Add support for ISRG domain validated certificate policy OID (used by Let's Encrypt). Fixes libspdm test failure.

Kareem
2025-03-28 12:41:52 -07:00
parent f313edb4cf
commit b803a03ddd
2 changed files with 14 additions and 1 deletions


@@ -4496,6 +4496,8 @@ static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2};
/* certPolicyType */
static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
static const byte extCertPolicyIsrgDomainValid[] =
{43, 6, 1, 4, 1, 130, 223, 19, 1, 1, 1};
#ifdef WOLFSSL_FPKI
#define CERT_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 3, num}
static const byte extCertPolicyFpkiHighAssuranceOid[] =
@@ -5549,6 +5551,10 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyAnyOid;
*oidSz = sizeof(extCertPolicyAnyOid);
break;
case CP_ISRG_DOMAIN_VALID:
oid = extCertPolicyIsrgDomainValid;
*oidSz = sizeof(extCertPolicyIsrgDomainValid);
break;
#if defined(WOLFSSL_FPKI)
case CP_FPKI_HIGH_ASSURANCE_OID:
oid = extCertPolicyFpkiHighAssuranceOid;
@@ -6734,6 +6740,12 @@ static word32 fpkiCertPolOid(const byte* oid, word32 oidSz, word32 oidSum) {
sizeof(extCertPolicyCertipathVarMediumhwOid)) == 0)
return CP_CERTIPATH_VAR_MEDIUMHW_OID;
break;
case CP_ISRG_DOMAIN_VALID:
if ((word32)sizeof(extCertPolicyEcaContentSigningPiviOid) == (word32)oidSz &&
XMEMCMP(oid, extCertPolicyEcaContentSigningPiviOid,
sizeof(extCertPolicyEcaContentSigningPiviOid)) == 0)
return CP_ECA_CONTENT_SIGNING_PIVI_OID;
break;
default:
break;
}
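Review bot: In the fpkiCertPolOid hunk the new `case CP_ISRG_DOMAIN_VALID:` byte-compares only against `extCertPolicyEcaContentSigningPiviOid`, and no comparison against `extCertPolicyIsrgDomainValid` is visible. A policy OID that merely sums to 430 and is not the ECA OID therefore presumably leaves this function still identified as CP_ISRG_DOMAIN_VALID; if no caller matches the full bytes, an exact length-and-XMEMCMP check for the ISRG OID belongs here too. The label and body also read like a copy-paste slip, so a comment such as `/* sum 430 is shared by the ISRG DV and ECA content-signing PIVI OIDs; an exact match selects the ECA id */` would make the intent clear. The switch header and the function's return path lie outside the hunk, and the function looks FPKI-only, in which case non-FPKI builds would rely on the sum alone.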


@@ -1424,6 +1424,7 @@ enum Extensions_Sum {
enum CertificatePolicy_Sum {
CP_ANY_OID = 146, /* id-ce 32 0 */
CP_ISRG_DOMAIN_VALID = 430, /* 1.3.6.1.4.1.44947.1.1.1 */
#ifdef WOLFSSL_FPKI
/* Federal PKI OIDs */
CP_FPKI_HIGH_ASSURANCE_OID = 417, /* 2.16.840.1.101.3.2.1.3.4 */
@@ -1471,7 +1472,7 @@ enum CertificatePolicy_Sum {
CP_ECA_MEDIUM_SHA256_OID = 100426, /* 2.16.840.1.101.3.2.1.12.4 */
CP_ECA_MEDIUM_TOKEN_SHA256_OID = 100427, /* 2.16.840.1.101.3.2.1.12.5 */
CP_ECA_MEDIUM_HARDWARE_PIVI_OID = 100428, /* 2.16.840.1.101.3.2.1.12.6 */
CP_ECA_CONTENT_SIGNING_PIVI_OID = 430, /* 2.16.840.1.101.3.2.1.12.8 */
CP_ECA_CONTENT_SIGNING_PIVI_OID = 100430, /* 2.16.840.1.101.3.2.1.12.8 */
CP_ECA_MEDIUM_DEVICE_SHA256_OID = 431, /* 2.16.840.1.101.3.2.1.12.9 */
CP_ECA_MEDIUM_HARDWARE_SHA256_OID = 432, /* 2.16.840.1.101.3.2.1.12.10 */
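Review bot: The new value in `CP_ECA_CONTENT_SIGNING_PIVI_OID = 100430` is no longer the byte sum of 2.16.840.1.101.3.2.1.12.8, which is 430 and is now taken by `CP_ISRG_DOMAIN_VALID`, but the trailing comment does not say so. Extend it, for example `/* 2.16.840.1.101.3.2.1.12.8; byte sum 430 collides with CP_ISRG_DOMAIN_VALID, remapped */`. Any code that compares a computed sum directly with this constant would stop matching after the change, so users of it outside the visible hunks are worth checking.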