diff --git a/certs/fpki-certpol-cert.der b/certs/fpki-certpol-cert.der
new file mode 100644
index 000000000..f3fe08341
Binary files /dev/null and b/certs/fpki-certpol-cert.der differ
diff --git a/certs/include.am b/certs/include.am
index 1c622e8c3..d9cb8f314 100644
--- a/certs/include.am
+++ b/certs/include.am
@@ -75,6 +75,7 @@ EXTRA_DIST += \
 certs/x942dh2048.der \
 certs/x942dh2048.pem \
 certs/fpki-cert.der \
+ certs/fpki-certpol-cert.der \
 certs/rid-cert.der \
 certs/dh-priv-2048.der \
 certs/dh-priv-2048.pem \
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index cf5154217..49c03f189 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -373,6 +373,20 @@ run_renewcerts(){
 echo "End of section"
 echo "---------------------------------------------------------------------"
 ###########################################################
+ ########## update and sign fpki-certpol-cert.der ################
+ ###########################################################
+ echo "Updating fpki-certpol-cert.der"
+ echo ""
+ #pipe the following arguments to openssl req...
+ echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-certpol-req.pem
+ check_result $? "Step 1"
+
+ openssl x509 -req -in fpki-certpol-req.pem -extfile wolfssl.cnf -extensions fpki_ext_certpol -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-certpol-cert.der -outform DER
+ check_result $? "Step 2"
+ rm fpki-certpol-req.pem
+ echo "End of section"
+ echo "---------------------------------------------------------------------"
+ ###########################################################
 ########## update and sign rid-cert.der ################
 ###########################################################
 echo "Updating rid-cert.der"
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index e955ba59c..5738bf768 100644
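Review bot: Step 2 issues the new certificate from `ca-cert.pem` with `-set_serial 01`, and if the fpki-cert.der section this block was copied from (outside the hunk) also uses serial 01 under the same CA, the two fixtures end up sharing an issuer/serial pair, which RFC 5280 requires to be unique per issuer. Any code path that keys a certificate cache or CRL lookup on issuer plus serial may then treat the two fixtures as the same certificate, which makes test failures hard to interpret. Giving the new fixture its own serial, e.g. `-set_serial 02` (example value), keeps them distinguishable. The enclosing `run_renewcerts()` function begins and ends outside the hunk.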
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -355,6 +355,18 @@ subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
 policyConstraints = requireExplicitPolicy:0
 2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
+[fpki_ext_certpol]
+basicConstraints = CA:FALSE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.4, 1.3.6.1.5.5.7.3.21
+subjectAltName = @FASC_UUID_altname
+certificatePolicies = 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.40, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.2.1.11.5, 2.16.840.1.101.2.1.11.9, 2.16.840.1.101.2.1.11.10, 2.16.840.1.101.2.1.11.17, 2.16.840.1.101.2.1.11.18, 2.16.840.1.101.2.1.11.19, 2.16.840.1.101.2.1.11.20, 2.16.840.1.101.2.1.11.31, 2.16.840.1.101.2.1.11.36, 2.16.840.1.101.2.1.11.37, 2.16.840.1.101.2.1.11.38, 2.16.840.1.101.2.1.11.39, 2.16.840.1.101.2.1.11.40, 2.16.840.1.101.2.1.11.41, 2.16.840.1.101.2.1.11.42, 2.16.840.1.101.2.1.11.43, 2.16.840.1.101.2.1.11.44, 2.16.840.1.101.2.1.11.59, 2.16.840.1.101.2.1.11.60, 2.16.840.1.101.2.1.11.61, 2.16.840.1.101.2.1.11.62, 2.16.840.1.101.3.2.1.12.1, 2.16.840.1.101.3.2.1.12.2, 2.16.840.1.101.3.2.1.12.3, 2.16.840.1.101.3.2.1.12.4, 2.16.840.1.101.3.2.1.12.5, 2.16.840.1.101.3.2.1.12.6, 2.16.840.1.101.3.2.1.12.8, 2.16.840.1.101.3.2.1.12.9, 2.16.840.1.101.3.2.1.12.10, 2.16.840.1.101.3.2.1.3.4, 2.16.840.1.101.3.2.1.3.7, 2.16.840.1.101.3.2.1.3.12, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.16, 2.16.840.1.101.3.2.1.3.18, 2.16.840.1.101.3.2.1.3.20, 2.16.840.1.101.3.2.1.3.36, 2.16.840.1.101.3.2.1.3.38, 2.16.840.1.101.3.2.1.3.39, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.3.2.1.3.47, 2.16.840.1.101.3.2.1.6.4, 2.16.840.1.101.3.2.1.6.12, 2.16.840.1.101.3.2.1.6.38, 2.16.840.1.101.3.2.1.5.4, 2.16.840.1.101.3.2.1.5.5, 2.16.840.1.101.3.2.1.5.10, 2.16.840.1.101.3.2.1.5.12, 1.3.6.1.4.1.73.15.3.1.12, 1.3.6.1.4.1.73.15.3.1.17, 1.3.6.1.4.1.45606.3.1.12, 1.3.6.1.4.1.45606.3.1.20, 1.3.6.1.4.1.45606.3.1.22, 1.3.6.1.4.1.25054.3.1.12, 1.3.6.1.4.1.25054.3.1.14, 1.3.6.1.4.1.25054.3.1.20, 1.3.6.1.4.1.25054.3.1.22, 1.3.6.1.4.1.24019.1.1.1.2, 1.3.6.1.4.1.24019.1.1.1.3, 1.3.6.1.4.1.24019.1.1.1.7, 1.3.6.1.4.1.24019.1.1.1.9, 1.3.6.1.4.1.24019.1.1.1.18, 1.3.6.1.4.1.24019.1.1.1.19, 1.3.6.1.4.1.38099.1.1.1.2, 1.3.6.1.4.1.38099.1.1.1.5, 1.3.6.1.4.1.38099.1.1.1.7, 2.16.840.1.113733.1.7.23.3.1.7, 2.16.840.1.113733.1.7.23.3.1.13, 2.16.840.1.113733.1.7.23.3.1.18, 2.16.840.1.113733.1.7.23.3.1.20, 2.16.840.1.113733.1.7.23.3.1.36, 2.16.840.1.114027.200.3.10.7.2, 2.16.840.1.114027.200.3.10.7.4, 2.16.840.1.114027.200.3.10.7.6, 2.16.840.1.114027.200.3.10.7.9, 2.16.840.1.114027.200.3.10.7.16, 1.3.6.1.4.1.13948.1.1.1.6, 2.16.840.1.113839.0.100.12.1, 2.16.840.1.113839.0.100.12.2, 2.16.840.1.113839.0.100.18.0, 2.16.840.1.113839.0.100.18.1, 2.16.840.1.113839.0.100.18.2, 2.16.840.1.113839.0.100.20.1, 1.3.6.1.4.1.103.100.1.1.3.3, 1.3.6.1.4.1.16334.509.2.8, 1.3.6.1.4.1.16334.509.2.9, 1.3.6.1.4.1.16334.509.2.11, 1.3.6.1.4.1.16334.509.2.14, 1.3.6.1.4.1.1569.10.1.12, 1.3.6.1.4.1.1569.10.1.18, 1.3.6.1.4.1.26769.10.1.12, 1.3.6.1.4.1.26769.10.1.18, 1.3.6.1.4.1.3922.1.1.1.12, 1.3.6.1.4.1.3922.1.1.1.18, 1.3.6.1.4.1.3922.1.1.1.20, 1.3.6.1.4.1.3922.1.1.1.38, 1.2.36.1.334.1.2.1.2, 1.2.36.1.334.1.2.1.3, 1.2.36.1.334.1.2.2.2, 2.16.528.1.1003.1.2.5.1, 2.16.528.1.1003.1.2.5.2, 2.16.528.1.1003.1.2.5.3
+subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
+policyConstraints = requireExplicitPolicy:0
+2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
+
 # using example UUID from RFC4122
 [FASC_UUID_altname]
 otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:facts@wolfssl.com
diff --git a/tests/api.c b/tests/api.c
index 3d6ad8284..c0ebce887 100644
--- a/tests/api.c
+++ b/tests/api.c
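Review bot: The `certificatePolicies` list in the new `[fpki_ext_certpol]` section repeats `2.16.840.1.101.3.2.1.3.13`, `2.16.840.1.101.3.2.1.3.41` and `2.16.840.1.101.3.2.1.3.45` (each appears near the head of the list and again in the `2.16.840.1.101.3.2.1.3.x` run), and RFC 5280 §4.2.1.4 requires a policy OID to appear at most once in the extension; OpenSSL will encode the duplicates as given. If the fixture is meant to be a conforming certificate, drop the repeats; if exercising duplicate handling in the parser is the intent, a comment above the section such as `# NOTE: some policy OIDs are deliberately repeated to exercise duplicate handling` would stop the next maintainer from "fixing" it. Separately, `basicConstraints = CA:FALSE,pathlen:0` puts a pathLenConstraint on an end-entity certificate, which RFC 5280 §4.2.1.9 only allows when cA is asserted; `basicConstraints = CA:FALSE` is the conforming form.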
@@ -4908,6 +4908,7 @@ static int test_wolfSSL_FPKI(void)
 #if defined(WOLFSSL_FPKI) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
 XFILE f = XBADFILE;
 const char* fpkiCert = "./certs/fpki-cert.der";
+ const char* fpkiCertPolCert = "./certs/fpki-certpol-cert.der";
 DecodedCert cert;
 byte buf[4096];
 byte* uuid = NULL;
@@ -4934,6 +4935,29 @@ static int test_wolfSSL_FPKI(void)
 ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0);
 XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 wc_FreeDecodedCert(&cert);
+
+ XMEMSET(buf, 0, 4096);
+ fascnSz = uuidSz = bytes = 0;
+ f = XBADFILE;
+
+ ExpectTrue((f = XFOPEN(fpkiCertPolCert, "rb")) != XBADFILE);
+ ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0);
+ if (f != XBADFILE)
+ XFCLOSE(f);
+
+ wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL);
+ ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0);
+ ExpectIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E));
+ ExpectNotNull(fascn = (byte*)XMALLOC(fascnSz, NULL,
+ DYNAMIC_TYPE_TMP_BUFFER));
+ ExpectIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0);
+ XFREE(fascn, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+ ExpectIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E));
+ ExpectNotNull(uuid = (byte*)XMALLOC(uuidSz, NULL, DYNAMIC_TYPE_TMP_BUFFER));
+ ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0);
+ XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ wc_FreeDecodedCert(&cert);
 #endif
 return EXPECT_RESULT();
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index af3636fd2..4c65ee4b8 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -5724,7 +5724,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyStateMediumDeviceHardwareOid;
 *oidSz = sizeof(extCertPolicyStateMediumDeviceHardwareOid);
 break;
-
+
 /* U.S. Treasury SSP PKI OIDs */
 case CP_TREAS_MEDIUMHW_OID:
 oid = extCertPolicyTreasuryMediumHardwareOid;
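Review bot: `XMEMSET(buf, 0, 4096);` at the top of the second api.c hunk hard-codes the size that `XFREAD(buf, 1, sizeof(buf), f)` two lines later derives from the array; `XMEMSET(buf, 0, sizeof(buf));` keeps the two in step if `buf` is ever resized. The read is only checked for being positive, so a DER file that does not fit in `buf` (plausible for this fixture, given the very long certificatePolicies list it is generated with) would be silently truncated and surface later as an unrelated `wc_ParseCert` failure; adding `ExpectIntLT(bytes, (int)sizeof(buf));` after the read makes the real cause explicit. The same two observations presumably apply to the original fpki-cert.der block this section mirrors, which lies between the two hunks. The enclosing `test_wolfSSL_FPKI()` opens before the first hunk and its closing brace is outside the second.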
@@ -5742,7 +5742,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyTreasuryPiviContentSigningOid;
 *oidSz = sizeof(extCertPolicyTreasuryPiviContentSigningOid);
 break;
-
+
 /* Boeing PKI OIDs */
 case CP_BOEING_MEDIUMHW_SHA256_OID:
 oid = extCertPolicyBoeingMediumHardwareSha256Oid;
@@ -5752,7 +5752,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyBoeingMediumHardwareContentSigningSha256Oid;
 *oidSz = sizeof(extCertPolicyBoeingMediumHardwareContentSigningSha256Oid);
 break;
-
+
 /* DigiCert NFI PKI OIDs */
 case CP_DIGICERT_NFSSP_MEDIUMHW_OID:
 oid = extCertPolicyDigicertNfiMediumHardwareOid;
@@ -5774,7 +5774,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyDigicertNfiMediumDevicesHardwareOid;
 *oidSz = sizeof(extCertPolicyDigicertNfiMediumDevicesHardwareOid);
 break;
-
+
 /* Entrust Managed Services NFI PKI OIDs */
 case CP_ENTRUST_NFSSP_MEDIUMHW_OID:
 oid = extCertPolicyEntrustNfiMediumHardwareOid;
@@ -5796,19 +5796,19 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyEntrustNfiMediumDevicesHwOid;
 *oidSz = sizeof(extCertPolicyEntrustNfiMediumDevicesHwOid);
 break;
-
+
 /* Exostar LLC PKI OIDs */
 case CP_EXOSTAR_MEDIUMHW_SHA2_OID:
 oid = extCertPolicyExostarMediumHardwareSha2Oid;
 *oidSz = sizeof(extCertPolicyExostarMediumHardwareSha2Oid);
 break;
-
+
 /* Lockheed Martin PKI OIDs */
 case CP_LOCKHEED_MEDIUMHW_OID:
 oid = extCertPolicyLockheedMediumAssuranceHardwareOid;
 *oidSz = sizeof(extCertPolicyLockheedMediumAssuranceHardwareOid);
 break;
-
+
 /* Northrop Grumman PKI OIDs */
 case CP_NORTHROP_MEDIUM_256_HW_OID:
 oid = extCertPolicyNorthropMediumAssurance256HardwareTokenOid;
@@ -5826,7 +5826,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyNorthropMediumAssurance384HardwareTokenOid;
 *oidSz = sizeof(extCertPolicyNorthropMediumAssurance384HardwareTokenOid);
 break;
-
+
 /* Raytheon PKI OIDs */
 case CP_RAYTHEON_MEDIUMHW_OID:
 oid = extCertPolicyRaytheonMediumHardwareOid;
@@ -5844,7 +5844,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyRaytheonSha2MediumDeviceHardwareOid;
 *oidSz = sizeof(extCertPolicyRaytheonSha2MediumDeviceHardwareOid);
 break;
-
+
 /* WidePoint NFI PKI OIDs */
 case CP_WIDEPOINT_MEDIUMHW_OID:
 oid = extCertPolicyWidepointNfiMediumHardwareOid;
@@ -5862,7 +5862,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyWidepointNfiMediumDevicesHardwareOid;
 *oidSz = sizeof(extCertPolicyWidepointNfiMediumDevicesHardwareOid);
 break;
-
+
 /* Australian Defence Organisation PKI OIDs */
 case CP_ADO_MEDIUM_OID:
 oid = extCertPolicyAdoIndividualMediumAssuranceOid;