RFC 5280 Appendix A.1 states that the Country Name in a certificate

shall have a size of 2 octets. Restrict country name length to 2 or 0.

wolfcrypt/src/asn.c

@@ -6712,6 +6712,14 @@ static int SetName(byte* output, word32 outputSz, CertName* name)
             int thisLen = strLen;
             int firstSz, secondSz, seqSz, setSz;
 
+            /* Restrict country code size */
+            if (i == 0) {
+                if (strLen >= CTC_COUNTRY_SIZE)
+                    strLen = CTC_COUNTRY_SIZE;
+                else
+                    strLen = 0;
+            }
+
             if (strLen == 0) { /* no user data for this item */
                 names[i].used = 0;
                 continue;

wolfssl/wolfcrypt/asn_public.h

@@ -77,6 +77,7 @@ enum Ctc_Encoding {
 };
 
 enum Ctc_Misc {
+    CTC_COUNTRY_SIZE  =     2,
     CTC_NAME_SIZE     =    64,
     CTC_DATE_SIZE     =    32,
     CTC_MAX_ALT_SIZE  = 16384,   /* may be huge */