diff --git a/certs/fpki-cert.der b/certs/fpki-cert.der new file mode 100644 index 000000000..9d35ad9d5 Binary files /dev/null and b/certs/fpki-cert.der differ diff --git a/certs/include.am b/certs/include.am index 78b432ef2..3ab8337a5 100644 --- a/certs/include.am +++ b/certs/include.am @@ -63,7 +63,8 @@ EXTRA_DIST += \ certs/csr.ext.der \ certs/entity-no-ca-bool-cert.pem \ certs/entity-no-ca-bool-key.pem \ - certs/x942dh2048.pem + certs/x942dh2048.pem \ + certs/fpki-cert.der EXTRA_DIST += \ certs/ca-key.der \ diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index ebef14a7f..208fc1a58 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -27,6 +27,7 @@ # client-relative-uri.pem # client-crl-dist.pem # entity-no-ca-bool-cert.pem +# fpki-cert.der # updates the following crls: # crl/cliCrl.pem # crl/crl.pem @@ -344,6 +345,20 @@ run_renewcerts(){ echo "End of section" echo "---------------------------------------------------------------------" ########################################################### + ########## update and sign fpki-cert.der ################ + ########################################################### + echo "Updating fpki-cert.der" + echo "" + #pipe the following arguments to openssl req... + echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-req.pem + check_result $? "Step 1" + + openssl x509 -req -in fpki-req.pem -extfile wolfssl.cnf -extensions fpki_ext -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-cert.der -outform DER + check_result $? "Step 2" + rm fpki-req.pem + echo "End of section" + echo "---------------------------------------------------------------------" + ########################################################### ########## update and sign server-cert.pem ################ ########################################################### echo "Updating server-cert.pem" 
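Review bot: The new fpki-cert.der is issued by ca-cert.pem with a hard-coded `-set_serial 01`; RFC 5280 requires issuer+serial to be unique, so if any other certificate this script signs with the same CA also uses serial 01 (the server-cert.pem section that follows starts outside this hunk, so that cannot be confirmed here), a CRL entry or OCSP response for serial 01 would apply to both certificates and any strict verifier that indexes by issuer/serial will confuse them. Give the FPKI certificate a serial no other ca-cert.pem-issued fixture uses rather than reusing 01. Separately, the request is built from `server-key.pem`, so the clientAuth/PIV-style certificate shares its private key with the TLS server certificate; that is acceptable for a test fixture but deserves a line such as `# fpki-cert.der deliberately reuses server-key.pem (test fixture only; a real PIV cert has its own key)` above the `openssl req` call so nobody copies the pattern. The `echo -e "...\\n..."` piping also depends on a bash-style echo; the shebang is not visible in the hunk, so confirm it matches the other sections.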
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf index faea03f5d..9f082b47e 100644 --- a/certs/renewcerts/wolfssl.cnf +++ b/certs/renewcerts/wolfssl.cnf @@ -335,3 +335,39 @@ clock_precision_digits = 0 # (optional) ordering = yes # timestamps? tsa_name = yes # include? ess_cert_id_chain = no # include chain? + + +[fpki_ext] +basicConstraints = CA:FALSE,pathlen:0 +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.4, 1.3.6.1.5.5.7.3.21 +subjectAltName = @FASC_UUID_altname +certificatePolicies = 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.40, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45 +subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr +policyConstraints = requireExplicitPolicy:0 +2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt + +# using example UUID from RFC4122 +[FASC_UUID_altname] +otherName = 2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D1:38:10:D8:28:AF:2C:10:84:35:15:A1:68:58:28:AF:02:10:86:A2:84:E7:39:C3:EB +URI = urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6 + +[SubjDirAttr] +attribute = SEQUENCE:SDA_attr + +[SDA_attr] +type = OID:1.3.6.1.5.5.7.9.4 +values = SET:SDA_coc + +[SDA_coc] +value = PRINTABLESTRING:US + +[PIVCertExt] +attribute = SEQUENCE:PCE_attr + +[PCE_attr] +type = OID:2.16.840.1.101.3.6.9.1 +value = BOOLEAN:true + diff --git a/configure.ac b/configure.ac index 0235f4592..5d2f3c670 100644 --- a/configure.ac +++ b/configure.ac @@ -712,6 +712,9 @@ then # Store issuer name components when parsing certificates. AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_ISSUER_NAMES" + + # Certificate extensions and alt. names for FPKI use + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SUBJ_DIR_ATTR -DWOLFSSL_FPKI -DWOLFSSL_SUBJ_INFO_ACC" fi diff --git a/tests/api.c b/tests/api.c index d9d1a5cae..a83e2f1b5 100644 --- a/tests/api.c +++ b/tests/api.c 
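Review bot: `basicConstraints = CA:FALSE,pathlen:0` in the new `[fpki_ext]` section encodes a pathLenConstraint on an end-entity certificate, which RFC 5280 §4.2.1.9 says MUST NOT be present unless cA is TRUE; OpenSSL's X509_STRICT checking and other strict parsers reject this as an invalid extension, so a fixture meant to exercise FPKI parsing may instead fail on an unrelated malformed extension. Change it to `basicConstraints = CA:FALSE`. Likewise `policyConstraints = requireExplicitPolicy:0` is defined for certificates issued to CAs; if its presence on an end-entity cert is intentional to test the parser, a one-line comment saying so (for example `# policyConstraints on an EE cert is non-standard; kept to exercise the parser`) would stop a future cleanup from "fixing" it.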
@@ -2260,6 +2260,44 @@ static void test_wolfSSL_CertManagerNameConstraint5(void) #endif } +static void test_wolfSSL_FPKI(void) +{ +#if defined(WOLFSSL_FPKI) + XFILE f; + const char* fpkiCert = "./certs/fpki-cert.der"; + DecodedCert cert; + byte buf[4096]; + byte* uuid; + byte* fascn; + word32 fascnSz; + word32 uuidSz; + int bytes; + + printf(testingFmt, "test_wolfSSL_FPKI"); + f = XFOPEN(fpkiCert, "rb"); + AssertTrue((f != XBADFILE)); + bytes = (int)XFREAD(buf, 1, sizeof(buf), f); + XFCLOSE(f); +printf("size of file = %d\n", bytes); + + wc_InitDecodedCert(&cert, buf, bytes, NULL); + AssertIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0); + AssertIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), LENGTH_ONLY_E) ; + fascn = (byte*)XMALLOC(fascnSz, DYNAMIC_TYPE_TMP_BUFFER, NULL); + AssertNotNull(fascn); + AssertIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0); + XFREE(fascn, DYNAMIC_TYPE_TMP_BUFFER, NULL); + + AssertIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), LENGTH_ONLY_E); + uuid = (byte*)XMALLOC(uuidSz, DYNAMIC_TYPE_TMP_BUFFER, NULL); + AssertNotNull(uuid); + AssertIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0); + XFREE(uuid, DYNAMIC_TYPE_TMP_BUFFER, NULL); + + printf(resultFmt, passed); +#endif +} + static void test_wolfSSL_CertManagerCRL(void) { #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ @@ -8982,7 +9020,8 @@ static void test_wolfSSL_URI(void) wolfSSL_FreeX509(x509); x509 = wolfSSL_X509_load_certificate_file(badUri, WOLFSSL_FILETYPE_PEM); -#if !defined(IGNORE_NAME_CONSTRAINTS) && !defined(WOLFSSL_NO_ASN_STRICT) +#if !defined(IGNORE_NAME_CONSTRAINTS) && !defined(WOLFSSL_NO_ASN_STRICT) \ + && !defined(WOLFSSL_FPKI) AssertNull(x509); #else AssertNotNull(x509); 
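Review bot: test_wolfSSL_FPKI never calls `wc_FreeDecodedCert(&cert)` after `wc_ParseCert`, so anything the parser allocates for the decoded alt names and attributes leaks on every run, and the result of `XFREAD` is used as the certificate length without checking it; add `AssertIntGT(bytes, 0);` after `XFCLOSE(f);` and `wc_FreeDecodedCert(&cert);` before the final `printf(resultFmt, passed);`. The unindented `printf("size of file = %d\n", bytes);` is leftover debug output and should be deleted. The guard is only `#if defined(WOLFSSL_FPKI)`, whereas the neighbouring CertManager tests also require `!defined(NO_FILESYSTEM) && !defined(NO_CERTS)`; since this test opens a file and decodes a certificate it should carry the same conditions, e.g. `#if defined(WOLFSSL_FPKI) && !defined(NO_FILESYSTEM) && !defined(NO_CERTS)`.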
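Review bot: The change to test_wolfSSL_URI flips the expectation for badUri from `AssertNull(x509)` to `AssertNotNull(x509)` whenever WOLFSSL_FPKI is defined, which means an FPKI build now loads a certificate whose URI name a strict build rejects; the library-side change that causes this is not in the hunk, and nothing in the test records why the relaxation is acceptable. If the intent is that FPKI `urn:uuid:` names have no `//` authority and therefore the scheme check has to be loosened, say so next to the new condition, e.g. `/* WOLFSSL_FPKI relaxes URI altName checking (urn: names have no authority part), so the malformed URI is accepted here */`, and confirm the relaxation is limited to that case rather than to every URI altName. The enclosing test_wolfSSL_URI starts before and ends after this hunk.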
@@ -54100,6 +54139,7 @@ void ApiTest(void)
 test_wolfSSL_CertManagerNameConstraint3();
 test_wolfSSL_CertManagerNameConstraint4();
 test_wolfSSL_CertManagerNameConstraint5();
+ test_wolfSSL_FPKI();
 test_wolfSSL_CertManagerCRL();
 test_wolfSSL_CTX_load_verify_locations_ex();
 test_wolfSSL_CTX_load_verify_buffer_ex();