From f313edb4cfa7227f1bd1bf4fa40bf51162ee2f15 Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 27 Mar 2025 12:13:57 -0700 Subject: [PATCH] Add a test certificate for all of the FPKI certificate policy OIDs. --- certs/fpki-certpol-cert.der | Bin 0 -> 2874 bytes certs/include.am | 1 + certs/renewcerts.sh | 14 ++++++++++++++ certs/renewcerts/wolfssl.cnf | 12 ++++++++++++ tests/api.c | 24 ++++++++++++++++++++++++ wolfcrypt/src/asn.c | 20 ++++++++++---------- 6 files changed, 61 insertions(+), 10 deletions(-) create mode 100644 certs/fpki-certpol-cert.der 
diff --git a/certs/fpki-certpol-cert.der b/certs/fpki-certpol-cert.der new file mode 100644 index 0000000000000000000000000000000000000000..f3fe08341769a6fb92fde97bae3d8c7c99133de6 GIT binary patch literal 2874 zcmXqL;x;pA;*wjy%*4pV#K>sC%f_kI=F#?@mywa1mBFBKiXpcFCmVAp3!5-gXt1Gx z0UwCN!NcyGpI4HYmk1MK=V5osuS(5L%rg`;;0LMU;^7EREHBB=FUc?zHV^~}ar1CF z=jRod=9FaSr5j2Zh=Bx|dHBoA%k|3hbJB{7bM%t)a}DJUWZ}->WE2y~%uCC6KvG~J zC(dhRYG7<+ZfI#>ZekK8&TC|DXk=srk`xx>XaDyDk&BNjr z;O$9?dz%=QkVBS{m4Ug5k)Oe!iIIz`iII`vz*LTh;f|jQbGKh|byR0eJ?6UZ(;gLr z9aGQg`(67c)3K*!{_hp(_5Wh#1eSj9I>r9nRKNe>-s%JTHLFuri2peiTfOUn;?p9% ze7&|CQ;Tn{kq+J&Z+~5qSJnSva&lldcZ&U5=N(IBVoWx#V_1-U^jkf5WJX2tvL1<* zOu6e1OET*15O{p-jKh}9#csx#?RiIbi!b~9;_lkwJ=OY(TmPm7^6U-S{4h6OW{-05 zMNZ~UkxK$QQx0ogSUAmV&%-NH(Z?4YIG9|)?_zFXG_Ao%dFsOQUBZ{97e9(sJ(eAVkC51%DAAH6i~{>=;iYp*jgGcqtPZepKi(8NB; zfQOAaR92XU)qt6ak-KK4WMHgm7Xsl-vXj|0s-16}2Hr>*qJgd^u z%oM9M3&RwXw8T_h^OV$NT|>hZ1KmV(GgDmygG7U5OT$#Nq%<>wCN?#YI}})&*klcw z*dz^j*tj4TF)=dpqVP0Oc$z3YT?1}5POv^EMs8MQ4kt2)3z;K`%n?H72qSYukU8?m z92I1aDl$h6nWK)((Lm;CB6GBmIoik^9b}F*GRFp)V~fnOLk=DuMid?s3Xd6u$AZFR zMd7ib@HkL-oG3glWF9k$nau1cay%$J)Cdzf)zMn*Oe7wqt#`V1*NpvDF_g3E*=E5v}xMO7?>s#pXp3yz}n6h=m7W{_Sm_rG6r zEfWVSmlKuCjmqT%C2FwV9z`ysBnRRN!Id^%6a-1ak{p5~&!vrabS_Bx|vl*FKA*B?IhbqTxAPuS~I9WstgbV~= z^%y6MAq%J-2dQFJKvir5BZGlFv@T#~<6>kHG61!NAe93%8z&R9J|nR68*-?z9oVtG&8n{jWpaUd6RHgWWEEx6x!DA{k(ohu fpki-certpol-req.pem + check_result $? "Step 1" + + openssl x509 -req -in fpki-certpol-req.pem -extfile wolfssl.cnf -extensions fpki_ext_certpol -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-certpol-cert.der -outform DER + check_result $? "Step 2" + rm fpki-certpol-req.pem + echo "End of section" + echo "---------------------------------------------------------------------" + ########################################################### ########## update and sign rid-cert.der ################ ########################################################### echo "Updating rid-cert.der" 
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index e955ba59c..5738bf768 100644
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -355,6 +355,18 @@ subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
policyConstraints = requireExplicitPolicy:0
2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
+[fpki_ext_certpol]
+basicConstraints = CA:FALSE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.4, 1.3.6.1.5.5.7.3.21
+subjectAltName = @FASC_UUID_altname
+certificatePolicies = 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.40, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.2.1.11.5, 2.16.840.1.101.2.1.11.9, 2.16.840.1.101.2.1.11.10, 2.16.840.1.101.2.1.11.17, 2.16.840.1.101.2.1.11.18, 2.16.840.1.101.2.1.11.19, 2.16.840.1.101.2.1.11.20, 2.16.840.1.101.2.1.11.31, 2.16.840.1.101.2.1.11.36, 2.16.840.1.101.2.1.11.37, 2.16.840.1.101.2.1.11.38, 2.16.840.1.101.2.1.11.39, 2.16.840.1.101.2.1.11.40, 2.16.840.1.101.2.1.11.41, 2.16.840.1.101.2.1.11.42, 2.16.840.1.101.2.1.11.43, 2.16.840.1.101.2.1.11.44, 2.16.840.1.101.2.1.11.59, 2.16.840.1.101.2.1.11.60, 2.16.840.1.101.2.1.11.61, 2.16.840.1.101.2.1.11.62, 2.16.840.1.101.3.2.1.12.1, 2.16.840.1.101.3.2.1.12.2, 2.16.840.1.101.3.2.1.12.3, 2.16.840.1.101.3.2.1.12.4, 2.16.840.1.101.3.2.1.12.5, 2.16.840.1.101.3.2.1.12.6, 2.16.840.1.101.3.2.1.12.8, 2.16.840.1.101.3.2.1.12.9, 2.16.840.1.101.3.2.1.12.10, 2.16.840.1.101.3.2.1.3.4, 2.16.840.1.101.3.2.1.3.7, 2.16.840.1.101.3.2.1.3.12, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.16, 2.16.840.1.101.3.2.1.3.18, 2.16.840.1.101.3.2.1.3.20, 2.16.840.1.101.3.2.1.3.36, 2.16.840.1.101.3.2.1.3.38, 2.16.840.1.101.3.2.1.3.39, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.3.2.1.3.47, 2.16.840.1.101.3.2.1.6.4, 2.16.840.1.101.3.2.1.6.12, 2.16.840.1.101.3.2.1.6.38, 2.16.840.1.101.3.2.1.5.4, 2.16.840.1.101.3.2.1.5.5, 2.16.840.1.101.3.2.1.5.10, 2.16.840.1.101.3.2.1.5.12, 1.3.6.1.4.1.73.15.3.1.12, 1.3.6.1.4.1.73.15.3.1.17, 
1.3.6.1.4.1.45606.3.1.12, 1.3.6.1.4.1.45606.3.1.20, 1.3.6.1.4.1.45606.3.1.22, 1.3.6.1.4.1.25054.3.1.12, 1.3.6.1.4.1.25054.3.1.14, 1.3.6.1.4.1.25054.3.1.20, 1.3.6.1.4.1.25054.3.1.22, 1.3.6.1.4.1.24019.1.1.1.2, 1.3.6.1.4.1.24019.1.1.1.3, 1.3.6.1.4.1.24019.1.1.1.7, 1.3.6.1.4.1.24019.1.1.1.9, 1.3.6.1.4.1.24019.1.1.1.18, 1.3.6.1.4.1.24019.1.1.1.19, 1.3.6.1.4.1.38099.1.1.1.2, 1.3.6.1.4.1.38099.1.1.1.5, 1.3.6.1.4.1.38099.1.1.1.7, 2.16.840.1.113733.1.7.23.3.1.7, 2.16.840.1.113733.1.7.23.3.1.13, 2.16.840.1.113733.1.7.23.3.1.18, 2.16.840.1.113733.1.7.23.3.1.20, 2.16.840.1.113733.1.7.23.3.1.36, 2.16.840.1.114027.200.3.10.7.2, 2.16.840.1.114027.200.3.10.7.4, 2.16.840.1.114027.200.3.10.7.6, 2.16.840.1.114027.200.3.10.7.9, 2.16.840.1.114027.200.3.10.7.16, 1.3.6.1.4.1.13948.1.1.1.6, 2.16.840.1.113839.0.100.12.1, 2.16.840.1.113839.0.100.12.2, 2.16.840.1.113839.0.100.18.0, 2.16.840.1.113839.0.100.18.1, 2.16.840.1.113839.0.100.18.2, 2.16.840.1.113839.0.100.20.1, 1.3.6.1.4.1.103.100.1.1.3.3, 1.3.6.1.4.1.16334.509.2.8, 1.3.6.1.4.1.16334.509.2.9, 1.3.6.1.4.1.16334.509.2.11, 1.3.6.1.4.1.16334.509.2.14, 1.3.6.1.4.1.1569.10.1.12, 1.3.6.1.4.1.1569.10.1.18, 1.3.6.1.4.1.26769.10.1.12, 1.3.6.1.4.1.26769.10.1.18, 1.3.6.1.4.1.3922.1.1.1.12, 1.3.6.1.4.1.3922.1.1.1.18, 1.3.6.1.4.1.3922.1.1.1.20, 1.3.6.1.4.1.3922.1.1.1.38, 1.2.36.1.334.1.2.1.2, 1.2.36.1.334.1.2.1.3, 1.2.36.1.334.1.2.2.2, 2.16.528.1.1003.1.2.5.1, 2.16.528.1.1003.1.2.5.2, 2.16.528.1.1003.1.2.5.3
+subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
+policyConstraints = requireExplicitPolicy:0
+2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
+
# using example UUID from RFC4122
[FASC_UUID_altname]
otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:facts@wolfssl.com
diff --git a/tests/api.c b/tests/api.c
index 3d6ad8284..c0ebce887 100644
--- a/tests/api.c
+++ b/tests/api.c
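Review bot: The certificatePolicies list in the new [fpki_ext_certpol] section repeats three OIDs, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.41 and 2.16.840.1.101.3.2.1.3.45, once among the first four entries and again inside the later 2.16.840.1.101.3.2.1.3.* run, and RFC 5280 section 4.2.1.4 requires that a policy OID not appear more than once in the extension. OpenSSL will emit the duplicates as written, so the fixture the commit checks in is not a conforming FPKI certificate, and any validator that enforces the uniqueness rule would reject it for a reason unrelated to what the test is meant to exercise. Unless tolerance of duplicate policy OIDs is the intent, in which case a comment above the line should say so, drop the four leading entries and keep the single sorted occurrence of each. A one-line comment such as `# every FPKI certificate policy OID known to wolfSSL, see CP_* ids in asn.c` above the section would also tell the next maintainer what the list is meant to track and that it must be regenerated when a policy OID is added.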
@@ -4908,6 +4908,7 @@ static int test_wolfSSL_FPKI(void)
#if defined(WOLFSSL_FPKI) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
XFILE f = XBADFILE;
const char* fpkiCert = "./certs/fpki-cert.der";
+ const char* fpkiCertPolCert = "./certs/fpki-certpol-cert.der";
DecodedCert cert;
byte buf[4096];
byte* uuid = NULL;
@@ -4934,6 +4935,29 @@ static int test_wolfSSL_FPKI(void)
ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0);
XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wc_FreeDecodedCert(&cert);
+
+ XMEMSET(buf, 0, 4096);
+ fascnSz = uuidSz = bytes = 0;
+ f = XBADFILE;
+
+ ExpectTrue((f = XFOPEN(fpkiCertPolCert, "rb")) != XBADFILE);
+ ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0);
+ if (f != XBADFILE)
+ XFCLOSE(f);
+
+ wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL);
+ ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0);
+ ExpectIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E));
+ ExpectNotNull(fascn = (byte*)XMALLOC(fascnSz, NULL,
+ DYNAMIC_TYPE_TMP_BUFFER));
+ ExpectIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0);
+ XFREE(fascn, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+ ExpectIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E));
+ ExpectNotNull(uuid = (byte*)XMALLOC(uuidSz, NULL, DYNAMIC_TYPE_TMP_BUFFER));
+ ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0);
+ XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ wc_FreeDecodedCert(&cert);
#endif
return EXPECT_RESULT();
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index af3636fd2..4c65ee4b8 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -5724,7 +5724,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyStateMediumDeviceHardwareOid;
*oidSz = sizeof(extCertPolicyStateMediumDeviceHardwareOid);
break;
-
+
/* U.S. Treasury SSP PKI OIDs */
case CP_TREAS_MEDIUMHW_OID:
oid = extCertPolicyTreasuryMediumHardwareOid;
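Review bot: The block added after the first wc_FreeDecodedCert(&cert) in the second hunk is a line-for-line copy of the fpki-cert.der sequence above it with only the path changed, and since this fixture is the one the commit exists to add, the natural shape is a static helper taking the path, e.g. `static int test_wolfSSL_FPKI_parse(const char* certPath)`, called once per certificate from test_wolfSSL_FPKI so the next fixture is one line rather than twenty. Inside the copy, `XMEMSET(buf, 0, 4096);` hard-codes the buffer size while the XFREAD two lines later uses `sizeof(buf)`; it should be `XMEMSET(buf, 0, sizeof(buf));` so the two cannot drift apart. The new certificate carries the full FPKI certificatePolicies list, yet the assertions only repeat the FASC-N and UUID extraction the original fixture already covered, so a regression in policy-OID decoding would pass as long as wc_ParseCert still returns 0; an assertion on the decoded policy count in DecodedCert (if this build exposes it) or on one specific policy OID being recognised would pin what the fixture is for. test_wolfSSL_FPKI begins before the first hunk and ends after the second.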
@@ -5742,7 +5742,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyTreasuryPiviContentSigningOid;
*oidSz = sizeof(extCertPolicyTreasuryPiviContentSigningOid);
break;
-
+
/* Boeing PKI OIDs */
case CP_BOEING_MEDIUMHW_SHA256_OID:
oid = extCertPolicyBoeingMediumHardwareSha256Oid;
@@ -5752,7 +5752,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyBoeingMediumHardwareContentSigningSha256Oid;
*oidSz = sizeof(extCertPolicyBoeingMediumHardwareContentSigningSha256Oid);
break;
-
+
/* DigiCert NFI PKI OIDs */
case CP_DIGICERT_NFSSP_MEDIUMHW_OID:
oid = extCertPolicyDigicertNfiMediumHardwareOid;
@@ -5774,7 +5774,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyDigicertNfiMediumDevicesHardwareOid;
*oidSz = sizeof(extCertPolicyDigicertNfiMediumDevicesHardwareOid);
break;
-
+
/* Entrust Managed Services NFI PKI OIDs */
case CP_ENTRUST_NFSSP_MEDIUMHW_OID:
oid = extCertPolicyEntrustNfiMediumHardwareOid;
@@ -5796,19 +5796,19 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyEntrustNfiMediumDevicesHwOid;
*oidSz = sizeof(extCertPolicyEntrustNfiMediumDevicesHwOid);
break;
-
+
/* Exostar LLC PKI OIDs */
case CP_EXOSTAR_MEDIUMHW_SHA2_OID:
oid = extCertPolicyExostarMediumHardwareSha2Oid;
*oidSz = sizeof(extCertPolicyExostarMediumHardwareSha2Oid);
break;
-
+
/* Lockheed Martin PKI OIDs */
case CP_LOCKHEED_MEDIUMHW_OID:
oid = extCertPolicyLockheedMediumAssuranceHardwareOid;
*oidSz = sizeof(extCertPolicyLockheedMediumAssuranceHardwareOid);
break;
-
+
/* Northrop Grumman PKI OIDs */
case CP_NORTHROP_MEDIUM_256_HW_OID:
oid = extCertPolicyNorthropMediumAssurance256HardwareTokenOid;
@@ -5826,7 +5826,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyNorthropMediumAssurance384HardwareTokenOid;
*oidSz = sizeof(extCertPolicyNorthropMediumAssurance384HardwareTokenOid);
break;
-
+
/* Raytheon PKI OIDs */
case CP_RAYTHEON_MEDIUMHW_OID:
oid = extCertPolicyRaytheonMediumHardwareOid;
@@ -5844,7 +5844,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyRaytheonSha2MediumDeviceHardwareOid;
*oidSz = sizeof(extCertPolicyRaytheonSha2MediumDeviceHardwareOid);
break;
-
+
/* WidePoint NFI PKI OIDs */
case CP_WIDEPOINT_MEDIUMHW_OID:
oid = extCertPolicyWidepointNfiMediumHardwareOid;
@@ -5862,7 +5862,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyWidepointNfiMediumDevicesHardwareOid;
*oidSz = sizeof(extCertPolicyWidepointNfiMediumDevicesHardwareOid);
break;
-
+
/* Australian Defence Organisation PKI OIDs */
case CP_ADO_MEDIUM_OID:
oid = extCertPolicyAdoIndividualMediumAssuranceOid;