+ oid = extCertPolicyFpkiCommonDevicesHardwareOid;
+ *oidSz = sizeof(extCertPolicyFpkiCommonDevicesHardwareOid);
+ break;
+ case CP_FPKI_COMMON_PIV_CONTENT_SIGNING_OID:
+ oid = extCertPolicyFpkiCommonPivContentSigningOid;
+ *oidSz = sizeof(extCertPolicyFpkiCommonPivContentSigningOid);
+ break;
 case CP_FPKI_COMMON_AUTH_OID:
 oid = extCertPolicyFpkiCommonAuthOid;
 *oidSz = sizeof(extCertPolicyFpkiCommonAuthOid);
From 6daaaec6e2e9210c38389ad12fb50aa4695d6854 Mon Sep 17 00:00:00 2001 From: Kareem Date: Tue, 25 Mar 2025 13:39:38 -0700 Subject: [PATCH 3/9] WIP: clean up Devin's work, remove duplicate OIDs, handle OID sum collisions --- wolfcrypt/src/asn.c | 104 +++++++++++----------------------------- wolfssl/wolfcrypt/asn.h | 64 ++++--------------------- 2 files changed, 37 insertions(+), 131 deletions(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 8f292520b..459e82edc 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
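Review bot: The new `case` labels collide with values already in this switch after the previous commit, which makes the switch ill-formed: CP_FPKI_HIGH_ASSURANCE_OID and CP_ECA_MEDIUM_OID are both 417, CP_FPKI_COMMON_HARDWARE_OID shares 420 with CP_ECA_MEDIUM_SHA256_OID, CP_VERIZON_COMMON_HW_OID and CP_WIDEPOINT_COMMON_HW_OID, CP_FPKI_MEDIUM_HARDWARE_OID shares 425 with CP_ECA_MEDIUM_DEVICE_SHA256_OID, CP_FPKI_COMMON_DEVICES_HARDWARE_OID shares 449 with CP_DOD_PEER_INTEROP_OID, and CP_FPKI_COMMON_PIV_CONTENT_SIGNING_OID shares 452 with the Verizon and WidePoint PIV CS constants (values per the asn.h hunk). Dropping the vendor aliases, as the next commit does, removes some of these, but the FPKI/ECA/DoD overlaps are genuine sum collisions between distinct OIDs, so OidFromId cannot return a unique array for them and whichever case survives is the array every policy with that sum gets back. A comment above the FPKI section of this switch should say so, e.g. `/* Policy OID sums are not unique; callers must verify the returned bytes against the parsed OID */`. OidFromId begins and ends outside this hunk.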
@@ -4518,6 +4518,7 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 CERT_POLICY_TYPE_OID_BASE(41);
 static const byte extCertPolicyFpkiPiviAuthOid[] =
 CERT_POLICY_TYPE_OID_BASE(45);
+
 /* DoD PKI OIDs - 2.16.840.1.101.2.1.11.X */
 #define DOD_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 2, 1, 11, num}
 static const byte extCertPolicyDodMediumOid[] =
@@ -4561,6 +4562,8 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 static const byte extCertPolicyDodInternalNpe128Oid[] =
 DOD_POLICY_TYPE_OID_BASE(61);
 static const byte extCertPolicyDodInternalNpe192Oid[] =
+ DOD_POLICY_TYPE_OID_BASE(62);
+
 /* ECA PKI OIDs - 2.16.840.1.101.3.2.1.12.X */
 #define ECA_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 12, num}
 static const byte extCertPolicyEcaMediumOid[] =
@@ -4581,50 +4584,6 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; ECA_POLICY_TYPE_OID_BASE(9); static const byte extCertPolicyEcaMediumHardwareSha256Oid[] = ECA_POLICY_TYPE_OID_BASE(10); - DOD_POLICY_TYPE_OID_BASE(62); - /* Verizon/Cybertrust Federal SSP PKI OIDs - 2.16.840.1.101.3.2.1.3.X */ - #define VERIZON_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 3, num} - static const byte extCertPolicyVerizonCommonHwOid[] = - VERIZON_POLICY_TYPE_OID_BASE(7); - static const byte extCertPolicyVerizonCommonAuthOid[] = - VERIZON_POLICY_TYPE_OID_BASE(13); - static const byte extCertPolicyVerizonCommonPivCsOid[] = - VERIZON_POLICY_TYPE_OID_BASE(39); - - /* WidePoint Federal SSP PKI OIDs - 2.16.840.1.101.3.2.1.3.X */ - #define WIDEPOINT_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 3, num} - static const byte extCertPolicyWidepointCommonHwOid[] = - WIDEPOINT_POLICY_TYPE_OID_BASE(7); - static const byte extCertPolicyWidepointCommonAuthOid[] = - WIDEPOINT_POLICY_TYPE_OID_BASE(13); - static const byte extCertPolicyWidepointCommonDevHwOid[] = - WIDEPOINT_POLICY_TYPE_OID_BASE(36); - static const byte extCertPolicyWidepointCommonPivCsOid[] = - WIDEPOINT_POLICY_TYPE_OID_BASE(39); - - /* IdenTrust NFI OIDs - 2.16.840.1.113839.0.100.X.Y */ - #define IDENTRUST_POLICY_TYPE_OID_BASE(num1, num2) {96, 134, 72, 1, 129, 113, 67, 0, 100, num1, num2} - static const byte extCertPolicyIdentrustMediumhwSignOid[] = - IDENTRUST_POLICY_TYPE_OID_BASE(12, 1); - static const byte extCertPolicyIdentrustMediumhwEncOid[] = - IDENTRUST_POLICY_TYPE_OID_BASE(12, 2); - static const byte extCertPolicyIdentrustPiviHwIdOid[] = - IDENTRUST_POLICY_TYPE_OID_BASE(18, 0); - static const byte extCertPolicyIdentrustPiviHwSignOid[] = - IDENTRUST_POLICY_TYPE_OID_BASE(18, 1); - static const byte extCertPolicyIdentrustPiviHwEncOid[] = - IDENTRUST_POLICY_TYPE_OID_BASE(18, 2); - static const byte extCertPolicyIdentrustPiviContentOid[] = - IDENTRUST_POLICY_TYPE_OID_BASE(20, 1); - - /* TSCP 
Bridge OIDs - 1.3.6.1.4.1.38099.1.1.1.X */ - #define TSCP_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 131, 59, 35, 1, 1, 1, num} - static const byte extCertPolicyTscpMediumhwOid[] = - TSCP_POLICY_TYPE_OID_BASE(2); - static const byte extCertPolicyTscpPiviOid[] = - TSCP_POLICY_TYPE_OID_BASE(5); - static const byte extCertPolicyTscpPiviContentOid[] = - TSCP_POLICY_TYPE_OID_BASE(7); /* Carillon Federal Services OIDs - 1.3.6.1.4.1.45606.3.1.X */ #define CARILLON_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 131, 59, 178, 38, 3, 1, num} @@ -4660,6 +4619,30 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; CERTIPATH_POLICY_TYPE_OID_BASE(18); static const byte extCertPolicyCertipathVarHighhwOid[] = CERTIPATH_POLICY_TYPE_OID_BASE(19); + + /* TSCP Bridge OIDs - 1.3.6.1.4.1.38099.1.1.1.X */ + #define TSCP_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 131, 59, 35, 1, 1, 1, num} + static const byte extCertPolicyTscpMediumhwOid[] = + TSCP_POLICY_TYPE_OID_BASE(2); + static const byte extCertPolicyTscpPiviOid[] = + TSCP_POLICY_TYPE_OID_BASE(5); + static const byte extCertPolicyTscpPiviContentOid[] = + TSCP_POLICY_TYPE_OID_BASE(7); + + /* IdenTrust NFI OIDs - 2.16.840.1.113839.0.100.X.Y */ + #define IDENTRUST_POLICY_TYPE_OID_BASE(num1, num2) {96, 134, 72, 1, 129, 113, 67, 0, 100, num1, num2} + static const byte extCertPolicyIdentrustMediumhwSignOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(12, 1); + static const byte extCertPolicyIdentrustMediumhwEncOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(12, 2); + static const byte extCertPolicyIdentrustPiviHwIdOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(18, 0); + static const byte extCertPolicyIdentrustPiviHwSignOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(18, 1); + static const byte extCertPolicyIdentrustPiviHwEncOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(18, 2); + static const byte extCertPolicyIdentrustPiviContentOid[] = + IDENTRUST_POLICY_TYPE_OID_BASE(20, 1); #endif /* WOLFSSL_FPKI */ /* certAltNameType */ 
@@ -5612,39 +5595,6 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 *oidSz = sizeof(extCertPolicyEcaMediumHardwareSha256Oid);
 break;

- /* New PKI OIDs added below */
- /* Verizon/Cybertrust Federal SSP PKI OIDs */
- case CP_VERIZON_COMMON_HW_OID:
- oid = extCertPolicyVerizonCommonHwOid;
- *oidSz = sizeof(extCertPolicyVerizonCommonHwOid);
- break;
- case CP_VERIZON_COMMON_AUTH_OID:
- oid = extCertPolicyVerizonCommonAuthOid;
- *oidSz = sizeof(extCertPolicyVerizonCommonAuthOid);
- break;
- case CP_VERIZON_COMMON_PIV_CS_OID:
- oid = extCertPolicyVerizonCommonPivCsOid;
- *oidSz = sizeof(extCertPolicyVerizonCommonPivCsOid);
- break;
-
- /* WidePoint Federal SSP PKI OIDs */
- case CP_WIDEPOINT_COMMON_HW_OID:
- oid = extCertPolicyWidepointCommonHwOid;
- *oidSz = sizeof(extCertPolicyWidepointCommonHwOid);
- break;
- case CP_WIDEPOINT_COMMON_AUTH_OID:
- oid = extCertPolicyWidepointCommonAuthOid;
- *oidSz = sizeof(extCertPolicyWidepointCommonAuthOid);
- break;
- case CP_WIDEPOINT_COMMON_DEV_HW_OID:
- oid = extCertPolicyWidepointCommonDevHwOid;
- *oidSz = sizeof(extCertPolicyWidepointCommonDevHwOid);
- break;
- case CP_WIDEPOINT_COMMON_PIV_CS_OID:
- oid = extCertPolicyWidepointCommonPivCsOid;
- *oidSz = sizeof(extCertPolicyWidepointCommonPivCsOid);
- break;
-
 /* IdenTrust NFI OIDs */
 case CP_IDENTRUST_MEDIUMHW_SIGN_OID:
 oid = extCertPolicyIdentrustMediumhwSignOid;
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index 4835386dc..77eaea995 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -1475,7 +1475,6 @@ enum CertificatePolicy_Sum {
 CP_FPKI_COMMON_DEVICES_HARDWARE_OID = 449, /* 2.16.840.1.101.3.2.1.3.36 */
 CP_FPKI_MEDIUM_DEVICE_HARDWARE_OID = 451, /* 2.16.840.1.101.3.2.1.3.38 */
 CP_FPKI_COMMON_PIV_CONTENT_SIGNING_OID = 452, /* 2.16.840.1.101.3.2.1.3.39 */
- CP_FPKI_COMMON_PIV_AUTH_DERIVED_HARDWARE_OID = 454, /* 2.16.840.1.101.3.2.1.3.41 */
 CP_FPKI_COMMON_PIVI_CONTENT_SIGNING_OID = 460, /* 2.16.840.1.101.3.2.1.3.47 */

 /* Entrust Federal SSP PKI OIDs - shares OIDs with Federal PKI */
@@ -1504,18 +1503,18 @@ enum CertificatePolicy_Sum {
 CP_CARILLON_AIVCONTENT_OID = 477, /* 1.3.6.1.4.1.45606.3.1.22 */

 /* Carillon Information Security OIDs */
- CP_CIS_MEDIUMHW_256_OID = 489, /* 1.3.6.1.4.1.25054.3.1.12 */
- CP_CIS_MEDDEVHW_256_OID = 491, /* 1.3.6.1.4.1.25054.3.1.14 */
- CP_CIS_ICECAP_HW_OID = 497, /* 1.3.6.1.4.1.25054.3.1.20 */
- CP_CIS_ICECAP_CONTENT_OID = 499, /* 1.3.6.1.4.1.25054.3.1.22 */
+ CP_CIS_MEDIUMHW_256_OID = 358, /* 1.3.6.1.4.1.25054.3.1.12 */
+ CP_CIS_MEDDEVHW_256_OID = 360, /* 1.3.6.1.4.1.25054.3.1.14 */
+ CP_CIS_ICECAP_HW_OID = 366, /* 1.3.6.1.4.1.25054.3.1.20 */
+ CP_CIS_ICECAP_CONTENT_OID = 368, /* 1.3.6.1.4.1.25054.3.1.22 */

 /* CertiPath Bridge OIDs */
- CP_CERTIPATH_MEDIUMHW_OID = 459, /* 1.3.6.1.4.1.24019.1.1.1.2 */
- CP_CERTIPATH_HIGHHW_OID = 460, /* 1.3.6.1.4.1.24019.1.1.1.3 */
- CP_CERTIPATH_ICECAP_HW_OID = 464, /* 1.3.6.1.4.1.24019.1.1.1.7 */
- CP_CERTIPATH_ICECAP_CONTENT_OID = 466, /* 1.3.6.1.4.1.24019.1.1.1.9 */
- CP_CERTIPATH_VAR_MEDIUMHW_OID = 475, /* 1.3.6.1.4.1.24019.1.1.1.18 */
- CP_CERTIPATH_VAR_HIGHHW_OID = 476, /* 1.3.6.1.4.1.24019.1.1.1.19 */
+ CP_CERTIPATH_MEDIUMHW_OID = 348, /* 1.3.6.1.4.1.24019.1.1.1.2 */
+ CP_CERTIPATH_HIGHHW_OID = 349, /* 1.3.6.1.4.1.24019.1.1.1.3 */
+ CP_CERTIPATH_ICECAP_HW_OID = 353, /* 1.3.6.1.4.1.24019.1.1.1.7 */
+ CP_CERTIPATH_ICECAP_CONTENT_OID = 355, /* 1.3.6.1.4.1.24019.1.1.1.9 */
+ CP_CERTIPATH_VAR_MEDIUMHW_OID = 364, /* 1.3.6.1.4.1.24019.1.1.1.18 */
+ CP_CERTIPATH_VAR_HIGHHW_OID = 365, /* 1.3.6.1.4.1.24019.1.1.1.19 */

 /* TSCP Bridge OIDs */
 CP_TSCP_MEDIUMHW_OID = 442, /* 1.3.6.1.4.1.38099.1.1.1.2 */
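Review bot: The replacement values for the CIS and CertiPath enumerators do not equal the byte sums of the encodings of the OIDs in their own comments: 25054 encodes as 129 195 94, so 1.3.6.1.4.1.25054.3.1.X sums to 477 + X (489, 491, 497, 499), and 24019 encodes as 129 187 83, so 1.3.6.1.4.1.24019.1.1.1.X sums to 457 + X (459, 460, 464, 466, 475, 476) — in both cases exactly the values this hunk removes. The new numbers are 346 + X for both trees, which cannot hold for two different enterprise arcs, and if the sum is computed from the certificate's bytes as the enum's name suggests, an enumerator that no real encoding sums to means certificates carrying that policy are silently never recognised rather than rejected. The removed `CP_CERTIPATH_HIGHHW_OID = 460` does collide with `CP_FPKI_COMMON_PIVI_CONTENT_SIGNING_OID = 460` in the previous hunk, but a collision has to be resolved by comparing the encoded OID bytes at lookup time, not by moving the enumerator to a value the parser can never produce. The later patch on this page that reports correcting all sums does not show these lines, so they are worth re-checking; the enum declaration begins and ends outside the hunk.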
@@ -1577,49 +1576,6 @@ enum CertificatePolicy_Sum { CP_NL_MOD_AUTH_OID = 1001, /* 2.16.528.1.1003.1.2.5.1 */ CP_NL_MOD_IRREFUT_OID = 1002, /* 2.16.528.1.1003.1.2.5.2 */ CP_NL_MOD_CONFID_OID = 1003, /* 2.16.528.1.1003.1.2.5.3 */ - - /* Verizon/Cybertrust Federal SSP PKI OIDs */ - CP_VERIZON_COMMON_HW_OID = 420, /* 2.16.840.1.101.3.2.1.3.7 */ - CP_VERIZON_COMMON_AUTH_OID = 426, /* 2.16.840.1.101.3.2.1.3.13 */ - CP_VERIZON_COMMON_PIV_CS_OID = 452, /* 2.16.840.1.101.3.2.1.3.39 */ - - /* WidePoint Federal SSP PKI OIDs */ - CP_WIDEPOINT_COMMON_HW_OID = 420, /* 2.16.840.1.101.3.2.1.3.7 */ - CP_WIDEPOINT_COMMON_AUTH_OID = 426, /* 2.16.840.1.101.3.2.1.3.13 */ - CP_WIDEPOINT_COMMON_DEV_HW_OID = 449, /* 2.16.840.1.101.3.2.1.3.36 */ - CP_WIDEPOINT_COMMON_PIV_CS_OID = 452, /* 2.16.840.1.101.3.2.1.3.39 */ - - /* IdenTrust NFI OIDs */ - CP_IDENTRUST_MEDIUMHW_SIGN_OID = 846, /* 2.16.840.1.113839.0.100.12.1 */ - CP_IDENTRUST_MEDIUMHW_ENC_OID = 847, /* 2.16.840.1.113839.0.100.12.2 */ - CP_IDENTRUST_PIVI_HW_ID_OID = 851, /* 2.16.840.1.113839.0.100.18.0 */ - CP_IDENTRUST_PIVI_HW_SIGN_OID = 852, /* 2.16.840.1.113839.0.100.18.1 */ - CP_IDENTRUST_PIVI_HW_ENC_OID = 853, /* 2.16.840.1.113839.0.100.18.2 */ - CP_IDENTRUST_PIVI_CONTENT_OID = 854, /* 2.16.840.1.113839.0.100.20.1 */ - - /* TSCP Bridge OIDs */ - CP_TSCP_MEDIUMHW_OID = 348, /* 1.3.6.1.4.1.38099.1.1.1.2 */ - CP_TSCP_PIVI_OID = 351, /* 1.3.6.1.4.1.38099.1.1.1.5 */ - CP_TSCP_PIVI_CONTENT_OID = 353, /* 1.3.6.1.4.1.38099.1.1.1.7 */ - - /* Carillon Federal Services OIDs */ - CP_CARILLON_MEDIUMHW_256_OID = 358, /* 1.3.6.1.4.1.45606.3.1.12 */ - CP_CARILLON_AIVHW_OID = 366, /* 1.3.6.1.4.1.45606.3.1.20 */ - CP_CARILLON_AIVCONTENT_OID = 368, /* 1.3.6.1.4.1.45606.3.1.22 */ - - /* Carillon Information Security OIDs */ - CP_CIS_MEDIUMHW_256_OID = 358, /* 1.3.6.1.4.1.25054.3.1.12 */ - CP_CIS_MEDDEVHW_256_OID = 360, /* 1.3.6.1.4.1.25054.3.1.14 */ - CP_CIS_ICECAP_HW_OID = 366, /* 1.3.6.1.4.1.25054.3.1.20 */ - CP_CIS_ICECAP_CONTENT_OID = 368, /* 
1.3.6.1.4.1.25054.3.1.22 */ - - /* CertiPath Bridge OIDs */ - CP_CERTIPATH_MEDIUMHW_OID = 348, /* 1.3.6.1.4.1.24019.1.1.1.2 */ - CP_CERTIPATH_HIGHHW_OID = 349, /* 1.3.6.1.4.1.24019.1.1.1.3 */ - CP_CERTIPATH_ICECAP_HW_OID = 353, /* 1.3.6.1.4.1.24019.1.1.1.7 */ - CP_CERTIPATH_ICECAP_CONTENT_OID = 355, /* 1.3.6.1.4.1.24019.1.1.1.9 */ - CP_CERTIPATH_VAR_MEDIUMHW_OID = 364, /* 1.3.6.1.4.1.24019.1.1.1.18 */ - CP_CERTIPATH_VAR_HIGHHW_OID = 365, /* 1.3.6.1.4.1.24019.1.1.1.19 */ #endif /* WOLFSSL_FPKI */ WOLF_ENUM_DUMMY_LAST_ELEMENT(CertificatePolicy_Sum) }; From 53f30b3c478bbf747c26f4ffac2dabbf961e92c1 Mon Sep 17 00:00:00 2001 From: Devin AI Date: Tue, 25 Mar 2025 15:59:19 -0700 Subject: [PATCH 4/9] Add remaining FPKI cert policy OIDs. Co-Authored-By: kareem@wolfssl.com --- wolfcrypt/src/asn.c | 296 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 296 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 459e82edc..a1cf45ed4 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
@@ -4585,6 +4585,33 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 static const byte extCertPolicyEcaMediumHardwareSha256Oid[] =
 ECA_POLICY_TYPE_OID_BASE(10);

+ /* Department of State PKI OIDs - 2.16.840.1.101.3.2.1.6.X */
+ #define STATE_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 6, num}
+ static const byte extCertPolicyStateHighOid[] =
+ STATE_POLICY_TYPE_OID_BASE(4);
+ static const byte extCertPolicyStateMedHwOid[] =
+ STATE_POLICY_TYPE_OID_BASE(12);
+ static const byte extCertPolicyStateMediumDeviceHardwareOid[] =
+ STATE_POLICY_TYPE_OID_BASE(38);
+
+ /* U.S. Treasury SSP PKI OIDs - 2.16.840.1.101.3.2.1.5.X */
+ #define TREASURY_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 5, num}
+ static const byte extCertPolicyTreasuryMediumHardwareOid[] =
+ TREASURY_POLICY_TYPE_OID_BASE(4);
+ static const byte extCertPolicyTreasuryHighOid[] =
+ TREASURY_POLICY_TYPE_OID_BASE(5);
+ static const byte extCertPolicyTreasuryPiviHardwareOid[] =
+ TREASURY_POLICY_TYPE_OID_BASE(10);
+ static const byte extCertPolicyTreasuryPiviContentSigningOid[] =
+ TREASURY_POLICY_TYPE_OID_BASE(12);
+
+ /* Boeing PKI OIDs - 1.3.6.1.4.1.73.15.3.1.X */
+ #define BOEING_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 73, 15, 3, 1, num}
+ static const byte extCertPolicyBoeingMediumHardwareSha256Oid[] =
+ BOEING_POLICY_TYPE_OID_BASE(12);
+ static const byte extCertPolicyBoeingMediumHardwareContentSigningSha256Oid[] =
+ BOEING_POLICY_TYPE_OID_BASE(17);
+
 /* Carillon Federal Services OIDs - 1.3.6.1.4.1.45606.3.1.X */
 #define CARILLON_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 131, 59, 178, 38, 3, 1, num}
 static const byte extCertPolicyCarillonMediumhw256Oid[] =
@@ -4629,6 +4656,37 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; static const byte extCertPolicyTscpPiviContentOid[] = TSCP_POLICY_TYPE_OID_BASE(7); + /* DigiCert NFI PKI OIDs - 2.16.840.1.113733.1.7.23.3.1.X */ + #define DIGICERT_NFI_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 113733, 1, 7, 23, 3, 1, num} + static const byte extCertPolicyDigicertNfiMediumHardwareOid[] = + DIGICERT_NFI_POLICY_TYPE_OID_BASE(7); + static const byte extCertPolicyDigicertNfiAuthOid[] = + DIGICERT_NFI_POLICY_TYPE_OID_BASE(13); + static const byte extCertPolicyDigicertNfiPiviHardwareOid[] = + DIGICERT_NFI_POLICY_TYPE_OID_BASE(18); + static const byte extCertPolicyDigicertNfiPiviContentSigningOid[] = + DIGICERT_NFI_POLICY_TYPE_OID_BASE(20); + static const byte extCertPolicyDigicertNfiMediumDevicesHardwareOid[] = + DIGICERT_NFI_POLICY_TYPE_OID_BASE(36); + + /* Entrust Managed Services NFI PKI OIDs - 2.16.840.1.114027.200.3.10.7.X */ + #define ENTRUST_NFI_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 114027, 200, 3, 10, 7, num} + static const byte extCertPolicyEntrustNfiMediumHardwareOid[] = + ENTRUST_NFI_POLICY_TYPE_OID_BASE(2); + static const byte extCertPolicyEntrustNfiMediumAuthenticationOid[] = + ENTRUST_NFI_POLICY_TYPE_OID_BASE(4); + static const byte extCertPolicyEntrustNfiPiviHardwareOid[] = + ENTRUST_NFI_POLICY_TYPE_OID_BASE(6); + static const byte extCertPolicyEntrustNfiPiviContentSigningOid[] = + ENTRUST_NFI_POLICY_TYPE_OID_BASE(9); + static const byte extCertPolicyEntrustNfiMediumDevicesHwOid[] = + ENTRUST_NFI_POLICY_TYPE_OID_BASE(16); + + /* Exostar LLC PKI OIDs - 1.3.6.1.4.1.13948.1.1.1.X */ + #define EXOSTAR_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 13948, 1, 1, 1, num} + static const byte extCertPolicyExostarMediumHardwareSha2Oid[] = + EXOSTAR_POLICY_TYPE_OID_BASE(6); + /* IdenTrust NFI OIDs - 2.16.840.1.113839.0.100.X.Y */ #define IDENTRUST_POLICY_TYPE_OID_BASE(num1, num2) {96, 134, 72, 1, 129, 113, 67, 0, 100, num1, num2} static const byte 
extCertPolicyIdentrustMediumhwSignOid[] = 
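Review bot: `DIGICERT_NFI_POLICY_TYPE_OID_BASE` and `ENTRUST_NFI_POLICY_TYPE_OID_BASE` place 113733, 114027 and 200 into a `byte` array initializer and `EXOSTAR_POLICY_TYPE_OID_BASE` does the same with 13948; a sub-identifier of 128 or more must be split into 7-bit groups with the high bit set on every byte but the last, so these values are reduced modulo 256 (at most a -Woverflow warning) and the resulting arrays match no real policy OID. The Northrop, Raytheon, WidePoint NFI, ADO and NL MoD macros in the following hunk (16334, 509, 1569, 26769, 3922, 334, 528, 1003) have the same defect. The fifth patch on this page replaces all of these with encoded bytes, so what remains is a guard against the class: compile the FPKI tables with `-Werror=overflow`, or add a test that decodes every `extCertPolicy*Oid` array back to dotted form and compares it with the OID quoted in the comment above its macro. The `#if defined(WOLFSSL_FPKI)` block holding these definitions begins and ends outside the hunk.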
@@ -4643,6 +4701,64 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; IDENTRUST_POLICY_TYPE_OID_BASE(18, 2); static const byte extCertPolicyIdentrustPiviContentOid[] = IDENTRUST_POLICY_TYPE_OID_BASE(20, 1); + + /* Lockheed Martin PKI OIDs - 1.3.6.1.4.1.103.100.1.1.3.X */ + #define LOCKHEED_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 103, 100, 1, 1, 3, num} + static const byte extCertPolicyLockheedMediumAssuranceHardwareOid[] = + LOCKHEED_POLICY_TYPE_OID_BASE(3); + + /* Northrop Grumman PKI OIDs - 1.3.6.1.4.1.16334.509.2.X */ + #define NORTHROP_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 16334, 509, 2, num} + static const byte extCertPolicyNorthropMediumAssurance256HardwareTokenOid[] = + NORTHROP_POLICY_TYPE_OID_BASE(8); + static const byte extCertPolicyNorthropPiviAssurance256HardwareTokenOid[] = + NORTHROP_POLICY_TYPE_OID_BASE(9); + static const byte extCertPolicyNorthropPiviAssurance256ContentSigningOid[] = + NORTHROP_POLICY_TYPE_OID_BASE(11); + static const byte extCertPolicyNorthropMediumAssurance384HardwareTokenOid[] = + NORTHROP_POLICY_TYPE_OID_BASE(14); + + /* Raytheon PKI OIDs - 1.3.6.1.4.1.1569.10.1.X and 1.3.6.1.4.1.26769.10.1.X */ + #define RAYTHEON_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 1569, 10, 1, num} + static const byte extCertPolicyRaytheonMediumHardwareOid[] = + RAYTHEON_POLICY_TYPE_OID_BASE(12); + static const byte extCertPolicyRaytheonMediumDeviceHardwareOid[] = + RAYTHEON_POLICY_TYPE_OID_BASE(18); + + #define RAYTHEON_SHA2_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 26769, 10, 1, num} + static const byte extCertPolicyRaytheonSha2MediumHardwareOid[] = + RAYTHEON_SHA2_POLICY_TYPE_OID_BASE(12); + static const byte extCertPolicyRaytheonSha2MediumDeviceHardwareOid[] = + RAYTHEON_SHA2_POLICY_TYPE_OID_BASE(18); + + /* WidePoint NFI PKI OIDs - 1.3.6.1.4.1.3922.1.1.1.X */ + #define WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 3922, 1, 1, 1, num} + static const byte extCertPolicyWidepointNfiMediumHardwareOid[] = + 
WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(12); + static const byte extCertPolicyWidepointNfiPiviHardwareOid[] = + WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(18); + static const byte extCertPolicyWidepointNfiPiviContentSigningOid[] = + WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(20); + static const byte extCertPolicyWidepointNfiMediumDevicesHardwareOid[] = + WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(38); + + /* Australian Defence Organisation PKI OIDs - 1.2.36.1.334.1.2.X.X */ + #define ADO_POLICY_TYPE_OID_BASE(type, num) {42, 36, 1, 334, 1, 2, type, num} + static const byte extCertPolicyAdoIndividualMediumAssuranceOid[] = + ADO_POLICY_TYPE_OID_BASE(1, 2); + static const byte extCertPolicyAdoIndividualHighAssuranceOid[] = + ADO_POLICY_TYPE_OID_BASE(1, 3); + static const byte extCertPolicyAdoResourceMediumAssuranceOid[] = + ADO_POLICY_TYPE_OID_BASE(2, 2); + + /* Netherlands Ministry of Defence PKI OIDs - 2.16.528.1.1003.1.2.5.X */ + #define NL_MOD_POLICY_TYPE_OID_BASE(num) {96, 134, 528, 1, 1003, 1, 2, 5, num} + static const byte extCertPolicyNlModAuthenticityOid[] = + NL_MOD_POLICY_TYPE_OID_BASE(1); + static const byte extCertPolicyNlModIrrefutabilityOid[] = + NL_MOD_POLICY_TYPE_OID_BASE(2); + static const byte extCertPolicyNlModConfidentialityOid[] = + NL_MOD_POLICY_TYPE_OID_BASE(3); #endif /* WOLFSSL_FPKI */ /* certAltNameType */ 
@@ -5595,6 +5711,186 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) *oidSz = sizeof(extCertPolicyEcaMediumHardwareSha256Oid); break; + /* Department of State PKI OIDs */ + case CP_STATE_HIGH_OID: + oid = extCertPolicyStateHighOid; + *oidSz = sizeof(extCertPolicyStateHighOid); + break; + case CP_STATE_MEDHW_OID: + oid = extCertPolicyStateMedHwOid; + *oidSz = sizeof(extCertPolicyStateMedHwOid); + break; + case CP_STATE_MEDDEVHW_OID: + oid = extCertPolicyStateMediumDeviceHardwareOid; + *oidSz = sizeof(extCertPolicyStateMediumDeviceHardwareOid); + break; + + /* U.S. Treasury SSP PKI OIDs */ + case CP_TREAS_MEDIUMHW_OID: + oid = extCertPolicyTreasuryMediumHardwareOid; + *oidSz = sizeof(extCertPolicyTreasuryMediumHardwareOid); + break; + case CP_TREAS_HIGH_OID: + oid = extCertPolicyTreasuryHighOid; + *oidSz = sizeof(extCertPolicyTreasuryHighOid); + break; + case CP_TREAS_PIVI_HW_OID: + oid = extCertPolicyTreasuryPiviHardwareOid; + *oidSz = sizeof(extCertPolicyTreasuryPiviHardwareOid); + break; + case CP_TREAS_PIVI_CONTENT_OID: + oid = extCertPolicyTreasuryPiviContentSigningOid; + *oidSz = sizeof(extCertPolicyTreasuryPiviContentSigningOid); + break; + + /* Boeing PKI OIDs */ + case CP_BOEING_MEDIUMHW_SHA256_OID: + oid = extCertPolicyBoeingMediumHardwareSha256Oid; + *oidSz = sizeof(extCertPolicyBoeingMediumHardwareSha256Oid); + break; + case CP_BOEING_MEDIUMHW_CONTENT_SHA256_OID: + oid = extCertPolicyBoeingMediumHardwareContentSigningSha256Oid; + *oidSz = sizeof(extCertPolicyBoeingMediumHardwareContentSigningSha256Oid); + break; + + /* DigiCert NFI PKI OIDs */ + case CP_DIGICERT_NFSSP_MEDIUMHW_OID: + oid = extCertPolicyDigicertNfiMediumHardwareOid; + *oidSz = sizeof(extCertPolicyDigicertNfiMediumHardwareOid); + break; + case CP_DIGICERT_NFSSP_AUTH_OID: + oid = extCertPolicyDigicertNfiAuthOid; + *oidSz = sizeof(extCertPolicyDigicertNfiAuthOid); + break; + case CP_DIGICERT_NFSSP_PIVI_HW_OID: + oid = extCertPolicyDigicertNfiPiviHardwareOid; + *oidSz = 
sizeof(extCertPolicyDigicertNfiPiviHardwareOid); + break; + case CP_DIGICERT_NFSSP_PIVI_CONTENT_OID: + oid = extCertPolicyDigicertNfiPiviContentSigningOid; + *oidSz = sizeof(extCertPolicyDigicertNfiPiviContentSigningOid); + break; + case CP_DIGICERT_NFSSP_MEDDEVHW_OID: + oid = extCertPolicyDigicertNfiMediumDevicesHardwareOid; + *oidSz = sizeof(extCertPolicyDigicertNfiMediumDevicesHardwareOid); + break; + + /* Entrust Managed Services NFI PKI OIDs */ + case CP_ENTRUST_NFSSP_MEDIUMHW_OID: + oid = extCertPolicyEntrustNfiMediumHardwareOid; + *oidSz = sizeof(extCertPolicyEntrustNfiMediumHardwareOid); + break; + case CP_ENTRUST_NFSSP_MEDAUTH_OID: + oid = extCertPolicyEntrustNfiMediumAuthenticationOid; + *oidSz = sizeof(extCertPolicyEntrustNfiMediumAuthenticationOid); + break; + case CP_ENTRUST_NFSSP_PIVI_HW_OID: + oid = extCertPolicyEntrustNfiPiviHardwareOid; + *oidSz = sizeof(extCertPolicyEntrustNfiPiviHardwareOid); + break; + case CP_ENTRUST_NFSSP_PIVI_CONTENT_OID: + oid = extCertPolicyEntrustNfiPiviContentSigningOid; + *oidSz = sizeof(extCertPolicyEntrustNfiPiviContentSigningOid); + break; + case CP_ENTRUST_NFSSP_MEDDEVHW_OID: + oid = extCertPolicyEntrustNfiMediumDevicesHwOid; + *oidSz = sizeof(extCertPolicyEntrustNfiMediumDevicesHwOid); + break; + + /* Exostar LLC PKI OIDs */ + case CP_EXOSTAR_MEDIUMHW_SHA2_OID: + oid = extCertPolicyExostarMediumHardwareSha2Oid; + *oidSz = sizeof(extCertPolicyExostarMediumHardwareSha2Oid); + break; + + /* Lockheed Martin PKI OIDs */ + case CP_LOCKHEED_MEDIUMHW_OID: + oid = extCertPolicyLockheedMediumAssuranceHardwareOid; + *oidSz = sizeof(extCertPolicyLockheedMediumAssuranceHardwareOid); + break; + + /* Northrop Grumman PKI OIDs */ + case CP_NORTHROP_MEDIUM_256_HW_OID: + oid = extCertPolicyNorthropMediumAssurance256HardwareTokenOid; + *oidSz = sizeof(extCertPolicyNorthropMediumAssurance256HardwareTokenOid); + break; + case CP_NORTHROP_PIVI_256_HW_OID: + oid = extCertPolicyNorthropPiviAssurance256HardwareTokenOid; + *oidSz = 
sizeof(extCertPolicyNorthropPiviAssurance256HardwareTokenOid); + break; + case CP_NORTHROP_PIVI_256_CONTENT_OID: + oid = extCertPolicyNorthropPiviAssurance256ContentSigningOid; + *oidSz = sizeof(extCertPolicyNorthropPiviAssurance256ContentSigningOid); + break; + case CP_NORTHROP_MEDIUM_384_HW_OID: + oid = extCertPolicyNorthropMediumAssurance384HardwareTokenOid; + *oidSz = sizeof(extCertPolicyNorthropMediumAssurance384HardwareTokenOid); + break; + + /* Raytheon PKI OIDs */ + case CP_RAYTHEON_MEDIUMHW_OID: + oid = extCertPolicyRaytheonMediumHardwareOid; + *oidSz = sizeof(extCertPolicyRaytheonMediumHardwareOid); + break; + case CP_RAYTHEON_MEDDEVHW_OID: + oid = extCertPolicyRaytheonMediumDeviceHardwareOid; + *oidSz = sizeof(extCertPolicyRaytheonMediumDeviceHardwareOid); + break; + case CP_RAYTHEON_SHA2_MEDIUMHW_OID: + oid = extCertPolicyRaytheonSha2MediumHardwareOid; + *oidSz = sizeof(extCertPolicyRaytheonSha2MediumHardwareOid); + break; + case CP_RAYTHEON_SHA2_MEDDEVHW_OID: + oid = extCertPolicyRaytheonSha2MediumDeviceHardwareOid; + *oidSz = sizeof(extCertPolicyRaytheonSha2MediumDeviceHardwareOid); + break; + + /* WidePoint NFI PKI OIDs */ + case CP_WIDEPOINT_MEDIUMHW_OID: + oid = extCertPolicyWidepointNfiMediumHardwareOid; + *oidSz = sizeof(extCertPolicyWidepointNfiMediumHardwareOid); + break; + case CP_WIDEPOINT_PIVI_HW_OID: + oid = extCertPolicyWidepointNfiPiviHardwareOid; + *oidSz = sizeof(extCertPolicyWidepointNfiPiviHardwareOid); + break; + case CP_WIDEPOINT_PIVI_CONTENT_OID: + oid = extCertPolicyWidepointNfiPiviContentSigningOid; + *oidSz = sizeof(extCertPolicyWidepointNfiPiviContentSigningOid); + break; + case CP_WIDEPOINT_MEDDEVHW_OID: + oid = extCertPolicyWidepointNfiMediumDevicesHardwareOid; + *oidSz = sizeof(extCertPolicyWidepointNfiMediumDevicesHardwareOid); + break; + + /* Australian Defence Organisation PKI OIDs */ + case CP_ADO_MEDIUM_OID: + oid = extCertPolicyAdoIndividualMediumAssuranceOid; + *oidSz = 
sizeof(extCertPolicyAdoIndividualMediumAssuranceOid); + break; + case CP_ADO_HIGH_OID: + oid = extCertPolicyAdoIndividualHighAssuranceOid; + *oidSz = sizeof(extCertPolicyAdoIndividualHighAssuranceOid); + break; + case CP_ADO_RESOURCE_MEDIUM_OID: + oid = extCertPolicyAdoResourceMediumAssuranceOid; + *oidSz = sizeof(extCertPolicyAdoResourceMediumAssuranceOid); + break; + + /* Netherlands Ministry of Defence PKI OIDs */ + case CP_NL_MOD_AUTH_OID: + oid = extCertPolicyNlModAuthenticityOid; + *oidSz = sizeof(extCertPolicyNlModAuthenticityOid); + break; + case CP_NL_MOD_IRREFUT_OID: + oid = extCertPolicyNlModIrrefutabilityOid; + *oidSz = sizeof(extCertPolicyNlModIrrefutabilityOid); + break; + case CP_NL_MOD_CONFID_OID: + oid = extCertPolicyNlModConfidentialityOid; + *oidSz = sizeof(extCertPolicyNlModConfidentialityOid); + break; + /* IdenTrust NFI OIDs */ case CP_IDENTRUST_MEDIUMHW_SIGN_OID: oid = extCertPolicyIdentrustMediumhwSignOid; From ac2df1420befe8fcdb9ca8691ff102b14763c92f Mon Sep 17 00:00:00 2001 From: Kareem Date: Tue, 25 Mar 2025 16:40:15 -0700 Subject: [PATCH 5/9] Checked and corrected all OIDs and OID sums. --- wolfcrypt/src/asn.c | 28 +++++++-------- wolfssl/wolfcrypt/asn.h | 79 +++++++++++++++++++---------------------- 2 files changed, 50 insertions(+), 57 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index a1cf45ed4..506baf58b 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -4613,7 +4613,7 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; BOEING_POLICY_TYPE_OID_BASE(17); /* Carillon Federal Services OIDs - 1.3.6.1.4.1.45606.3.1.X */ - #define CARILLON_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 131, 59, 178, 38, 3, 1, num} + #define CARILLON_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 130, 228, 38, 3, 1, num} static const byte extCertPolicyCarillonMediumhw256Oid[] = CARILLON_POLICY_TYPE_OID_BASE(12); static const byte extCertPolicyCarillonAivhwOid[] = 
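Review bot: The enumerator and array names in this hunk disagree on the issuer label: `CP_DIGICERT_NFSSP_MEDIUMHW_OID` and `CP_ENTRUST_NFSSP_MEDIUMHW_OID` select `extCertPolicyDigicertNfiMediumHardwareOid` and `extCertPolicyEntrustNfiMediumHardwareOid`, while `CP_WIDEPOINT_MEDIUMHW_OID` and its three siblings carry no NFI/NFSSP qualifier at all even though they select `extCertPolicyWidepointNfi*` arrays and an earlier patch on this page removed a separate WidePoint Federal SSP set. Using one spelling in both tables (the section comments say "NFI PKI"), e.g. `CP_WIDEPOINT_NFI_MEDIUMHW_OID`, keeps the enum and the arrays greppable against each other and leaves room for a WidePoint SSP entry later. The switch these cases extend begins and ends outside the hunk.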
@@ -4622,7 +4622,7 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 CARILLON_POLICY_TYPE_OID_BASE(22);

 /* Carillon Information Security OIDs - 1.3.6.1.4.1.25054.3.1.X */
- #define CIS_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 131, 59, 97, 230, 3, 1, num}
+ #define CIS_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 129, 195, 94, 3, 1, num}
 static const byte extCertPolicyCisMediumhw256Oid[] =
 CIS_POLICY_TYPE_OID_BASE(12);
 static const byte extCertPolicyCisMeddevhw256Oid[] =
@@ -4633,7 +4633,7 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 CIS_POLICY_TYPE_OID_BASE(22);

 /* CertiPath Bridge OIDs - 1.3.6.1.4.1.24019.1.1.1.X */
- #define CERTIPATH_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 131, 59, 93, 227, 1, 1, 1, num}
+ #define CERTIPATH_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 129, 187, 83, 1, 1, 1, num}
 static const byte extCertPolicyCertipathMediumhwOid[] =
 CERTIPATH_POLICY_TYPE_OID_BASE(2);
 static const byte extCertPolicyCertipathHighhwOid[] =
@@ -4648,7 +4648,7 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 CERTIPATH_POLICY_TYPE_OID_BASE(19);

 /* TSCP Bridge OIDs - 1.3.6.1.4.1.38099.1.1.1.X */
- #define TSCP_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 131, 59, 35, 1, 1, 1, num}
+ #define TSCP_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 130, 169, 83, 1, 1, 1, num}
 static const byte extCertPolicyTscpMediumhwOid[] =
 TSCP_POLICY_TYPE_OID_BASE(2);
 static const byte extCertPolicyTscpPiviOid[] =
@@ -4657,7 +4657,7 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 TSCP_POLICY_TYPE_OID_BASE(7);

 /* DigiCert NFI PKI OIDs - 2.16.840.1.113733.1.7.23.3.1.X */
- #define DIGICERT_NFI_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 113733, 1, 7, 23, 3, 1, num}
+ #define DIGICERT_NFI_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 134, 248, 69, 1, 7, 23, 3, 1, num}
 static const byte extCertPolicyDigicertNfiMediumHardwareOid[] =
 DIGICERT_NFI_POLICY_TYPE_OID_BASE(7);
 static const byte extCertPolicyDigicertNfiAuthOid[] =
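Review bot: Each corrected macro in this and the following hunks of this patch now holds the base-128 encoding of a multi-byte arc, but nothing in the source says so, and the earlier revisions of these lines visible above got exactly that step wrong twice (a bad split in one, the raw decimal in the other). A short derivation next to each `#define`, e.g. `/* 25054 = 129 195 94: seven bits per byte, high bit set on all but the last */` on `CIS_POLICY_TYPE_OID_BASE`, lets a reviewer check the bytes against the dotted OID in the comment above without recomputing them. The same applies through `NL_MOD_POLICY_TYPE_OID_BASE`, where 528 and 1003 become 132 16 and 135 107.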
@@ -4670,7 +4670,7 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 DIGICERT_NFI_POLICY_TYPE_OID_BASE(36);

 /* Entrust Managed Services NFI PKI OIDs - 2.16.840.1.114027.200.3.10.7.X */
- #define ENTRUST_NFI_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 114027, 200, 3, 10, 7, num}
+ #define ENTRUST_NFI_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 134, 250, 107, 129, 72, 3, 10, 7, num}
 static const byte extCertPolicyEntrustNfiMediumHardwareOid[] =
 ENTRUST_NFI_POLICY_TYPE_OID_BASE(2);
 static const byte extCertPolicyEntrustNfiMediumAuthenticationOid[] =
@@ -4683,12 +4683,12 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 ENTRUST_NFI_POLICY_TYPE_OID_BASE(16);

 /* Exostar LLC PKI OIDs - 1.3.6.1.4.1.13948.1.1.1.X */
- #define EXOSTAR_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 13948, 1, 1, 1, num}
+ #define EXOSTAR_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 236, 124, 1, 1, 1, num}
 static const byte extCertPolicyExostarMediumHardwareSha2Oid[] =
 EXOSTAR_POLICY_TYPE_OID_BASE(6);

 /* IdenTrust NFI OIDs - 2.16.840.1.113839.0.100.X.Y */
- #define IDENTRUST_POLICY_TYPE_OID_BASE(num1, num2) {96, 134, 72, 1, 129, 113, 67, 0, 100, num1, num2}
+ #define IDENTRUST_POLICY_TYPE_OID_BASE(num1, num2) {96, 134, 72, 1, 134, 249, 47, 0, 100, num1, num2}
 static const byte extCertPolicyIdentrustMediumhwSignOid[] =
 IDENTRUST_POLICY_TYPE_OID_BASE(12, 1);
 static const byte extCertPolicyIdentrustMediumhwEncOid[] =
@@ -4708,7 +4708,7 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 LOCKHEED_POLICY_TYPE_OID_BASE(3);

 /* Northrop Grumman PKI OIDs - 1.3.6.1.4.1.16334.509.2.X */
- #define NORTHROP_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 16334, 509, 2, num}
+ #define NORTHROP_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 255, 78, 131, 125, 2, num}
 static const byte extCertPolicyNorthropMediumAssurance256HardwareTokenOid[] =
 NORTHROP_POLICY_TYPE_OID_BASE(8);
 static const byte extCertPolicyNorthropPiviAssurance256HardwareTokenOid[] =
@@ -4719,20 +4719,20 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 NORTHROP_POLICY_TYPE_OID_BASE(14);

 /* Raytheon PKI OIDs - 1.3.6.1.4.1.1569.10.1.X and 1.3.6.1.4.1.26769.10.1.X */
- #define RAYTHEON_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 1569, 10, 1, num}
+ #define RAYTHEON_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 140, 33, 10, 1, num}
 static const byte extCertPolicyRaytheonMediumHardwareOid[] =
 RAYTHEON_POLICY_TYPE_OID_BASE(12);
 static const byte extCertPolicyRaytheonMediumDeviceHardwareOid[] =
 RAYTHEON_POLICY_TYPE_OID_BASE(18);

- #define RAYTHEON_SHA2_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 26769, 10, 1, num}
+ #define RAYTHEON_SHA2_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 129, 209, 17, 10, 1, num}
 static const byte extCertPolicyRaytheonSha2MediumHardwareOid[] =
 RAYTHEON_SHA2_POLICY_TYPE_OID_BASE(12);
 static const byte extCertPolicyRaytheonSha2MediumDeviceHardwareOid[] =
 RAYTHEON_SHA2_POLICY_TYPE_OID_BASE(18);

 /* WidePoint NFI PKI OIDs - 1.3.6.1.4.1.3922.1.1.1.X */
- #define WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 3922, 1, 1, 1, num}
+ #define WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(num) {43, 6, 1, 4, 1, 158, 82, 1, 1, 1, num}
 static const byte extCertPolicyWidepointNfiMediumHardwareOid[] =
 WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(12);
 static const byte extCertPolicyWidepointNfiPiviHardwareOid[] =
@@ -4743,7 +4743,7 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 WIDEPOINT_NFI_POLICY_TYPE_OID_BASE(38);

 /* Australian Defence Organisation PKI OIDs - 1.2.36.1.334.1.2.X.X */
- #define ADO_POLICY_TYPE_OID_BASE(type, num) {42, 36, 1, 334, 1, 2, type, num}
+ #define ADO_POLICY_TYPE_OID_BASE(type, num) {42, 36, 1, 130, 78, 1, 2, type, num}
 static const byte extCertPolicyAdoIndividualMediumAssuranceOid[] =
 ADO_POLICY_TYPE_OID_BASE(1, 2);
 static const byte extCertPolicyAdoIndividualHighAssuranceOid[] =
@@ -4752,7 +4752,7 @@ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
 ADO_POLICY_TYPE_OID_BASE(2, 2);

 /* Netherlands Ministry of Defence PKI OIDs - 2.16.528.1.1003.1.2.5.X */
- #define NL_MOD_POLICY_TYPE_OID_BASE(num) {96, 134, 528, 1, 1003, 1, 2, 5, num}
+ #define NL_MOD_POLICY_TYPE_OID_BASE(num) {96, 132, 16, 1, 135, 107, 1, 2, 5, num}
 static const byte extCertPolicyNlModAuthenticityOid[] =
 NL_MOD_POLICY_TYPE_OID_BASE(1);
 static const byte extCertPolicyNlModIrrefutabilityOid[] =
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index 77eaea995..3920d5faf 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -1426,10 +1426,20 @@ enum CertificatePolicy_Sum {
 CP_ANY_OID = 146, /* id-ce 32 0 */
 #ifdef WOLFSSL_FPKI
 /* Federal PKI OIDs */
- CP_FPKI_COMMON_AUTH_OID = 426, /* 2.16.840.1.101.3.2.1.3.13 */
- CP_FPKI_PIV_AUTH_OID = 453, /* 2.16.840.1.101.3.2.1.3.40 */
- CP_FPKI_PIV_AUTH_HW_OID = 454, /* 2.16.840.1.101.3.2.1.3.41 */
- CP_FPKI_PIVI_AUTH_OID = 458, /* 2.16.840.1.101.3.2.1.3.45 */
+ CP_FPKI_HIGH_ASSURANCE_OID = 417, /* 2.16.840.1.101.3.2.1.3.4 */
+ CP_FPKI_COMMON_HARDWARE_OID = 420, /* 2.16.840.1.101.3.2.1.3.7 */
+ CP_FPKI_MEDIUM_HARDWARE_OID = 425, /* 2.16.840.1.101.3.2.1.3.12 */
+ CP_FPKI_COMMON_AUTH_OID = 426, /* 2.16.840.1.101.3.2.1.3.13 */
+ CP_FPKI_COMMON_HIGH_OID = 429, /* 2.16.840.1.101.3.2.1.3.16 */
+ CP_FPKI_PIVI_HARDWARE_OID = 431, /* 2.16.840.1.101.3.2.1.3.18 */
+ CP_FPKI_PIVI_CONTENT_SIGNING_OID = 433, /* 2.16.840.1.101.3.2.1.3.20 */
+ CP_FPKI_COMMON_DEVICES_HARDWARE_OID = 449, /* 2.16.840.1.101.3.2.1.3.36 */
+ CP_FPKI_MEDIUM_DEVICE_HARDWARE_OID = 451, /* 2.16.840.1.101.3.2.1.3.38 */
+ CP_FPKI_COMMON_PIV_CONTENT_SIGNING_OID = 452, /* 2.16.840.1.101.3.2.1.3.39 */
+ CP_FPKI_PIV_AUTH_OID = 453, /* 2.16.840.1.101.3.2.1.3.40 */
+ CP_FPKI_PIV_AUTH_HW_OID = 454, /* 2.16.840.1.101.3.2.1.3.41 */
+ CP_FPKI_PIVI_AUTH_OID = 458, /* 2.16.840.1.101.3.2.1.3.45 */
+ CP_FPKI_COMMON_PIVI_CONTENT_SIGNING_OID = 460, /* 2.16.840.1.101.3.2.1.3.47 */
 
 /* DoD PKI OIDs */
 CP_DOD_MEDIUM_OID = 423, /* 2.16.840.1.101.2.1.11.5 */
@@ -1455,32 +1465,15 @@ enum CertificatePolicy_Sum {
 CP_DOD_INTERNAL_NPE_192_OID = 480, /* 2.16.840.1.101.2.1.11.62 */
 
 /* ECA PKI OIDs */
- CP_ECA_MEDIUM_OID = 417, /* 2.16.840.1.101.3.2.1.12.1 */
- CP_ECA_MEDIUM_HARDWARE_OID = 418, /* 2.16.840.1.101.3.2.1.12.2 */
- CP_ECA_MEDIUM_TOKEN_OID = 419, /* 2.16.840.1.101.3.2.1.12.3 */
- CP_ECA_MEDIUM_SHA256_OID = 420, /* 2.16.840.1.101.3.2.1.12.4 */
- CP_ECA_MEDIUM_TOKEN_SHA256_OID = 421, /* 2.16.840.1.101.3.2.1.12.5 */
- CP_ECA_MEDIUM_HARDWARE_PIVI_OID = 422, /* 2.16.840.1.101.3.2.1.12.6 */
- CP_ECA_CONTENT_SIGNING_PIVI_OID = 424, /* 2.16.840.1.101.3.2.1.12.8 */
- CP_ECA_MEDIUM_DEVICE_SHA256_OID = 425, /* 2.16.840.1.101.3.2.1.12.9 */
- CP_ECA_MEDIUM_HARDWARE_SHA256_OID = 426, /* 2.16.840.1.101.3.2.1.12.10 */
-
- /* Federal PKI OIDs */
- CP_FPKI_HIGH_ASSURANCE_OID = 417, /* 2.16.840.1.101.3.2.1.3.4 */
- CP_FPKI_COMMON_HARDWARE_OID = 420, /* 2.16.840.1.101.3.2.1.3.7 */
- CP_FPKI_MEDIUM_HARDWARE_OID = 425, /* 2.16.840.1.101.3.2.1.3.12 */
- CP_FPKI_COMMON_HIGH_OID = 429, /* 2.16.840.1.101.3.2.1.3.16 */
- CP_FPKI_PIVI_HARDWARE_OID = 431, /* 2.16.840.1.101.3.2.1.3.18 */
- CP_FPKI_PIVI_CONTENT_SIGNING_OID = 433, /* 2.16.840.1.101.3.2.1.3.20 */
- CP_FPKI_COMMON_DEVICES_HARDWARE_OID = 449, /* 2.16.840.1.101.3.2.1.3.36 */
- CP_FPKI_MEDIUM_DEVICE_HARDWARE_OID = 451, /* 2.16.840.1.101.3.2.1.3.38 */
- CP_FPKI_COMMON_PIV_CONTENT_SIGNING_OID = 452, /* 2.16.840.1.101.3.2.1.3.39 */
- CP_FPKI_COMMON_PIVI_CONTENT_SIGNING_OID = 460, /* 2.16.840.1.101.3.2.1.3.47 */
-
- /* Entrust Federal SSP PKI OIDs - shares OIDs with Federal PKI */
- /* DigiCert Federal SSP PKI OIDs - shares OIDs with Federal PKI */
- /* Verizon/Cybertrust Federal SSP PKI OIDs - shares OIDs with Federal PKI */
- /* WidePoint Federal SSP PKI OIDs - shares OIDs with Federal PKI */
+ CP_ECA_MEDIUM_OID = 423, /* 2.16.840.1.101.3.2.1.12.1 */
+ CP_ECA_MEDIUM_HARDWARE_OID = 424, /* 2.16.840.1.101.3.2.1.12.2 */
+ CP_ECA_MEDIUM_TOKEN_OID = 425, /* 2.16.840.1.101.3.2.1.12.3 */
+ CP_ECA_MEDIUM_SHA256_OID = 426, /* 2.16.840.1.101.3.2.1.12.4 */
+ CP_ECA_MEDIUM_TOKEN_SHA256_OID = 427, /* 2.16.840.1.101.3.2.1.12.5 */
+ CP_ECA_MEDIUM_HARDWARE_PIVI_OID = 428, /* 2.16.840.1.101.3.2.1.12.6 */
+ CP_ECA_CONTENT_SIGNING_PIVI_OID = 430, /* 2.16.840.1.101.3.2.1.12.8 */
+ CP_ECA_MEDIUM_DEVICE_SHA256_OID = 431, /* 2.16.840.1.101.3.2.1.12.9 */
+ CP_ECA_MEDIUM_HARDWARE_SHA256_OID = 432, /* 2.16.840.1.101.3.2.1.12.10 */
 
 /* Department of State PKI OIDs */
 CP_STATE_HIGH_OID = 420, /* 2.16.840.1.101.3.2.1.6.4 */
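Review bot: `CP_FPKI_PIVI_HARDWARE_OID = 431` (2.16.840.1.101.3.2.1.3.18, added in the previous hunk) and `CP_ECA_MEDIUM_DEVICE_SHA256_OID = 431` (2.16.840.1.101.3.2.1.12.9, added here) are the same sum, and unlike the other duplicates in this series neither is moved to the 100000 range nor given a case in fpkiCertPolOid — the later asn.h hunk at `@@ -1465,26 +1465,26 @@` still shows the ECA entry as 431 context. An ECA medium-device SHA256 policy will therefore decode as the FPKI PIVI hardware policy, and if both enumerators appear as `case` labels in the same switch in OidFromId (not visible here) the build fails on a duplicate case value. Unless a later change outside this page renumbers one of them, I would set `CP_ECA_MEDIUM_DEVICE_SHA256_OID = 100431, /* 2.16.840.1.101.3.2.1.12.9 */` and add a `case CP_FPKI_PIVI_HARDWARE_OID:` in fpkiCertPolOid that compares against the ECA 12.9 byte array, following the pattern of the existing cases.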
@@ -1503,18 +1496,18 @@ enum CertificatePolicy_Sum {
 CP_CARILLON_AIVCONTENT_OID = 477, /* 1.3.6.1.4.1.45606.3.1.22 */
 
 /* Carillon Information Security OIDs */
- CP_CIS_MEDIUMHW_256_OID = 358, /* 1.3.6.1.4.1.25054.3.1.12 */
- CP_CIS_MEDDEVHW_256_OID = 360, /* 1.3.6.1.4.1.25054.3.1.14 */
- CP_CIS_ICECAP_HW_OID = 366, /* 1.3.6.1.4.1.25054.3.1.20 */
- CP_CIS_ICECAP_CONTENT_OID = 368, /* 1.3.6.1.4.1.25054.3.1.22 */
+ CP_CIS_MEDIUMHW_256_OID = 489, /* 1.3.6.1.4.1.25054.3.1.12 */
+ CP_CIS_MEDDEVHW_256_OID = 491, /* 1.3.6.1.4.1.25054.3.1.14 */
+ CP_CIS_ICECAP_HW_OID = 497, /* 1.3.6.1.4.1.25054.3.1.20 */
+ CP_CIS_ICECAP_CONTENT_OID = 499, /* 1.3.6.1.4.1.25054.3.1.22 */
 
 /* CertiPath Bridge OIDs */
- CP_CERTIPATH_MEDIUMHW_OID = 348, /* 1.3.6.1.4.1.24019.1.1.1.2 */
- CP_CERTIPATH_HIGHHW_OID = 349, /* 1.3.6.1.4.1.24019.1.1.1.3 */
- CP_CERTIPATH_ICECAP_HW_OID = 353, /* 1.3.6.1.4.1.24019.1.1.1.7 */
- CP_CERTIPATH_ICECAP_CONTENT_OID = 355, /* 1.3.6.1.4.1.24019.1.1.1.9 */
- CP_CERTIPATH_VAR_MEDIUMHW_OID = 364, /* 1.3.6.1.4.1.24019.1.1.1.18 */
- CP_CERTIPATH_VAR_HIGHHW_OID = 365, /* 1.3.6.1.4.1.24019.1.1.1.19 */
+ CP_CERTIPATH_MEDIUMHW_OID = 459, /* 1.3.6.1.4.1.24019.1.1.1.2 */
+ CP_CERTIPATH_HIGHHW_OID = 460, /* 1.3.6.1.4.1.24019.1.1.1.3 */
+ CP_CERTIPATH_ICECAP_HW_OID = 464, /* 1.3.6.1.4.1.24019.1.1.1.7 */
+ CP_CERTIPATH_ICECAP_CONTENT_OID = 466, /* 1.3.6.1.4.1.24019.1.1.1.9 */
+ CP_CERTIPATH_VAR_MEDIUMHW_OID = 475, /* 1.3.6.1.4.1.24019.1.1.1.18 */
+ CP_CERTIPATH_VAR_HIGHHW_OID = 476, /* 1.3.6.1.4.1.24019.1.1.1.19 */
 
 /* TSCP Bridge OIDs */
 CP_TSCP_MEDIUMHW_OID = 442, /* 1.3.6.1.4.1.38099.1.1.1.2 */
@@ -1573,9 +1566,9 @@ enum CertificatePolicy_Sum { CP_ADO_RESOURCE_MEDIUM_OID = 294, /* 1.2.36.1.334.1.2.2.2 */ /* Netherlands Ministry of Defence PKI OIDs */ - CP_NL_MOD_AUTH_OID = 1001, /* 2.16.528.1.1003.1.2.5.1 */ - CP_NL_MOD_IRREFUT_OID = 1002, /* 2.16.528.1.1003.1.2.5.2 */ - CP_NL_MOD_CONFID_OID = 1003, /* 2.16.528.1.1003.1.2.5.3 */ + CP_NL_MOD_AUTH_OID = 496, /* 2.16.528.1.1003.1.2.5.1 */ + CP_NL_MOD_IRREFUT_OID = 497, /* 2.16.528.1.1003.1.2.5.2 */ + CP_NL_MOD_CONFID_OID = 498, /* 2.16.528.1.1003.1.2.5.3 */ #endif /* WOLFSSL_FPKI */ WOLF_ENUM_DUMMY_LAST_ELEMENT(CertificatePolicy_Sum) }; From eb3b4751ac12de0f51d4a47d64ce7b17745bc000 Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 27 Mar 2025 11:49:34 -0700 Subject: [PATCH 6/9] Handle collisions in FPKI cert policy OID sums. --- wolfcrypt/src/asn.c | 157 ++++++++++++++++++++++++++++++++++++++-- wolfssl/wolfcrypt/asn.h | 44 +++++------ 2 files changed, 173 insertions(+), 28 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 506baf58b..af3636fd2 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
@@ -6603,6 +6603,145 @@ static int DumpOID(const byte* oidData, word32 oidSz, word32 oid,
 }
 #endif /* ASN_DUMP_OID */
 
+#ifdef WOLFSSL_FPKI
+/* Handles the large number of collisions from FPKI certificate policy
+ * OID sums. Returns a special value (100000 + actual sum) if a
+ * collision is detected.
+ * @param [in] oid Buffer holding OID.
+ * @param [in] oidSz Length of OID data in buffer.
+ * @param [in] oidSum The sum of the OID being passed in.
+ */
+static word32 fpkiCertPolOid(const byte* oid, word32 oidSz, word32 oidSum) {
+
+ switch (oidSum) {
+ case CP_FPKI_COMMON_DEVICES_HARDWARE_OID:
+ if ((word32)sizeof(extCertPolicyDodPeerInteropOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyDodPeerInteropOid,
+ sizeof(extCertPolicyDodPeerInteropOid)) == 0)
+ return CP_DOD_PEER_INTEROP_OID;
+ break;
+ case CP_FPKI_PIV_AUTH_HW_OID:
+ if ((word32)sizeof(extCertPolicyDodMediumNpe112Oid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyDodMediumNpe112Oid,
+ sizeof(extCertPolicyDodMediumNpe112Oid)) == 0)
+ return CP_DOD_MEDIUM_NPE_112_OID;
+ else if ((word32)sizeof(extCertPolicyStateMediumDeviceHardwareOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyStateMediumDeviceHardwareOid,
+ sizeof(extCertPolicyStateMediumDeviceHardwareOid)) == 0)
+ return CP_STATE_MEDDEVHW_OID;
+ break;
+ case CP_FPKI_PIVI_AUTH_OID:
+ if ((word32)sizeof(extCertPolicyDodMedium128Oid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyDodMedium128Oid,
+ sizeof(extCertPolicyDodMedium128Oid)) == 0)
+ return CP_DOD_MEDIUM_128_OID;
+ break;
+ case CP_FPKI_COMMON_PIVI_CONTENT_SIGNING_OID:
+ if ((word32)sizeof(extCertPolicyDodMediumHardware112Oid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyDodMediumHardware112Oid,
+ sizeof(extCertPolicyDodMediumHardware112Oid)) == 0)
+ return CP_DOD_MEDIUM_HARDWARE_112_OID;
+ if ((word32)sizeof(extCertPolicyCertipathHighhwOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyCertipathHighhwOid,
+ sizeof(extCertPolicyCertipathHighhwOid)) == 0)
+ return CP_CERTIPATH_HIGHHW_OID;
+ break;
+ case CP_DOD_MEDIUM_OID:
+ if ((word32)sizeof(extCertPolicyEcaMediumOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyEcaMediumOid,
+ sizeof(extCertPolicyEcaMediumOid)) == 0)
+ return CP_ECA_MEDIUM_OID;
+ break;
+ case CP_FPKI_COMMON_AUTH_OID:
+ if ((word32)sizeof(extCertPolicyEcaMediumSha256Oid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyEcaMediumSha256Oid,
+ sizeof(extCertPolicyEcaMediumSha256Oid)) == 0)
+ return CP_ECA_MEDIUM_SHA256_OID;
+ break;
+ case CP_FPKI_MEDIUM_HARDWARE_OID:
+ if ((word32)sizeof(extCertPolicyEcaMediumTokenOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyEcaMediumTokenOid,
+ sizeof(extCertPolicyEcaMediumTokenOid)) == 0)
+ return CP_ECA_MEDIUM_TOKEN_OID;
+ else if ((word32)sizeof(extCertPolicyTreasuryPiviHardwareOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyTreasuryPiviHardwareOid,
+ sizeof(extCertPolicyTreasuryPiviHardwareOid)) == 0)
+ return CP_TREAS_PIVI_HW_OID;
+ break;
+ case CP_DOD_MEDIUM_HARDWARE_OID:
+ if ((word32)sizeof(extCertPolicyEcaMediumTokenSha256Oid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyEcaMediumTokenSha256Oid,
+ sizeof(extCertPolicyEcaMediumTokenSha256Oid)) == 0)
+ return CP_ECA_MEDIUM_TOKEN_SHA256_OID;
+ else if ((word32)sizeof(extCertPolicyTreasuryPiviContentSigningOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyTreasuryPiviContentSigningOid,
+ sizeof(extCertPolicyTreasuryPiviContentSigningOid)) == 0)
+ return CP_TREAS_PIVI_CONTENT_OID;
+ break;
+ case CP_DOD_PIV_AUTH_OID:
+ if ((word32)sizeof(extCertPolicyEcaMediumHardwarePiviOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyEcaMediumHardwarePiviOid,
+ sizeof(extCertPolicyEcaMediumHardwarePiviOid)) == 0)
+ return CP_ECA_MEDIUM_HARDWARE_PIVI_OID;
+ else if ((word32)sizeof(extCertPolicyStateMedHwOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyStateMedHwOid,
+ sizeof(extCertPolicyStateMedHwOid)) == 0)
+ return CP_STATE_MEDHW_OID;
+ break;
+ case CP_FPKI_COMMON_HARDWARE_OID:
+ if ((word32)sizeof(extCertPolicyStateHighOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyStateHighOid,
+ sizeof(extCertPolicyStateHighOid)) == 0)
+ return CP_STATE_HIGH_OID;
+ else if ((word32)sizeof(extCertPolicyTreasuryHighOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyTreasuryHighOid,
+ sizeof(extCertPolicyTreasuryHighOid)) == 0)
+ return CP_TREAS_HIGH_OID;
+ break;
+ case CP_ECA_MEDIUM_HARDWARE_OID:
+ if ((word32)sizeof(extCertPolicyExostarMediumHardwareSha2Oid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyExostarMediumHardwareSha2Oid,
+ sizeof(extCertPolicyExostarMediumHardwareSha2Oid)) == 0)
+ return CP_EXOSTAR_MEDIUMHW_SHA2_OID;
+ break;
+ case CP_ADO_HIGH_OID:
+ if ((word32)sizeof(extCertPolicyAdoResourceMediumAssuranceOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyAdoResourceMediumAssuranceOid,
+ sizeof(extCertPolicyAdoResourceMediumAssuranceOid)) == 0)
+ return CP_ADO_RESOURCE_MEDIUM_OID;
+ break;
+ case CP_DOD_ADMIN_OID:
+ if ((word32)sizeof(extCertPolicyCarillonAivcontentOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyCarillonAivcontentOid,
+ sizeof(extCertPolicyCarillonAivcontentOid)) == 0)
+ return CP_CARILLON_AIVCONTENT_OID;
+ break;
+ case CP_CIS_ICECAP_HW_OID:
+ if ((word32)sizeof(extCertPolicyNlModIrrefutabilityOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyNlModIrrefutabilityOid,
+ sizeof(extCertPolicyNlModIrrefutabilityOid)) == 0)
+ return CP_NL_MOD_IRREFUT_OID;
+ break;
+ case CP_DOD_MEDIUM_192_OID:
+ if ((word32)sizeof(extCertPolicyCertipathMediumhwOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyCertipathMediumhwOid,
+ sizeof(extCertPolicyCertipathMediumhwOid)) == 0)
+ return CP_CERTIPATH_MEDIUMHW_OID;
+ break;
+ case CP_CARILLON_AIVHW_OID:
+ if ((word32)sizeof(extCertPolicyCertipathVarMediumhwOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyCertipathVarMediumhwOid,
+ sizeof(extCertPolicyCertipathVarMediumhwOid)) == 0)
+ return CP_CERTIPATH_VAR_MEDIUMHW_OID;
+ break;
+ default:
+ break;
+ }
+
+ return 0;
+}
+#endif + /* Get the OID data and verify it is of the type specified when compiled in. * * @param [in] input Buffer holding OID. @@ -6628,13 +6767,13 @@ static int GetOID(const byte* input, word32* inOutIdx, word32* oid, const byte* checkOid = NULL; word32 checkOidSz; #endif /* NO_VERIFY_OID */ -#if defined(HAVE_SPHINCS) +#if defined(HAVE_SPHINCS) || defined(WOLFSSL_FPKI) word32 found_collision = 0; #endif (void)oidType; *oid = 0; -#ifndef NO_VERIFY_OID +#if !defined(NO_VERIFY_OID) || defined(WOLFSSL_FPKI) /* Keep references to OID data and length for check. */ actualOid = &input[idx]; actualOidSz = (word32)length; @@ -6663,7 +6802,16 @@ static int GetOID(const byte* input, word32* inOutIdx, word32* oid, idx++; } -#ifdef HAVE_SPHINCS +#ifdef WOLFSSL_FPKI + /* Due to the large number of OIDs for FPKI certificate policy, there + are multiple collsisions. Handle them in a dedicated function, + if a collision is detected, the OID is adjusted. */ + if (oidType == oidCertPolicyType) { + found_collision = fpkiCertPolOid(actualOid, actualOidSz, *oid); + } +#endif + +#if defined(HAVE_SPHINCS) || defined(WOLFSSL_FPKI) if (found_collision) { *oid = found_collision; } @@ -6691,9 +6839,6 @@ static int GetOID(const byte* input, word32* inOutIdx, word32* oid, checkOid = blkAes256CbcOid; checkOidSz = sizeof(blkAes256CbcOid); } - if (oidType == oidCertPolicyType) { - checkOid = fpkiCertPolOid(*oid, &checkOidSz, actualOid, actualOidSz); - } #endif /* HAVE_AES_CBC */ #endif /* WOLFSSL_FPKI */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 3920d5faf..d303ab5c8 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
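Review bot: The new `#if !defined(NO_VERIFY_OID) || defined(WOLFSSL_FPKI)` guard assigns actualOid/actualOidSz in a NO_VERIFY_OID + WOLFSSL_FPKI build, but if those locals are declared in the `#ifndef NO_VERIFY_OID` block that the `#endif /* NO_VERIFY_OID */` context line closes (their declarations are outside this hunk), that configuration no longer compiles; the declarations need the same combined condition. The fpkiCertPolOid docblock is inaccurate — it returns enumerators, not "100000 + actual sum", asn.h also uses 101000 + sum for a second collision, and the comment added to GetOID misspells "collsisions" — so I would replace the docblock's second sentence with ` * @return Enumerator of the colliding policy (asn.h assigns it 100000 + sum, or 101000 + sum for a second collision on the same sum), or 0 when oidSum is not a known collision or the bytes differ.`. Every case repeats the same four-line sizeof/XMEMCMP test, several running past 80 columns; a small static helper keeps each case to one condition (sketch below). Because sums are only disambiguated for the pairs listed here, a test that parses certs/fpki-certpol-cert.der and asserts every policy maps to a distinct CertificatePolicy_Sum would catch the aliases this table misses and any introduced by future OIDs.
```c
/* True when oid/oidSz is byte-for-byte the expected encoded OID. */
static int fpkiOidMatches(const byte* oid, word32 oidSz,
                          const byte* expOid, word32 expOidSz)
{
    return oidSz == expOidSz && XMEMCMP(oid, expOid, expOidSz) == 0;
}
#define FPKI_OID_IS(oid, oidSz, exp) \
    fpkiOidMatches(oid, oidSz, exp, (word32)sizeof(exp))

static word32 fpkiCertPolOid(const byte* oid, word32 oidSz, word32 oidSum)
{
    switch (oidSum) {
        case CP_FPKI_COMMON_DEVICES_HARDWARE_OID:
            if (FPKI_OID_IS(oid, oidSz, extCertPolicyDodPeerInteropOid))
                return CP_DOD_PEER_INTEROP_OID;
            break;
        /* ... unchanged: remaining cases, rewritten the same way ... */
        default:
            break;
    }
    return 0;
}
```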
@@ -1449,14 +1449,14 @@ enum CertificatePolicy_Sum {
 CP_DOD_MEDIUM_2048_OID = 436, /* 2.16.840.1.101.2.1.11.18 */
 CP_DOD_MEDIUM_HARDWARE_2048_OID = 437, /* 2.16.840.1.101.2.1.11.19 */
 CP_DOD_PIV_AUTH_2048_OID = 438, /* 2.16.840.1.101.2.1.11.20 */
- CP_DOD_PEER_INTEROP_OID = 449, /* 2.16.840.1.101.2.1.11.31 */
- CP_DOD_MEDIUM_NPE_112_OID = 454, /* 2.16.840.1.101.2.1.11.36 */
+ CP_DOD_PEER_INTEROP_OID = 100449, /* 2.16.840.1.101.2.1.11.31 */
+ CP_DOD_MEDIUM_NPE_112_OID = 100454, /* 2.16.840.1.101.2.1.11.36 */
 CP_DOD_MEDIUM_NPE_128_OID = 455, /* 2.16.840.1.101.2.1.11.37 */
 CP_DOD_MEDIUM_NPE_192_OID = 456, /* 2.16.840.1.101.2.1.11.38 */
 CP_DOD_MEDIUM_112_OID = 457, /* 2.16.840.1.101.2.1.11.39 */
- CP_DOD_MEDIUM_128_OID = 458, /* 2.16.840.1.101.2.1.11.40 */
+ CP_DOD_MEDIUM_128_OID = 100458, /* 2.16.840.1.101.2.1.11.40 */
 CP_DOD_MEDIUM_192_OID = 459, /* 2.16.840.1.101.2.1.11.41 */
- CP_DOD_MEDIUM_HARDWARE_112_OID = 460, /* 2.16.840.1.101.2.1.11.42 */
+ CP_DOD_MEDIUM_HARDWARE_112_OID = 100460, /* 2.16.840.1.101.2.1.11.42 */
 CP_DOD_MEDIUM_HARDWARE_128_OID = 461, /* 2.16.840.1.101.2.1.11.43 */
 CP_DOD_MEDIUM_HARDWARE_192_OID = 462, /* 2.16.840.1.101.2.1.11.44 */
 CP_DOD_ADMIN_OID = 477, /* 2.16.840.1.101.2.1.11.59 */
@@ -1465,26 +1465,26 @@ enum CertificatePolicy_Sum { CP_DOD_INTERNAL_NPE_192_OID = 480, /* 2.16.840.1.101.2.1.11.62 */ /* ECA PKI OIDs */ - CP_ECA_MEDIUM_OID = 423, /* 2.16.840.1.101.3.2.1.12.1 */ + CP_ECA_MEDIUM_OID = 100423, /* 2.16.840.1.101.3.2.1.12.1 */ CP_ECA_MEDIUM_HARDWARE_OID = 424, /* 2.16.840.1.101.3.2.1.12.2 */ - CP_ECA_MEDIUM_TOKEN_OID = 425, /* 2.16.840.1.101.3.2.1.12.3 */ - CP_ECA_MEDIUM_SHA256_OID = 426, /* 2.16.840.1.101.3.2.1.12.4 */ - CP_ECA_MEDIUM_TOKEN_SHA256_OID = 427, /* 2.16.840.1.101.3.2.1.12.5 */ - CP_ECA_MEDIUM_HARDWARE_PIVI_OID = 428, /* 2.16.840.1.101.3.2.1.12.6 */ + CP_ECA_MEDIUM_TOKEN_OID = 100425, /* 2.16.840.1.101.3.2.1.12.3 */ + CP_ECA_MEDIUM_SHA256_OID = 100426, /* 2.16.840.1.101.3.2.1.12.4 */ + CP_ECA_MEDIUM_TOKEN_SHA256_OID = 100427, /* 2.16.840.1.101.3.2.1.12.5 */ + CP_ECA_MEDIUM_HARDWARE_PIVI_OID = 100428, /* 2.16.840.1.101.3.2.1.12.6 */ CP_ECA_CONTENT_SIGNING_PIVI_OID = 430, /* 2.16.840.1.101.3.2.1.12.8 */ CP_ECA_MEDIUM_DEVICE_SHA256_OID = 431, /* 2.16.840.1.101.3.2.1.12.9 */ CP_ECA_MEDIUM_HARDWARE_SHA256_OID = 432, /* 2.16.840.1.101.3.2.1.12.10 */ /* Department of State PKI OIDs */ - CP_STATE_HIGH_OID = 420, /* 2.16.840.1.101.3.2.1.6.4 */ - CP_STATE_MEDHW_OID = 428, /* 2.16.840.1.101.3.2.1.6.12 */ - CP_STATE_MEDDEVHW_OID = 454, /* 2.16.840.1.101.3.2.1.6.38 */ + CP_STATE_HIGH_OID = 100420, /* 2.16.840.1.101.3.2.1.6.4 */ + CP_STATE_MEDHW_OID = 101428, /* 2.16.840.1.101.3.2.1.6.12 */ + CP_STATE_MEDDEVHW_OID = 101454, /* 2.16.840.1.101.3.2.1.6.38 */ /* U.S. 
Treasury SSP PKI OIDs */ CP_TREAS_MEDIUMHW_OID = 419, /* 2.16.840.1.101.3.2.1.5.4 */ - CP_TREAS_HIGH_OID = 420, /* 2.16.840.1.101.3.2.1.5.5 */ - CP_TREAS_PIVI_HW_OID = 425, /* 2.16.840.1.101.3.2.1.5.10 */ - CP_TREAS_PIVI_CONTENT_OID = 427, /* 2.16.840.1.101.3.2.1.5.12 */ + CP_TREAS_HIGH_OID = 101420, /* 2.16.840.1.101.3.2.1.5.5 */ + CP_TREAS_PIVI_HW_OID = 101425, /* 2.16.840.1.101.3.2.1.5.10 */ + CP_TREAS_PIVI_CONTENT_OID = 101427, /* 2.16.840.1.101.3.2.1.5.12 */ /* Boeing PKI OIDs */ CP_BOEING_MEDIUMHW_SHA256_OID = 159, /* 1.3.6.1.4.1.73.15.3.1.12 */ @@ -1493,7 +1493,7 @@ enum CertificatePolicy_Sum { /* Carillon Federal Services OIDs */ CP_CARILLON_MEDIUMHW_256_OID = 467, /* 1.3.6.1.4.1.45606.3.1.12 */ CP_CARILLON_AIVHW_OID = 475, /* 1.3.6.1.4.1.45606.3.1.20 */ - CP_CARILLON_AIVCONTENT_OID = 477, /* 1.3.6.1.4.1.45606.3.1.22 */ + CP_CARILLON_AIVCONTENT_OID = 100477, /* 1.3.6.1.4.1.45606.3.1.22 */ /* Carillon Information Security OIDs */ CP_CIS_MEDIUMHW_256_OID = 489, /* 1.3.6.1.4.1.25054.3.1.12 */ @@ -1502,11 +1502,11 @@ enum CertificatePolicy_Sum { CP_CIS_ICECAP_CONTENT_OID = 499, /* 1.3.6.1.4.1.25054.3.1.22 */ /* CertiPath Bridge OIDs */ - CP_CERTIPATH_MEDIUMHW_OID = 459, /* 1.3.6.1.4.1.24019.1.1.1.2 */ - CP_CERTIPATH_HIGHHW_OID = 460, /* 1.3.6.1.4.1.24019.1.1.1.3 */ + CP_CERTIPATH_MEDIUMHW_OID = 100459, /* 1.3.6.1.4.1.24019.1.1.1.2 */ + CP_CERTIPATH_HIGHHW_OID = 101460, /* 1.3.6.1.4.1.24019.1.1.1.3 */ CP_CERTIPATH_ICECAP_HW_OID = 464, /* 1.3.6.1.4.1.24019.1.1.1.7 */ CP_CERTIPATH_ICECAP_CONTENT_OID = 466, /* 1.3.6.1.4.1.24019.1.1.1.9 */ - CP_CERTIPATH_VAR_MEDIUMHW_OID = 475, /* 1.3.6.1.4.1.24019.1.1.1.18 */ + CP_CERTIPATH_VAR_MEDIUMHW_OID = 100475, /* 1.3.6.1.4.1.24019.1.1.1.18 */ CP_CERTIPATH_VAR_HIGHHW_OID = 476, /* 1.3.6.1.4.1.24019.1.1.1.19 */ /* TSCP Bridge OIDs */ 
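Review bot: The 100000 + sum and 101000 + sum values introduced here (e.g. `CP_STATE_MEDHW_OID = 101428`, `CP_TREAS_HIGH_OID = 101420`) are a convention that only fpkiCertPolOid in asn.c knows about, and nothing in the header says these enumerators are no longer OID sums even though the enum is named CertificatePolicy_Sum. I would add, above the first such entry, `/* Values >= 100000 are not OID sums: 100000 + sum (or 101000 + sum for a second collision) marks policy OIDs whose sums collide; GetOID() resolves them via fpkiCertPolOid(). */`. The same applies to the other asn.h hunks of this commit.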
@@ -1529,7 +1529,7 @@ enum CertificatePolicy_Sum { CP_ENTRUST_NFSSP_MEDDEVHW_OID = 1031, /* 2.16.840.1.114027.200.3.10.7.16 */ /* Exostar LLC PKI OIDs */ - CP_EXOSTAR_MEDIUMHW_SHA2_OID = 424, /* 1.3.6.1.4.1.13948.1.1.1.6 */ + CP_EXOSTAR_MEDIUMHW_SHA2_OID = 100424, /* 1.3.6.1.4.1.13948.1.1.1.6 */ /* IdenTrust NFI OIDs */ CP_IDENTRUST_MEDIUMHW_SIGN_OID = 846, /* 2.16.840.1.113839.0.100.12.1 */ @@ -1563,11 +1563,11 @@ enum CertificatePolicy_Sum { /* Australian Defence Organisation PKI OIDs */ CP_ADO_MEDIUM_OID = 293, /* 1.2.36.1.334.1.2.1.2 */ CP_ADO_HIGH_OID = 294, /* 1.2.36.1.334.1.2.1.3 */ - CP_ADO_RESOURCE_MEDIUM_OID = 294, /* 1.2.36.1.334.1.2.2.2 */ + CP_ADO_RESOURCE_MEDIUM_OID = 100294, /* 1.2.36.1.334.1.2.2.2 */ /* Netherlands Ministry of Defence PKI OIDs */ CP_NL_MOD_AUTH_OID = 496, /* 2.16.528.1.1003.1.2.5.1 */ - CP_NL_MOD_IRREFUT_OID = 497, /* 2.16.528.1.1003.1.2.5.2 */ + CP_NL_MOD_IRREFUT_OID = 100497, /* 2.16.528.1.1003.1.2.5.2 */ CP_NL_MOD_CONFID_OID = 498, /* 2.16.528.1.1003.1.2.5.3 */ #endif /* WOLFSSL_FPKI */ WOLF_ENUM_DUMMY_LAST_ELEMENT(CertificatePolicy_Sum) From f313edb4cfa7227f1bd1bf4fa40bf51162ee2f15 Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 27 Mar 2025 12:13:57 -0700 Subject: [PATCH 7/9] Add a test certificate for all of the FPKI certificate policy OIDs. --- certs/fpki-certpol-cert.der | Bin 0 -> 2874 bytes certs/include.am | 1 + certs/renewcerts.sh | 14 ++++++++++++++ certs/renewcerts/wolfssl.cnf | 12 ++++++++++++ tests/api.c | 24 ++++++++++++++++++++++++ wolfcrypt/src/asn.c | 20 ++++++++++---------- 6 files changed, 61 insertions(+), 10 deletions(-) create mode 100644 certs/fpki-certpol-cert.der 
diff --git a/certs/fpki-certpol-cert.der b/certs/fpki-certpol-cert.der new file mode 100644 index 0000000000000000000000000000000000000000..f3fe08341769a6fb92fde97bae3d8c7c99133de6 GIT binary patch literal 2874 zcmXqL;x;pA;*wjy%*4pV#K>sC%f_kI=F#?@mywa1mBFBKiXpcFCmVAp3!5-gXt1Gx z0UwCN!NcyGpI4HYmk1MK=V5osuS(5L%rg`;;0LMU;^7EREHBB=FUc?zHV^~}ar1CF z=jRod=9FaSr5j2Zh=Bx|dHBoA%k|3hbJB{7bM%t)a}DJUWZ}->WE2y~%uCC6KvG~J zC(dhRYG7<+ZfI#>ZekK8&TC|DXk=srk`xx>XaDyDk&BNjr z;O$9?dz%=QkVBS{m4Ug5k)Oe!iIIz`iII`vz*LTh;f|jQbGKh|byR0eJ?6UZ(;gLr z9aGQg`(67c)3K*!{_hp(_5Wh#1eSj9I>r9nRKNe>-s%JTHLFuri2peiTfOUn;?p9% ze7&|CQ;Tn{kq+J&Z+~5qSJnSva&lldcZ&U5=N(IBVoWx#V_1-U^jkf5WJX2tvL1<* zOu6e1OET*15O{p-jKh}9#csx#?RiIbi!b~9;_lkwJ=OY(TmPm7^6U-S{4h6OW{-05 zMNZ~UkxK$QQx0ogSUAmV&%-NH(Z?4YIG9|)?_zFXG_Ao%dFsOQUBZ{97e9(sJ(eAVkC51%DAAH6i~{>=;iYp*jgGcqtPZepKi(8NB; zfQOAaR92XU)qt6ak-KK4WMHgm7Xsl-vXj|0s-16}2Hr>*qJgd^u z%oM9M3&RwXw8T_h^OV$NT|>hZ1KmV(GgDmygG7U5OT$#Nq%<>wCN?#YI}})&*klcw z*dz^j*tj4TF)=dpqVP0Oc$z3YT?1}5POv^EMs8MQ4kt2)3z;K`%n?H72qSYukU8?m z92I1aDl$h6nWK)((Lm;CB6GBmIoik^9b}F*GRFp)V~fnOLk=DuMid?s3Xd6u$AZFR zMd7ib@HkL-oG3glWF9k$nau1cay%$J)Cdzf)zMn*Oe7wqt#`V1*NpvDF_g3E*=E5v}xMO7?>s#pXp3yz}n6h=m7W{_Sm_rG6r zEfWVSmlKuCjmqT%C2FwV9z`ysBnRRN!Id^%6a-1ak{p5~&!vrabS_Bx|vl*FKA*B?IhbqTxAPuS~I9WstgbV~= z^%y6MAq%J-2dQFJKvir5BZGlFv@T#~<6>kHG61!NAe93%8z&R9J|nR68*-?z9oVtG&8n{jWpaUd6RHgWWEEx6x!DA{k(ohu fpki-certpol-req.pem + check_result $? "Step 1" + + openssl x509 -req -in fpki-certpol-req.pem -extfile wolfssl.cnf -extensions fpki_ext_certpol -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-certpol-cert.der -outform DER + check_result $? "Step 2" + rm fpki-certpol-req.pem + echo "End of section" + echo "---------------------------------------------------------------------" + ########################################################### ########## update and sign rid-cert.der ################ ########################################################### echo "Updating rid-cert.der" 
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf index e955ba59c..5738bf768 100644 --- a/certs/renewcerts/wolfssl.cnf +++ b/certs/renewcerts/wolfssl.cnf 
@@ -355,6 +355,18 @@ subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr policyConstraints = requireExplicitPolicy:0 2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt +[fpki_ext_certpol] +basicConstraints = CA:FALSE,pathlen:0 +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.4, 1.3.6.1.5.5.7.3.21 +subjectAltName = @FASC_UUID_altname +certificatePolicies = 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.40, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.2.1.11.5, 2.16.840.1.101.2.1.11.9, 2.16.840.1.101.2.1.11.10, 2.16.840.1.101.2.1.11.17, 2.16.840.1.101.2.1.11.18, 2.16.840.1.101.2.1.11.19, 2.16.840.1.101.2.1.11.20, 2.16.840.1.101.2.1.11.31, 2.16.840.1.101.2.1.11.36, 2.16.840.1.101.2.1.11.37, 2.16.840.1.101.2.1.11.38, 2.16.840.1.101.2.1.11.39, 2.16.840.1.101.2.1.11.40, 2.16.840.1.101.2.1.11.41, 2.16.840.1.101.2.1.11.42, 2.16.840.1.101.2.1.11.43, 2.16.840.1.101.2.1.11.44, 2.16.840.1.101.2.1.11.59, 2.16.840.1.101.2.1.11.60, 2.16.840.1.101.2.1.11.61, 2.16.840.1.101.2.1.11.62, 2.16.840.1.101.3.2.1.12.1, 2.16.840.1.101.3.2.1.12.2, 2.16.840.1.101.3.2.1.12.3, 2.16.840.1.101.3.2.1.12.4, 2.16.840.1.101.3.2.1.12.5, 2.16.840.1.101.3.2.1.12.6, 2.16.840.1.101.3.2.1.12.8, 2.16.840.1.101.3.2.1.12.9, 2.16.840.1.101.3.2.1.12.10, 2.16.840.1.101.3.2.1.3.4, 2.16.840.1.101.3.2.1.3.7, 2.16.840.1.101.3.2.1.3.12, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.16, 2.16.840.1.101.3.2.1.3.18, 2.16.840.1.101.3.2.1.3.20, 2.16.840.1.101.3.2.1.3.36, 2.16.840.1.101.3.2.1.3.38, 2.16.840.1.101.3.2.1.3.39, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.3.2.1.3.47, 2.16.840.1.101.3.2.1.6.4, 2.16.840.1.101.3.2.1.6.12, 2.16.840.1.101.3.2.1.6.38, 2.16.840.1.101.3.2.1.5.4, 2.16.840.1.101.3.2.1.5.5, 2.16.840.1.101.3.2.1.5.10, 2.16.840.1.101.3.2.1.5.12, 1.3.6.1.4.1.73.15.3.1.12, 1.3.6.1.4.1.73.15.3.1.17, 
1.3.6.1.4.1.45606.3.1.12, 1.3.6.1.4.1.45606.3.1.20, 1.3.6.1.4.1.45606.3.1.22, 1.3.6.1.4.1.25054.3.1.12, 1.3.6.1.4.1.25054.3.1.14, 1.3.6.1.4.1.25054.3.1.20, 1.3.6.1.4.1.25054.3.1.22, 1.3.6.1.4.1.24019.1.1.1.2, 1.3.6.1.4.1.24019.1.1.1.3, 1.3.6.1.4.1.24019.1.1.1.7, 1.3.6.1.4.1.24019.1.1.1.9, 1.3.6.1.4.1.24019.1.1.1.18, 1.3.6.1.4.1.24019.1.1.1.19, 1.3.6.1.4.1.38099.1.1.1.2, 1.3.6.1.4.1.38099.1.1.1.5, 1.3.6.1.4.1.38099.1.1.1.7, 2.16.840.1.113733.1.7.23.3.1.7, 2.16.840.1.113733.1.7.23.3.1.13, 2.16.840.1.113733.1.7.23.3.1.18, 2.16.840.1.113733.1.7.23.3.1.20, 2.16.840.1.113733.1.7.23.3.1.36, 2.16.840.1.114027.200.3.10.7.2, 2.16.840.1.114027.200.3.10.7.4, 2.16.840.1.114027.200.3.10.7.6, 2.16.840.1.114027.200.3.10.7.9, 2.16.840.1.114027.200.3.10.7.16, 1.3.6.1.4.1.13948.1.1.1.6, 2.16.840.1.113839.0.100.12.1, 2.16.840.1.113839.0.100.12.2, 2.16.840.1.113839.0.100.18.0, 2.16.840.1.113839.0.100.18.1, 2.16.840.1.113839.0.100.18.2, 2.16.840.1.113839.0.100.20.1, 1.3.6.1.4.1.103.100.1.1.3.3, 1.3.6.1.4.1.16334.509.2.8, 1.3.6.1.4.1.16334.509.2.9, 1.3.6.1.4.1.16334.509.2.11, 1.3.6.1.4.1.16334.509.2.14, 1.3.6.1.4.1.1569.10.1.12, 1.3.6.1.4.1.1569.10.1.18, 1.3.6.1.4.1.26769.10.1.12, 1.3.6.1.4.1.26769.10.1.18, 1.3.6.1.4.1.3922.1.1.1.12, 1.3.6.1.4.1.3922.1.1.1.18, 1.3.6.1.4.1.3922.1.1.1.20, 1.3.6.1.4.1.3922.1.1.1.38, 1.2.36.1.334.1.2.1.2, 1.2.36.1.334.1.2.1.3, 1.2.36.1.334.1.2.2.2, 2.16.528.1.1003.1.2.5.1, 2.16.528.1.1003.1.2.5.2, 2.16.528.1.1003.1.2.5.3 +subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr +policyConstraints = requireExplicitPolicy:0 +2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt + # using example UUID from RFC4122 [FASC_UUID_altname] otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:facts@wolfssl.com diff --git a/tests/api.c b/tests/api.c index 3d6ad8284..c0ebce887 100644 --- a/tests/api.c +++ b/tests/api.c 
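Review bot: The certificatePolicies list repeats 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.41 and 2.16.840.1.101.3.2.1.3.45 (once in the leading group, again in the Federal PKI group); RFC 5280 §4.2.1.4 says a policy OID MUST NOT appear more than once in the extension, so strict verifiers may reject the generated test certificate, and the repeats make the policy count in the DER file misleading for any test that checks it. Dropping the three repeats from the second group keeps every OID the certificate is meant to cover. The hunk starts on the previous line.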
@@ -4908,6 +4908,7 @@ static int test_wolfSSL_FPKI(void) #if defined(WOLFSSL_FPKI) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) XFILE f = XBADFILE; const char* fpkiCert = "./certs/fpki-cert.der"; + const char* fpkiCertPolCert = "./certs/fpki-certpol-cert.der"; DecodedCert cert; byte buf[4096]; byte* uuid = NULL; @@ -4934,6 +4935,29 @@ static int test_wolfSSL_FPKI(void) ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0); XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeDecodedCert(&cert); + + XMEMSET(buf, 0, 4096); + fascnSz = uuidSz = bytes = 0; + f = XBADFILE; + + ExpectTrue((f = XFOPEN(fpkiCertPolCert, "rb")) != XBADFILE); + ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); + if (f != XBADFILE) + XFCLOSE(f); + + wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL); + ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0); + ExpectIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E)); + ExpectNotNull(fascn = (byte*)XMALLOC(fascnSz, NULL, + DYNAMIC_TYPE_TMP_BUFFER)); + ExpectIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0); + XFREE(fascn, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + ExpectIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E)); + ExpectNotNull(uuid = (byte*)XMALLOC(uuidSz, NULL, DYNAMIC_TYPE_TMP_BUFFER)); + ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0); + XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER); + wc_FreeDecodedCert(&cert); #endif return EXPECT_RESULT(); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index af3636fd2..4c65ee4b8 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -5724,7 +5724,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extCertPolicyStateMediumDeviceHardwareOid; *oidSz = sizeof(extCertPolicyStateMediumDeviceHardwareOid); break; - + /* U.S. Treasury SSP PKI OIDs */ case CP_TREAS_MEDIUMHW_OID: oid = extCertPolicyTreasuryMediumHardwareOid; 
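Review bot: The new block in test_wolfSSL_FPKI parses fpki-certpol-cert.der but asserts only on FASC-N and UUID, which the existing fpki-cert.der block already covers, so the certificate policies this certificate was created for are never checked and the collision handling in GetOID is not exercised by the test. If the build exposes DecodedCert's extCertPolicies/extCertPoliciesNb (WOLFSSL_SEP or WOLFSSL_CERT_EXT), assert on the decoded count and on a few of the colliding OIDs; otherwise at least assert the parse result for a certificate whose policies are only the colliding OIDs. The block is also a verbatim copy of the one above it; a small static helper taking the certificate path would remove the duplication.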
@@ -5742,7 +5742,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extCertPolicyTreasuryPiviContentSigningOid; *oidSz = sizeof(extCertPolicyTreasuryPiviContentSigningOid); break; - + /* Boeing PKI OIDs */ case CP_BOEING_MEDIUMHW_SHA256_OID: oid = extCertPolicyBoeingMediumHardwareSha256Oid; @@ -5752,7 +5752,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extCertPolicyBoeingMediumHardwareContentSigningSha256Oid; *oidSz = sizeof(extCertPolicyBoeingMediumHardwareContentSigningSha256Oid); break; - + /* DigiCert NFI PKI OIDs */ case CP_DIGICERT_NFSSP_MEDIUMHW_OID: oid = extCertPolicyDigicertNfiMediumHardwareOid; @@ -5774,7 +5774,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extCertPolicyDigicertNfiMediumDevicesHardwareOid; *oidSz = sizeof(extCertPolicyDigicertNfiMediumDevicesHardwareOid); break; - + /* Entrust Managed Services NFI PKI OIDs */ case CP_ENTRUST_NFSSP_MEDIUMHW_OID: oid = extCertPolicyEntrustNfiMediumHardwareOid; @@ -5796,19 +5796,19 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extCertPolicyEntrustNfiMediumDevicesHwOid; *oidSz = sizeof(extCertPolicyEntrustNfiMediumDevicesHwOid); break; - + /* Exostar LLC PKI OIDs */ case CP_EXOSTAR_MEDIUMHW_SHA2_OID: oid = extCertPolicyExostarMediumHardwareSha2Oid; *oidSz = sizeof(extCertPolicyExostarMediumHardwareSha2Oid); break; - + /* Lockheed Martin PKI OIDs */ case CP_LOCKHEED_MEDIUMHW_OID: oid = extCertPolicyLockheedMediumAssuranceHardwareOid; *oidSz = sizeof(extCertPolicyLockheedMediumAssuranceHardwareOid); break; - + /* Northrop Grumman PKI OIDs */ case CP_NORTHROP_MEDIUM_256_HW_OID: oid = extCertPolicyNorthropMediumAssurance256HardwareTokenOid; 
@@ -5826,7 +5826,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extCertPolicyNorthropMediumAssurance384HardwareTokenOid; *oidSz = sizeof(extCertPolicyNorthropMediumAssurance384HardwareTokenOid); break; - + /* Raytheon PKI OIDs */ case CP_RAYTHEON_MEDIUMHW_OID: oid = extCertPolicyRaytheonMediumHardwareOid; @@ -5844,7 +5844,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extCertPolicyRaytheonSha2MediumDeviceHardwareOid; *oidSz = sizeof(extCertPolicyRaytheonSha2MediumDeviceHardwareOid); break; - + /* WidePoint NFI PKI OIDs */ case CP_WIDEPOINT_MEDIUMHW_OID: oid = extCertPolicyWidepointNfiMediumHardwareOid; @@ -5862,7 +5862,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extCertPolicyWidepointNfiMediumDevicesHardwareOid; *oidSz = sizeof(extCertPolicyWidepointNfiMediumDevicesHardwareOid); break; - + /* Australian Defence Organisation PKI OIDs */ case CP_ADO_MEDIUM_OID: oid = extCertPolicyAdoIndividualMediumAssuranceOid; From b803a03ddd102e98747f231b2d45836700915745 Mon Sep 17 00:00:00 2001 From: Kareem Date: Fri, 28 Mar 2025 12:41:52 -0700 Subject: [PATCH 8/9] Add support for ISRG domain validated certificate policy OID (used by Let's Encrypt). Fixes libspdm test failure. --- wolfcrypt/src/asn.c | 12 ++++++++++++ wolfssl/wolfcrypt/asn.h | 3 ++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 4c65ee4b8..e31d30582 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -4496,6 +4496,8 @@ static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2}; /* certPolicyType */ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; +static const byte extCertPolicyIsrgDomainValid[] = + {43, 6, 1, 4, 1, 130, 223, 19, 1, 1, 1}; #ifdef WOLFSSL_FPKI #define CERT_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 3, num} static const byte extCertPolicyFpkiHighAssuranceOid[] = 
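Review bot: `extCertPolicyIsrgDomainValid` is the only entry in the certPolicyType table without the `Oid` suffix its siblings use (`extCertPolicyAnyOid`, `extCertPolicyFpkiHighAssuranceOid`), and it carries no dotted-OID comment, so a reader cannot check the base-128 arcs without re-deriving them; the matching enumerator `CP_ISRG_DOMAIN_VALID` in the next hunk likewise lacks the `_OID` suffix of every neighbour. I would write `static const byte extCertPolicyIsrgDomainValidOid[] = /* 1.3.6.1.4.1.44947.1.1.1 */` and `CP_ISRG_DOMAIN_VALID_OID`, updating the two uses in the following hunks.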
@@ -5549,6 +5551,10 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyAnyOid;
 *oidSz = sizeof(extCertPolicyAnyOid);
 break;
+ case CP_ISRG_DOMAIN_VALID:
+ oid = extCertPolicyIsrgDomainValid;
+ *oidSz = sizeof(extCertPolicyIsrgDomainValid);
+ break;
 #if defined(WOLFSSL_FPKI)
 case CP_FPKI_HIGH_ASSURANCE_OID:
 oid = extCertPolicyFpkiHighAssuranceOid;
@@ -6734,6 +6740,12 @@ static word32 fpkiCertPolOid(const byte* oid, word32 oidSz, word32 oidSum) {
 sizeof(extCertPolicyCertipathVarMediumhwOid)) == 0)
 return CP_CERTIPATH_VAR_MEDIUMHW_OID;
 break;
+ case CP_ISRG_DOMAIN_VALID:
+ if ((word32)sizeof(extCertPolicyEcaContentSigningPiviOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyEcaContentSigningPiviOid,
+ sizeof(extCertPolicyEcaContentSigningPiviOid)) == 0)
+ return CP_ECA_CONTENT_SIGNING_PIVI_OID;
+ break;
 default:
 break;
 }
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index d303ab5c8..17804eb7d 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -1424,6 +1424,7 @@ enum Extensions_Sum {
 enum CertificatePolicy_Sum {
 CP_ANY_OID = 146, /* id-ce 32 0 */
+ CP_ISRG_DOMAIN_VALID = 430, /* 1.3.6.1.4.1.44947.1.1.1 */
 #ifdef WOLFSSL_FPKI
 /* Federal PKI OIDs */
 CP_FPKI_HIGH_ASSURANCE_OID = 417, /* 2.16.840.1.101.3.2.1.3.4 */
@@ -1471,7 +1472,7 @@ enum CertificatePolicy_Sum {
 CP_ECA_MEDIUM_SHA256_OID = 100426, /* 2.16.840.1.101.3.2.1.12.4 */
 CP_ECA_MEDIUM_TOKEN_SHA256_OID = 100427, /* 2.16.840.1.101.3.2.1.12.5 */
 CP_ECA_MEDIUM_HARDWARE_PIVI_OID = 100428, /* 2.16.840.1.101.3.2.1.12.6 */
- CP_ECA_CONTENT_SIGNING_PIVI_OID = 430, /* 2.16.840.1.101.3.2.1.12.8 */
+ CP_ECA_CONTENT_SIGNING_PIVI_OID = 100430, /* 2.16.840.1.101.3.2.1.12.8 */
 CP_ECA_MEDIUM_DEVICE_SHA256_OID = 431, /* 2.16.840.1.101.3.2.1.12.9 */
 CP_ECA_MEDIUM_HARDWARE_SHA256_OID = 432, /* 2.16.840.1.101.3.2.1.12.10 */
From 8e9a986e0ba3605cd4993fc02ec945150bd9cfcb Mon Sep 17 00:00:00 2001
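Review bot: In fpkiCertPolOid the new `case CP_ISRG_DOMAIN_VALID:` compares the bytes against extCertPolicyEcaContentSigningPiviOid and returns CP_ECA_CONTENT_SIGNING_PIVI_OID, which reads like a copy-paste error until one works out that the case is keyed on the raw byte sum and that both OIDs sum to 430 (the ISRG bytes in the earlier hunk add up to 430, and 2.16.840.1.101.3.2.1.12.8 encodes to 96+134+72+1+101+3+2+1+12+8 = 430), which is why the ECA constant is moved to 100430 in the asn.h hunk. A comment above the case would stop a future "fix" from re-breaking the disambiguation: `/* byte sum 430 is shared by ISRG domain-validated and ECA content signing PIVI; remap the ECA OID by exact bytes, otherwise the sum stands for ISRG */`. The same collision should be recorded next to `CP_ISRG_DOMAIN_VALID = 430` and `CP_ECA_CONTENT_SIGNING_PIVI_OID = 100430` in asn.h, where the 100xxx convention is otherwise unexplained. What the function returns when no byte match is found lies outside the hunk, so the "sum stands for ISRG" part is inferred from the preceding Certipath case and should be confirmed against the function tail.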
From: Kareem
Date: Mon, 31 Mar 2025 14:37:19 -0700
Subject: [PATCH 9/9] Add comment clarifying that DoD certificate policy OIDs are not currently being parsed in the code, they are just recognized as valid OIDs.
---
 wolfcrypt/src/asn.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index e31d30582..5e544d013 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -4875,6 +4875,11 @@ static const byte dcOid[] = {9, 146, 38, 137, 147, 242, 44, 100, 1, 25}; /* doma
 *
 * Use oidIgnoreType to autofail.
 *
+ * Note that while this function currently handles a large
+ * number of FPKI certificate policy OIDs, these OIDs are not
+ * currently being handled in the code, they are just recognized
+ * as valid OIDs.
+ *
 * @param [in] id OID id.
 * @param [in] type Type of OID (enum Oid_Types).
 * @param [out] oidSz Length of OID byte array returned.
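Review bot: The added comment contradicts itself and the commit subject: it says the function "handles" the certificate policy OIDs and then that they are "not currently being handled", and it names FPKI where the subject names DoD. Because this is the text a maintainer will read to decide whether certificate-policy checking exists in the library, it should state plainly what is and is not done, e.g. `* Note: the FPKI/DoD certificate policy OIDs below are only recognized as known OIDs so that they decode without error; no policy validation or enforcement is performed on them.` The enclosing doc comment and the function it documents both begin and end outside the hunk.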
