From b803a03ddd102e98747f231b2d45836700915745 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Fri, 28 Mar 2025 12:41:52 -0700
Subject: [PATCH] Add support for ISRG domain validated certificate policy OID (used by Let's Encrypt). Fixes libspdm test failure.

---
 wolfcrypt/src/asn.c | 12 ++++++++++++
 wolfssl/wolfcrypt/asn.h | 3 ++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 4c65ee4b8..e31d30582 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -4496,6 +4496,8 @@ static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2};
 /* certPolicyType */
 static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
+static const byte extCertPolicyIsrgDomainValid[] =
+ {43, 6, 1, 4, 1, 130, 223, 19, 1, 1, 1};
 #ifdef WOLFSSL_FPKI
 #define CERT_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 3, num}
 static const byte extCertPolicyFpkiHighAssuranceOid[] =
@@ -5549,6 +5551,10 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyAnyOid;
 *oidSz = sizeof(extCertPolicyAnyOid);
 break;
+ case CP_ISRG_DOMAIN_VALID:
+ oid = extCertPolicyIsrgDomainValid;
+ *oidSz = sizeof(extCertPolicyIsrgDomainValid);
+ break;
 #if defined(WOLFSSL_FPKI)
 case CP_FPKI_HIGH_ASSURANCE_OID:
 oid = extCertPolicyFpkiHighAssuranceOid;
@@ -6734,6 +6740,12 @@ static word32 fpkiCertPolOid(const byte* oid, word32 oidSz, word32 oidSum) {
 sizeof(extCertPolicyCertipathVarMediumhwOid)) == 0)
 return CP_CERTIPATH_VAR_MEDIUMHW_OID;
 break;
+ case CP_ISRG_DOMAIN_VALID:
+ if ((word32)sizeof(extCertPolicyEcaContentSigningPiviOid) == (word32)oidSz &&
+ XMEMCMP(oid, extCertPolicyEcaContentSigningPiviOid,
+ sizeof(extCertPolicyEcaContentSigningPiviOid)) == 0)
+ return CP_ECA_CONTENT_SIGNING_PIVI_OID;
+ break;
 default:
 break;
 }
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index d303ab5c8..17804eb7d 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
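Review bot: The new table `extCertPolicyIsrgDomainValid` in the first asn.c hunk drops the `Oid` suffix that every neighbouring policy table carries (`extCertPolicyAnyOid`, `extCertPolicyFpkiHighAssuranceOid`), so renaming it `extCertPolicyIsrgDomainValidOid` here and in the two `OidFromId` lines keeps the tables consistent and greppable by suffix. The byte array also deserves the dotted form beside it, `/* 1.3.6.1.4.1.44947.1.1.1 (ISRG Domain Validated) */`, so a reader can check that `130, 223, 19` is the base-128 encoding of 44947 without recomputing it. The enum in asn.h carries the dotted OID already; the byte table is where the encoding can silently go wrong.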
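Review bot: The new `case CP_ISRG_DOMAIN_VALID` in fpkiCertPolOid compares the bytes against `extCertPolicyEcaContentSigningPiviOid` and returns `CP_ECA_CONTENT_SIGNING_PIVI_OID`, which reads as a copy-paste error until one works out that both OIDs have byte sum 430 and the ECA id was moved to 100430 in asn.h for exactly that reason; since a wrong resolution here would silently give a certificate a different policy identity, the intent needs a comment. Suggest `/* sum 430 is shared by the ISRG DV OID and the ECA content-signing PIVI OID; a byte match selects the renumbered ECA id, otherwise the sum (CP_ISRG_DOMAIN_VALID) stands */`. The "otherwise" half depends on what the function returns after the switch, which lies outside the hunk and should be confirmed against its tail. If fpkiCertPolOid is not itself compiled only under WOLFSSL_FPKI, this case also references FPKI-only identifiers while the matching `OidFromId` case was deliberately placed before `#if defined(WOLFSSL_FPKI)`; the function's own guard is outside the hunk, so this is worth a build check without WOLFSSL_FPKI.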
@@ -1424,6 +1424,7 @@ enum Extensions_Sum {
 enum CertificatePolicy_Sum {
 CP_ANY_OID = 146, /* id-ce 32 0 */
+ CP_ISRG_DOMAIN_VALID = 430, /* 1.3.6.1.4.1.44947.1.1.1 */
 #ifdef WOLFSSL_FPKI
 /* Federal PKI OIDs */
 CP_FPKI_HIGH_ASSURANCE_OID = 417, /* 2.16.840.1.101.3.2.1.3.4 */
@@ -1471,7 +1472,7 @@ enum CertificatePolicy_Sum {
 CP_ECA_MEDIUM_SHA256_OID = 100426, /* 2.16.840.1.101.3.2.1.12.4 */
 CP_ECA_MEDIUM_TOKEN_SHA256_OID = 100427, /* 2.16.840.1.101.3.2.1.12.5 */
 CP_ECA_MEDIUM_HARDWARE_PIVI_OID = 100428, /* 2.16.840.1.101.3.2.1.12.6 */
- CP_ECA_CONTENT_SIGNING_PIVI_OID = 430, /* 2.16.840.1.101.3.2.1.12.8 */
+ CP_ECA_CONTENT_SIGNING_PIVI_OID = 100430, /* 2.16.840.1.101.3.2.1.12.8 */
 CP_ECA_MEDIUM_DEVICE_SHA256_OID = 431, /* 2.16.840.1.101.3.2.1.12.9 */
 CP_ECA_MEDIUM_HARDWARE_SHA256_OID = 432, /* 2.16.840.1.101.3.2.1.12.10 */
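Review bot: The renumbering of `CP_ECA_CONTENT_SIGNING_PIVI_OID` from 430 to 100430 is not explained at the definition; its comment stays the bare dotted OID, so a reader cannot tell why this entry, unlike `CP_ECA_MEDIUM_DEVICE_SHA256_OID = 431` directly below it, no longer equals its byte sum. Suggest `/* 2.16.840.1.101.3.2.1.12.8; sum 430 collides with CP_ISRG_DOMAIN_VALID, resolved by byte compare in fpkiCertPolOid */`, and the mirror note on `CP_ISRG_DOMAIN_VALID = 430` in the first hunk of this file. Without that cross-reference the next OID whose bytes sum to 430 will be added the same way the ECA value originally was, and the collision will only surface as a duplicate-case build error or, worse, a mis-resolved policy.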