diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index 8a735f690..6c5efb25f 100644
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -278,7 +278,7 @@ keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
 extendedKeyUsage=serverAuth
 nsCertType=server
-# server-ecc extensions
+# client-ecc extensions
 [ client_ecc ]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always
diff --git a/certs/test/cert-ext-ia.der b/certs/test/cert-ext-ia.der
index 1893b5cd1..9ece2e7be 100644
Binary files a/certs/test/cert-ext-ia.der and b/certs/test/cert-ext-ia.der differ
diff --git a/certs/test/cert-ext-ia.pem b/certs/test/cert-ext-ia.pem
new file mode 100644
index 000000000..29c0df39d
--- /dev/null
+++ b/certs/test/cert-ext-ia.pem
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBTCCAu2gAwIBAgIUA89RcLeZzk3/nwjVthGOpD1o1C0wDQYJKoZIhvcNAQEL +BQAwgaAxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH +DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu +ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0BCQEW +FHN1cHBvcnRAd29sZnNzc2wuY29tMB4XDTIxMTAwNjEyMjYwNFoXDTI0MDcwMjEy +MjYwNFowgaAxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYD +VQQHDAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0Vu +Z2luZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0B +CQEWFHN1cHBvcnRAd29sZnNzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAwJUI4VdB8nFtt9JFQScBZcZFrvK8JDC4lc4vTtb2HIi8fJ/7qGd/ +/lycUXX3isoH5zUvj+G9e8AvfKtkqBf8yl17uuAh5XIuby6G2JVz2qwbU7lfP9cZ +DSVP4WNjUYsLZD+tQ7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEuuBDjxsxA +tGmjRjNph27Euxem8+jdrXO8ey8htf1mUQy9VLPhbV8cvCNz0QkDiRTSELlkwyrQ +oZZKvOHUGlvHoMDBY3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0sGlCQgnp +2Ai8MyCzWCKnquvE4eZhg8XSlt/Z0E+t1wIDAQABozUwMzANBgNVHTYBAf8EAwIB +ATAiBglghkgBhvhCAQ0EFRYTVGVzdGluZyBpbmhpYml0IGFueTANBgkqhkiG9w0B +AQsFAAOCAQEAt+GCSAzHQ4rIf9jrmImZU9gP0vmqKr4BKqHpnJSYcAp094MPUFgT +6L5q7qY2umH3DERkiduAqJBFjH8dDcso5d9G6EZNOZ5dn8fquVCjL611dJCqD4wN +L2EGfdP/AMSi/ze7k9QRXDj2NdcR4WE/EXNiQYWV+bdEQKujgkEcVUPS4CI00GRW +WNsVGjA2lSFv8x+jTEmwr56m76B0wAeHrKFjQ8qoxnJtVxx2baMdzF9Gd+JSMwk4 +ew06RsGpCoxaoPwoYwj624ZRumAyCtqppB1A8VQYZ6Zs1M76gWrIkm3qSypm2VT/ +hyvumoY7uJWA3evI2RDNFrlgzI/hnJ/ymA== +-----END CERTIFICATE----- diff --git a/certs/test/cert-ext-joi.der b/certs/test/cert-ext-joi.der index ec32d755b..90458025a 100644 Binary files a/certs/test/cert-ext-joi.der and b/certs/test/cert-ext-joi.der differ diff --git a/certs/test/cert-ext-joi.pem b/certs/test/cert-ext-joi.pem new file mode 100644 index 000000000..9faf68fc9 --- /dev/null +++ b/certs/test/cert-ext-joi.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFXDCCBESgAwIBAgIUew7lLcN3cnN8wi3WWIgFLwDnp7owDQYJKoZIhvcNAQEL +BQAwgccxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv +bGZzc3NsLmNvbTETMBEGCysGAQQBgjc8AgEDEwJVUzEbMBkGCysGAQQBgjc8AgEC +DApDYWxpZm9ybmlhMB4XDTIxMTAwNjEyMjYwNFoXDTI0MDcwMjEyMjYwNFowgccx +CzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFu +MREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UE +AwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3Ns +LmNvbTETMBEGCysGAQQBgjc8AgEDEwJVUzEbMBkGCysGAQQBgjc8AgECDApDYWxp +Zm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRC +W804H0ryTXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3J +cncy6sqQu2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2n +onqNOCkcrMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4 +fcnlwtfaQG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1 +oGP1Vi+jJtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zY +KLNLve02eQIDAQABo4IBPDCCATgwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w +5ejVMIIBBwYDVR0jBIH/MIH8gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBzaSByjCB +xzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt +YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYD +VQQDDA93d3cud29sZnNzbC5jb20xIDAeBgkqhkiG9w0BCQEWEWluZm9Ad29sZnNz +c2wuY29tMRMwEQYLKwYBBAGCNzwCAQMTAlVTMRswGQYLKwYBBAGCNzwCAQIMCkNh +bGlmb3JuaWGCFHsO5S3Dd3JzfMIt1liIBS8A56e6MAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBAJV/akWWtWlplTSMz1YDUMZAYB8DoTGtC34cB2ZJ+i41 +j8vkviPCExIaNyXvEPHsbreaQrkx8PfyPXPzmTa1UbIpZF1UpvIidjpl0QFog0tu +3I+gmpX1XJAgDgWxy9NUUFCfMhIEzBztabz10OKmAZHRTNeQMb/8HB6W8D/dbqH8 +BIomaeXUGqPrY4QTBXAqTRDieGYk1lfex3faani4oxf1jtvIrYiRnCbXLHQRV7ql +Jz1Ws9/UOSp9Uw32ZnD5WCLNAopzwq9QydQ4/SmhoFhi00vBpaht7POuCqHH/F5K +mMaZcgJ8ZpQVG1pvZ054icOSnN1EABocFzxGoIvh3jo= +-----END CERTIFICATE----- 
diff --git a/certs/test/cert-ext-multiple.cfg b/certs/test/cert-ext-multiple.cfg
new file mode 100644
index 000000000..94fb7adc4
--- /dev/null
+++ b/certs/test/cert-ext-multiple.cfg
@@ -0,0 +1,24 @@
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+C = AU
+ST = Queensland
+L = Brisbane
+O = wolfSSL Inc
+OU = Engineering
+CN = www.wolfssl.com
+emailAddress = support@wolfsssl.com
+postalCode = 56-131
+street = Main St
+
+[ v3_ca ]
+nsCertType = server
+crlDistributionPoints = URI:http://www.wolfssl.com/crl.pem
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+
diff --git a/certs/test/cert-ext-multiple.der b/certs/test/cert-ext-multiple.der
new file mode 100644
index 000000000..6fb01c2fd
Binary files /dev/null and b/certs/test/cert-ext-multiple.der differ
diff --git a/certs/test/cert-ext-multiple.pem b/certs/test/cert-ext-multiple.pem
new file mode 100644
index 000000000..bb7e71ab3
--- /dev/null
+++ b/certs/test/cert-ext-multiple.pem
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFmzCCBIOgAwIBAgIUXBMehhk3xIm8q5A8IA6Su/5KcFQwDQYJKoZIhvcNAQEL +BQAwgcMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH +DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu +ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0BCQEW +FHN1cHBvcnRAd29sZnNzc2wuY29tMQ8wDQYDVQQRDAY1Ni0xMzExEDAOBgNVBAkM +B01haW4gU3QwHhcNMjExMDA2MTIyNjA0WhcNMjQwNzAyMTIyNjA0WjCBwzELMAkG +A1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNVBAcMCEJyaXNiYW5l +MRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAW +BgNVBAMMD3d3dy53b2xmc3NsLmNvbTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEB3 +b2xmc3NzbC5jb20xDzANBgNVBBEMBjU2LTEzMTEQMA4GA1UECQwHTWFpbiBTdDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL8Myi0Ush6EQlvNOB9K8k11 +EPG2NZ/fyn0DmNOs3gNm7irx2LB9bgdUCxCYIU2AyxIg58xP3kV9yXJ3MurKkLtp +UhADL6jzlcXxi2JWG+9nb6QQQZWtCpvjpcCw0nB2UDBbqOgILHztp6J6jTgpHKzH +7fJ8lbCVgn1JXDjNdyXvvYB1U5Q8PcpjW58VtdMdEy8Z0TzbdjrMuH3J5cLX2kBv +2CHccxtCLVOc/hr8fat6Nj+Y3oR8BWfOahQ4h6nxjLVoy2h/cSAr9aBj9VYvoybS +t2+xWhfXOJkI/pNYb/7DE0kIFgunTWcAUjFnI06Y7VFFHbkE2Qvs2CizS73tNnkC +AwEAAaOCAYMwggF/MBEGCWCGSAGG+EIBAQQEAwIGQDAvBgNVHR8EKDAmMCSgIqAg +hh5odHRwOi8vd3d3LndvbGZzc2wuY29tL2NybC5wZW0wEwYDVR0lBAwwCgYIKwYB +BQUHAwEwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejVMIIBAwYDVR0jBIH7 +MIH4gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGByaSBxjCBwzELMAkGA1UEBhMCQVUx +EzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNVBAcMCEJyaXNiYW5lMRQwEgYDVQQK +DAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMMD3d3 +dy53b2xmc3NsLmNvbTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEB3b2xmc3NzbC5j +b20xDzANBgNVBBEMBjU2LTEzMTEQMA4GA1UECQwHTWFpbiBTdIIUXBMehhk3xIm8 +q5A8IA6Su/5KcFQwDQYJKoZIhvcNAQELBQADggEBAClFWcqt8yjuaNoHoB5ugpRi +t44U1y1/twWFuVdhzGiIex/FeUXY1LFT7HkBscyLQLVPk+4HxnM2gSSm/TSH17n4 +u4hSr1nWM34VhOonwIm1eyN8aQmYTSLU2ukoU9tRYwHGHD2zphFW1laWalpsEx4o +Bv0HHlOLLJMyqzWrY927R2sd4U/c09LVMkXe1ZqpglAgMqUvDe+nrlCdGgOqUEdm +Ed1Cr5pwPxorpYz39HHkNa4XVRLk/BwtXAFUW/XpGtbUNciHsujnrRL8ZzV/PipY 
+EgFOi3ZEt8T3I8AtWIG99Nve7YCfsjgmN3XJrKUWVv47KooXq167arPVCOPOMBA= +-----END CERTIFICATE----- diff --git a/certs/test/cert-ext-nc.der b/certs/test/cert-ext-nc.der index a390dbfd3..2819f6f68 100644 Binary files a/certs/test/cert-ext-nc.der and b/certs/test/cert-ext-nc.der differ diff --git a/certs/test/cert-ext-nc.pem b/certs/test/cert-ext-nc.pem new file mode 100644 index 000000000..90b26ac8b --- /dev/null +++ b/certs/test/cert-ext-nc.pem 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEgTCCA2mgAwIBAgIUTT801Rb2AUDHoZhAiituiPxyJgUwDQYJKoZIhvcNAQEL +BQAwgaAxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH +DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu +ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0BCQEW +FHN1cHBvcnRAd29sZnNzc2wuY29tMB4XDTIxMTAwNjEyMjYwNFoXDTI0MDcwMjEy +MjYwNFowgaAxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYD +VQQHDAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0Vu +Z2luZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0B +CQEWFHN1cHBvcnRAd29sZnNzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAwJUI4VdB8nFtt9JFQScBZcZFrvK8JDC4lc4vTtb2HIi8fJ/7qGd/ +/lycUXX3isoH5zUvj+G9e8AvfKtkqBf8yl17uuAh5XIuby6G2JVz2qwbU7lfP9cZ +DSVP4WNjUYsLZD+tQ7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEuuBDjxsxA +tGmjRjNph27Euxem8+jdrXO8ey8htf1mUQy9VLPhbV8cvCNz0QkDiRTSELlkwyrQ +oZZKvOHUGlvHoMDBY3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0sGlCQgnp +2Ai8MyCzWCKnquvE4eZhg8XSlt/Z0E+t1wIDAQABo4GwMIGtMB0GA1UdDgQWBBSz +ETLJkpiE4sn40DtuA0LKHw6OPDAfBgNVHSMEGDAWgBSzETLJkpiE4sn40DtuA0LK +Hw6OPDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAeBgNVHR4B +Af8EFDASoBAwDoEMLndvbGZzc2wuY29tMCcGCWCGSAGG+EIBDQQaFhhUZXN0aW5n +IG5hbWUgY29uc3RyYWludHMwDQYJKoZIhvcNAQELBQADggEBACiFWGDK333MJVsU +vtpTWoY76P/T6IdY03IM/1/tcDyRVjiHl2m031Cz1D8q1d3i+zzLxxz/Gzw+L2uh +RYuQDTC2kDLFVpN/7CIVSkAmrG2C2lm0gWYeBgVUp8XJSXl7LA04npGf7isN5Ut4 +cMefVc64m9amM2iFCU/MNjVDzw8nt7V4uJygFVc9DXijoC/ZBl+ZEmCUDFMm5q6g +6ZJ5x2c5CmfhbvkltpZsHtNexpMn/OlxBy6mQtox1X9Xkatd0ReOGUBMxKMWnwfa +gNRCaFxsv/22ZdY49OsH3OKwHcFAyCMLEVqzSZFZX7a8LJHGQOy3Y3YG56t3EaJd +b35YGGg= +-----END CERTIFICATE----- diff --git a/certs/test/cert-ext-nct.der b/certs/test/cert-ext-nct.der index fb6ddacee..43851bb17 100644 Binary files a/certs/test/cert-ext-nct.der and b/certs/test/cert-ext-nct.der differ diff --git a/certs/test/cert-ext-nct.pem b/certs/test/cert-ext-nct.pem new file mode 100644 index 000000000..355548016 --- /dev/null 
+++ b/certs/test/cert-ext-nct.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEGjCCAwKgAwIBAgIUAk4+yIZ3S7BdgUTUopeUVK7oAgAwDQYJKoZIhvcNAQEL +BQAwgaAxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH +DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu +ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0BCQEW +FHN1cHBvcnRAd29sZnNzc2wuY29tMB4XDTIxMTAwNjEyMjYwNFoXDTI0MDcwMjEy +MjYwNFowgaAxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYD +VQQHDAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0Vu +Z2luZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIzAhBgkqhkiG9w0B +CQEWFHN1cHBvcnRAd29sZnNzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAwJUI4VdB8nFtt9JFQScBZcZFrvK8JDC4lc4vTtb2HIi8fJ/7qGd/ +/lycUXX3isoH5zUvj+G9e8AvfKtkqBf8yl17uuAh5XIuby6G2JVz2qwbU7lfP9cZ +DSVP4WNjUYsLZD+tQ7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEuuBDjxsxA +tGmjRjNph27Euxem8+jdrXO8ey8htf1mUQy9VLPhbV8cvCNz0QkDiRTSELlkwyrQ +oZZKvOHUGlvHoMDBY3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0sGlCQgnp +2Ai8MyCzWCKnquvE4eZhg8XSlt/Z0E+t1wIDAQABo0owSDAUBglghkgBhvhCAQEB +Af8EBAMCBkAwMAYJYIZIAYb4QgENBCMWIVRlc3RpbmcgTmV0c2NhcGUgQ2VydGlm +aWNhdGUgVHlwZTANBgkqhkiG9w0BAQsFAAOCAQEAgo2UG9wBBhmnTzf8k/dJ529S +AlK8hC+2QM1zzxcD58Z7R/8NaStMMgJI0UdCeibxJOkhRfjCIlqWQ1dCBNvMPf2Y +nXZmZ1vSkVDoRFqQDwjKi383Dz2+zQTir7Ewa0OKhevhVfdqwJYZHKNsHVVCSIXf +8PzF5quPTUfqUBBX/KfBr6uSpqKdNyXW1FE57HHyyY3m1fctof2KdqnEVrDixbe7 +piCXf+w2MOdxla0hOjiRuaBMoaEwseiBcXKnhTxv3TTHpADAViqYm42JjbZk+oXH +0R+oP0GrCjI/IMWL5l9VFV9IDVkBTrJAYaAdBDxdkhxlzdZx+zi2O4WGjt2CUQ== +-----END CERTIFICATE----- diff --git a/certs/test/cert-ext-ndir-exc.der b/certs/test/cert-ext-ndir-exc.der index 25507a9d5..1ef41bc32 100644 Binary files a/certs/test/cert-ext-ndir-exc.der and b/certs/test/cert-ext-ndir-exc.der differ diff --git a/certs/test/cert-ext-ndir-exc.pem b/certs/test/cert-ext-ndir-exc.pem new file mode 100644 index 000000000..73abfdfac --- /dev/null +++ b/certs/test/cert-ext-ndir-exc.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE/TCCA+WgAwIBAgIUDyeuOpJhkA5iuOA+yt9w0Pxh8KYwDQYJKoZIhvcNAQEL +BQAwgZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv +bGZzc3NsLmNvbTAeFw0yMTEwMDYxMjI2MDRaFw0yNDA3MDIxMjI2MDRaMIGVMQsw +CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjER +MA8GA1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMM +D3d3dy53b2xmc3NsLmNvbTEgMB4GCSqGSIb3DQEJARYRaW5mb0B3b2xmc3NzbC5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/DMotFLIehEJbzTgf +SvJNdRDxtjWf38p9A5jTrN4DZu4q8diwfW4HVAsQmCFNgMsSIOfMT95FfclydzLq +ypC7aVIQAy+o85XF8YtiVhvvZ2+kEEGVrQqb46XAsNJwdlAwW6joCCx87aeieo04 +KRysx+3yfJWwlYJ9SVw4zXcl772AdVOUPD3KY1ufFbXTHRMvGdE823Y6zLh9yeXC +19pAb9gh3HMbQi1TnP4a/H2rejY/mN6EfAVnzmoUOIep8Yy1aMtof3EgK/WgY/VW +L6Mm0rdvsVoX1ziZCP6TWG/+wxNJCBYLp01nAFIxZyNOmO1RRR25BNkL7Ngos0u9 +7TZ5AgMBAAGjggFBMIIBPTAdBgNVHQ4EFgQUJ45nEXTDJh0/7TNjs6TYHTDl6NUw +gdUGA1UdIwSBzTCByoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZukgZgwgZUxCzAJ +BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw +DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP +d3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3NsLmNv +bYIUDyeuOpJhkA5iuOA+yt9w0Pxh8KYwDAYDVR0TBAUwAwEB/zA2BgNVHR4BAf8E +LDAqoSgwJqQkMCIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMA0G +CSqGSIb3DQEBCwUAA4IBAQBgGzWKEdxe7BftJBBBVUOXd8FCFwwgvX2gx1egOFun +PfUliAz68lHUc9qh6d5NPjB4YgOBHnKs03Za1eBkRkIPTU5AyFbu2GQHkgJl6abt +YY2IiKQ+FCoZ7HCYo+VQKjvtKTbyExLSxWFZONBJQ2Ac1wyBLhTpZnxfMugWy9u8 +mllvwQd6h+3Lkd3mVaVpyvoVQGGBzt/Ny/PwmfX+AwWsTJKhocE8xTvGmKexed5E +M4IAKJffmFBCd+pELRYRqQL6oVxclbsAPDLH+BXFKl1DNyoqTFSJSa/m/U9aBILZ +M6V63k8RPzbyHOw5GXM5j1ulItdwQ1fEEKPMu2o2u1dp +-----END CERTIFICATE----- 
diff --git a/certs/test/cert-ext-ndir.der b/certs/test/cert-ext-ndir.der
index a2549860c..0a5b35e44 100644
Binary files a/certs/test/cert-ext-ndir.der and b/certs/test/cert-ext-ndir.der differ
diff --git a/certs/test/cert-ext-ndir.pem b/certs/test/cert-ext-ndir.pem
new file mode 100644
index 000000000..d7b8716bc
--- /dev/null
+++ b/certs/test/cert-ext-ndir.pem
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE6DCCA9CgAwIBAgIUf/jV/P1olEjAao7TEGdZx5xTD/EwDQYJKoZIhvcNAQEL +BQAwgZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv +bGZzc3NsLmNvbTAeFw0yMTEwMDYxMjI2MDRaFw0yNDA3MDIxMjI2MDRaMIGVMQsw +CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjER +MA8GA1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMM +D3d3dy53b2xmc3NsLmNvbTEgMB4GCSqGSIb3DQEJARYRaW5mb0B3b2xmc3NzbC5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/DMotFLIehEJbzTgf +SvJNdRDxtjWf38p9A5jTrN4DZu4q8diwfW4HVAsQmCFNgMsSIOfMT95FfclydzLq +ypC7aVIQAy+o85XF8YtiVhvvZ2+kEEGVrQqb46XAsNJwdlAwW6joCCx87aeieo04 +KRysx+3yfJWwlYJ9SVw4zXcl772AdVOUPD3KY1ufFbXTHRMvGdE823Y6zLh9yeXC +19pAb9gh3HMbQi1TnP4a/H2rejY/mN6EfAVnzmoUOIep8Yy1aMtof3EgK/WgY/VW +L6Mm0rdvsVoX1ziZCP6TWG/+wxNJCBYLp01nAFIxZyNOmO1RRR25BNkL7Ngos0u9 +7TZ5AgMBAAGjggEsMIIBKDAdBgNVHQ4EFgQUJ45nEXTDJh0/7TNjs6TYHTDl6NUw +gdUGA1UdIwSBzTCByoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZukgZgwgZUxCzAJ +BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw +DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP +d3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3NsLmNv +bYIUf/jV/P1olEjAao7TEGdZx5xTD/EwDAYDVR0TBAUwAwEB/zAhBgNVHR4BAf8E +FzAVoBMwEaQPMA0xCzAJBgNVBAYTAlVTMA0GCSqGSIb3DQEBCwUAA4IBAQBnnFq7 +5O1NpE3jttFAtEdGUXhwIzuxwDCJ4SNyUGnFww06NE7mRpvN22vzqi/UwlViuCbE +Sl9MkBD2FEYM/raKyHiO1ZFne4FTzqjuQMsvng9vdHknPpBEKcpOrjxGSWJWRtXM +xFVTD2vg7jBsgOHSWyfhKQDk3ibDzHSS7/7gdOLxWs7rbKpnHDx5P2oCeOEqVikF +WqrBy8RMdGrTBw/NkAwNdLwPwWXGqD4rFltlZl3mxrcsgKeAsoHiaIqKm8F/gYx5 ++xP1bgNnnJHRv3Pu0wQ+Y5JXIaRm42CBUBa34KvSDeC/xk5nMhUPadenIwizQCXW +LHrK/Ja95/QKWbPa +-----END CERTIFICATE----- diff --git a/certs/test/gen-ext-certs.sh b/certs/test/gen-ext-certs.sh index aa77314b0..320973501 100755 --- a/certs/test/gen-ext-certs.sh +++ b/certs/test/gen-ext-certs.sh 
@@ -5,20 +5,22 @@ TMP="/tmp/`basename $0`" KEY=certs/server-key.der gen_cert() { openssl req -x509 -keyform DER -key $KEY \ - -days 1000 -new -outform DER -out $OUT -config $CONFIG \ + -days 1000 -new -outform DER -out $OUT.der -config $CONFIG \ >$TMP 2>&1 - if [ "$?" = "0" -a -f $OUT ]; then + if [ "$?" = "0" -a -f $OUT.der ]; then echo "Created: $OUT" else cat $TMP echo "Failed: $OUT" fi + openssl x509 -in $OUT.der -inform DER -outform PEM > $OUT.pem + rm $TMP } -OUT=certs/test/cert-ext-nc.der +OUT=certs/test/cert-ext-nc KEYFILE=certs/test/cert-ext-nc-key.der CONFIG=certs/test/cert-ext-nc.cfg tee >$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <$CONFIG <sig.buffer, x509->heap, DYNAMIC_TYPE_SIGNATURE); x509->sig.buffer = NULL; #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) - XFREE(x509->authKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); + if (x509->authKeyIdSrc != NULL) { + XFREE(x509->authKeyIdSrc, x509->heap, DYNAMIC_TYPE_X509_EXT); + } + else { + XFREE(x509->authKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); + } + x509->authKeyIdSrc = NULL; x509->authKeyId = NULL; XFREE(x509->subjKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); x509->subjKeyId = NULL; @@ -3903,6 +3909,10 @@ void FreeX509(WOLFSSL_X509* x509) XFREE(x509->authInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); x509->authInfo = NULL; } + if (x509->rawCRLInfo != NULL) { + XFREE(x509->rawCRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); + x509->rawCRLInfo = NULL; + } if (x509->CRLInfo != NULL) { XFREE(x509->CRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); x509->CRLInfo = NULL; 
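Review bot: The new `openssl x509 -in $OUT.der -inform DER -outform PEM > $OUT.pem` line at the end of gen_cert runs unconditionally and its exit status is never checked, so when the DER generation just above it fails the script still writes an empty $OUT.pem and the only hint is the "Failed:" message scrolling past. Move the conversion into the success path and test it, e.g. `if [ "$?" = "0" -a -f $OUT.der ] && openssl x509 -in $OUT.der -inform DER -outform PEM > $OUT.pem; then`, leaving `rm $TMP` after the branch as it is now. The later part of this hunk (the heredoc config blocks) is garbled in this rendering, so I cannot review it.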
@@ -10649,6 +10659,17 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 x509->CRLdistSet = dCert->extCRLdistSet;
 x509->CRLdistCrit = dCert->extCRLdistCrit;
+ if (dCert->extCrlInfoRaw != NULL && dCert->extCrlInfoRawSz > 0) {
+ x509->rawCRLInfo = (byte*)XMALLOC(dCert->extCrlInfoRawSz, x509->heap,
+ DYNAMIC_TYPE_X509_EXT);
+ if (x509->rawCRLInfo != NULL) {
+ XMEMCPY(x509->rawCRLInfo, dCert->extCrlInfoRaw, dCert->extCrlInfoRawSz);
+ x509->rawCRLInfoSz = dCert->extCrlInfoRawSz;
+ }
+ else {
+ ret = MEMORY_E;
+ }
+ }
 if (dCert->extCrlInfo != NULL && dCert->extCrlInfoSz > 0) {
 x509->CRLInfo = (byte*)XMALLOC(dCert->extCrlInfoSz, x509->heap,
 DYNAMIC_TYPE_X509_EXT);
@@ -10694,12 +10715,24 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 x509->authKeyIdSet = dCert->extAuthKeyIdSet;
 x509->authKeyIdCrit = dCert->extAuthKeyIdCrit;
 if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) {
- x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, x509->heap,
- DYNAMIC_TYPE_X509_EXT);
- if (x509->authKeyId != NULL) {
- XMEMCPY(x509->authKeyId,
- dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz);
- x509->authKeyIdSz = dCert->extAuthKeyIdSz;
+ if (dCert->extRawAuthKeyIdSrc != NULL &&
+ dCert->extAuthKeyIdSrc > dCert->extRawAuthKeyIdSrc &&
+ dCert->extAuthKeyIdSrc <
+ (dCert->extRawAuthKeyIdSrc + dCert->extRawAuthKeyIdSz)) {
+ /* Confirmed: extAuthKeyIdSrc points inside extRawAuthKeyIdSrc */
+ x509->authKeyIdSrc = (byte*)XMALLOC(dCert->extRawAuthKeyIdSz,
+ x509->heap, DYNAMIC_TYPE_X509_EXT);
+ if (x509->authKeyIdSrc != NULL) {
+ XMEMCPY(x509->authKeyIdSrc, dCert->extRawAuthKeyIdSrc,
+ dCert->extRawAuthKeyIdSz);
+ x509->authKeyIdSrcSz = dCert->extRawAuthKeyIdSz;
+ /* Set authKeyId to same offset inside authKeyIdSrc */
+ x509->authKeyId = x509->authKeyIdSrc +
+ (dCert->extAuthKeyIdSrc - dCert->extRawAuthKeyIdSrc);
+ x509->authKeyIdSz = dCert->extAuthKeyIdSz;
+ }
+ else
+ ret = MEMORY_E;
 }
 else
 ret = MEMORY_E;
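Review bot: In the authority-key-id hunk (@@ -10694) the new inner `if` replaces the old key-id copy outright, so as the hunk reads a decoded cert with `extAuthKeyIdSrc` set but `extRawAuthKeyIdSrc` NULL (or failing the containment test) now lands in the shared `else` and returns MEMORY_E with `authKeyId` never populated; unless every parser path that sets extAuthKeyIdSrc also sets extRawAuthKeyIdSrc, a valid certificate is reported as an allocation failure. Keep the old key-id-only copy as the fallback branch and reserve MEMORY_E for a failed XMALLOC. The containment test also bounds only the start of the key id, so `authKeyId + authKeyIdSz` can still run past the copied buffer; compare the end as well. Relational comparison of pointers into distinct objects is undefined in C, so a decoder-supplied offset would be a cleaner signal than comparing the two pointers when they are unrelated. The enclosing `if` closes outside the hunk.
```c
    if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) {
        if (dCert->extRawAuthKeyIdSrc != NULL &&
            dCert->extAuthKeyIdSrc > dCert->extRawAuthKeyIdSrc &&
            dCert->extAuthKeyIdSrc + dCert->extAuthKeyIdSz <=
                (dCert->extRawAuthKeyIdSrc + dCert->extRawAuthKeyIdSz)) {
            /* … unchanged: copy of extRawAuthKeyIdSrc into authKeyIdSrc … */
        }
        else {
            /* Raw extension unavailable: fall back to copying the key id only. */
            x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, x509->heap,
                                             DYNAMIC_TYPE_X509_EXT);
            if (x509->authKeyId != NULL) {
                XMEMCPY(x509->authKeyId, dCert->extAuthKeyIdSrc,
                        dCert->extAuthKeyIdSz);
                x509->authKeyIdSz = dCert->extAuthKeyIdSz;
            }
            else
                ret = MEMORY_E;
        }
```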
@@ -10725,6 +10758,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 if (x509->extKeyUsageSrc != NULL) {
 XMEMCPY(x509->extKeyUsageSrc, dCert->extExtKeyUsageSrc,
 dCert->extExtKeyUsageSz);
+ x509->extKeyUsage = dCert->extExtKeyUsage;
 x509->extKeyUsageSz = dCert->extExtKeyUsageSz;
 x509->extKeyUsageCrit = dCert->extExtKeyUsageCrit;
 x509->extKeyUsageCount = dCert->extExtKeyUsageCount;
@@ -10733,6 +10767,9 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 ret = MEMORY_E;
 }
 }
+ #ifndef IGNORE_NETSCAPE_CERT_TYPE
+ x509->nsCertType = dCert->nsCertType;
+ #endif
 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
 x509->certPolicySet = dCert->extCertPolicySet;
 x509->certPolicyCrit = dCert->extCertPolicyCrit;
diff --git a/src/ssl.c b/src/ssl.c
index b6f8872e8..eae102b9e 100644
--- a/src/ssl.c
+++ b/src/ssl.c
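Review bot: The `x509->nsCertType = dCert->nsCertType;` copy in the second hunk (@@ -10733) is wrapped in `#ifndef IGNORE_NETSCAPE_CERT_TYPE`, but the matching `cert->nsCertType = x509->nsCertType;` added to the X509-to-Cert path in ssl.c (hunk @@ -41906) carries no such guard. If the struct fields are declared under the same condition (their declarations are not visible here) a build with IGNORE_NETSCAPE_CERT_TYPE fails in ssl.c; if they are unconditional, the guard here is merely inconsistent. Either way the two sites should use the same `#ifndef IGNORE_NETSCAPE_CERT_TYPE` / `#endif` pair.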
@@ -8839,58 +8839,24 @@ unsigned int wolfSSL_X509_get_key_usage(WOLFSSL_X509* x509)
 unsigned int wolfSSL_X509_get_extended_key_usage(WOLFSSL_X509* x509)
 {
 int ret = 0;
- int rc;
- word32 idx = 0;
- word32 oid;
 WOLFSSL_ENTER("wolfSSL_X509_get_extended_key_usage");
- if (x509 == NULL) {
- WOLFSSL_MSG("x509 is NULL");
- }
- else if (x509->extKeyUsageSrc != NULL) {
- while (idx < x509->extKeyUsageSz) {
- rc = GetObjectId(x509->extKeyUsageSrc, &idx, &oid,
- oidCertKeyUseType, x509->extKeyUsageSz);
- if (rc == ASN_UNKNOWN_OID_E) {
- continue;
- }
- else if (rc < 0) {
- WOLFSSL_MSG("GetObjectId failed");
- ret = -1;
- break;
- }
-
- switch (oid) {
- case EKU_ANY_OID:
- ret |= XKU_ANYEKU;
- break;
- case EKU_SERVER_AUTH_OID:
- ret |= XKU_SSL_SERVER;
- break;
- case EKU_CLIENT_AUTH_OID:
- ret |= XKU_SSL_CLIENT;
- break;
- case EKU_CODESIGNING_OID:
- ret |= XKU_CODE_SIGN;
- break;
- case EKU_EMAILPROTECT_OID:
- ret |= XKU_SMIME;
- break;
- case EKU_TIMESTAMP_OID:
- ret |= XKU_TIMESTAMP;
- break;
- case EKU_OCSP_SIGN_OID:
- ret |= XKU_OCSP_SIGN;
- break;
- default:
- break;
- }
- }
- }
- else {
- WOLFSSL_MSG("x509->extKeyUsageSrc is NULL");
- ret = -1;
+ if (x509 != NULL) {
+ if (x509->extKeyUsage & EXTKEYUSE_OCSP_SIGN)
+ ret |= XKU_OCSP_SIGN;
+ if (x509->extKeyUsage & EXTKEYUSE_TIMESTAMP)
+ ret |= XKU_TIMESTAMP;
+ if (x509->extKeyUsage & EXTKEYUSE_EMAILPROT)
+ ret |= XKU_SMIME;
+ if (x509->extKeyUsage & EXTKEYUSE_CODESIGN)
+ ret |= XKU_CODE_SIGN;
+ if (x509->extKeyUsage & EXTKEYUSE_CLIENT_AUTH)
+ ret |= XKU_SSL_CLIENT;
+ if (x509->extKeyUsage & EXTKEYUSE_SERVER_AUTH)
+ ret |= XKU_SSL_SERVER;
+ if (x509->extKeyUsage & EXTKEYUSE_ANY)
+ ret |= XKU_ANYEKU;
 }
 WOLFSSL_LEAVE("wolfSSL_X509_get_extended_key_usage", ret);
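Review bot: The rewritten body changes the function's contract without documenting it: the removed code returned -1 (UINT_MAX through the unsigned return type) for a NULL x509 or one without an extendedKeyUsage source, while the new body returns 0 in both cases, so callers can no longer tell "no extension" from "extension present with no recognised purpose". The new result also depends on `x509->extKeyUsage` having been filled from `dCert->extExtKeyUsage` in CopyDecodedToX509 (internal.c hunk @@ -10725), so an X509 populated by another path will report 0 as well. State this in the function's header comment, e.g. `/* Returns the XKU_* bit mask of the certificate's extendedKeyUsage; 0 when x509 is NULL or no recognised purpose is set (earlier versions returned -1 here). */`, and call the dropped -1 return out in the changelog.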
@@ -9792,6 +9758,13 @@ int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int lo
 switch (ext->obj->type) {
 case NID_authority_key_identifier:
+ if (x509->authKeyIdSrc != NULL) {
+ /* If authKeyId points into authKeyIdSrc then free it and
+ * revert to old functionality */
+ XFREE(x509->authKeyIdSrc, x509->heap, DYNAMIC_TYPE_X509_EXT);
+ x509->authKeyIdSrc = NULL;
+ x509->authKeyId = NULL;
+ }
 if (asn1_string_copy_to_buffer(&ext->value, &x509->authKeyId,
 &x509->authKeyIdSz, x509->heap) != WOLFSSL_SUCCESS) {
 WOLFSSL_MSG("asn1_string_copy_to_buffer error");
@@ -31420,6 +31393,8 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
 { NID_localityName, NID_localityName, oidCertNameType, "L", "localityName"},
 { NID_stateOrProvinceName, NID_stateOrProvinceName, oidCertNameType, "ST",
 "stateOrProvinceName"},
+ { NID_streetAddress, NID_streetAddress, oidCertNameType, "street",
+ "streetAddress"},
 { NID_organizationName, NID_organizationName, oidCertNameType, "O",
 "organizationName"},
 { NID_organizationalUnitName, NID_organizationalUnitName, oidCertNameType,
@@ -31436,6 +31411,7 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
 "jurisdictionCountryName"},
 { NID_jurisdictionStateOrProvinceName, NID_jurisdictionStateOrProvinceName,
 oidCertNameType, "jurisdictionST", "jurisdictionStateOrProvinceName"},
+ { NID_postalCode, NID_postalCode, oidCertNameType, "postalCode", "postalCode"},
 #ifdef WOLFSSL_CERT_REQ
 { NID_pkcs9_challengePassword, CHALLENGE_PASSWORD_OID,
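Review bot: The new cleanup in the NID_authority_key_identifier case frees `authKeyIdSrc` and clears both pointers but leaves `x509->authKeyIdSrcSz` at its old value, so the object now describes a freed buffer with a non-zero size; the X509-to-Cert path in ssl.c only tests the pointer, but any reader that trusts the size would be wrong. Add `x509->authKeyIdSrcSz = 0;` beside `x509->authKeyIdSrc = NULL;`. The comment would also be more useful if it said why the buffer must go, e.g. `/* authKeyId aliases authKeyIdSrc; drop the raw copy so the value supplied below owns its own buffer */`.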
@@ -41881,11 +41857,21 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 return WOLFSSL_FAILURE;
 }
- if (x509->authKeyIdSz < CTC_MAX_AKID_SIZE) {
+ if (x509->authKeyIdSz < sizeof(cert->akid)) {
+ #ifndef WOLFSSL_ASN_TEMPLATE
+ /* Not supported with WOLFSSL_ASN_TEMPLATE at the moment. */
+ if (x509->authKeyIdSrc) {
+ XMEMCPY(cert->akid, x509->authKeyIdSrc, x509->authKeyIdSrcSz);
+ cert->akidSz = (int)x509->authKeyIdSrcSz;
+ cert->rawAkid = 1;
+ }
+ else
+ #endif
 if (x509->authKeyId) {
 XMEMCPY(cert->akid, x509->authKeyId, x509->authKeyIdSz);
+ cert->akidSz = (int)x509->authKeyIdSz;
+ cert->rawAkid = 0;
 }
- cert->akidSz = (int)x509->authKeyIdSz;
 }
 else {
 WOLFSSL_MSG("Auth Key ID too large");
@@ -41906,6 +41892,17 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 cert->certPoliciesNb = (word16)x509->certPoliciesNb;
 cert->keyUsage = x509->keyUsage;
+ cert->extKeyUsage = x509->extKeyUsage;
+ cert->nsCertType = x509->nsCertType;
+
+ if (x509->rawCRLInfo != NULL) {
+ if (x509->rawCRLInfoSz > CTC_MAX_CRLINFO_SZ) {
+ WOLFSSL_MSG("CRL Info too large");
+ return WOLFSSL_FAILURE;
+ }
+ XMEMCPY(cert->crlInfo, x509->rawCRLInfo, x509->rawCRLInfoSz);
+ cert->crlInfoSz = x509->rawCRLInfoSz;
+ }
 #endif /* WOLFSSL_CERT_EXT */
 #ifdef WOLFSSL_CERT_REQ
@@ -42445,12 +42442,14 @@ static int ConvertNIDToWolfSSL(int nid)
 case NID_countryName: return ASN_COUNTRY_NAME;
 case NID_localityName: return ASN_LOCALITY_NAME;
 case NID_stateOrProvinceName: return ASN_STATE_NAME;
+ case NID_streetAddress: return ASN_STREET_ADDR;
 case NID_organizationName: return ASN_ORG_NAME;
 case NID_organizationalUnitName: return ASN_ORGUNIT_NAME;
 case NID_emailAddress: return ASN_EMAIL_NAME;
 case NID_serialNumber: return ASN_SERIAL_NUMBER;
 case NID_businessCategory: return ASN_BUS_CAT;
 case NID_domainComponent: return ASN_DOMAIN_COMPONENT;
+ case NID_postalCode: return ASN_POSTAL_CODE;
 default:
 WOLFSSL_MSG("Attribute NID not found");
 return -1;
diff --git a/tests/api.c b/tests/api.c
index 43f2ca73e..3d0eec56e 100644
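Review bot: In the first hunk the `#ifndef WOLFSSL_ASN_TEMPLATE` branch copies `x509->authKeyIdSrcSz` bytes into `cert->akid`, but the only bound on that path is the enclosing `if (x509->authKeyIdSz < sizeof(cert->akid))`, which limits the key identifier, not the raw extension; a raw AuthorityKeyIdentifier generated with `issuer:always` (as cert-ext-multiple.cfg in this commit does) also carries the issuer name and serial, so `authKeyIdSrcSz` can exceed `sizeof(cert->akid)` and the XMEMCPY overruns the fixed-size array. Guard the branch on its own length before the copy: `if (x509->authKeyIdSrcSz > sizeof(cert->akid)) { WOLFSSL_MSG("Auth Key ID too large"); return WOLFSSL_FAILURE; }`. For consistency with this hunk's move from CTC_MAX_AKID_SIZE to `sizeof(cert->akid)`, the CRL block in the next hunk could compare against `sizeof(cert->crlInfo)` rather than CTC_MAX_CRLINFO_SZ, assuming crlInfo is an array of that size. The enclosing function starts and ends outside these hunks.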
--- a/tests/api.c
+++ b/tests/api.c
@@ -343,8 +343,11 @@
 #endif
 #if (defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN)) || \
- defined(HAVE_SESSION_TICKET)
- /* for testing SSL_get_peer_cert_chain, or SESSION_TICKET_HINT_DEFAULT */
+ defined(HAVE_SESSION_TICKET) || (defined(OPENSSL_EXTRA) && \
+ defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) && \
+ !defined(WOLFSSL_ASN_TEMPLATE))
+ /* for testing SSL_get_peer_cert_chain, or SESSION_TICKET_HINT_DEFAULT,
+ * or for setting authKeyIdSrc in WOLFSSL_X509 */
 #include "wolfssl/internal.h"
 #endif
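Review bot: The four-term condition added to the `#if` that pulls in `wolfssl/internal.h` has to be kept in sync by hand with whatever guards the test that assigns `authKeyIdSrc` (not visible in this hunk); when the two drift the test either fails to compile or silently stops running. Define the combination once as a single feature macro (any project-style name) and use it both here and around the test, so the include and the code that needs it cannot disagree. The comment could also name the test it serves so a later reader knows which test to check before relaxing this guard.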
@@ -35677,140 +35680,208 @@ static void test_wolfSSL_X509_sign2(void) time_t t; const unsigned char expected[] = { - 0x30, 0x82, 0x04, 0x25, 0x30, 0x82, 0x03, 0x0D, - 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, - 0xF1, 0x5C, 0x99, 0x43, 0x66, 0x3D, 0x96, 0x04, - 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, - 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, - 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, - 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, - 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, - 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, - 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, - 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, - 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, - 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61, - 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, - 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, - 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, - 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, - 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, - 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, - 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, - 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, - 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x1E, - 0x17, 0x0D, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, - 0x32, 0x30, 0x33, 0x30, 0x30, 0x30, 0x5A, 0x17, - 0x0D, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, - 0x30, 0x33, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x81, - 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, - 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, - 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, - 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, - 0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, - 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, - 0x66, 0x53, 0x53, 0x4C, 0x5F, 0x32, 0x30, 0x34, - 0x38, 0x31, 0x19, 0x30, 0x17, 
0x06, 0x03, 0x55, - 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, - 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, - 0x32, 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, - 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, - 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, - 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, - 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, - 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, - 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, - 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, - 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, - 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, - 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, - 0xC3, 0x03, 0xD1, 0x2B, 0xFE, 0x39, 0xA4, 0x32, - 0x45, 0x3B, 0x53, 0xC8, 0x84, 0x2B, 0x2A, 0x7C, - 0x74, 0x9A, 0xBD, 0xAA, 0x2A, 0x52, 0x07, 0x47, - 0xD6, 0xA6, 0x36, 0xB2, 0x07, 0x32, 0x8E, 0xD0, - 0xBA, 0x69, 0x7B, 0xC6, 0xC3, 0x44, 0x9E, 0xD4, - 0x81, 0x48, 0xFD, 0x2D, 0x68, 0xA2, 0x8B, 0x67, - 0xBB, 0xA1, 0x75, 0xC8, 0x36, 0x2C, 0x4A, 0xD2, - 0x1B, 0xF7, 0x8B, 0xBA, 0xCF, 0x0D, 0xF9, 0xEF, - 0xEC, 0xF1, 0x81, 0x1E, 0x7B, 0x9B, 0x03, 0x47, - 0x9A, 0xBF, 0x65, 0xCC, 0x7F, 0x65, 0x24, 0x69, - 0xA6, 0xE8, 0x14, 0x89, 0x5B, 0xE4, 0x34, 0xF7, - 0xC5, 0xB0, 0x14, 0x93, 0xF5, 0x67, 0x7B, 0x3A, - 0x7A, 0x78, 0xE1, 0x01, 0x56, 0x56, 0x91, 0xA6, - 0x13, 0x42, 0x8D, 0xD2, 0x3C, 0x40, 0x9C, 0x4C, - 0xEF, 0xD1, 0x86, 0xDF, 0x37, 0x51, 0x1B, 0x0C, - 0xA1, 0x3B, 0xF5, 0xF1, 0xA3, 0x4A, 0x35, 0xE4, - 0xE1, 0xCE, 0x96, 0xDF, 0x1B, 0x7E, 0xBF, 0x4E, - 0x97, 0xD0, 0x10, 0xE8, 0xA8, 0x08, 0x30, 0x81, - 0xAF, 0x20, 0x0B, 0x43, 0x14, 0xC5, 0x74, 0x67, - 0xB4, 0x32, 0x82, 0x6F, 0x8D, 0x86, 0xC2, 0x88, - 0x40, 0x99, 0x36, 0x83, 0xBA, 0x1E, 0x40, 0x72, - 0x22, 0x17, 0xD7, 0x52, 0x65, 0x24, 0x73, 0xB0, - 0xCE, 0xEF, 0x19, 0xCD, 0xAE, 0xFF, 0x78, 0x6C, - 0x7B, 0xC0, 0x12, 0x03, 0xD4, 0x4E, 0x72, 0x0D, - 0x50, 0x6D, 0x3B, 0xA3, 0x3B, 0xA3, 0x99, 0x5E, - 0x9D, 0xC8, 0xD9, 0x0C, 0x85, 
0xB3, 0xD9, 0x8A, - 0xD9, 0x54, 0x26, 0xDB, 0x6D, 0xFA, 0xAC, 0xBB, - 0xFF, 0x25, 0x4C, 0xC4, 0xD1, 0x79, 0xF4, 0x71, - 0xD3, 0x86, 0x40, 0x18, 0x13, 0xB0, 0x63, 0xB5, - 0x72, 0x4E, 0x30, 0xC4, 0x97, 0x84, 0x86, 0x2D, - 0x56, 0x2F, 0xD7, 0x15, 0xF7, 0x7F, 0xC0, 0xAE, - 0xF5, 0xFC, 0x5B, 0xE5, 0xFB, 0xA1, 0xBA, 0xD3, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x6E, 0x30, - 0x6C, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, - 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, - 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x15, - 0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, - 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87, - 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, - 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, - 0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, 0x18, - 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, - 0xD7, 0x85, 0x65, 0xC0, 0x30, 0x1F, 0x06, 0x03, - 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, - 0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, - 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, - 0x26, 0xD7, 0x85, 0x65, 0xC0, 0x30, 0x0D, 0x06, - 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, - 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, - 0x00, 0x79, 0x81, 0x5D, 0xAB, 0xDB, 0x44, 0x70, - 0xD6, 0x39, 0x4F, 0xA6, 0xBA, 0x09, 0x99, 0xBB, - 0xCB, 0x82, 0xF9, 0x17, 0x34, 0xBD, 0x3E, 0xB1, - 0x18, 0xA8, 0xF9, 0x10, 0x16, 0x2A, 0xE0, 0x74, - 0xC6, 0xCF, 0xB3, 0x5F, 0xC6, 0x2C, 0xFB, 0xE3, - 0x5D, 0x38, 0x2B, 0x99, 0x02, 0x98, 0x9D, 0x55, - 0x95, 0x65, 0xC3, 0xEB, 0x77, 0x13, 0xA0, 0x75, - 0x35, 0x68, 0x1F, 0x08, 0xE8, 0x82, 0x3E, 0xF1, - 0xEF, 0x4B, 0xE7, 0x6E, 0xAD, 0xC1, 0x7C, 0x57, - 0xCE, 0xF5, 0x24, 0x4E, 0x2F, 0xC4, 0xF7, 0x46, - 0xED, 0x0E, 0x27, 0x1D, 0xD2, 0x12, 0x5D, 0x9A, - 0xE5, 0x82, 0xB8, 0x92, 0x42, 0x8F, 0x9E, 0x4D, - 0x9B, 0x31, 0x85, 0x2E, 0xE0, 0x5E, 0x83, 0xFB, - 0xA4, 0x33, 0x32, 0x34, 0x2A, 0xAD, 0x38, 0x7A, - 0x6D, 0xD5, 0x02, 0xAE, 0x77, 0xCB, 0x26, 0x76, - 0x7B, 0xFA, 0xE0, 0x91, 0x9B, 0x6F, 0xF4, 0xC4, - 0xA1, 0x54, 0xB1, 0x13, 0x80, 
0x6E, 0xFB, 0x70, - 0x4C, 0x7F, 0x4F, 0x58, 0x39, 0xFA, 0x5B, 0x3D, - 0x60, 0x63, 0xDF, 0xEF, 0x90, 0xB3, 0x9B, 0x9A, - 0xEE, 0x8E, 0x34, 0xFB, 0x8B, 0x75, 0x5F, 0xC7, - 0xE4, 0xDB, 0x7C, 0x63, 0x84, 0xE4, 0x6C, 0xC7, - 0xD8, 0xC8, 0xA9, 0xA4, 0x42, 0x64, 0x93, 0x65, - 0x17, 0x58, 0xC2, 0x51, 0x3E, 0x8E, 0x2A, 0x68, - 0x37, 0xC6, 0x59, 0x75, 0x68, 0xD4, 0x16, 0x6A, - 0x17, 0x87, 0xC0, 0xA8, 0x9A, 0x1F, 0x07, 0xCF, - 0x43, 0x58, 0xF4, 0xEA, 0xFE, 0xFB, 0xB2, 0x3F, - 0x7E, 0xC0, 0xF4, 0x83, 0x67, 0x85, 0x30, 0xF2, - 0xE1, 0x60, 0x37, 0x39, 0x45, 0x2A, 0x21, 0x51, - 0x0C, 0x4F, 0xFB, 0x0C, 0x0A, 0xFA, 0x7D, 0xD9, - 0xB4, 0x72, 0x86, 0x9C, 0x0D, 0x2A, 0x25, 0x0E, - 0xBB, 0x45, 0xEC, 0x5D, 0xFB, 0x7A, 0xAA, 0x67, - 0x49, 0x4F, 0x36, 0xAB, 0xDE, 0x4B, 0x57, 0x35, - 0xF3 +#ifndef WOLFSSL_ASN_TEMPLATE + 0x30, 0x82, 0x04, 0xfd, 0x30, 0x82, 0x03, 0xe5, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, + 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, + 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06, + 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, + 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, + 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, + 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, + 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, + 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, + 0x17, 
0x0d, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30, + 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, + 0x30, 0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, + 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15, + 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c, + 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67, + 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38, + 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, + 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, + 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, + 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, + 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b, + 0xfe, 0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c, + 0x74, 0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2, + 0x07, 0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4, + 0x81, 0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8, + 0x36, 0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef, + 0xec, 0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc, + 0x7f, 0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7, + 0xc5, 0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01, + 0x56, 
0x56, 0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c, + 0xef, 0xd1, 0x86, 0xdf, 0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1, + 0xa3, 0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e, + 0x97, 0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43, + 0x14, 0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88, + 0x40, 0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52, + 0x65, 0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c, + 0x7b, 0xc0, 0x12, 0x03, 0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3, + 0x3b, 0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a, + 0xd9, 0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4, + 0xd1, 0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5, + 0x72, 0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15, + 0xf7, 0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3, + 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x44, 0x30, 0x82, 0x01, + 0x40, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, + 0x01, 0x01, 0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, + 0x30, 0x13, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, + 0x63, 0x6f, 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x30, 0x1d, 0x06, + 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66, + 0xd7, 0x68, 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, + 0xd7, 0x85, 0x65, 0xc0, 0x30, 0x81, 0xd3, 0x06, 0x03, 0x55, 0x1d, 0x23, + 0x04, 0x81, 0xcb, 0x30, 0x81, 0xc8, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66, + 0xd7, 0x68, 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, + 0xd7, 0x85, 0x65, 0xc0, 0xa1, 0x81, 0xa4, 0xa4, 0x81, 0xa1, 0x30, 0x81, + 0x9e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, + 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, + 0x06, 
0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, + 0x61, 0x6e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x0c, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, + 0x38, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, + 0x50, 0x72, 0x6f, 0x67, 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, + 0x32, 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, + 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, + 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, + 0x63, 0x6f, 0x6d, 0x82, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, + 0x96, 0x04, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, + 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, + 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, + 0x03, 0x82, 0x01, 0x01, 0x00, 0x59, 0x2e, 0xd1, 0xec, 0xbc, 0x99, 0xfe, + 0x50, 0x38, 0x47, 0x47, 0x88, 0x51, 0xcf, 0xe4, 0x88, 0x76, 0xdf, 0x89, + 0x8f, 0xea, 0x91, 0xbc, 0xd6, 0xc6, 0x91, 0xc9, 0xcc, 0x33, 0x77, 0x5d, + 0xdd, 0x4b, 0xc9, 0xf6, 0x10, 0x54, 0xe2, 0x04, 0x89, 0x51, 0xdb, 0xe1, + 0x00, 0x0c, 0x61, 0x03, 0x26, 0x86, 0x35, 0xac, 0x96, 0x23, 0x9d, 0xef, + 0xd9, 0x95, 0xe4, 0xb4, 0x83, 0x9e, 0x0f, 0x47, 0x30, 0x08, 0x96, 0x28, + 0x7f, 0x2d, 0xe3, 0x23, 0x30, 0x3b, 0xb0, 0x46, 0xe8, 0x21, 0x78, 0xb4, + 0xc0, 0xbc, 0x9f, 0x60, 0x02, 0xd4, 0x16, 0x2d, 0xe5, 0x5a, 0x00, 0x65, + 0x15, 0x95, 0x81, 0x93, 0x80, 0x06, 0x3e, 0xf7, 0xdf, 0x0c, 0x2b, 0x3f, + 0x14, 0xfc, 0xc3, 0x79, 0xfd, 0x59, 0x5c, 0xa7, 0xc3, 0xe0, 0xa8, 0xd4, + 0x53, 0x4f, 0x13, 0x0a, 0xa3, 0xfe, 0x1d, 0x63, 0x4e, 0x84, 0xb2, 0x98, + 0x19, 0x06, 0xe0, 0x60, 0x3a, 0xc9, 0x49, 0x73, 0x00, 0xe3, 0x72, 0x2f, + 0x68, 
0x27, 0x9f, 0x14, 0x18, 0xb7, 0x57, 0xb9, 0x1d, 0xa8, 0xb3, 0x05, + 0x6c, 0xf5, 0x4b, 0x0e, 0xac, 0x26, 0x7a, 0xfe, 0xc1, 0xab, 0x1f, 0x27, + 0xf1, 0x1e, 0x21, 0x33, 0x31, 0xb6, 0x43, 0xb0, 0xf8, 0x74, 0x69, 0x6a, + 0xb1, 0x9b, 0xcb, 0xe4, 0xd3, 0xa2, 0x8e, 0x8a, 0x55, 0xef, 0x81, 0xf3, + 0x4a, 0x44, 0x90, 0x4d, 0x08, 0xb8, 0x31, 0x90, 0x1a, 0x82, 0x52, 0x56, + 0xeb, 0xf0, 0x50, 0x5b, 0x9f, 0x87, 0x98, 0x54, 0xfe, 0x6a, 0x60, 0x41, + 0x16, 0xdb, 0xdc, 0xff, 0x89, 0x4c, 0x98, 0x00, 0xb1, 0x87, 0x6c, 0xe7, + 0xec, 0xba, 0x3b, 0xa4, 0xfe, 0xa1, 0xfd, 0x26, 0x19, 0x7c, 0x2d, 0x14, + 0x91, 0x91, 0x61, 0x30, 0x3e, 0xf4, 0x5c, 0x97, 0x4c, 0x06, 0x84, 0xab, + 0x94, 0xa8, 0x17, 0x6c, 0xec, 0x19, 0xc0, 0x87, 0xd0 +#else + 0x30, 0x82, 0x04, 0x46, 0x30, 0x82, 0x03, 0x2e, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, + 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, + 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06, + 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, + 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, + 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, + 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, + 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, + 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, + 0x17, 0x0d, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30, + 0x30, 0x30, 0x5a, 
0x17, 0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, + 0x30, 0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, + 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15, + 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c, + 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67, + 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38, + 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, + 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, + 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, + 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, + 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b, + 0xfe, 0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c, + 0x74, 0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2, + 0x07, 0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4, + 0x81, 0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8, + 0x36, 0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef, + 0xec, 0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc, + 0x7f, 0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7, + 0xc5, 0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01, + 0x56, 0x56, 0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c, + 0xef, 0xd1, 0x86, 
0xdf, 0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1, + 0xa3, 0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e, + 0x97, 0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43, + 0x14, 0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88, + 0x40, 0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52, + 0x65, 0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c, + 0x7b, 0xc0, 0x12, 0x03, 0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3, + 0x3b, 0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a, + 0xd9, 0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4, + 0xd1, 0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5, + 0x72, 0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15, + 0xf7, 0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3, + 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0x8e, 0x30, 0x81, 0x8b, 0x30, + 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, + 0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, 0x30, 0x13, + 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68, + 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85, + 0x65, 0xc0, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68, 0x87, 0x18, 0x7e, + 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85, 0x65, 0xc0, 0x30, + 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, + 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x01, 0x00, 0x74, 0x83, 0x39, 0xc0, 0x03, 0x76, 0xfa, 0xdd, 0x8b, 0x00, + 0xfa, 0xaa, 0x5b, 
0xdb, 0x56, 0xef, 0x2c, 0x26, 0x9a, 0xc2, 0x07, 0xdb, + 0xfd, 0x10, 0xd0, 0x55, 0xb9, 0xe2, 0x9e, 0xe7, 0x34, 0x26, 0x8b, 0xd2, + 0x62, 0x49, 0x86, 0x93, 0x8c, 0x6c, 0x41, 0x02, 0xdf, 0x7e, 0x99, 0xf7, + 0x7e, 0x1f, 0xda, 0x08, 0xad, 0x4d, 0x91, 0xdf, 0x11, 0x39, 0x6d, 0x90, + 0xf5, 0xfe, 0x91, 0xee, 0xc7, 0x44, 0xd2, 0x0f, 0xd1, 0x2d, 0xe2, 0xb8, + 0xf2, 0x89, 0x50, 0x9f, 0x55, 0xf3, 0x44, 0x44, 0x07, 0xd9, 0xd9, 0x71, + 0x68, 0xe6, 0xd6, 0xa8, 0x09, 0x01, 0xe6, 0x03, 0xd4, 0x5a, 0x57, 0xf3, + 0x8a, 0xab, 0x53, 0xe7, 0x71, 0x03, 0x65, 0xe3, 0x20, 0x57, 0xaf, 0x2a, + 0xbb, 0xc0, 0x1f, 0xe3, 0x2a, 0xcf, 0xbd, 0x39, 0x26, 0x4d, 0x58, 0x18, + 0x8c, 0x98, 0x22, 0x42, 0xf0, 0xaa, 0x20, 0x8f, 0xa2, 0x4c, 0x81, 0x8b, + 0xe1, 0x4a, 0xa4, 0xb1, 0x4e, 0x22, 0x8f, 0x09, 0xd9, 0x4c, 0x9d, 0x35, + 0xc7, 0x92, 0xc7, 0x77, 0xaf, 0x42, 0x0b, 0x38, 0x2c, 0xeb, 0xb8, 0xd4, + 0x67, 0xa6, 0xd4, 0x70, 0x79, 0x0f, 0x9a, 0xf9, 0xad, 0xd4, 0x7b, 0x21, + 0x25, 0xb5, 0xa6, 0xa1, 0x7b, 0xf5, 0xb4, 0x1d, 0x06, 0x9a, 0xad, 0xeb, + 0xc5, 0xe4, 0x39, 0xd6, 0xea, 0xd9, 0x15, 0xbf, 0x49, 0x32, 0x97, 0xe5, + 0x52, 0x52, 0x11, 0x7e, 0x2b, 0x32, 0x07, 0x44, 0x81, 0x37, 0x2e, 0xd4, + 0xa4, 0x1e, 0x32, 0xbf, 0x2f, 0xbd, 0xac, 0xcc, 0xb3, 0x77, 0x82, 0xae, + 0xbb, 0xf0, 0x37, 0xc0, 0x10, 0x4b, 0x64, 0xcf, 0x8e, 0xd7, 0x25, 0x59, + 0xf8, 0xaa, 0x83, 0xad, 0xeb, 0x7d, 0x00, 0x8b, 0x3e, 0xb8, 0x91, 0x3c, + 0x6c, 0x4c, 0x35, 0x53, 0x36, 0xa4, 0x02, 0xb8, 0xbe, 0x2d, 0x34, 0xb4, + 0x26, 0x03, 0x6b, 0x92, 0x2e, 0xd6 +#endif }; printf(testingFmt, "wolfSSL_X509_sign2"); 
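Review bot: The new non-template expected bytes pin an AKID whose authorityCertIssuer (`0xa1, 0x81, 0xa4, 0xa4, 0x81, 0xa1, 0x30, 0x81, 0x9e, …`) is the certificate's own subject name (the wolfSSL_2048 / Programming-2048 DN) and whose authorityCertSerialNumber (`0x82, 0x09, 0x00, 0xf1, 0x5c, …`) is the certificate's own serial, while the TBS issuer is the Sawtooth / Consulting DN; RFC 5280 §4.2.1.1 expects those fields to identify the issuer of the signing certificate, so if this is intentional for a fixture whose AKID key id equals its SKID the test should say so in a comment, otherwise the snapshot locks in a mismatch. The two builds also now disagree on the order of the subjectAltName entries (IP address first under WOLFSSL_ASN_TEMPLATE, DNS name first otherwise), which is legal DER but means the same X509 serializes differently by build, and that deserves a sentence above the `#ifndef WOLFSSL_ASN_TEMPLATE`. A short comment stating how each blob was regenerated would make the next update less error-prone. test_wolfSSL_X509_sign2 starts and ends outside this hunk.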
@@ -37526,6 +37597,79 @@ static void test_wolfSSL_i2t_ASN1_OBJECT(void) #endif /* OPENSSL_EXTRA && WOLFSSL_CERT_EXT && WOLFSSL_CERT_GEN */ } +static void test_wolfSSL_PEM_write_bio_X509(void) +{ +#if defined(OPENSSL_EXTRA) && \ + defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) + /* This test contains the hard coded expected + * lengths. Update if necessary */ + + BIO* input; + BIO* output; + X509* x509 = NULL; + + printf(testingFmt, "wolfSSL_PEM_write_bio_X509()"); + + AssertNotNull(input = BIO_new_file( + "certs/test/cert-ext-multiple.pem", "rb")); + AssertIntEQ(wolfSSL_BIO_get_len(input), 2004); + + AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); + + AssertNotNull(PEM_read_bio_X509(input, &x509, NULL, NULL)); + + AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS); + +#ifndef WOLFSSL_ASN_TEMPLATE + /* WOLFSSL_ASN_TEMPLATE doesn't support writing the full AKID */ + /* Check that we generate the same output as was the input. */ + AssertIntEQ(wolfSSL_BIO_get_len(output), +#ifdef WOLFSSL_ALT_NAMES + /* Here we copy the validity struct from the original */ + 2004 +#else + /* Only difference is that we generate the validity in generalized + * time. 
Generating UTCTime vs Generalized time should be fixed in + * the future */ + 2009 +#endif + ); + + /* Reset output buffer */ + BIO_free(output); + AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); + + /* Test forcing the AKID to be generated just from KeyIdentifier */ + if (x509->authKeyIdSrc != NULL) { + XMEMMOVE(x509->authKeyIdSrc, x509->authKeyId, x509->authKeyIdSz); + x509->authKeyId = x509->authKeyIdSrc; + x509->authKeyIdSrc = NULL; + x509->authKeyIdSrcSz = 0; + } + + AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS); +#endif + + /* Check that we generate a smaller output since the AKID will + * only contain the KeyIdentifier without any additional + * information */ + AssertIntEQ(wolfSSL_BIO_get_len(output), +#ifdef WOLFSSL_ALT_NAMES + /* Here we copy the validity struct from the original */ + 1692 +#else + /* UTCTime vs Generalized time */ + 1696 +#endif + ); + + BIO_free(input); + BIO_free(output); + + printf(resultFmt, passed); +#endif +} + static void test_wolfSSL_X509_NAME_ENTRY(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ @@ -51454,6 +51598,7 @@ void ApiTest(void) test_wolfSSL_OBJ_txt2nid(); test_wolfSSL_OBJ_txt2obj(); test_wolfSSL_i2t_ASN1_OBJECT(); + test_wolfSSL_PEM_write_bio_X509(); test_wolfSSL_X509_NAME_ENTRY(); test_wolfSSL_X509_set_name(); test_wolfSSL_X509_set_notAfter(); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 6ffca63ac..850bbf83a 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -3239,7 +3239,7 @@ word32 SetBitString(word32 len, byte unusedBits, byte* output) idx += ASN_TAG_SZ; /* Encode length - passing NULL for output will not encode. - * Add one to length for unsued bits. */ + * Add one to length for unused bits. */ idx += SetLength(len + 1, output ? output + idx : NULL); if (output) { /* Write out unused bits. */ 
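Review bot: `x509` is never released in test_wolfSSL_PEM_write_bio_X509: the function ends with the two BIO_free calls and no `X509_free(x509);`, so the object returned by PEM_read_bio_X509 leaks in every configuration; add `X509_free(x509);` next to the BIO frees. Once it is freed, the `#ifndef WOLFSSL_ASN_TEMPLATE` section matters: it XMEMMOVEs the key identifier to the start of the `authKeyIdSrc` allocation, points `authKeyId` at it and NULLs `authKeyIdSrc`, so the destructor has to treat `authKeyId` as the owner of that allocation; that assumption is not visible here and should be confirmed and stated in the comment above the block. In the template build the final length assertion checks the first and only write, so the "we generate a smaller output" comment should say that the shorter AKID is the only form that build can produce rather than implying a second write happened.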
@@ -10113,8 +10113,6 @@ static int GetHashId(const byte* id, int length, byte* hash) #endif /* !NO_CERTS */ #ifdef WOLFSSL_ASN_TEMPLATE -/* Id for street address - not used. */ -#define ASN_STREET 9 /* Id for email address. */ #define ASN_EMAIL 0x100 /* Id for user id. */ @@ -10146,6 +10144,10 @@ static int GetHashId(const byte* id, int length, byte* hash) #define GetCertNameSubjectNID(id) \ (certNameSubject[(id) - 3].nid) +#define ValidCertNameSubject(id) \ + ((id - 3) >= 0 && (id - 3) < certNameSubjectSz && \ + (certNameSubject[(id) - 3].strLen > 0)) + /* Mapping of certificate name component to useful information. */ typedef struct CertNameData { /* Type string of name component. */ @@ -10240,16 +10242,16 @@ static const CertNameData certNameSubject[] = { NID_stateOrProvinceName #endif }, - /* Undefined - Street */ + /* Street Address */ { - NULL, 0, + "/street=", 8, #ifdef WOLFSSL_CERT_GEN - 0, - 0, - 0, + OFFSETOF(DecodedCert, subjectStreet), + OFFSETOF(DecodedCert, subjectStreetLen), + OFFSETOF(DecodedCert, subjectStreetEnc), #endif #ifdef WOLFSSL_X509_NAME_AVAILABLE - 0, + NID_streetAddress #endif }, /* Organization Name */ @@ -10328,10 +10330,43 @@ static const CertNameData certNameSubject[] = { #endif #ifdef WOLFSSL_X509_NAME_AVAILABLE NID_businessCategory +#endif + }, + /* Undefined */ + { + NULL, 0, +#ifdef WOLFSSL_CERT_GEN + 0, + 0, + 0, +#endif +#ifdef WOLFSSL_X509_NAME_AVAILABLE + 0, +#endif + }, + /* Postal Code */ + { + "/postalCode=", 12, +#ifdef WOLFSSL_CERT_GEN +#ifdef WOLFSSL_CERT_EXT + OFFSETOF(DecodedCert, subjectPC), + OFFSETOF(DecodedCert, subjectPCLen), + OFFSETOF(DecodedCert, subjectPCEnc), +#else + 0, + 0, + 0, +#endif +#endif +#ifdef WOLFSSL_X509_NAME_AVAILABLE + NID_postalCode #endif }, }; +static const int certNameSubjectSz = + sizeof(certNameSubject) / sizeof(CertNameData); + /* Full email OID. */ static const byte emailOid[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01 
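Review bot: `ValidCertNameSubject` uses its argument unparenthesized in `(id - 3)`, so an expression argument would expand incorrectly; write it as `(((id) - 3) >= 0 && ((id) - 3) < certNameSubjectSz && (certNameSubject[(id) - 3].strLen > 0))`. The new postalCode entry has a non-zero `strLen` under `WOLFSSL_CERT_GEN` without `WOLFSSL_CERT_EXT` but all three DecodedCert offsets zero, so the macro accepts the id while the offsets presumably point at the start of the struct; if the consumer treats offset 0 as "not stored" a comment on that `#else` branch should say so, otherwise the branch needs a guard. `certNameSubjectSz` is also defined after the macro that references it, which only works because the macro is expanded later in the file, and that dependency is worth one line of comment.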
@@ -10527,8 +10562,7 @@ static int GetRDN(DecodedCert* cert, char* full, word32* idx, int* nid, if ((oidSz == 3) && (oid[0] == 0x55) && (oid[1] == 0x04)) { id = oid[2]; /* Check range of supported ids in table. */ - if (((id >= ASN_COMMON_NAME) && (id <= ASN_ORGUNIT_NAME) && - (id != ASN_STREET)) || (id == ASN_BUS_CAT)) { + if (ValidCertNameSubject(id)) { /* Get the type string, length and NID from table. */ typeStr = GetCertNameSubjectStr(id); typeStrLen = GetCertNameSubjectStrLen(id); @@ -10593,6 +10627,9 @@ static int GetRDN(DecodedCert* cert, char* full, word32* idx, int* nid, WOLFSSL_MSG("Unknown Jurisdiction, skipping"); } } + else { + ret = 0; + } if ((ret == 0) && (typeStr != NULL)) { /* OID type to store for subject name and add to full string. */ @@ -10838,6 +10875,22 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, nid = NID_stateOrProvinceName; #endif /* OPENSSL_EXTRA */ } + else if (id == ASN_STREET_ADDR) { + copy = WOLFSSL_STREET_ADDR_NAME; + copyLen = sizeof(WOLFSSL_STREET_ADDR_NAME) - 1; + #ifdef WOLFSSL_CERT_GEN + if (nameType == SUBJECT) { + cert->subjectStreet = (char*)&input[srcIdx]; + cert->subjectStreetLen = strLen; + cert->subjectStreetEnc = b; + } + #endif /* WOLFSSL_CERT_GEN */ + #if (defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL)) \ + && !defined(WOLFCRYPT_ONLY) + nid = NID_streetAddress; + #endif /* OPENSSL_EXTRA */ + } else if (id == ASN_ORG_NAME) { copy = WOLFSSL_ORG_NAME; copyLen = sizeof(WOLFSSL_ORG_NAME) - 1; 
@@ -10903,6 +10956,22 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, #endif /* OPENSSL_EXTRA */ } #endif /* WOLFSSL_CERT_EXT */ + else if (id == ASN_POSTAL_CODE) { + copy = WOLFSSL_POSTAL_NAME; + copyLen = sizeof(WOLFSSL_POSTAL_NAME) - 1; + #ifdef WOLFSSL_CERT_GEN + if (nameType == SUBJECT) { + cert->subjectPC = (char*)&input[srcIdx]; + cert->subjectPCLen = strLen; + cert->subjectPCEnc = b; + } + #endif /* WOLFSSL_CERT_GEN */ + #if (defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL)) \ + && !defined(WOLFCRYPT_ONLY) + nid = NID_postalCode; + #endif /* OPENSSL_EXTRA */ + } } #ifdef WOLFSSL_CERT_EXT else if ((srcIdx + ASN_JOI_PREFIX_SZ + 2 <= (word32)maxIdx) && @@ -14533,6 +14602,9 @@ static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert) WOLFSSL_ENTER("DecodeCrlDist"); + cert->extCrlInfoRaw = input; + cert->extCrlInfoRawSz = sz; + /* Unwrap the list of Distribution Points*/ if (GetSequence(input, &idx, &length, sz) < 0) return ASN_PARSE_E; @@ -14625,6 +14697,9 @@ static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert) CALLOC_ASNGETDATA(dataASN, crlDistASN_Length, ret, cert->heap); + cert->extCrlInfoRaw = input; + cert->extCrlInfoRawSz = sz; + if (ret == 0) { /* Get the GeneralName choice */ GetASN_Choice(&dataASN[4], generalNameChoice); @@ -14869,6 +14944,8 @@ static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert) } #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + cert->extRawAuthKeyIdSrc = input; + cert->extRawAuthKeyIdSz = sz; cert->extAuthKeyIdSrc = &input[idx]; cert->extAuthKeyIdSz = length; #endif /* OPENSSL_EXTRA */ 
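Review bot: `cert->extCrlInfoRaw`/`extCrlInfoRawSz` in both DecodeCrlDist variants, and `cert->extRawAuthKeyIdSrc`/`extRawAuthKeyIdSz` in DecodeAuthKeyId, are assigned before any parsing has succeeded, so a malformed extension leaves the DecodedCert pointing at bytes that were never validated; either move the assignments after the successful GetSequence/GetASN_Items or document that callers must discard the cert on error. These fields alias the caller's input buffer rather than copy it, which the struct comment should state, for example `/* points into the decoded DER; valid only while that buffer is */`, so that a later conversion into WOLFSSL_X509 copies instead of keeping the pointer. All three functions start and end outside this hunk.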
@@ -14895,7 +14972,9 @@ static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert) } else { #ifdef OPENSSL_EXTRA - /* Store the autority key id. */ + /* Store the authority key id. */ + cert->extRawAuthKeyIdSrc = input; + cert->extRawAuthKeyIdSz = sz; GetASN_GetConstRef(&dataASN[1], &cert->extAuthKeyIdSrc, &cert->extAuthKeyIdSz); #endif /* OPENSSL_EXTRA */ @@ -15163,6 +15242,58 @@ static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert) #endif /* WOLFSSL_ASN_TEMPLATE */ } +#ifndef IGNORE_NETSCAPE_CERT_TYPE + +#ifdef WOLFSSL_ASN_TEMPLATE +/* ASN.1 template for Netscape Certificate Type + * https://docs.oracle.com/cd/E19957-01/816-5533-10/ext.htm#1033183 + */ +static const ASNItem nsCertTypeASN[] = { +/* 0 */ { 0, ASN_BIT_STRING, 0, 0, 0 }, +}; + +/* Number of items in ASN.1 template for nsCertType. */ +#define nsCertTypeASN_Length (sizeof(nsCertTypeASN) / sizeof(ASNItem)) +#endif + +static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert) +{ +#ifndef WOLFSSL_ASN_TEMPLATE + word32 idx = 0; + int len = 0; + + WOLFSSL_ENTER("DecodeNsCertType"); + if (CheckBitString(input, &idx, &len, (word32)sz, 0, NULL) < 0) { + return ASN_PARSE_E; + } + + /* Don't need to worry about unused bits as CheckBitString makes sure + * they're zero. */ + cert->nsCertType = input[idx]; + + return 0; +#else + DECL_ASNGETDATA(dataASN, nsCertTypeASN_Length); + int ret = 0; + word32 idx = 0; + + WOLFSSL_ENTER("DecodeNsCertType"); + (void)cert; + + CALLOC_ASNGETDATA(dataASN, nsCertTypeASN_Length, ret, cert->heap); + + if (ret == 0) + ret = GetASN_Items(nsCertTypeASN, dataASN, nsCertTypeASN_Length, 1, + input, &idx, sz); + if (ret == 0) + cert->nsCertType = dataASN[0].data.buffer.data[0]; + + FREE_ASNGETDATA(dataASN, cert->heap); + return ret; +#endif +} +#endif + #ifndef IGNORE_NAME_CONSTRAINTS #ifdef WOLFSSL_ASN_TEMPLATE 
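Review bot: DecodeNsCertType reads the first content byte of the BIT STRING without checking that one exists: in the non-template branch `cert->nsCertType = input[idx];` follows CheckBitString even when `len` is 0 (an encoding of `03 01 00`), and the template branch does `dataASN[0].data.buffer.data[0]` with no length test, so an empty bit string reads a byte outside the extension's content, possibly past the end of the buffer. Add `if (len < 1) return ASN_PARSE_E;` before the read, and reject a zero-length buffer the same way in the template branch (using the buffer's length field, presumably `data.buffer.length`). The `(void)cert;` in the template branch is dead since `cert` is dereferenced a few lines later, and the unused-bits comment should name what it relies on, that CheckBitString rejects non-zero unused bits, rather than saying they need no attention.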
@@ -15976,11 +16107,8 @@ static int DecodeExtensionType(const byte* input, int length, word32 oid, #ifndef IGNORE_NETSCAPE_CERT_TYPE /* Netscape's certificate type. */ case NETSCAPE_CT_OID: - WOLFSSL_MSG("Netscape certificate type extension not supported " - "yet."); - if (CheckBitString(input, &idx, &length, length, 0, NULL) < 0) { + if (DecodeNsCertType(input, length, cert) < 0) ret = ASN_PARSE_E; - } break; #endif #ifdef HAVE_OCSP @@ -19927,10 +20055,14 @@ typedef struct DerCert { byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */ #ifdef WOLFSSL_CERT_EXT byte skid[MAX_KID_SZ]; /* Subject Key Identifier extension */ - byte akid[MAX_KID_SZ]; /* Authority Key Identifier extension */ + byte akid[MAX_KID_SZ + sizeof(CertName)]; /* Authority Key Identifier extension */ byte keyUsage[MAX_KEYUSAGE_SZ]; /* Key Usage extension */ byte extKeyUsage[MAX_EXTKEYUSAGE_SZ]; /* Extended Key Usage extension */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + byte nsCertType[MAX_NSCERTTYPE_SZ]; /* Extended Key Usage extension */ +#endif byte certPolicies[MAX_CERTPOL_NB*MAX_CERTPOL_SZ]; /* Certificate Policies */ + byte crlInfo[CTC_MAX_CRLINFO_SZ]; /* CRL Distribution Points */ #endif #ifdef WOLFSSL_CERT_REQ byte attrib[MAX_ATTRIB_SZ]; /* Cert req attributes encoded */ @@ -19952,7 +20084,12 @@ typedef struct DerCert { int akidSz; /* encoded SKID extension length */ int keyUsageSz; /* encoded KeyUsage extension length */ int extKeyUsageSz; /* encoded ExtendedKeyUsage extension length */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + int nsCertTypeSz; /* encoded Netscape Certifcate Type + * extension length */ +#endif int certPoliciesSz; /* encoded CertPolicies extension length*/ + int crlInfoSz; /* encoded CRL Dist Points length */ #endif #ifdef WOLFSSL_ALT_NAMES int altNamesSz; /* encoded AltNames extension length */ 
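Review bot: The new DerCert fields carry copy-pasted comments: `byte nsCertType[MAX_NSCERTTYPE_SZ]; /* Extended Key Usage extension */` should read `/* Netscape Certificate Type extension */`, and `Certifcate` in the `nsCertTypeSz` comment is misspelled. The enlarged `akid[MAX_KID_SZ + sizeof(CertName)]` sizes the encoded AKID by the in-memory size of CertName, which is not the same quantity as the DER length of a Name (each RDN adds SET/SEQUENCE/OID/tag overhead); the outSz check in SetAKID turns an overrun into BAD_FUNC_ARG rather than memory corruption, but a comment stating that the bound is a heuristic and that SetAKID enforces it would keep the next reader from assuming it is exact. The DerCert definition starts and ends outside this hunk.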
@@ -20621,28 +20758,34 @@ const char* GetOneCertName(CertName* name, int idx) return name->state; case 2: - return name->locality; + return name->street; case 3: - return name->sur; + return name->locality; case 4: - return name->org; + return name->sur; case 5: - return name->unit; + return name->org; case 6: - return name->commonName; + return name->unit; case 7: - return name->serialDev; + return name->commonName; case 8: + return name->serialDev; + + case 9: + return name->postalCode; + + case 10: #ifdef WOLFSSL_CERT_EXT return name->busCat; - case 9: + case 11: #endif return name->email; @@ -20663,28 +20806,34 @@ static char GetNameType(CertName* name, int idx) return name->stateEnc; case 2: - return name->localityEnc; + return name->postalCodeEnc; case 3: - return name->surEnc; + return name->localityEnc; case 4: - return name->orgEnc; + return name->surEnc; case 5: - return name->unitEnc; + return name->orgEnc; case 6: - return name->commonNameEnc; + return name->unitEnc; case 7: - return name->serialDevEnc; + return name->commonNameEnc; case 8: + return name->serialDevEnc; + + case 9: + return name->postalCodeEnc; + + case 10: #ifdef WOLFSSL_CERT_EXT return name->busCatEnc; - case 9: + case 11: #endif /* FALL THROUGH */ /* The last index, email name, does not have encoding type. @@ -20706,28 +20855,34 @@ byte GetCertNameId(int idx) return ASN_STATE_NAME; case 2: - return ASN_LOCALITY_NAME; + return ASN_STREET_ADDR; case 3: - return ASN_SUR_NAME; + return ASN_LOCALITY_NAME; case 4: - return ASN_ORG_NAME; + return ASN_SUR_NAME; case 5: - return ASN_ORGUNIT_NAME; + return ASN_ORG_NAME; case 6: - return ASN_COMMON_NAME; + return ASN_ORGUNIT_NAME; case 7: - return ASN_SERIAL_NUMBER; + return ASN_COMMON_NAME; case 8: + return ASN_SERIAL_NUMBER; + + case 9: + return ASN_POSTAL_CODE; + + case 10: #ifdef WOLFSSL_CERT_EXT return ASN_BUS_CAT; - case 9: + case 11: #endif return ASN_EMAIL_NAME; 
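Review bot: In GetNameType, `case 2:` returns `name->postalCodeEnc`, while the two sibling tables return the street entry for index 2 (GetOneCertName returns `name->street`, GetCertNameId returns ASN_STREET_ADDR) and index 9 already returns `name->postalCodeEnc`. The street address would therefore be emitted with whatever encoding type was set for the postal code, a wrong DN encoding rather than a crash, so it will not show up in a test that only checks the certificate parses. It should be `return name->streetEnc;`, the member this change adds to CertName in asn_public.h. GetNameType's fall-through tail for the email index is outside the hunk.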
@@ -20890,36 +21045,55 @@ static int SetSKID(byte* output, word32 outSz, const byte *input, word32 length) /* encode Authority Key Identifier, return total bytes written * RFC5280 : non-critical */ -static int SetAKID(byte* output, word32 outSz, - byte *input, word32 length, void* heap) +static int SetAKID(byte* output, word32 outSz, byte *input, word32 length, + byte rawAkid) { - byte *enc_val; - int ret, enc_valSz; - const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04 }; + int enc_valSz, inSeqSz; + byte enc_val_buf[MAX_KID_SZ]; + byte* enc_val; + const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23 }; const byte akid_cs[] = { 0x80 }; - - (void)heap; + word32 idx; if (output == NULL || input == NULL) return BAD_FUNC_ARG; - enc_valSz = length + 3 + sizeof(akid_cs); - enc_val = (byte *)XMALLOC(enc_valSz, heap, DYNAMIC_TYPE_TMP_BUFFER); - if (enc_val == NULL) - return MEMORY_E; + if (rawAkid) { + enc_val = input; + enc_valSz = length; + } + else { + enc_val = enc_val_buf; + enc_valSz = length + 3 + sizeof(akid_cs); + if (enc_valSz > (int)sizeof(enc_val_buf)) + return BAD_FUNC_ARG; - /* sequence for ContentSpec & value */ - ret = SetOidValue(enc_val, enc_valSz, akid_cs, sizeof(akid_cs), - input, length); - if (ret > 0) { - enc_valSz = ret; - - ret = SetOidValue(output, outSz, akid_oid, sizeof(akid_oid), - enc_val, enc_valSz); + /* sequence for ContentSpec & value */ + enc_valSz = SetOidValue(enc_val, enc_valSz, akid_cs, sizeof(akid_cs), + input, length); + if (enc_valSz <= 0) + return enc_valSz; } - XFREE(enc_val, heap, DYNAMIC_TYPE_TMP_BUFFER); - return ret; + /* The size of the extension sequence contents */ + inSeqSz = sizeof(akid_oid) + SetOctetString(enc_valSz, NULL) + + enc_valSz; + + if (SetSequence(inSeqSz, NULL) + inSeqSz > outSz) + return BAD_FUNC_ARG; + + /* Write out the sequence header */ + idx = SetSequence(inSeqSz, output); + + /* Write out OID */ + XMEMCPY(output + idx, akid_oid, sizeof(akid_oid)); + idx += sizeof(akid_oid); + + /* Write out 
AKID */ + idx += SetOctetString(enc_valSz, output + idx); + XMEMCPY(output + idx, enc_val, enc_valSz); + + return idx + enc_valSz; } /* encode Key Usage, return total bytes written 
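Review bot: In SetAKID, the new `rawAkid` path takes `input` as a complete AuthorityKeyIdentifier value and copies it into the OCTET STRING unchecked; nothing verifies that it is a DER SEQUENCE spanning exactly `length` bytes, so a malformed value supplied through Cert.akid ends up inside a signed certificate. A cheap guard is a `GetSequence()` over `input` that must consume exactly `length` bytes, returning BAD_FUNC_ARG otherwise; the same unvalidated path is reached from EncodeCert's AKID block (@@ -22562), which only checks the size. Separately, the non-raw path moved from a heap buffer to `byte enc_val_buf[MAX_KID_SZ]` and now returns BAD_FUNC_ARG when `length + 4 > MAX_KID_SZ`; unless MAX_KID_SZ is known to be at least CTC_MAX_AKID_SIZE + 4, a 32-byte SHA-256 key id that EncodeCert accepts would be rejected here, so a compile-time check or a comment tying the two constants together is worthwhile. `enc_valSz = length;` also narrows word32 to int without a range check, harmless only because of EncodeCert's size check.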
@@ -21163,6 +21337,89 @@ static int SetExtKeyUsage(Cert* cert, byte* output, word32 outSz, byte input) #endif } +#ifndef IGNORE_NETSCAPE_CERT_TYPE +#ifndef WOLFSSL_ASN_TEMPLATE +static int SetNsCertType(Cert* cert, byte* output, word32 outSz, byte input) +{ + word32 idx; + byte unusedBits = 0; + byte nsCertType = input; + word32 totalSz; + word32 bitStrSz; + const byte nscerttype_oid[] = { 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x86, 0xF8, 0x42, 0x01, 0x01 }; + + if (cert == NULL || output == NULL || + input == 0) + return BAD_FUNC_ARG; + + totalSz = sizeof(nscerttype_oid); + + /* Get amount of lsb zero's */ + for (;(input & 1) == 0; input >>= 1) + unusedBits++; + + /* 1 byte of NS Cert Type extension */ + bitStrSz = SetBitString(1, unusedBits, NULL) + 1; + totalSz += SetOctetString(bitStrSz, NULL) + bitStrSz; + + if (SetSequence(totalSz, NULL) + totalSz > outSz) + return BAD_FUNC_ARG; + + /* 1. Seq + Total Len */ + idx = SetSequence(totalSz, output); + + /* 2. Object ID */ + XMEMCPY(&output[idx], nscerttype_oid, sizeof(nscerttype_oid)); + idx += sizeof(nscerttype_oid); + + /* 3. Octet String */ + idx += SetOctetString(bitStrSz, &output[idx]); + + /* 4. Bit String */ + idx += SetBitString(1, unusedBits, &output[idx]); + output[idx++] = nsCertType; + + return idx; +} +#endif +#endif + +#ifndef WOLFSSL_ASN_TEMPLATE +static int SetCRLInfo(Cert* cert, byte* output, word32 outSz, byte* input, + int inSz) +{ + word32 idx; + word32 totalSz; + const byte crlinfo_oid[] = { 0x06, 0x03, 0x55, 0x1D, 0x1F }; + + if (cert == NULL || output == NULL || + input == 0 || inSz <= 0) + return BAD_FUNC_ARG; + + totalSz = sizeof(crlinfo_oid) + SetOctetString(inSz, NULL) + inSz; + + if (SetSequence(totalSz, NULL) + totalSz > outSz) + return BAD_FUNC_ARG; + + /* 1. Seq + Total Len */ + idx = SetSequence(totalSz, output); + + /* 2. Object ID */ + XMEMCPY(&output[idx], crlinfo_oid, sizeof(crlinfo_oid)); + idx += sizeof(crlinfo_oid); + + /* 3. 
Octet String */ + idx += SetOctetString(inSz, &output[idx]); + + /* 4. CRL Info */ + XMEMCPY(&output[idx], input, inSz); + idx += inSz; + + return idx; +} +#endif + /* encode Certificate Policies, return total bytes written * each input value must be ITU-T X.690 formatted : a.b.c... * input must be an array of values with a NULL terminated for the latest @@ -21625,6 +21882,7 @@ int wc_EncodeName(EncodedName* name, const char* nameStr, char nameType, static const byte nameOid[NAME_ENTRIES - 1][NAME_OID_SZ] = { { 0x55, 0x04, ASN_COUNTRY_NAME }, { 0x55, 0x04, ASN_STATE_NAME }, + { 0x55, 0x04, ASN_STREET_ADDR }, { 0x55, 0x04, ASN_LOCALITY_NAME }, { 0x55, 0x04, ASN_SUR_NAME }, { 0x55, 0x04, ASN_ORG_NAME }, @@ -21634,6 +21892,7 @@ static const byte nameOid[NAME_ENTRIES - 1][NAME_OID_SZ] = { #ifdef WOLFSSL_CERT_EXT { 0x55, 0x04, ASN_BUS_CAT }, #endif + { 0x55, 0x04, ASN_POSTAL_CODE }, /* Email OID is much longer. */ }; @@ -22042,6 +22301,15 @@ static const ASNItem certExtsASN[] = { /* 28 */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* 29 */ { 2, ASN_OCTET_STRING, 0, 1, 0 }, /* 30 */ { 3, ASN_SEQUENCE, 0, 0, 0 }, + /* Netscape Certificate Type */ +/* 31 */ { 1, ASN_SEQUENCE, 1, 1, 0 }, +/* 32 */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, +/* 33 */ { 2, ASN_OCTET_STRING, 0, 1, 0 }, +/* 34 */ { 3, ASN_BIT_STRING, 0, 0, 0 }, +/* 35 */ { 1, ASN_SEQUENCE, 1, 1, 0 }, +/* 36 */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, +/* 37 */ { 2, ASN_OCTET_STRING, 0, 0, 0 }, + #endif }; @@ -22064,6 +22332,9 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, static const byte kuOID[] = { 0x55, 0x1d, 0x0f }; static const byte ekuOID[] = { 0x55, 0x1d, 0x25 }; static const byte cpOID[] = { 0x55, 0x1d, 0x20 }; + static const byte nsCertOID[] = { 0x60, 0x86, 0x48, 0x01, + 0x86, 0xF8, 0x42, 0x01, 0x01 }; + static const byte crlInfoOID[] = { 0x55, 0x1D, 0x1F }; #endif (void)forRequest; 
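Review bot: SetCRLInfo compares a pointer against an integer constant in its argument check, `input == 0 || inSz <= 0`; this should be `input == NULL || inSz <= 0` to match the `cert == NULL || output == NULL` style on the same line (in SetNsCertType `input` is a byte, so `== 0` is fine there). More substantively, SetCRLInfo wraps `input` in an OCTET STRING verbatim, so Cert.crlInfo is evidently expected to already be the DER of the CRLDistributionPoints SEQUENCE, yet neither this function nor the asn_public.h `crlInfo[CTC_MAX_CRLINFO_SZ]` field says so, and no tag/length check is made before the bytes land in a signed certificate; a one-line comment on the expected content and a `GetSequence()` round-trip that must cover exactly `inSz` bytes would close that. The `cert` parameter of both new functions is only NULL-checked and otherwise unused.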
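Review bot: The new nameOid rows place ASN_BUS_CAT before ASN_POSTAL_CODE (positions 9 and 10 under WOLFSSL_CERT_EXT), while GetCertNameId in this same change maps index 9 to ASN_POSTAL_CODE and index 10 to ASN_BUS_CAT. If wc_EncodeName selects the OID by the same positional index the three Get*Name* helpers use, businessCategory and postalCode would be emitted with each other's OID when WOLFSSL_CERT_EXT is on; if it selects by the `type` tag value instead, the order is harmless, but a comment saying which it is would save the next reader the same check. Swapping the two rows so the table matches GetCertNameId removes the question either way. The body of wc_EncodeName lies outside both hunks.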
@@ -22156,6 +22427,28 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, /* Don't write out Certificate Policies extension items. */ SetASNItem_NoOut(dataASN, 27, 30); } + #ifndef IGNORE_NETSCAPE_CERT_TYPE + /* Netscape Certificate Type */ + if (cert->nsCertType != 0) { + /* Set Netscape Certificate Type OID and data. */ + SetASN_Buffer(&dataASN[32], nsCertOID, sizeof(nsCertOID)); + SetASN_Buffer(&dataASN[34], &cert->nsCertType, 1); + } + else + #endif + { + /* Don't write out Netscape Certificate Type. */ + SetASNItem_NoOut(dataASN, 31, 34); + } + if (cert->crlInfoSz > 0) { + /* Set CRL Distribution Points OID and data. */ + SetASN_Buffer(&dataASN[36], crlInfoOID, sizeof(crlInfoOID)); + SetASN_Buffer(&dataASN[37], cert->crlInfo, cert->crlInfoSz); + } + else { + /* Don't write out Netscape Certificate Type. */ + SetASNItem_NoOut(dataASN, 35, 37); + } #endif } @@ -22179,7 +22472,7 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, SetASN_Items(certExtsASN, dataASN, certExtsASN_Length, output); #ifdef WOLFSSL_CERT_EXT - if (cert->keyUsage != 0){ + if (cert->extKeyUsage != 0){ /* Encode Extended Key Usage into space provided. */ if (SetExtKeyUsage(cert, (byte*)dataASN[26].data.buffer.data, dataASN[26].data.buffer.length, cert->extKeyUsage) <= 0) { @@ -22209,6 +22502,10 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, #ifndef WOLFSSL_ASN_TEMPLATE /* Set Date validity from now until now + daysValid * return size in bytes written to output, 0 on error */ +/* TODO https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5 + * "MUST always encode certificate validity dates through the year 2049 as + * UTCTime; certificate validity dates in 2050 or later MUST be encoded as + * GeneralizedTime." */ static int SetValidity(byte* output, int daysValid) { #ifndef NO_ASN_TIME 
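Review bot: In the template EncodeExtensions, the `else` branch for CRL Distribution Points carries a copy-pasted comment, `/* Don't write out Netscape Certificate Type. */`, above `SetASNItem_NoOut(dataASN, 35, 37);`; it should read `/* Don't write out CRL Distribution Points. */`. Item 37 receives `cert->crlInfo` as the OCTET STRING content unchanged, so here too the buffer must already hold the DER-encoded CRLDistributionPoints SEQUENCE; a comment at the `SetASN_Buffer(&dataASN[37], ...)` line stating that, matching what the non-template SetCRLInfo assumes, keeps the two paths honest. The function continues outside this hunk.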
@@ -22562,11 +22859,13 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, /* AKID */ if (cert->akidSz) { /* check the provided AKID size */ - if (cert->akidSz > (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid))) + if ((!cert->rawAkid && + cert->akidSz > (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid))) || + (cert->rawAkid && cert->akidSz > (int)sizeof(der->akid))) return AKID_E; - der->akidSz = SetAKID(der->akid, sizeof(der->akid), - cert->akid, cert->akidSz, cert->heap); + der->akidSz = SetAKID(der->akid, sizeof(der->akid), cert->akid, + cert->akidSz, cert->rawAkid); if (der->akidSz <= 0) return AKID_E; @@ -22599,6 +22898,31 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, else der->extKeyUsageSz = 0; +#ifndef IGNORE_NETSCAPE_CERT_TYPE + /* Netscape Certificate Type */ + if (cert->nsCertType != 0) { + der->nsCertTypeSz = SetNsCertType(cert, der->nsCertType, + sizeof(der->nsCertType), cert->nsCertType); + if (der->nsCertTypeSz <= 0) + return EXTENSIONS_E; + + der->extensionsSz += der->nsCertTypeSz; + } + else + der->nsCertTypeSz = 0; +#endif + + if (cert->crlInfoSz > 0) { + der->crlInfoSz = SetCRLInfo(cert, der->crlInfo, sizeof(der->crlInfo), + cert->crlInfo, cert->crlInfoSz); + if (der->crlInfoSz <= 0) + return EXTENSIONS_E; + + der->extensionsSz += der->crlInfoSz; + } + else + der->crlInfoSz = 0; + /* Certificate Policies */ if (cert->certPoliciesNb != 0) { der->certPoliciesSz = SetCertificatePolicies(der->certPolicies, @@ -22664,6 +22988,15 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, return EXTENSIONS_E; } + /* put CRL Distribution Points */ + if (der->crlInfoSz) { + ret = SetExtensions(der->extensions, sizeof(der->extensions), + &der->extensionsSz, + der->crlInfo, der->crlInfoSz); + if (ret <= 0) + return EXTENSIONS_E; + } + /* put KeyUsage */ if (der->keyUsageSz) { ret = SetExtensions(der->extensions, sizeof(der->extensions), 
@@ -22682,6 +23015,17 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, return EXTENSIONS_E; } + /* put Netscape Cert Type */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + if (der->nsCertTypeSz) { + ret = SetExtensions(der->extensions, sizeof(der->extensions), + &der->extensionsSz, + der->nsCertType, der->nsCertTypeSz); + if (ret <= 0) + return EXTENSIONS_E; + } +#endif + /* put Certificate Policies */ if (der->certPoliciesSz) { ret = SetExtensions(der->extensions, sizeof(der->extensions), @@ -26957,16 +27301,20 @@ static int DecodeAsymKeyPublic(const byte* input, word32* inOutIdx, word32 inSz, return ASN_PARSE_E; /* key header */ - ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); + ret = CheckBitString(input, inOutIdx, &length, inSz, 1, NULL); if (ret != 0) return ret; /* check that the value found is not too large for pubKey buffer */ - if (inSz - *inOutIdx > *pubKeyLen) + if ((word32)length > *pubKeyLen) + return ASN_PARSE_E; + + /* check that input buffer is exhausted */ + if (*inOutIdx + (word32)length != inSz) return ASN_PARSE_E; /* This is the raw point data compressed or uncompressed. */ - *pubKeyLen = inSz - *inOutIdx; + *pubKeyLen = length; XMEMCPY(pubKey, input + *inOutIdx, *pubKeyLen); #else len = inSz - *inOutIdx; @@ -26982,9 +27330,11 @@ static int DecodeAsymKeyPublic(const byte* input, word32* inOutIdx, word32 inSz, /* Decode Ed25519 private key. */ ret = GetASN_Items(edPubKeyASN, dataASN, edPubKeyASN_Length, 1, input, inOutIdx, inSz); - if (ret != 0) { + if (ret != 0) + ret = ASN_PARSE_E; + /* check that input buffer is exhausted */ + if (*inOutIdx != inSz) ret = ASN_PARSE_E; - } } /* Check the public value length is correct. */ if ((ret == 0) && (dataASN[3].data.ref.length > *pubKeyLen)) { diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 94d55690d..c73c68952 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c 
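Review bot: In DecodeAsymKeyPublic (@@ -26957), the new checks accept any `length` that fits the caller's buffer and ends exactly at `inSz`, including `length == 0`, which leaves `*pubKeyLen = 0` with nothing copied; if the callers do not themselves reject an empty key (presumably the import routines check the fixed key size, but that is not visible here), add `if (length <= 0) return ASN_PARSE_E;` before the size comparison. The template branch in the next hunk (@@ -26982) has the same gap at its `dataASN[3].data.ref.length > *pubKeyLen` check. Both hunks are inside a function whose start and end are outside this view.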
@@ -12289,18 +12289,20 @@ static void initDefaultName(void) static const CertName certDefaultName = { "US", CTC_PRINTABLE, /* country */ "Oregon", CTC_UTF8, /* state */ + "Main St", CTC_UTF8, /* street */ "Portland", CTC_UTF8, /* locality */ "Test", CTC_UTF8, /* sur */ "wolfSSL", CTC_UTF8, /* org */ "Development", CTC_UTF8, /* unit */ "www.wolfssl.com", CTC_UTF8, /* commonName */ "wolfSSL12345", CTC_PRINTABLE, /* serial number of device */ + "12-456", CTC_PRINTABLE, /* Postal Code */ #ifdef WOLFSSL_CERT_EXT "Private Organization", CTC_UTF8, /* businessCategory */ "US", CTC_PRINTABLE, /* jurisdiction country */ "Oregon", CTC_PRINTABLE, /* jurisdiction state */ #endif - "info@wolfssl.com" /* email */ + "info@wolfssl.com", /* email */ }; #endif /* WOLFSSL_MULTI_ATTRIB */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 0804e3209..d00a5b3e5 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3854,12 +3854,14 @@ struct WOLFSSL_X509 { #ifdef HAVE_EX_DATA WOLFSSL_CRYPTO_EX_DATA ex_data; #endif - byte* authKeyId; + byte* authKeyId; /* Points into authKeyIdSrc */ + byte* authKeyIdSrc; byte* subjKeyId; byte* extKeyUsageSrc; #ifdef OPENSSL_ALL byte* subjAltNameSrc; #endif + byte* rawCRLInfo; byte* CRLInfo; byte* authInfo; #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) @@ -3868,12 +3870,18 @@ struct WOLFSSL_X509 { #endif word32 pathLength; word16 keyUsage; + int rawCRLInfoSz; int CRLInfoSz; int authInfoSz; word32 authKeyIdSz; + word32 authKeyIdSrcSz; word32 subjKeyIdSz; + byte extKeyUsage; word32 extKeyUsageSz; word32 extKeyUsageCount; +#ifndef IGNORE_NETSCAPE_CERT_TYPE + byte nsCertType; +#endif #ifdef OPENSSL_ALL word32 subjAltNameSz; #endif diff --git a/wolfssl/openssl/x509v3.h b/wolfssl/openssl/x509v3.h index fa30dcc1b..2e3298226 100644 --- a/wolfssl/openssl/x509v3.h +++ b/wolfssl/openssl/x509v3.h 
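Review bot: `byte* rawCRLInfo;` and `int rawCRLInfoSz;` in WOLFSSL_X509 get no comment, while the neighbouring `authKeyId` gained `/* Points into authKeyIdSrc */`; since both pairs look like a raw extension value plus a pointer into it (mirroring DecodedCert.extCrlInfoRaw / extCrlInfo in the asn.h hunk, though the copy code is not in this hunk), say so, e.g. `byte* rawCRLInfo; /* Entire CRL Distribution Points extension; CRLInfo points into it */` if that is indeed the relationship. Whether these point into the certificate's DER buffer or are owned copies the X509 free path must release is what the next maintainer will need; a word on ownership prevents a leak or a dangling pointer later.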
@@ -57,8 +57,8 @@ #define X509_PURPOSE_SSL_CLIENT 0 #define X509_PURPOSE_SSL_SERVER 1 -#define NS_SSL_CLIENT 0 -#define NS_SSL_SERVER 1 +#define NS_SSL_CLIENT WC_NS_SSL_CLIENT +#define NS_SSL_SERVER WC_NS_SSL_SERVER /* Forward reference */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 80a7ece30..840fa7b0c 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -598,9 +598,11 @@ enum DN_Tags { ASN_COUNTRY_NAME = 0x06, /* C */ ASN_LOCALITY_NAME = 0x07, /* L */ ASN_STATE_NAME = 0x08, /* ST */ + ASN_STREET_ADDR = 0x09, /* street */ ASN_ORG_NAME = 0x0a, /* O */ ASN_ORGUNIT_NAME = 0x0b, /* OU */ ASN_BUS_CAT = 0x0f, /* businessCategory */ + ASN_POSTAL_CODE = 0x11, /* postalCode */ ASN_EMAIL_NAME = 0x98, /* not oid number there is 97 in 2.5.4.0-97 */ /* pilot attribute types @@ -636,6 +638,9 @@ extern const WOLFSSL_ObjectInfo wolfssl_object_info[]; #define WOLFSSL_LN_LOCALITY_NAME "/localityName=" #define WOLFSSL_STATE_NAME "/ST=" #define WOLFSSL_LN_STATE_NAME "/stateOrProvinceName=" +#define WOLFSSL_STREET_ADDR_NAME "/street=" +#define WOLFSSL_LN_STREET_ADDR_NAME "/streetAddress=" +#define WOLFSSL_POSTAL_NAME "/postalCode=" #define WOLFSSL_ORG_NAME "/O=" #define WOLFSSL_LN_ORG_NAME "/organizationName=" #define WOLFSSL_ORGUNIT_NAME "/OU=" @@ -715,12 +720,14 @@ enum NID_countryName = 0x06, /* C */ NID_localityName = 0x07, /* L */ NID_stateOrProvinceName = 0x08, /* ST */ + NID_streetAddress = ASN_STREET_ADDR, /* street */ NID_organizationName = 0x0a, /* O */ NID_organizationalUnitName = 0x0b, /* OU */ NID_jurisdictionCountryName = 0xc, NID_jurisdictionStateOrProvinceName = 0xd, NID_businessCategory = ASN_BUS_CAT, NID_domainComponent = ASN_DOMAIN_COMPONENT, + NID_postalCode = ASN_POSTAL_CODE, /* postalCode */ NID_favouriteDrink = 462, NID_userId = 458, NID_emailAddress = 0x30, /* emailAddress */ 
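Review bot: `NS_SSL_CLIENT`/`NS_SSL_SERVER` change value from 0/1 to whatever `WC_NS_SSL_CLIENT`/`WC_NS_SSL_SERVER` expand to (0x80/0x40 in the asn.h hunk below), which is a behavioural change for any existing caller that stored or compared the old values, so the commit message should call it out. The new values match OpenSSL's bit-flag definitions, the right target for a compatibility header, but x509v3.h must now see asn.h for the WC_NS_* names; if it does not already include wolfssl/wolfcrypt/asn.h (not visible here), add it, otherwise the macros expand to undeclared identifiers at the point of use.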
@@ -857,6 +864,10 @@ enum Misc_ASN { CTC_MAX_EKU_OID_SZ, /* Max encoded ExtKeyUsage (SEQ/LEN + OBJID + OCTSTR/LEN + SEQ + (6 * (SEQ + OID))) */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + MAX_NSCERTTYPE_SZ = MAX_SEQ_SZ + 17, /* SEQ + OID + OCTET STR + + * NS BIT STR */ +#endif MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */ MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ, #endif @@ -1127,6 +1138,15 @@ enum CsrAttrType { #define EXTKEYUSE_SERVER_AUTH 0x02 #define EXTKEYUSE_ANY 0x01 +#define WC_NS_SSL_CLIENT 0x80 +#define WC_NS_SSL_SERVER 0x40 +#define WC_NS_SMIME 0x20 +#define WC_NS_OBJSIGN 0x10 +#define WC_NS_SSL_CA 0x04 +#define WC_NS_SMIME_CA 0x02 +#define WC_NS_OBJSIGN_CA 0x01 + + typedef struct DNS_entry DNS_entry; struct DNS_entry { @@ -1382,6 +1402,10 @@ struct DecodedCert { const byte* extAuthInfoCaIssuer; /* Authority Info Access caIssuer URI */ int extAuthInfoCaIssuerSz; /* length of the caIssuer URI */ #endif + const byte* extCrlInfoRaw; /* Entire CRL Distribution Points + * Extension. This is useful when + * re-generating the DER. */ + int extCrlInfoRawSz; /* length of the extension */ const byte* extCrlInfo; /* CRL Distribution Points */ int extCrlInfoSz; /* length of the URI */ byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */ @@ -1398,6 +1422,8 @@ struct DecodedCert { const byte* extExtKeyUsageSrc; word32 extExtKeyUsageSz; word32 extExtKeyUsageCount; + const byte* extRawAuthKeyIdSrc; + word32 extRawAuthKeyIdSz; const byte* extAuthKeyIdSrc; word32 extAuthKeyIdSz; const byte* extSubjKeyIdSrc; @@ -1437,6 +1463,9 @@ struct DecodedCert { char* subjectST; int subjectSTLen; char subjectSTEnc; + char* subjectStreet; + int subjectStreetLen; + char subjectStreetEnc; char* subjectO; int subjectOLen; char subjectOEnc; 
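Review bot: The seven `WC_NS_*` defines carry no comment; a one-liner such as `/* netscape-cert-type bits, first content octet of the BIT STRING; same values as OpenSSL's NS_* flags */` would tell readers why 0x80 is "client" and why 0x08 is absent. Likewise `extRawAuthKeyIdSrc`/`extRawAuthKeyIdSz` in DecodedCert lack the comment their sibling `extCrlInfoRaw` got; DecodeAuthKeyId appears to store the whole extension value there, so `/* Entire AuthorityKeyIdentifier value; used when re-generating the DER. */` fits. The double blank line after `WC_NS_OBJSIGN_CA` is a stray.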
@@ -1457,9 +1486,12 @@ struct DecodedCert { int subjectJSLen; char subjectJSEnc; #endif + char* subjectPC; + int subjectPCLen; + char subjectPCEnc; char* subjectEmail; int subjectEmailLen; -#endif /* WOLFSSL_CERT_GEN */ +#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) /* WOLFSSL_X509_NAME structures (used void* to avoid including ssl.h) */ void* issuerName; @@ -1476,7 +1508,10 @@ struct DecodedCert { #ifdef WOLFSSL_CERT_EXT char extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ]; int extCertPoliciesNb; -#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */ +#endif /* WOLFSSL_CERT_EXT */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + byte nsCertType; +#endif #ifdef WOLFSSL_CERT_REQ /* CSR attributes */ @@ -1880,9 +1915,9 @@ WOLFSSL_LOCAL int wc_MIME_free_hdrs(MimeHdr* head); enum cert_enums { #ifdef WOLFSSL_CERT_EXT - NAME_ENTRIES = 10, + NAME_ENTRIES = 12, #else - NAME_ENTRIES = 9, + NAME_ENTRIES = 11, #endif JOINT_LEN = 2, EMAIL_JOINT_LEN = 9, diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index f108c17ad..a11ceb623 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -197,7 +197,9 @@ enum Ctc_Misc { CTC_MAX_SKID_SIZE = 32, /* SHA256_DIGEST_SIZE */ CTC_MAX_AKID_SIZE = 32, /* SHA256_DIGEST_SIZE */ CTC_MAX_CERTPOL_SZ = 64, - CTC_MAX_CERTPOL_NB = 2 /* Max number of Certificate Policy */ + CTC_MAX_CERTPOL_NB = 2, /* Max number of Certificate Policy */ + CTC_MAX_CRLINFO_SZ = 200, /* Arbitrary size that should be enough for at + * least two distribution points. */ #endif /* WOLFSSL_CERT_EXT */ }; @@ -305,6 +307,8 @@ typedef struct CertName { char countryEnc; char state[CTC_NAME_SIZE]; char stateEnc; + char street[CTC_NAME_SIZE]; + char streetEnc; char locality[CTC_NAME_SIZE]; char localityEnc; char sur[CTC_NAME_SIZE]; 
@@ -317,6 +321,8 @@ typedef struct CertName { char commonNameEnc; char serialDev[CTC_NAME_SIZE]; char serialDevEnc; + char postalCode[CTC_NAME_SIZE]; + char postalCodeEnc; #ifdef WOLFSSL_CERT_EXT char busCat[CTC_NAME_SIZE]; char busCatEnc; @@ -357,10 +363,18 @@ typedef struct Cert { #ifdef WOLFSSL_CERT_EXT byte skid[CTC_MAX_SKID_SIZE]; /* Subject Key Identifier */ int skidSz; /* SKID size in bytes */ - byte akid[CTC_MAX_AKID_SIZE]; /* Authority Key Identifier */ + byte akid[CTC_MAX_AKID_SIZE + sizeof(CertName)]; /* Authority Key + * Identifier */ int akidSz; /* AKID size in bytes */ + byte rawAkid; /* Set to true if akid is a + * AuthorityKeyIdentifier object. + * Set to false if akid is just a + * KeyIdentifier object. */ word16 keyUsage; /* Key Usage */ byte extKeyUsage; /* Extended Key Usage */ +#ifndef IGNORE_NETSCAPE_CERT_TYPE + byte nsCertType; /* Netscape Certificate Type */ +#endif #ifdef WOLFSSL_EKU_OID /* Extended Key Usage OIDs */ byte extKeyUsageOID[CTC_MAX_EKU_NB][CTC_MAX_EKU_OID_SZ]; @@ -368,6 +382,8 @@ typedef struct Cert { #endif char certPolicies[CTC_MAX_CERTPOL_NB][CTC_MAX_CERTPOL_SZ]; word16 certPoliciesNb; /* Number of Cert Policy */ + byte crlInfo[CTC_MAX_CRLINFO_SZ]; /* CRL Distribution points */ + int crlInfoSz; #endif #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \ defined(WOLFSSL_CERT_REQ)
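Review bot: `byte akid[CTC_MAX_AKID_SIZE + sizeof(CertName)]` in the public Cert struct bounds a DER AuthorityKeyIdentifier by the size of a struct of C name strings, which is unrelated to the DER length (the raw object may hold issuer GeneralNames plus a serial number, each with tag/length octets); the comment should say why that is believed sufficient, or the bound should be a named CTC_MAX_RAW_AKID_SZ-style constant derived from the DER layout. This also grows a public struct, an ABI change for applications that embed Cert, and the `rawAkid` comment should add that the raw bytes are written into the certificate as-is, which is what SetAKID does.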