Merge remote-tracking branch 'upstream/master' into zd20936

.github/workflows/os-check.yml

@@ -65,6 +65,7 @@ jobs:
            --enable-cert-setup-cb --enable-sessioncerts',
           '--disable-sni --disable-ecc --disable-tls13 --disable-secure-renegotiation-info',
           'CPPFLAGS=-DWOLFSSL_BLIND_PRIVATE_KEY',
+          '--enable-all --enable-certgencache',
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'

.wolfssl_known_macro_extras

@@ -663,6 +663,7 @@ WOLFSSL_ALLOW_TLS_SHA1
 WOLFSSL_ALTERNATIVE_DOWNGRADE
 WOLFSSL_ALT_NAMES_NO_REV
 WOLFSSL_ARM_ARCH_NEON_64BIT
+WOLFSSL_ARMASM_NEON_NO_TABLE_LOOKUP
 WOLFSSL_ASCON_UNROLL
 WOLFSSL_ASNC_CRYPT
 WOLFSSL_ASN_EXTRA

CMakeLists.txt

@@ -2693,6 +2693,18 @@ if(WOLFSSL_EXAMPLES)
         tests/api/test_ossl_mac.c
         tests/api/test_ossl_rsa.c
         tests/api/test_ossl_sk.c
+        tests/api/test_ossl_x509.c
+        tests/api/test_ossl_x509_ext.c
+        tests/api/test_ossl_x509_name.c
+        tests/api/test_ossl_x509_pk.c
+        tests/api/test_ossl_x509_vp.c
+        tests/api/test_ossl_x509_io.c
+        tests/api/test_ossl_x509_crypto.c
+        tests/api/test_ossl_x509_acert.c
+        tests/api/test_ossl_x509_info.c
+        tests/api/test_ossl_x509_str.c
+        tests/api/test_ossl_x509_lu.c
+        tests/api/test_ossl_pem.c
         tests/api/test_tls13.c
         tests/srp.c
         tests/suites.c

IDE/Renesas/e2studio/RA6M4/include.am

@@ -17,3 +17,7 @@ EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/key_data/key_data_sce.c
 EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/key_data/key_data.h
 EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h
 EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/common/user_settings.h
+EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/tools/README.md
+EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/tools/example_keys/generate_SignedCA.sh
+EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/tools/example_keys/rsa_private.pem
+EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/tools/example_keys/rsa_public.pem

linuxkm/Makefile

@@ -104,21 +104,41 @@ ifndef MAKE_TMPDIR
 endif
 
 GENERATE_SECTION_MAP := $(AWK) 'BEGIN { printf("") >ENVIRON["SECTION_MAP"]; }		\
-	{										\
-	    if ($$7 !~ "^[0-9]+$$")							\
-		next;									\
-	    if ($$4 == "SECTION") {							\
-		sections[$$7] = $$8;							\
-		next;									\
+	/^Section Headers:/ {								\
+	    in_sections = 1;								\
+	    in_symbols = 0;								\
+	    next;									\
+	}										\
+	/^Symbol table / {								\
+	    if (! in_sections) {							\
+		print "symbol table appeared before section headers." >"/dev/stderr";	\
+		exit(1);								\
 	    }										\
-	    if (($$4 == "NOTYPE") || ($$4 == "OBJECT") || ($$4 == "FUNC")) {		\
-		if (($$8 == "$$d") || ($$8 == "$$t"))					\
+	    in_sections = 0;								\
+	    in_symbols = 1;								\
+	    next;									\
+	}										\
+	{										\
+	    if (in_sections) {								\
+		if (match($$0,								\
+			  "^[[:space:]]*\\[[[:space:]]*([0-9]+)[[:space:]]*\\][[:space:]]+([^[:space:]]+)[[:space:]]",\
+			  section_line_a)) {						\
+		    sections[section_line_a[1]] = section_line_a[2];			\
 		    next;								\
-		if ($$7 in sections) {							\
-		    if (sections[$$7] ~ "_wolfcrypt$$")					\
-			print $$8 "\t" sections[$$7] >>ENVIRON["SECTION_MAP"];		\
-		} else									\
-		    print $$8 " is in section " $$7 " with no name mapping." >"/dev/stderr";\
+		}									\
+	    }										\
+	    if (in_symbols) {								\
+		if ($$7 !~ "^[0-9]+$$")							\
+		    next;								\
+		if (($$4 == "NOTYPE") || ($$4 == "OBJECT") || ($$4 == "FUNC")) {	\
+		    if (($$8 == "$$d") || ($$8 == "$$t"))				\
+			next;								\
+		    if ($$7 in sections) {						\
+			if (sections[$$7] ~ "_wolfcrypt$$")				\
+			    print $$8 "\t" sections[$$7] >>ENVIRON["SECTION_MAP"];	\
+		    } else								\
+			print $$8 " is in section " $$7 " with no name mapping." >"/dev/stderr";\
+		}									\
 	    }										\
 	}'
 
@@ -272,7 +292,7 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
 	@SECTION_MAP=$$(mktemp)
 	@trap 'rm "$$SECTION_MAP"' EXIT
 	@export SECTION_MAP
-	@$(READELF) --wide --symbols "$@" | $(GENERATE_SECTION_MAP)
+	@$(READELF) --wide --sections --symbols "$@" | $(GENERATE_SECTION_MAP)
 	@$(READELF) --wide --relocs "$@" | $(GENERATE_RELOC_TAB) >| '$(MODULE_TOP)/linuxkm/wc_linuxkm_pie_reloc_tab.c'
 	+$(MAKE) ARCH='$(KERNEL_ARCH)' $(OVERRIDE_PATHS) $(CROSS_COMPILE) -C '$(KERNEL_ROOT)' M='$(MODULE_TOP)' $(KBUILD_EXTRA_FLAGS) CC_FLAGS_FTRACE=
 	@$(READELF) --wide --relocs "$@" | $(GENERATE_RELOC_TAB) >| "$$RELOC_TMP"

linuxkm/include.am

@@ -24,6 +24,7 @@ EXTRA_DIST += m4/ax_linuxkm.m4 \
 	      linuxkm/patches/5.10.236/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v10v236.patch \
 	      linuxkm/patches/5.15/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v15.patch \
 	      linuxkm/patches/5.17/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v17.patch \
+	      linuxkm/patches/5.17-ubuntu-jammy-tegra/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v17-ubuntu-jammy-tegra.patch \
 	      linuxkm/patches/6.1.73/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v1v73.patch \
 	      linuxkm/patches/6.12/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch \
 	      linuxkm/patches/6.15/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v15.patch

linuxkm/lkcapi_sha_glue.c

@@ -1073,17 +1073,17 @@ static inline struct wc_rng_inst *get_drbg(struct crypto_rng *tfm) {
         return NULL;
     }
 
-    #if defined(CONFIG_SMP) && !defined(CONFIG_PREEMPT_COUNT) && \
-        (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0))
     if (tfm == crypto_default_rng) {
+        #if defined(CONFIG_SMP) && (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0))
         migrate_disable(); /* this actually makes irq_count() nonzero, so that
                             * DISABLE_VECTOR_REGISTERS() is superfluous, but
                             * don't depend on that.
                             */
+        #endif
+        local_bh_disable();
         new_lock_value = 2;
     }
     else
-    #endif
     {
         new_lock_value = 1;
     }
@@ -1104,7 +1104,9 @@ static inline struct wc_rng_inst *get_drbg(struct crypto_rng *tfm) {
 }
 
 /* get_drbg_n() is used by bulk seed, mix-in, and reseed operations.  It expects
- * the caller to be able to wait until the requested DRBG is available.
+ * the caller to be able to wait until the requested DRBG is available.  If the
+ * caller can't sleep and the requested DRBG is busy, it returns immediately --
+ * this avoids priority inversions and deadlocks.
  */
 static inline struct wc_rng_inst *get_drbg_n(struct wc_linuxkm_drbg_ctx *ctx, int n) {
     int can_sleep = (preempt_count() == 0);
@@ -1119,23 +1121,22 @@ static inline struct wc_rng_inst *get_drbg_n(struct wc_linuxkm_drbg_ctx *ctx, in
             cond_resched();
         }
         else
-            cpu_relax();
+            return NULL;
     }
 
     __builtin_unreachable();
 }
 
 static inline void put_drbg(struct wc_rng_inst *drbg) {
-    #if defined(CONFIG_SMP) && !defined(CONFIG_PREEMPT_COUNT) && \
-        (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0))
     int migration_disabled = (drbg->lock == 2);
-    #endif
     __atomic_store_n(&(drbg->lock),0,__ATOMIC_RELEASE);
-    #if defined(CONFIG_SMP) && !defined(CONFIG_PREEMPT_COUNT) && \
-        (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0))
-    if (migration_disabled)
+
+    if (migration_disabled) {
+        local_bh_enable();
+        #if defined(CONFIG_SMP) && (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0))
         migrate_enable();
-    #endif
+        #endif
+    }
 }
 
 static int wc_linuxkm_drbg_generate(struct crypto_rng *tfm,

linuxkm/patches/5.17-ubuntu-jammy-tegra/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v17-ubuntu-jammy-tegra.patch

@@ -0,0 +1,462 @@
+--- 5.17-ubuntu-jammy-tegra/drivers/char/random.c.dist	2025-12-10 09:55:51.740854778 -0600
++++ 5.17-ubuntu-jammy-tegra/drivers/char/random.c	2025-12-10 10:19:00.414922381 -0600
+@@ -60,6 +60,260 @@
+ #include <asm/irq_regs.h>
+ #include <asm/io.h>
+ 
++#ifdef WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS
++
++#include <linux/delay.h>
++
++static atomic_long_t random_bytes_cb_owner =
++    ATOMIC_INIT((long)NULL);
++static atomic_t random_bytes_cb_refcnt =
++    ATOMIC_INIT(0); /* 0 if unregistered, 1 if no calls in flight. */
++static _get_random_bytes_cb_t _get_random_bytes_cb = NULL;
++static get_random_bytes_user_cb_t get_random_bytes_user_cb = NULL;
++static crng_ready_cb_t crng_ready_cb = NULL;
++static mix_pool_bytes_cb_t mix_pool_bytes_cb = NULL;
++static credit_init_bits_cb_t credit_init_bits_cb = NULL;
++static crng_reseed_cb_t crng_reseed_cb = NULL;
++
++int wolfssl_linuxkm_register_random_bytes_handlers(
++    struct module *new_random_bytes_cb_owner,
++    const struct wolfssl_linuxkm_random_bytes_handlers *handlers)
++{
++    if ((! new_random_bytes_cb_owner) ||
++        (! handlers) ||
++        (! handlers->_get_random_bytes) ||
++        (! handlers->get_random_bytes_user))
++    {
++        return -EINVAL;
++    }
++
++    /* random_bytes_cb_owner is used to enforce serialization of
++     * wolfssl_register_random_bytes_handlers() and
++     * wolfssl_unregister_random_bytes_handlers().
++     */
++    if (atomic_long_cmpxchg(&random_bytes_cb_owner,
++                            (long)NULL,
++                            (long)new_random_bytes_cb_owner)
++        != (long)NULL)
++    {
++        return -EBUSY;
++    }
++
++    {
++        int current_random_bytes_cb_refcnt = atomic_read(&random_bytes_cb_refcnt);
++        if (current_random_bytes_cb_refcnt) {
++            pr_err("BUG: random_bytes_cb_refcnt == %d with null random_bytes_cb_owner", current_random_bytes_cb_refcnt);
++            atomic_long_set(&random_bytes_cb_owner, (long)NULL);
++            return -EFAULT;
++        }
++    }
++
++    if (! try_module_get(new_random_bytes_cb_owner)) {
++        atomic_long_set(&random_bytes_cb_owner, (long)NULL);
++        return -ENODEV;
++    }
++
++    _get_random_bytes_cb = handlers->_get_random_bytes;
++    get_random_bytes_user_cb = handlers->get_random_bytes_user;
++    crng_ready_cb = handlers->crng_ready;
++    mix_pool_bytes_cb = handlers->mix_pool_bytes;
++    credit_init_bits_cb = handlers->credit_init_bits;
++    crng_reseed_cb = handlers->crng_reseed;
++
++    barrier();
++    atomic_set_release(&random_bytes_cb_refcnt, 1);
++
++    return 0;
++}
++EXPORT_SYMBOL_GPL(wolfssl_linuxkm_register_random_bytes_handlers);
++
++int wolfssl_linuxkm_unregister_random_bytes_handlers(void)
++{
++    int current_random_bytes_cb_refcnt;
++    int n_tries;
++    if (! atomic_long_read(&random_bytes_cb_owner))
++        return -ENODEV;
++
++    /* we're racing the kernel at large to try to catch random_bytes_cb_refcnt
++     * with no callers in flight -- retry and relax up to 100 times.
++     */
++    for (n_tries = 0; n_tries < 100; ++n_tries) {
++        current_random_bytes_cb_refcnt = atomic_cmpxchg(&random_bytes_cb_refcnt, 1, 0);
++        if (current_random_bytes_cb_refcnt == 1)
++            break;
++        if (current_random_bytes_cb_refcnt < 0) {
++            pr_err("BUG: random_bytes_cb_refcnt is %d in wolfssl_linuxkm_unregister_random_bytes_handlers.", current_random_bytes_cb_refcnt);
++            break;
++        }
++        if (msleep_interruptible(10) != 0)
++            return -EINTR;
++    }
++    if (current_random_bytes_cb_refcnt != 1) {
++        pr_warn("WARNING: wolfssl_unregister_random_bytes_handlers called with random_bytes_cb_refcnt == %d", current_random_bytes_cb_refcnt);
++        return -EBUSY;
++    }
++
++    _get_random_bytes_cb = NULL;
++    get_random_bytes_user_cb = NULL;
++    crng_ready_cb = NULL;
++    mix_pool_bytes_cb = NULL;
++    credit_init_bits_cb = NULL;
++    crng_reseed_cb = NULL;
++
++    module_put((struct module *)atomic_long_read(&random_bytes_cb_owner));
++    barrier();
++    atomic_long_set(&random_bytes_cb_owner, (long)NULL);
++
++    return 0;
++}
++EXPORT_SYMBOL_GPL(wolfssl_linuxkm_unregister_random_bytes_handlers);
++
++static __always_inline int reserve_random_bytes_cb(void) {
++    int current_random_bytes_cb_refcnt =
++        atomic_read_acquire(&random_bytes_cb_refcnt);
++
++    if (! current_random_bytes_cb_refcnt)
++        return -ENODEV;
++
++    if (current_random_bytes_cb_refcnt < 0) {
++        pr_err("BUG: random_bytes_cb_refcnt is %d in reserve_random_bytes_cb.", current_random_bytes_cb_refcnt);
++        return -EFAULT;
++    }
++
++    for (;;) {
++        int orig_random_bytes_cb_refcnt =
++            atomic_cmpxchg(
++                &random_bytes_cb_refcnt,
++                current_random_bytes_cb_refcnt,
++                current_random_bytes_cb_refcnt + 1);
++        if (orig_random_bytes_cb_refcnt == current_random_bytes_cb_refcnt)
++            return 0;
++        else if (! orig_random_bytes_cb_refcnt)
++            return -ENODEV;
++        else
++            current_random_bytes_cb_refcnt = orig_random_bytes_cb_refcnt;
++    }
++
++    __builtin_unreachable();
++}
++
++static __always_inline void release_random_bytes_cb(void) {
++    atomic_dec(&random_bytes_cb_refcnt);
++}
++
++static inline int call__get_random_bytes_cb(void *buf, size_t len)
++{
++    int ret;
++
++    if (! _get_random_bytes_cb)
++        return -ENODEV;
++
++    ret = reserve_random_bytes_cb();
++    if (ret)
++        return ret;
++
++    ret = _get_random_bytes_cb(buf, len);
++
++    release_random_bytes_cb();
++
++    return ret;
++}
++
++static inline ssize_t call_get_random_bytes_user_cb(struct iov_iter *iter)
++{
++    ssize_t ret;
++
++    if (! get_random_bytes_user_cb)
++        return -ECANCELED;
++
++    ret = (ssize_t)reserve_random_bytes_cb();
++    if (ret)
++        return ret;
++
++    ret = get_random_bytes_user_cb(iter);
++
++    release_random_bytes_cb();
++
++    return ret;
++}
++
++static inline bool call_crng_ready_cb(void)
++{
++    bool ret;
++
++    /* Null crng_ready_cb signifies that the DRBG is always ready, i.e. that if
++     * called, it will always have or obtain sufficient entropy to fulfill the
++     * call.
++     */
++    if (! crng_ready_cb)
++        return 1;
++
++    if (reserve_random_bytes_cb() != 0)
++        return 0;
++
++    ret = crng_ready_cb();
++
++    release_random_bytes_cb();
++
++    return ret;
++}
++
++static inline int call_mix_pool_bytes_cb(const void *buf, size_t len)
++{
++    int ret;
++
++    if (! mix_pool_bytes_cb)
++        return -ENODEV;
++
++    ret = reserve_random_bytes_cb();
++    if (ret)
++        return ret;
++
++    ret = mix_pool_bytes_cb(buf, len);
++
++    release_random_bytes_cb();
++
++    return ret;
++}
++
++static inline int call_credit_init_bits_cb(size_t bits)
++{
++    int ret;
++
++    if (! credit_init_bits_cb)
++        return -ENODEV;
++
++    ret = reserve_random_bytes_cb();
++    if (ret)
++        return ret;
++
++    ret = credit_init_bits_cb(bits);
++
++    release_random_bytes_cb();
++
++    return ret;
++}
++
++static inline int call_crng_reseed_cb(void)
++{
++    int ret;
++
++    if (! crng_reseed_cb)
++        return -ENODEV;
++
++    ret = reserve_random_bytes_cb();
++    if (ret)
++        return ret;
++
++    ret = crng_reseed_cb();
++
++    release_random_bytes_cb();
++
++    return ret;
++}
++
++#endif /* WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS */
++
+ /*********************************************************************
+  *
+  * Initialization and readiness waiting.
+@@ -79,7 +333,15 @@ static enum {
+ 	CRNG_EARLY = 1, /* At least POOL_EARLY_BITS collected */
+ 	CRNG_READY = 2  /* Fully initialized with POOL_READY_BITS collected */
+ } crng_init __read_mostly = CRNG_EMPTY;
++
+ #define crng_ready() (likely(crng_init >= CRNG_READY))
++#ifdef WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS
++    #define crng_ready_by_cb() (atomic_read(&random_bytes_cb_refcnt) && call_crng_ready_cb())
++    #define crng_ready_maybe_cb() (atomic_read(&random_bytes_cb_refcnt) ? (call_crng_ready_cb() || crng_ready()) : crng_ready())
++#else
++    #define crng_ready_maybe_cb() crng_ready()
++#endif
++
+ /* Various types of waiters for crng_init->CRNG_READY transition. */
+ static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
+ static struct fasync_struct *fasync;
+@@ -105,7 +367,7 @@ MODULE_PARM_DESC(ratelimit_disable, "Dis
+  */
+ bool rng_is_initialized(void)
+ {
+-	return crng_ready();
++	return crng_ready_maybe_cb();
+ }
+ EXPORT_SYMBOL(rng_is_initialized);
+ 
+@@ -124,11 +386,11 @@ static void try_to_generate_entropy(void
+  */
+ int wait_for_random_bytes(void)
+ {
+-	while (!crng_ready()) {
++	while (!crng_ready_maybe_cb()) {
+ 		int ret;
+ 
+ 		try_to_generate_entropy();
+-		ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
++		ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready_maybe_cb(), HZ);
+ 		if (ret)
+ 			return ret > 0 ? 0 : ret;
+ 	}
+@@ -182,7 +444,7 @@ static void __cold process_random_ready_
+ }
+ 
+ #define warn_unseeded_randomness() \
+-	if (IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM) && !crng_ready()) \
++	if (IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM) && !crng_ready_maybe_cb()) \
+ 		printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n", \
+ 				__func__, (void *)_RET_IP_, crng_init)
+ 
+@@ -401,6 +663,14 @@ static void _get_random_bytes(void *buf,
+ 	if (!len)
+ 		return;
+ 
++#ifdef WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS
++        /* If call__get_random_bytes_cb() doesn't succeed, flow falls through to
++         * the native implementation.  _get_random_bytes() must succeed.
++         */
++        if (call__get_random_bytes_cb(buf, len) == 0)
++            return;
++#endif
++
+ 	first_block_len = min_t(size_t, 32, len);
+ 	crng_make_state(chacha_state, buf, first_block_len);
+ 	len -= first_block_len;
+@@ -450,6 +720,18 @@ static ssize_t get_random_bytes_user(str
+ 	if (unlikely(!iov_iter_count(iter)))
+ 		return 0;
+ 
++#ifdef WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS
++        {
++            ssize_t cb_ret = call_get_random_bytes_user_cb(iter);
++            /* If the callback returns -ECANCELED, that signals that iter is
++             * still intact, and flow can safely fall through to the native
++             * implementation.
++             */
++            if (cb_ret != -ECANCELED)
++                return cb_ret;
++        }
++#endif
++
+ 	/*
+ 	 * Immediately overwrite the ChaCha key at index 4 with random
+ 	 * bytes, in case userspace causes copy_to_iter() below to sleep
+@@ -526,7 +808,7 @@ type get_random_ ##type(void)							\
+ 										\
+ 	warn_unseeded_randomness();						\
+ 										\
+-	if  (!crng_ready()) {							\
++	if  (!crng_ready_maybe_cb()) {						\
+ 		_get_random_bytes(&ret, sizeof(ret));				\
+ 		return ret;							\
+ 	}									\
+@@ -650,6 +932,11 @@ static void mix_pool_bytes(const void *b
+ {
+ 	unsigned long flags;
+ 
++#ifdef WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS
++        (void)call_mix_pool_bytes_cb(buf, len);
++        /* fall through to mix into native pool too. */
++#endif
++
+ 	spin_lock_irqsave(&input_pool.lock, flags);
+ 	_mix_pool_bytes(buf, len);
+ 	spin_unlock_irqrestore(&input_pool.lock, flags);
+@@ -701,7 +988,11 @@ static void extract_entropy(void *buf, s
+ 	memzero_explicit(&block, sizeof(block));
+ }
+ 
++#ifdef WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS
++#define credit_init_bits(bits) do { (void)call_credit_init_bits_cb(bits); if (!crng_ready()) _credit_init_bits(bits); } while (0)
++#else
+ #define credit_init_bits(bits) if (!crng_ready()) _credit_init_bits(bits)
++#endif
+ 
+ static void __cold _credit_init_bits(size_t bits)
+ {
+@@ -1228,7 +1519,7 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ 	if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM))
+ 		return -EINVAL;
+ 
+-	if (!crng_ready() && !(flags & GRND_INSECURE)) {
++	if (!crng_ready_maybe_cb() && !(flags & GRND_INSECURE)) {
+ 		if (flags & GRND_NONBLOCK)
+ 			return -EAGAIN;
+ 		ret = wait_for_random_bytes();
+@@ -1244,6 +1535,10 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ 
+ static __poll_t random_poll(struct file *file, poll_table *wait)
+ {
++#ifdef WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS
++	if (crng_ready_by_cb())
++		return EPOLLIN | EPOLLRDNORM;
++#endif
+ 	poll_wait(file, &crng_init_wait, wait);
+ 	return crng_ready() ? EPOLLIN | EPOLLRDNORM : EPOLLOUT | EPOLLWRNORM;
+ }
+@@ -1285,7 +1580,7 @@ static ssize_t urandom_read_iter(struct
+ {
+ 	static int maxwarn = 10;
+ 
+-	if (!crng_ready()) {
++	if (!crng_ready_maybe_cb()) {
+ 		if (!ratelimit_disable && maxwarn <= 0)
+ 			++urandom_warning.missed;
+ 		else if (ratelimit_disable || __ratelimit(&urandom_warning)) {
+@@ -1368,6 +1663,14 @@ static long random_ioctl(struct file *f,
+ 	case RNDRESEEDCRNG:
+ 		if (!capable(CAP_SYS_ADMIN))
+ 			return -EPERM;
++#ifdef WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS
++		/* fall through to reseed native crng too. */
++		if (call_crng_reseed_cb() == 0) {
++			if (crng_ready())
++				crng_reseed();
++			return 0;
++		}
++#endif
+ 		if (!crng_ready())
+ 			return -ENODATA;
+ 		crng_reseed();
+--- 5.17-ubuntu-jammy-tegra/include/linux/random.h.dist	2025-12-10 10:11:26.642681781 -0600
++++ 5.17-ubuntu-jammy-tegra/include/linux/random.h	2025-12-10 10:14:44.417609545 -0600
+@@ -138,4 +138,37 @@ int random_online_cpu(unsigned int cpu);
+ extern const struct file_operations random_fops, urandom_fops;
+ #endif
+ 
++#ifndef WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS
++    #define WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS 1
++#endif
++
++typedef int (*_get_random_bytes_cb_t)(void *buf, size_t len);
++struct iov_iter;
++/* kernels >= 5.17.0 use get_random_bytes_user() */
++typedef ssize_t (*get_random_bytes_user_cb_t)(struct iov_iter *iter);
++/* kernels < 5.17.0 use extract_crng_user(), though some LTS kernels,
++ * e.g. 5.10.236, have the 5.17+ architecture backported.
++ */
++typedef ssize_t (*extract_crng_user_cb_t)(void __user *buf, size_t nbytes);
++typedef bool (*crng_ready_cb_t)(void);
++typedef int (*mix_pool_bytes_cb_t)(const void *buf, size_t len);
++typedef int (*credit_init_bits_cb_t)(size_t bits);
++typedef int (*crng_reseed_cb_t)(void);
++
++struct wolfssl_linuxkm_random_bytes_handlers {
++    _get_random_bytes_cb_t _get_random_bytes;
++    get_random_bytes_user_cb_t get_random_bytes_user;
++    extract_crng_user_cb_t extract_crng_user;
++    crng_ready_cb_t crng_ready;
++    mix_pool_bytes_cb_t mix_pool_bytes;
++    credit_init_bits_cb_t credit_init_bits;
++    crng_reseed_cb_t crng_reseed;
++};
++
++int wolfssl_linuxkm_register_random_bytes_handlers(
++    struct module *new_random_bytes_cb_owner,
++    const struct wolfssl_linuxkm_random_bytes_handlers *handlers);
++
++int wolfssl_linuxkm_unregister_random_bytes_handlers(void);
++
+ #endif /* _LINUX_RANDOM_H */

src/internal.c

@@ -2085,7 +2085,8 @@ int wolfSSL_session_export_internal(WOLFSSL* ssl, byte* buf, word32* sz,
         #endif
     }
 
-    /* check is at least the minimum size needed, TLS cipher states add more */
+    /* check if sz is sufficient for the worst-case scenario computed above,
+     * TLS cipher states add more */
     if (ret == 0 && (totalLen > *sz || buf == NULL)) {
         WOLFSSL_MSG("export buffer was too small or null");
         *sz = totalLen;

src/ssl_load.c

@@ -1607,6 +1607,9 @@ static int ProcessBufferCertPublicKey(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
 #ifndef NO_RSA
     word32 idx;
 #endif
+    if (ctx == NULL && ssl == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
     /* Get key size and check unless not verifying. */
     switch (cert->keyOID) {

src/x509.c

@@ -11630,15 +11630,20 @@ int wolfSSL_i2d_X509_NAME_canon(WOLFSSL_X509_NAME* name, unsigned char** out)
             }
             nameStr = (const char*)wolfSSL_ASN1_STRING_data(cano_data);
 
-            ret = wc_EncodeNameCanonical(&names[i], nameStr, CTC_UTF8,
-                (byte)ConvertNIDToWolfSSL(entry->nid));
-            if (ret < 0) {
-                WC_FREE_VAR_EX(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-                wolfSSL_ASN1_STRING_free(cano_data);
-                WOLFSSL_MSG("EncodeName failed");
-                return WOLFSSL_FATAL_ERROR;
+            /* allow for blank values in the name structure, eg OU= */
+            if (nameStr)
+            {
+                ret = wc_EncodeNameCanonical(&names[i], nameStr, CTC_UTF8,
+                    (byte)ConvertNIDToWolfSSL(entry->nid));
+                if (ret < 0) {
+                    WC_FREE_VAR_EX(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+                    wolfSSL_ASN1_STRING_free(cano_data);
+                    WOLFSSL_MSG("EncodeName failed");
+                    return WOLFSSL_FATAL_ERROR;
+                }
+                totalBytes += ret;
             }
-            totalBytes += ret;
+
             wolfSSL_ASN1_STRING_free(cano_data);
         }
     }
@@ -14190,6 +14195,13 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen,
         chklen--;
     }
 
+#ifdef WOLFSSL_IP_ALT_NAME
+    ret = CheckIPAddr(dCert, (char *)chk);
+    if (ret == 0) {
+        goto out;
+    }
+#endif /* WOLFSSL_IP_ALT_NAME */
+
     ret = CheckHostName(dCert, (char *)chk, chklen, flags, 0);
 
 out:

tests/api/include.am

@@ -78,6 +78,21 @@ tests_unit_test_SOURCES += tests/api/test_ossl_ec.c
 tests_unit_test_SOURCES += tests/api/test_ossl_ecx.c
 tests_unit_test_SOURCES += tests/api/test_ossl_dsa.c
 tests_unit_test_SOURCES += tests/api/test_ossl_sk.c
+# OpenSSL X509
+tests_unit_test_SOURCES += tests/api/test_ossl_x509.c
+tests_unit_test_SOURCES += tests/api/test_ossl_x509_ext.c
+tests_unit_test_SOURCES += tests/api/test_ossl_x509_name.c
+tests_unit_test_SOURCES += tests/api/test_ossl_x509_pk.c
+tests_unit_test_SOURCES += tests/api/test_ossl_x509_vp.c
+tests_unit_test_SOURCES += tests/api/test_ossl_x509_io.c
+tests_unit_test_SOURCES += tests/api/test_ossl_x509_crypto.c
+tests_unit_test_SOURCES += tests/api/test_ossl_x509_acert.c
+tests_unit_test_SOURCES += tests/api/test_ossl_x509_info.c
+# OpenSSL X509 Store
+tests_unit_test_SOURCES += tests/api/test_ossl_x509_str.c
+tests_unit_test_SOURCES += tests/api/test_ossl_x509_lu.c
+# SSL PEM
+tests_unit_test_SOURCES += tests/api/test_ossl_pem.c
 # TLS 1.3 specific
 tests_unit_test_SOURCES += tests/api/test_tls13.c
 endif
@@ -147,5 +162,17 @@ EXTRA_DIST += tests/api/test_ossl_ec.h
 EXTRA_DIST += tests/api/test_ossl_ecx.h
 EXTRA_DIST += tests/api/test_ossl_dsa.h
 EXTRA_DIST += tests/api/test_ossl_sk.h
+EXTRA_DIST += tests/api/test_ossl_x509.h
+EXTRA_DIST += tests/api/test_ossl_x509_ext.h
+EXTRA_DIST += tests/api/test_ossl_x509_name.h
+EXTRA_DIST += tests/api/test_ossl_x509_pk.h
+EXTRA_DIST += tests/api/test_ossl_x509_vp.h
+EXTRA_DIST += tests/api/test_ossl_x509_io.h
+EXTRA_DIST += tests/api/test_ossl_x509_crypto.h
+EXTRA_DIST += tests/api/test_ossl_x509_acert.h
+EXTRA_DIST += tests/api/test_ossl_x509_info.h
+EXTRA_DIST += tests/api/test_ossl_x509_str.h
+EXTRA_DIST += tests/api/test_ossl_x509_lu.h
+EXTRA_DIST += tests/api/test_ossl_pem.h
 EXTRA_DIST += tests/api/test_tls13.h
 

tests/api/test_aes.c

@@ -289,7 +289,7 @@ int test_wc_AesEncryptDecryptDirect(void)
 
 #if !defined(NO_AES) && defined(HAVE_AES_ECB)
 /* Assembly code doing 8 iterations at a time. */
-#define ECB_LEN     (9 * WC_AES_BLOCK_SIZE)
+#define ECB_LEN     (15 * WC_AES_BLOCK_SIZE)
 
 static int test_wc_AesEcbEncryptDecrypt_BadArgs(Aes* aes, byte* key,
     word32 keyLen)
@@ -1993,7 +1993,7 @@ int test_wc_AesCtrSetKey(void)
 
 #if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER)
 /* Assembly code doing 8 iterations at a time. */
-#define CTR_LEN     (9 * WC_AES_BLOCK_SIZE)
+#define CTR_LEN     (15 * WC_AES_BLOCK_SIZE)
 
 static int test_wc_AesCtrEncrypt_BadArgs(Aes* aes, byte* key,
     word32 keyLen, byte* iv)
@@ -2237,6 +2237,18 @@ int test_wc_AesCtrEncryptDecrypt(void)
         0x86, 0x8f, 0x83, 0xff, 0x3d, 0xbe, 0x6e, 0xfa,
         0xd2, 0x2b, 0x3e, 0x70, 0x21, 0x1c, 0xe8, 0x7b,
         0xe4, 0x01, 0x2c, 0xd0, 0x82, 0xe2, 0x7a, 0x4a,
+        0xcf, 0x67, 0x82, 0x1c, 0x80, 0x79, 0x85, 0x5e,
+        0xe5, 0xf9, 0x3a, 0x0d, 0x1a, 0xa7, 0x89, 0x29,
+        0xee, 0xe7, 0x2b, 0xd6, 0x29, 0xac, 0xfa, 0xca,
+        0xc8, 0xcb, 0x4e, 0x6c, 0x1f, 0x30, 0x5e, 0x95,
+        0xa5, 0xa2, 0x17, 0xe2, 0x93, 0xd3, 0xe6, 0xbe,
+        0x91, 0x37, 0x84, 0x01, 0xdb, 0x44, 0x4c, 0x60,
+        0x1c, 0x2c, 0x64, 0x7d, 0xb7, 0x73, 0x12, 0x11,
+        0xc2, 0x6a, 0xfd, 0xac, 0x6d, 0x85, 0xd8, 0xeb,
+        0x0e, 0x70, 0xd3, 0x82, 0x93, 0x65, 0xff, 0x18,
+        0x4e, 0x22, 0x07, 0x8a, 0xf6, 0xfd, 0x36, 0x9d,
+        0x5c, 0x15, 0x1c, 0x84, 0x69, 0x13, 0x68, 0x78,
+        0xf1, 0x04, 0x02, 0x66, 0xec, 0x37, 0xcc, 0x0d,
     };
 #elif defined(WOLFSSL_AES_192)
     byte expected24[CTR_LEN] = {
@@ -2258,6 +2270,18 @@ int test_wc_AesCtrEncryptDecrypt(void)
         0x8d, 0x3b, 0xa9, 0x17, 0x4c, 0x2a, 0xc7, 0x97,
         0x99, 0xb7, 0xaf, 0x86, 0x17, 0xf9, 0xe4, 0x2c,
         0x5a, 0x4d, 0x6d, 0x7f, 0xfe, 0xb8, 0xaa, 0x9b,
+        0xf8, 0xb6, 0xcb, 0x6f, 0x2f, 0xa4, 0x57, 0x61,
+        0x88, 0x6c, 0x94, 0xaa, 0xf7, 0x97, 0xcf, 0xcd,
+        0x19, 0x29, 0x9e, 0xf3, 0x30, 0xb8, 0xaa, 0x56,
+        0x49, 0xcb, 0xf0, 0x56, 0xdd, 0xac, 0x4b, 0x41,
+        0x00, 0xb3, 0x19, 0xdd, 0xef, 0x69, 0xd0, 0x9c,
+        0xd1, 0x67, 0x48, 0x62, 0x9f, 0x56, 0x21, 0x2d,
+        0x05, 0xb3, 0x4d, 0x0b, 0xac, 0xb6, 0x63, 0xf4,
+        0x44, 0xfc, 0x43, 0xc0, 0xa9, 0x8c, 0x37, 0xd6,
+        0xc3, 0x8c, 0xa4, 0x42, 0x68, 0x08, 0x2c, 0x1e,
+        0xe7, 0xcc, 0xe4, 0x1f, 0x82, 0x9a, 0xe0, 0xfb,
+        0x18, 0x84, 0x55, 0xaf, 0x02, 0xcc, 0x55, 0x13,
+        0x7e, 0xc7, 0x05, 0xb8, 0xb9, 0x5e, 0x90, 0xc3,
     };
 #else
     byte expected32[CTR_LEN] = {
@@ -2279,6 +2303,18 @@ int test_wc_AesCtrEncryptDecrypt(void)
         0xf1, 0x7b, 0x2b, 0x87, 0xe4, 0xcd, 0x93, 0x22,
         0x07, 0xdc, 0x35, 0x46, 0x8a, 0x1d, 0xf5, 0xe4,
         0x23, 0x01, 0x67, 0x00, 0x66, 0x7b, 0xd6, 0x56,
+        0x0d, 0x57, 0x4f, 0x6f, 0x45, 0x82, 0x91, 0x58,
+        0x81, 0x37, 0xcc, 0xb4, 0xa4, 0xa3, 0x3c, 0x57,
+        0x42, 0x05, 0x95, 0xa3, 0x04, 0x1f, 0xfd, 0x32,
+        0xb7, 0xc8, 0xbb, 0x14, 0xe7, 0xf1, 0xc1, 0x1f,
+        0xe9, 0x33, 0x6a, 0xb0, 0x10, 0x0d, 0xfb, 0x91,
+        0x88, 0xca, 0x20, 0x29, 0xeb, 0xcd, 0x9c, 0x71,
+        0x07, 0xfd, 0x3f, 0x6b, 0x1f, 0xb3, 0x76, 0xb7,
+        0x6b, 0xa1, 0xad, 0xbe, 0xd3, 0x45, 0xb5, 0xe9,
+        0x04, 0x9a, 0xfd, 0x6a, 0x85, 0xa2, 0xbc, 0x4e,
+        0xca, 0xdb, 0x84, 0xbc, 0x0e, 0x0c, 0x96, 0x65,
+        0xc9, 0x95, 0x2b, 0xcb, 0x98, 0x8c, 0xd2, 0x78,
+        0x85, 0x7e, 0x1a, 0xa2, 0x6a, 0x73, 0x90, 0x80,
     };
 #endif
     byte    iv[]   = "1234567890abcdef";
@@ -3407,6 +3443,275 @@ int test_wc_AesCcmEncryptDecrypt(void)
     return EXPECT_RESULT();
 } /* END test_wc_AesCcmEncryptDecrypt */
 
+/*******************************************************************************
+ * AES-XTS
+ ******************************************************************************/
+
+/*
+ * test function for wc_AesXtsSetKey()
+ */
+int test_wc_AesXtsSetKey(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS)
+    XtsAes aes;
+#ifdef WOLFSSL_AES_128
+    byte key16[] = {
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+    };
+#endif
+#if defined(WOLFSSL_AES_192) && !defined(HAVE_FIPS)
+    byte key24[] = {
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
+    };
+#endif
+#ifdef WOLFSSL_AES_256
+    byte key32[] = {
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
+    };
+#endif
+    byte badKey16[] = {
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
+    };
+    byte badKey24[] = {
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36
+    };
+    byte badKey32[] = {
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x37, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
+    };
+    byte* key;
+    word32 keyLen;
+
+#ifdef WOLFSSL_AES_128
+    key = key16;
+    keyLen = sizeof(key16)/sizeof(byte);
+#elif defined(WOLFSSL_AES_192)
+    key = key24;
+    keyLen = sizeof(key24)/sizeof(byte);
+#else
+    key = key32;
+    keyLen = sizeof(key32)/sizeof(byte);
+#endif
+
+#ifdef WOLFSSL_AES_128
+    ExpectIntEQ(wc_AesXtsSetKey(&aes, key16, sizeof(key16)/sizeof(byte),
+        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
+    wc_AesXtsFree(&aes);
+#endif
+#if defined(WOLFSSL_AES_192) && !defined(HAVE_FIPS)
+    ExpectIntEQ(wc_AesXtsSetKey(&aes, key24, sizeof(key24)/sizeof(byte),
+        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
+    wc_AesXtsFree(&aes);
+#endif
+#ifdef WOLFSSL_AES_256
+    ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
+        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
+    wc_AesXtsFree(&aes);
+#endif
+
+    /* Pass in bad args. */
+    ExpectIntEQ(wc_AesXtsSetKey(NULL, NULL, keyLen, AES_ENCRYPTION, NULL,
+        INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_AesXtsSetKey(NULL, key, keyLen, AES_ENCRYPTION, NULL,
+        INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_AesXtsSetKey(&aes, NULL, keyLen, AES_ENCRYPTION, NULL,
+        INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_AesXtsSetKey(&aes, badKey16, sizeof(badKey16)/sizeof(byte),
+        AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(WC_KEY_SIZE_E));
+    ExpectIntEQ(wc_AesXtsSetKey(&aes, badKey24, sizeof(badKey24)/sizeof(byte),
+        AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(WC_KEY_SIZE_E));
+    ExpectIntEQ(wc_AesXtsSetKey(&aes, badKey32, sizeof(badKey32)/sizeof(byte),
+        AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(WC_KEY_SIZE_E));
+    ExpectIntEQ(wc_AesXtsSetKey(&aes, key, keyLen, -2, NULL, INVALID_DEVID),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+#endif
+    return EXPECT_RESULT();
+} /* END test_wc_AesXtsSetKey */
+
+int test_wc_AesXtsEncryptDecrypt_Sizes(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS) && \
+    defined(WOLFSSL_AES_256) && !defined(WOLFSSL_AFALG) && \
+    !defined(WOLFSSL_KCAPI)
+    #define XTS_LEN     (WC_AES_BLOCK_SIZE * 16)
+    byte key32[] = {
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
+    };
+    byte tweak[] = {
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+    };
+    XtsAes aes;
+    word32 tweakLen = (word32)sizeof(tweak)/sizeof(byte);
+    int sz;
+    WC_DECLARE_VAR(plain, byte, XTS_LEN, NULL);
+    WC_DECLARE_VAR(cipher, byte, XTS_LEN, NULL);
+#ifdef HAVE_AES_DECRYPT
+    WC_DECLARE_VAR(decrypted, byte, XTS_LEN, NULL);
+#endif
+
+    WC_ALLOC_VAR(plain, byte, XTS_LEN, NULL);
+    WC_ALLOC_VAR(cipher, byte, XTS_LEN, NULL);
+#ifdef HAVE_AES_DECRYPT
+    WC_ALLOC_VAR(decrypted, byte, XTS_LEN, NULL);
+#endif
+
+#ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
+    ExpectNotNull(plain);
+    ExpectNotNull(cipher);
+#ifdef HAVE_AES_DECRYPT
+    ExpectNotNull(decrypted);
+#endif
+#endif
+
+    XMEMSET(&aes, 0, sizeof(Aes));
+    XMEMSET(plain, 0xa5, XTS_LEN);
+
+    for (sz = WC_AES_BLOCK_SIZE; sz <= XTS_LEN; sz *= 2) {
+        ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
+            AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
+        XMEMSET(cipher, 0, XTS_LEN);
+        ExpectIntEQ(wc_AesXtsEncrypt(&aes, cipher, plain, sz, tweak, tweakLen),
+            0);
+        wc_AesXtsFree(&aes);
+
+#ifdef HAVE_AES_DECRYPT
+        ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
+            AES_DECRYPTION, NULL, INVALID_DEVID), 0);
+        XMEMSET(decrypted, 0xff, XTS_LEN);
+        ExpectIntEQ(wc_AesXtsDecrypt(&aes, decrypted, cipher, sz, tweak,
+            tweakLen), 0);
+        ExpectBufEQ(decrypted, plain, sz);
+        wc_AesXtsFree(&aes);
+#endif
+    }
+
+    WC_FREE_VAR(plain, NULL);
+    WC_FREE_VAR(cipher, NULL);
+#ifdef HAVE_AES_DECRYPT
+    WC_FREE_VAR(decrypted, NULL);
+#endif
+#endif
+    return EXPECT_RESULT();
+}
+
+/*
+ * test function for wc_AesXtsEncrypt and wc_AesXtsDecrypt
+ */
+int test_wc_AesXtsEncryptDecrypt(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_AES) && defined(WOLFSSL_AES_XTS) && \
+    defined(WOLFSSL_AES_256)
+    XtsAes  aes;
+    byte key32[] = {
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
+    };
+    byte vector[] = { /* Now is the time for all w/o trailing 0 */
+        0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
+        0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
+        0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
+    };
+    byte tweak[] = {
+        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+    };
+    word32 tweakLen = (word32)sizeof(tweak)/sizeof(byte);
+    byte enc[sizeof(vector)];
+    byte resultT[WC_AES_BLOCK_SIZE];
+    byte dec[sizeof(vector)];
+
+    /* Init stack variables. */
+    XMEMSET(&aes, 0, sizeof(Aes));
+    XMEMSET(enc, 0, sizeof(vector));
+    XMEMSET(dec, 0, sizeof(vector));
+    XMEMSET(resultT, 0, WC_AES_BLOCK_SIZE);
+
+    ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
+        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_AesXtsEncrypt(&aes, enc, vector, sizeof(vector), tweak,
+        tweakLen), 0);
+    wc_AesXtsFree(&aes);
+    ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
+        AES_DECRYPTION, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_AesXtsDecrypt(&aes, dec, enc, sizeof(vector), tweak,
+        tweakLen), 0);
+    ExpectIntEQ(XMEMCMP(vector, dec, sizeof(vector)), 0);
+    wc_AesXtsFree(&aes);
+
+    ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
+        AES_ENCRYPTION, NULL, INVALID_DEVID), 0);
+    /* Test bad args for wc_AesXtsEncrypt and wc_AesXtsDecrypt */
+    ExpectIntEQ(wc_AesXtsEncrypt(NULL, enc, vector, sizeof(vector), tweak,
+        tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_AesXtsEncrypt(&aes, NULL, vector, sizeof(vector), tweak,
+        tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_AesXtsEncrypt(&aes, enc, NULL, sizeof(vector), tweak,
+        tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    wc_AesXtsFree(&aes);
+    /* END wc_AesXtsEncrypt */
+
+#ifdef HAVE_AES_DECRYPT
+    ExpectIntEQ(wc_AesXtsSetKey(&aes, key32, sizeof(key32)/sizeof(byte),
+        AES_DECRYPTION, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_AesXtsDecrypt(NULL, dec, enc, sizeof(enc)/sizeof(byte),
+        tweak, tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_AesXtsDecrypt(&aes, NULL, enc, sizeof(enc)/sizeof(byte),
+        tweak, tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_AesXtsDecrypt(&aes, dec, NULL, sizeof(enc)/sizeof(byte),
+        tweak, tweakLen), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    wc_AesXtsFree(&aes);
+#endif /* HAVE_AES_DECRYPT */
+#endif
+
+    return EXPECT_RESULT();
+} /* END test_wc_AesXtsEncryptDecrypt */
+
 #if defined(WOLFSSL_AES_EAX) && defined(WOLFSSL_AES_256) && \
     (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
 

tests/api/test_aes.h

@@ -41,6 +41,9 @@ int test_wc_AesGcmMixedEncDecLongIV(void);
 int test_wc_AesGcmStream(void);
 int test_wc_AesCcmSetKey(void);
 int test_wc_AesCcmEncryptDecrypt(void);
+int test_wc_AesXtsSetKey(void);
+int test_wc_AesXtsEncryptDecrypt_Sizes(void);
+int test_wc_AesXtsEncryptDecrypt(void);
 #if defined(WOLFSSL_AES_EAX) && defined(WOLFSSL_AES_256) && \
     (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
 int test_wc_AesEaxVectors(void);
@@ -68,7 +71,10 @@ int test_wc_GmacUpdate(void);
     TEST_DECL_GROUP("aes", test_wc_AesGcmMixedEncDecLongIV),    \
     TEST_DECL_GROUP("aes", test_wc_AesGcmStream),               \
     TEST_DECL_GROUP("aes", test_wc_AesCcmSetKey),               \
-    TEST_DECL_GROUP("aes", test_wc_AesCcmEncryptDecrypt)
+    TEST_DECL_GROUP("aes", test_wc_AesCcmEncryptDecrypt),       \
+    TEST_DECL_GROUP("aes", test_wc_AesXtsSetKey),               \
+    TEST_DECL_GROUP("aes", test_wc_AesXtsEncryptDecrypt_Sizes), \
+    TEST_DECL_GROUP("aes", test_wc_AesXtsEncryptDecrypt)
 
 #if defined(WOLFSSL_AES_EAX) && defined(WOLFSSL_AES_256) && \
     (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)

tests/api/test_ossl_pem.h

@@ -0,0 +1,65 @@
+/* test_ossl_pem.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_SSL_PEM_H
+#define WOLFCRYPT_TEST_SSL_PEM_H
+
+#include <tests/api/api_decl.h>
+
+int test_wolfSSL_PEM_def_callback(void);
+int test_wolfSSL_PEM_read_PrivateKey(void);
+int test_wolfSSL_PEM_read_PUBKEY(void);
+int test_wolfSSL_PEM_PrivateKey_rsa(void);
+int test_wolfSSL_PEM_PrivateKey_ecc(void);
+int test_wolfSSL_PEM_PrivateKey_dsa(void);
+int test_wolfSSL_PEM_PrivateKey_dh(void);
+int test_wolfSSL_PEM_PrivateKey(void);
+int test_wolfSSL_PEM_file_RSAKey(void);
+int test_wolfSSL_PEM_file_RSAPrivateKey(void);
+int test_wolfSSL_PEM_read_RSA_PUBKEY(void);
+int test_wolfSSL_PEM_read_bio(void);
+int test_wolfSSL_PEM_bio_RSAKey(void);
+int test_wolfSSL_PEM_bio_RSAPrivateKey(void);
+int test_wolfSSL_PEM_bio_DSAKey(void);
+int test_wolfSSL_PEM_bio_ECKey(void);
+int test_wolfSSL_PEM_PUBKEY(void);
+
+
+#define TEST_SSL_PEM_DECLS                                              \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_def_callback),         \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_read_PrivateKey),      \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_read_PUBKEY),          \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_PrivateKey_rsa),       \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_PrivateKey_ecc),       \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_PrivateKey_dsa),       \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_PrivateKey_dh),        \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_PrivateKey),           \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_file_RSAKey),          \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_file_RSAPrivateKey),   \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_read_RSA_PUBKEY),      \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_read_bio),             \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_bio_RSAKey),           \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_bio_RSAPrivateKey),    \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_bio_DSAKey),           \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_bio_ECKey),            \
+    TEST_DECL_GROUP("ossl_pem", test_wolfSSL_PEM_PUBKEY)
+
+#endif /* WOLFCRYPT_TEST_SSL_PEM_H */

tests/api/test_ossl_sk.c

@@ -55,7 +55,7 @@ int test_wolfSSL_sk_push_get_node(void)
     WOLFSSL_STACK* stack = NULL;
     WOLFSSL_STACK* node1 = NULL;
     WOLFSSL_STACK* node2 = NULL;
-    WOLFSSL_STACK* node;
+    WOLFSSL_STACK* node = NULL;
 
     ExpectNotNull(node1 = wolfSSL_sk_new_node(HEAP_HINT));
     ExpectNotNull(node2 = wolfSSL_sk_new_node(HEAP_HINT));

tests/api/test_ossl_x509.h

@@ -0,0 +1,90 @@
+/* test_ossl_x509.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_H
+#define WOLFCRYPT_TEST_OSSL_X509_H
+
+#include <tests/api/api_decl.h>
+
+int test_x509_get_key_id(void);
+int test_wolfSSL_X509_get_version(void);
+int test_wolfSSL_X509_cmp_time(void);
+int test_wolfSSL_X509_time_adj(void);
+int test_wolfSSL_X509_NID(void);
+int test_wolfSSL_i2d_X509_NAME_canon(void);
+int test_wolfSSL_X509_subject_name_hash(void);
+int test_wolfSSL_X509_issuer_name_hash(void);
+int test_wolfSSL_X509_check_host(void);
+int test_wolfSSL_X509_check_email(void);
+int test_wolfSSL_X509(void);
+int test_wolfSSL_X509_get0_tbs_sigalg(void);
+int test_wolfSSL_X509_set_name(void);
+int test_wolfSSL_X509_set_notAfter(void);
+int test_wolfSSL_X509_set_notBefore(void);
+int test_wolfSSL_X509_set_version(void);
+int test_wolfSSL_X509_get_serialNumber(void);
+int test_wolfSSL_get_tbs(void);
+int test_wolfSSL_X509_ext_get_critical_by_NID(void);
+int test_wolfSSL_X509_CRL_distribution_points(void);
+int test_wolfSSL_X509_check_ip_asc(void);
+int test_wolfSSL_X509_bad_altname(void);
+int test_wolfSSL_X509_name_match1(void);
+int test_wolfSSL_X509_name_match2(void);
+int test_wolfSSL_X509_name_match3(void);
+int test_wolfSSL_X509_max_altnames(void);
+int test_wolfSSL_X509_max_name_constraints(void);
+int test_wolfSSL_X509_check_ca(void);
+int test_X509_get_signature_nid(void);
+int test_wolfSSL_X509_cmp(void);
+
+#define TEST_OSSL_X509_DECLS                                                   \
+    TEST_DECL_GROUP("ossl_x509", test_x509_get_key_id),                        \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_get_version),               \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_cmp_time),                  \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_time_adj),                  \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_NID),                       \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_i2d_X509_NAME_canon),            \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_subject_name_hash),         \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_issuer_name_hash),          \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_check_host),                \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_check_email),               \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509),                           \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_get0_tbs_sigalg),           \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_set_name),                  \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_set_notAfter),              \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_set_notBefore),             \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_set_version),               \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_get_serialNumber),          \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_get_tbs),                        \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_ext_get_critical_by_NID),   \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_CRL_distribution_points),   \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_check_ip_asc),              \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_bad_altname),               \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_name_match1),               \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_name_match2),               \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_name_match3),               \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_max_altnames),              \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_max_name_constraints),      \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_check_ca),                  \
+    TEST_DECL_GROUP("ossl_x509", test_X509_get_signature_nid),                 \
+    TEST_DECL_GROUP("ossl_x509", test_wolfSSL_X509_cmp)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_H */

tests/api/test_ossl_x509_acert.c

@@ -0,0 +1,535 @@
+/* test_ossl_x509_acert.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <tests/unit.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#include <wolfssl/ssl.h>
+#ifdef OPENSSL_EXTRA
+    #include <wolfssl/openssl/pem.h>
+#endif
+#include <tests/api/api.h>
+#include <tests/api/test_ossl_x509_acert.h>
+
+#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && !defined(NO_RSA) && \
+    defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)
+/* Given acert file and its pubkey file, read them and then
+ * attempt to verify signed acert.
+ *
+ * If expect_pass is true, then verification should pass.
+ * If expect_pass is false, then verification should fail.
+ * */
+static int do_acert_verify_test(const char * acert_file,
+                                const char * pkey_file,
+                                size_t       expect_pass)
+{
+    X509_ACERT * x509 = NULL;
+    EVP_PKEY *   pkey = NULL;
+    BIO *        bp = NULL;
+    int          verify_rc = 0;
+
+    /* First read the attribute certificate. */
+    bp = BIO_new_file(acert_file, "r");
+    if (bp == NULL) {
+        return -1;
+    }
+
+    x509 = PEM_read_bio_X509_ACERT(bp, NULL, NULL, NULL);
+    BIO_free(bp);
+    bp = NULL;
+
+    if (x509 == NULL) {
+        return -1;
+    }
+
+    /* Next read the associated pub key. */
+    bp = BIO_new_file(pkey_file, "r");
+
+    if (bp == NULL) {
+        X509_ACERT_free(x509);
+        x509 = NULL;
+        return -1;
+    }
+
+    pkey = PEM_read_bio_PUBKEY(bp, &pkey, NULL, NULL);
+    BIO_free(bp);
+    bp = NULL;
+
+    if (pkey == NULL) {
+        X509_ACERT_free(x509);
+        x509 = NULL;
+        return -1;
+    }
+
+    /* Finally, do verification. */
+    verify_rc = X509_ACERT_verify(x509, pkey);
+
+    X509_ACERT_free(x509);
+    x509 = NULL;
+
+    EVP_PKEY_free(pkey);
+    pkey = NULL;
+
+    if (expect_pass && verify_rc != 1) {
+        return -1;
+    }
+
+    if (!expect_pass && verify_rc == 1) {
+        return -1;
+    }
+
+    return 0;
+}
+#endif
+
+int test_wolfSSL_X509_ACERT_verify(void)
+{
+    EXPECT_DECLS;
+#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && !defined(NO_RSA) && \
+    defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)
+    /* Walk over list of signed ACERTs and their pubkeys.
+     * All should load and pass verification. */
+    const char * acerts[4] = {"certs/acert/acert.pem",
+                              "certs/acert/acert_ietf.pem",
+                              "certs/acert/rsa_pss/acert.pem",
+                              "certs/acert/rsa_pss/acert_ietf.pem"};
+    const char * pkeys[4] =  {"certs/acert/acert_pubkey.pem",
+                              "certs/acert/acert_ietf_pubkey.pem",
+                              "certs/acert/rsa_pss/acert_pubkey.pem",
+                              "certs/acert/rsa_pss/acert_ietf_pubkey.pem"};
+    int    rc = 0;
+    size_t i = 0;
+    size_t j = 0;
+
+    for (i = 0; i < 4; ++i) {
+        for (j = i; j < 4; ++j) {
+            rc = do_acert_verify_test(acerts[i], pkeys[j], i == j);
+
+            if (rc) {
+                fprintf(stderr, "error: %s: i = %zu, j = %zu, rc = %d\n",
+                        "do_acert_verify_test", i, j, rc);
+                break;
+            }
+        }
+
+        if (rc) { break; }
+    }
+
+    ExpectIntEQ(rc, 0);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_ACERT_misc_api(void)
+{
+    EXPECT_DECLS;
+#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && !defined(NO_RSA) && \
+    !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)
+    const char * acerts[4] = {"certs/acert/acert.pem",
+                              "certs/acert/acert_ietf.pem",
+                              "certs/acert/rsa_pss/acert.pem",
+                              "certs/acert/rsa_pss/acert_ietf.pem"};
+    int          rc = 0;
+    X509_ACERT * x509 = NULL;
+    BIO *        bp = NULL;
+    long         ver_long = 0;
+    int          ver = 0;
+    int          nid = 0;
+    const byte * raw_attr = NULL;
+    word32       attr_len = 0;
+    size_t       i = 0;
+    int          buf_len = 0;
+    byte         ietf_serial[] = {0x03, 0xb5, 0x90, 0x59, 0x02,
+                                  0xa2, 0xaa, 0xb5, 0x40, 0x21,
+                                  0x44, 0xb8, 0x2c, 0x4f, 0xd9,
+                                  0x80, 0x1b, 0x5f, 0x57, 0xc2};
+
+    for (i = 0; i < 4; ++i) {
+        const char * acert_file = acerts[i];
+        int          is_rsa_pss = 0;
+        int          is_ietf_acert = 0;
+        byte         serial[64];
+        int          serial_len = sizeof(serial);
+
+        XMEMSET(serial, 0, sizeof(serial));
+
+        is_rsa_pss = XSTRSTR(acert_file, "rsa_pss") != NULL ? 1 : 0;
+        is_ietf_acert = XSTRSTR(acert_file, "ietf.pem") != NULL ? 1 : 0;
+
+        /* First read the attribute certificate. */
+        bp = BIO_new_file(acert_file, "r");
+        ExpectNotNull(bp);
+
+        x509 = PEM_read_bio_X509_ACERT(bp, NULL, NULL, NULL);
+        ExpectNotNull(x509);
+
+        /* We're done with the bio for now. */
+        if (bp != NULL) {
+            BIO_free(bp);
+            bp = NULL;
+        }
+
+        /* Check version and signature NID. */
+        ver_long = X509_ACERT_get_version(x509);
+        ExpectIntEQ(ver_long, 1);
+
+        ver = wolfSSL_X509_ACERT_version(x509);
+        ExpectIntEQ(ver, 2);
+
+        nid = X509_ACERT_get_signature_nid(x509);
+
+        if (is_rsa_pss) {
+            ExpectIntEQ(nid, NID_rsassaPss);
+        }
+        else {
+            ExpectIntEQ(nid, NID_sha256WithRSAEncryption);
+        }
+
+        /* Get the serial number buffer.
+         * The ietf acert example has a 20 byte serial number. */
+        rc = wolfSSL_X509_ACERT_get_serial_number(x509, serial, &serial_len);
+        ExpectIntEQ(rc, SSL_SUCCESS);
+
+        if (is_ietf_acert) {
+            ExpectIntEQ(serial_len, 20);
+            ExpectIntEQ(XMEMCMP(serial, ietf_serial, sizeof(ietf_serial)), 0);
+        }
+        else {
+            ExpectIntEQ(serial_len, 1);
+            ExpectTrue(serial[0] == 0x01);
+        }
+
+        /* Repeat the same but with null serial buffer. This is ok. */
+        rc = wolfSSL_X509_ACERT_get_serial_number(x509, NULL, &serial_len);
+        ExpectIntEQ(rc, SSL_SUCCESS);
+
+        if (is_ietf_acert) {
+            ExpectIntEQ(serial_len, 20);
+        }
+        else {
+            ExpectIntEQ(serial_len, 1);
+            ExpectTrue(serial[0] == 0x01);
+        }
+
+        /* Get the attributes buffer. */
+        rc = wolfSSL_X509_ACERT_get_attr_buf(x509, &raw_attr, &attr_len);
+        ExpectIntEQ(rc, SSL_SUCCESS);
+
+        if (is_ietf_acert) {
+            /* This cert has a 65 byte attributes field. */
+            ExpectNotNull(raw_attr);
+            ExpectIntEQ(attr_len, 65);
+        }
+        else {
+            /* This cert has a 237 byte attributes field. */
+            ExpectNotNull(raw_attr);
+            ExpectIntEQ(attr_len, 237);
+        }
+
+        /* Test printing acert to memory bio. */
+        ExpectNotNull(bp = BIO_new(BIO_s_mem()));
+        rc = X509_ACERT_print(bp, x509);
+        ExpectIntEQ(rc, SSL_SUCCESS);
+
+        /* Now do a bunch of invalid stuff with partially valid inputs. */
+        rc = wolfSSL_X509_ACERT_get_attr_buf(x509, &raw_attr, NULL);
+        ExpectIntEQ(rc, BAD_FUNC_ARG);
+
+        rc = wolfSSL_X509_ACERT_get_attr_buf(x509, NULL, &attr_len);
+        ExpectIntEQ(rc, BAD_FUNC_ARG);
+
+        rc = wolfSSL_X509_ACERT_get_attr_buf(NULL, &raw_attr, &attr_len);
+        ExpectIntEQ(rc, BAD_FUNC_ARG);
+
+        ver_long = X509_ACERT_get_version(NULL);
+        ExpectIntEQ(ver_long, 0);
+
+        ver = wolfSSL_X509_ACERT_version(NULL);
+        ExpectIntEQ(ver, 0);
+
+        rc = wolfSSL_X509_ACERT_get_signature(x509, NULL, NULL);
+        ExpectIntEQ(rc, WOLFSSL_FATAL_ERROR);
+
+        rc = wolfSSL_X509_ACERT_get_signature(x509, NULL, &buf_len);
+        ExpectIntEQ(rc, SSL_SUCCESS);
+        ExpectIntEQ(buf_len, 256);
+
+        rc = wolfSSL_X509_ACERT_get_serial_number(x509, serial, NULL);
+        ExpectIntEQ(rc, BAD_FUNC_ARG);
+
+        rc = X509_ACERT_print(bp, NULL);
+        ExpectIntEQ(rc, WOLFSSL_FAILURE);
+
+        rc = X509_ACERT_print(NULL, x509);
+        ExpectIntEQ(rc, WOLFSSL_FAILURE);
+
+        /* Finally free the acert and bio, we're done with them. */
+        if (x509 != NULL) {
+            X509_ACERT_free(x509);
+            x509 = NULL;
+        }
+
+        if (bp != NULL) {
+            BIO_free(bp);
+            bp = NULL;
+        }
+    }
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_ACERT_buffer(void)
+{
+    EXPECT_DECLS;
+#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && \
+    !defined(NO_RSA) && defined(WC_RSA_PSS) && \
+    (defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA))
+    const byte acert_ietf[] = \
+    "-----BEGIN ATTRIBUTE CERTIFICATE-----\n"
+    "MIICPTCCASUCAQEwN6AWMBGkDzANMQswCQYDVQQDDAJDQQIBAqEdpBswGTEXMBUG\n"
+    "A1UEAwwOc2VydmVyLmV4YW1wbGWgLTArpCkwJzElMCMGA1UEAwwcQXR0cmlidXRl\n"
+    "IENlcnRpZmljYXRlIElzc3VlcjANBgkqhkiG9w0BAQsFAAIUA7WQWQKiqrVAIUS4\n"
+    "LE/ZgBtfV8IwIhgPMjAyMTA2MTUxMjM1MDBaGA8yMDMxMDYxMzEyMzUwMFowQTAj\n"
+    "BggrBgEFBQcKBDEXMBWgCYYHVGVzdHZhbDAIDAZncm91cDEwGgYDVQRIMRMwEaEP\n"
+    "gw1hZG1pbmlzdHJhdG9yMCwwHwYDVR0jBBgwFoAUYm7JaGdsZLtTgt0tqoCK2MrI\n"
+    "i10wCQYDVR04BAIFADANBgkqhkiG9w0BAQsFAAOCAQEAlIOJ2Dj3TEUj6BIv6vUs\n"
+    "GqFWms05i+d10XSzWrunlUTQPoJcUjYkifOWp/7RpZ2XnRl+6hH+nIbmwSmXWwBn\n"
+    "ERw2bQMmw/""/nWuN4Qv9t7ltuovWC0pJX6VMT1IRTuTV4SxuZpFL37vkmnFlPBlb+\n"
+    "mn3ESSxLTjThWFIq1tip4IaxE/i5Uh32GlJglatFHM1PCGoJtyLtYb6KHDlvknw6\n"
+    "coDyjIcj0FZwtQw41jLwxI8jWNmrpt978wdpprB/URrRs+m02HmeQoiHFi/qvdv8\n"
+    "d+5vHf3Pi/ulhz/+dvr0p1vEQSoFnYxLXuty2p5m3PJPZCFmT3gURgmgR3BN9d7A\n"
+    "Bw==\n"
+    "-----END ATTRIBUTE CERTIFICATE-----\n";
+    X509_ACERT * x509 = NULL;
+    int          rc = 0;
+    byte         ietf_serial[] = {0x03, 0xb5, 0x90, 0x59, 0x02,
+                                  0xa2, 0xaa, 0xb5, 0x40, 0x21,
+                                  0x44, 0xb8, 0x2c, 0x4f, 0xd9,
+                                  0x80, 0x1b, 0x5f, 0x57, 0xc2};
+    byte         serial[64];
+    int          serial_len = sizeof(serial);
+    const byte * raw_attr = NULL;
+    word32       attr_len = 0;
+
+    x509 = wolfSSL_X509_ACERT_load_certificate_buffer_ex(acert_ietf,
+                                                         sizeof(acert_ietf),
+                                                         WOLFSSL_FILETYPE_PEM,
+                                                         HEAP_HINT);
+
+    rc = wolfSSL_X509_ACERT_get_serial_number(x509, serial, &serial_len);
+    ExpectIntEQ(rc, SSL_SUCCESS);
+
+    ExpectIntEQ(serial_len, 20);
+    ExpectIntEQ(XMEMCMP(serial, ietf_serial, sizeof(ietf_serial)), 0);
+
+    /* Get the attributes buffer. */
+    rc = wolfSSL_X509_ACERT_get_attr_buf(x509, &raw_attr, &attr_len);
+    ExpectIntEQ(rc, SSL_SUCCESS);
+
+    /* This cert has a 65 byte attributes field. */
+    ExpectNotNull(raw_attr);
+    ExpectIntEQ(attr_len, 65);
+
+    ExpectNotNull(x509);
+
+    if (x509 != NULL) {
+        wolfSSL_X509_ACERT_free(x509);
+        x509 = NULL;
+    }
+#endif
+    return EXPECT_RESULT();
+}
+
+/* note: when ACERT generation and signing are implemented,
+ * this test will be filled out appropriately.
+ * */
+int test_wolfSSL_X509_ACERT_new_and_sign(void)
+{
+    EXPECT_DECLS;
+#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && \
+    !defined(NO_RSA) && defined(WC_RSA_PSS) && \
+    (defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA))
+    X509_ACERT * x509 = NULL;
+    int          rc = 0;
+
+    x509 = X509_ACERT_new();
+    ExpectNotNull(x509);
+
+    if (x509 != NULL) {
+        wolfSSL_X509_ACERT_free(x509);
+        x509 = NULL;
+    }
+
+    /* Same but with static memory hint. */
+    x509 = wolfSSL_X509_ACERT_new_ex(HEAP_HINT);
+    ExpectNotNull(x509);
+
+    #ifndef NO_WOLFSSL_STUB
+    /* ACERT sign not implemented yet. */
+    if (x509 != NULL) {
+        rc = wolfSSL_X509_ACERT_sign(x509, NULL, NULL);
+        ExpectIntEQ(rc, WOLFSSL_NOT_IMPLEMENTED);
+    }
+    #else
+    (void) rc;
+    #endif /* NO_WOLFSSL_STUB */
+
+    if (x509 != NULL) {
+        wolfSSL_X509_ACERT_free(x509);
+        x509 = NULL;
+    }
+
+#endif
+    return EXPECT_RESULT();
+}
+
+/* Test ACERT support, but with ASN functions only.
+ *
+ * This example acert_ietf has both Holder IssuerSerial
+ * and Holder entityName fields.
+ * */
+int test_wolfSSL_X509_ACERT_asn(void)
+{
+    EXPECT_DECLS;
+#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS)
+    const byte     acert_ietf[] = \
+    "-----BEGIN ATTRIBUTE CERTIFICATE-----\n"
+    "MIICPTCCASUCAQEwN6AWMBGkDzANMQswCQYDVQQDDAJDQQIBAqEdpBswGTEXMBUG\n"
+    "A1UEAwwOc2VydmVyLmV4YW1wbGWgLTArpCkwJzElMCMGA1UEAwwcQXR0cmlidXRl\n"
+    "IENlcnRpZmljYXRlIElzc3VlcjANBgkqhkiG9w0BAQsFAAIUA7WQWQKiqrVAIUS4\n"
+    "LE/ZgBtfV8IwIhgPMjAyMTA2MTUxMjM1MDBaGA8yMDMxMDYxMzEyMzUwMFowQTAj\n"
+    "BggrBgEFBQcKBDEXMBWgCYYHVGVzdHZhbDAIDAZncm91cDEwGgYDVQRIMRMwEaEP\n"
+    "gw1hZG1pbmlzdHJhdG9yMCwwHwYDVR0jBBgwFoAUYm7JaGdsZLtTgt0tqoCK2MrI\n"
+    "i10wCQYDVR04BAIFADANBgkqhkiG9w0BAQsFAAOCAQEAlIOJ2Dj3TEUj6BIv6vUs\n"
+    "GqFWms05i+d10XSzWrunlUTQPoJcUjYkifOWp/7RpZ2XnRl+6hH+nIbmwSmXWwBn\n"
+    "ERw2bQMmw/""/nWuN4Qv9t7ltuovWC0pJX6VMT1IRTuTV4SxuZpFL37vkmnFlPBlb+\n"
+    "mn3ESSxLTjThWFIq1tip4IaxE/i5Uh32GlJglatFHM1PCGoJtyLtYb6KHDlvknw6\n"
+    "coDyjIcj0FZwtQw41jLwxI8jWNmrpt978wdpprB/URrRs+m02HmeQoiHFi/qvdv8\n"
+    "d+5vHf3Pi/ulhz/+dvr0p1vEQSoFnYxLXuty2p5m3PJPZCFmT3gURgmgR3BN9d7A\n"
+    "Bw==\n"
+    "-----END ATTRIBUTE CERTIFICATE-----\n";
+    int            rc = 0;
+    int            n_diff = 0;
+    byte           ietf_serial[] =      {0x03, 0xb5, 0x90, 0x59, 0x02,
+                                         0xa2, 0xaa, 0xb5, 0x40, 0x21,
+                                         0x44, 0xb8, 0x2c, 0x4f, 0xd9,
+                                         0x80, 0x1b, 0x5f, 0x57, 0xc2};
+    byte           holderIssuerName[] = {0x31, 0x0b, 0x30, 0x09, 0x06,
+                                         0x03, 0x55, 0x04, 0x03, 0x0c,
+                                         0x02, 0x43, 0x41};
+    byte           holderEntityName[] = {0x31, 0x17, 0x30, 0x15, 0x06,
+                                         0x03, 0x55, 0x04, 0x03, 0x0c,
+                                         0x0e, 0x73, 0x65, 0x72, 0x76,
+                                         0x65, 0x72, 0x2e, 0x65, 0x78,
+                                         0x61, 0x6d, 0x70, 0x6c, 0x65};
+    DerBuffer *    der = NULL;
+    WC_DECLARE_VAR(acert, DecodedAcert, 1, 0);
+
+    rc = wc_PemToDer(acert_ietf, sizeof(acert_ietf), ACERT_TYPE, &der,
+                     HEAP_HINT, NULL, NULL);
+
+    ExpectIntEQ(rc, 0);
+    ExpectNotNull(der);
+
+    if (der != NULL) {
+        ExpectNotNull(der->buffer);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    acert = (DecodedAcert*)XMALLOC(sizeof(DecodedAcert), HEAP_HINT,
+                                   DYNAMIC_TYPE_DCERT);
+    ExpectNotNull(acert);
+#else
+    XMEMSET(acert, 0, sizeof(DecodedAcert));
+#endif
+
+    if (der != NULL && der->buffer != NULL
+#ifdef WOLFSSL_SMALL_STACK
+        && acert != NULL
+#endif
+    ) {
+        wc_InitDecodedAcert(acert, der->buffer, der->length, HEAP_HINT);
+        rc = wc_ParseX509Acert(acert, VERIFY_SKIP_DATE);
+        ExpectIntEQ(rc, 0);
+
+        ExpectIntEQ(acert->serialSz, 20);
+        ExpectIntEQ(XMEMCMP(acert->serial, ietf_serial, sizeof(ietf_serial)),
+                    0);
+
+        /* This cert has a 65 byte attributes field. */
+        ExpectNotNull(acert->rawAttr);
+        ExpectIntEQ(acert->rawAttrLen, 65);
+
+        ExpectNotNull(acert->holderIssuerName);
+        ExpectNotNull(acert->holderEntityName);
+
+        if ((acert->holderIssuerName != NULL) &&
+            (acert->holderEntityName != NULL)) {
+            ExpectNotNull(acert->holderEntityName->name);
+            ExpectNotNull(acert->holderIssuerName->name);
+        }
+        if ((acert->holderIssuerName != NULL) &&
+            (acert->holderEntityName != NULL) &&
+            (acert->holderIssuerName->name != NULL) &&
+            (acert->holderEntityName->name != NULL)) {
+            ExpectIntEQ(acert->holderIssuerName->len,
+                        sizeof(holderIssuerName));
+            ExpectIntEQ(acert->holderEntityName->len,
+                        sizeof(holderEntityName));
+
+            ExpectIntEQ(acert->holderIssuerName->type, ASN_DIR_TYPE);
+            ExpectIntEQ(acert->holderEntityName->type, ASN_DIR_TYPE);
+
+            n_diff = XMEMCMP(acert->holderIssuerName->name, holderIssuerName,
+                             sizeof(holderIssuerName));
+            ExpectIntEQ(n_diff, 0);
+
+            n_diff = XMEMCMP(acert->holderEntityName->name, holderEntityName,
+                             sizeof(holderEntityName));
+            ExpectIntEQ(n_diff, 0);
+        }
+
+        wc_FreeDecodedAcert(acert);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (acert != NULL) {
+        XFREE(acert, HEAP_HINT, DYNAMIC_TYPE_DCERT);
+        acert = NULL;
+    }
+#endif
+
+    if (der != NULL) {
+        wc_FreeDer(&der);
+        der = NULL;
+    }
+
+#endif
+    return EXPECT_RESULT();
+}
+
+

tests/api/test_ossl_x509_acert.h

@@ -0,0 +1,40 @@
+/* test_ossl_x509_acert.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_ACERT_H
+#define WOLFCRYPT_TEST_OSSL_X509_ACERT_H
+
+#include <tests/api/api_decl.h>
+
+int test_wolfSSL_X509_ACERT_verify(void);
+int test_wolfSSL_X509_ACERT_misc_api(void);
+int test_wolfSSL_X509_ACERT_buffer(void);
+int test_wolfSSL_X509_ACERT_new_and_sign(void);
+int test_wolfSSL_X509_ACERT_asn(void);
+
+#define TEST_OSSL_X509_ACERT_DECLS                                             \
+    TEST_DECL_GROUP("ossl_x509_acert", test_wolfSSL_X509_ACERT_verify),        \
+    TEST_DECL_GROUP("ossl_x509_acert", test_wolfSSL_X509_ACERT_misc_api),      \
+    TEST_DECL_GROUP("ossl_x509_acert", test_wolfSSL_X509_ACERT_buffer),        \
+    TEST_DECL_GROUP("ossl_x509_acert", test_wolfSSL_X509_ACERT_new_and_sign),  \
+    TEST_DECL_GROUP("ossl_x509_acert", test_wolfSSL_X509_ACERT_new_and_sign)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_ACERT_H */

tests/api/test_ossl_x509_crypto.c

@@ -0,0 +1,782 @@
+/* test_ossl_x509_crypto.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <tests/unit.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#include <wolfssl/ssl.h>
+#include <wolfssl/internal.h>
+#include <tests/utils.h>
+#include <tests/api/api.h>
+#include <tests/api/test_ossl_x509_crypto.h>
+
+int test_wolfSSL_X509_check_private_key(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \
+        defined(USE_CERT_BUFFERS_2048) && !defined(NO_CHECK_PRIVATE_KEY) && \
+        !defined(NO_FILESYSTEM)
+    X509*  x509 = NULL;
+    EVP_PKEY* pkey = NULL;
+    const byte* key;
+
+    /* Check with correct key */
+    ExpectNotNull((x509 = X509_load_certificate_file(cliCertFile,
+        SSL_FILETYPE_PEM)));
+    key = client_key_der_2048;
+    ExpectNotNull(d2i_PrivateKey(EVP_PKEY_RSA, &pkey, &key,
+        (long)sizeof_client_key_der_2048));
+    ExpectIntEQ(X509_check_private_key(x509, pkey), 1);
+    EVP_PKEY_free(pkey);
+    pkey = NULL;
+
+    /* Check with wrong key */
+    key = server_key_der_2048;
+    ExpectNotNull(d2i_PrivateKey(EVP_PKEY_RSA, &pkey, &key,
+        (long)sizeof_server_key_der_2048));
+    ExpectIntEQ(X509_check_private_key(x509, pkey), 0);
+
+    /* test for incorrect parameter */
+    ExpectIntEQ(X509_check_private_key(NULL, pkey), 0);
+    ExpectIntEQ(X509_check_private_key(x509, NULL), 0);
+    ExpectIntEQ(X509_check_private_key(NULL, NULL), 0);
+
+    EVP_PKEY_free(pkey);
+    X509_free(x509);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_verify(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \
+    defined(OPENSSL_EXTRA)
+    WOLFSSL_X509* ca = NULL;
+    WOLFSSL_X509* serv = NULL;
+    WOLFSSL_EVP_PKEY* pkey = NULL;
+    unsigned char buf[2048];
+    const unsigned char* pt = NULL;
+    int bufSz = 0;
+
+    ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(caCertFile,
+        WOLFSSL_FILETYPE_PEM));
+
+    ExpectIntNE(wolfSSL_X509_get_pubkey_buffer(NULL, buf, NULL),
+        WOLFSSL_SUCCESS);
+    ExpectIntNE(wolfSSL_X509_get_pubkey_buffer(NULL, buf, &bufSz),
+        WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_X509_get_pubkey_buffer(ca, NULL, &bufSz),
+        WOLFSSL_SUCCESS);
+    ExpectIntEQ(bufSz, 294);
+
+    bufSz--;
+    ExpectIntNE(wolfSSL_X509_get_pubkey_buffer(ca, buf, &bufSz),
+        WOLFSSL_SUCCESS);
+    bufSz = 2048;
+    ExpectIntEQ(wolfSSL_X509_get_pubkey_buffer(ca, buf, &bufSz),
+        WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_X509_get_pubkey_type(NULL),
+        WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+    ExpectIntEQ(wolfSSL_X509_get_pubkey_type(ca), RSAk);
+
+
+    ExpectNotNull(serv = wolfSSL_X509_load_certificate_file(svrCertFile,
+        WOLFSSL_FILETYPE_PEM));
+
+    /* success case */
+    pt = buf;
+    ExpectNotNull(pkey = wolfSSL_d2i_PUBKEY(NULL, &pt, bufSz));
+
+    ExpectIntEQ(i2d_PUBKEY(pkey, NULL), bufSz);
+
+    ExpectIntEQ(wolfSSL_X509_verify(serv, pkey), WOLFSSL_SUCCESS);
+    wolfSSL_EVP_PKEY_free(pkey);
+    pkey = NULL;
+
+    /* fail case */
+    bufSz = 2048;
+    ExpectIntEQ(wolfSSL_X509_get_pubkey_buffer(serv, buf, &bufSz),
+        WOLFSSL_SUCCESS);
+    pt = buf;
+    ExpectNotNull(pkey = wolfSSL_d2i_PUBKEY(NULL, &pt, bufSz));
+    ExpectIntEQ(wolfSSL_X509_verify(serv, pkey),
+        WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+
+    ExpectIntEQ(wolfSSL_X509_verify(NULL, pkey),
+        WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
+    ExpectIntEQ(wolfSSL_X509_verify(serv, NULL),
+        WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
+
+#ifndef NO_WOLFSSL_STUB
+    ExpectNull(wolfSSL_X509_get0_pubkey_bitstr(NULL));
+    ExpectNull(wolfSSL_X509_get0_pubkey_bitstr(serv));
+#endif
+
+    wolfSSL_EVP_PKEY_free(pkey);
+
+    wolfSSL_FreeX509(ca);
+    wolfSSL_FreeX509(serv);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_sign(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_ASN_TIME) && \
+    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && !defined(NO_RSA)
+    int ret = 0;
+    char *cn = NULL;
+    word32 cnSz = 0;
+    X509_NAME *name = NULL;
+    X509_NAME *emptyName = NULL;
+    X509 *x509 = NULL;
+    X509 *ca = NULL;
+    DecodedCert dCert;
+    EVP_PKEY *pub = NULL;
+    EVP_PKEY *priv = NULL;
+    EVP_MD_CTX *mctx = NULL;
+#if defined(USE_CERT_BUFFERS_1024)
+    const unsigned char* rsaPriv = client_key_der_1024;
+    const unsigned char* rsaPub = client_keypub_der_1024;
+    const unsigned char* certIssuer = client_cert_der_1024;
+    long clientKeySz = (long)sizeof_client_key_der_1024;
+    long clientPubKeySz = (long)sizeof_client_keypub_der_1024;
+    long certIssuerSz = (long)sizeof_client_cert_der_1024;
+#elif defined(USE_CERT_BUFFERS_2048)
+    const unsigned char* rsaPriv = client_key_der_2048;
+    const unsigned char* rsaPub = client_keypub_der_2048;
+    const unsigned char* certIssuer = client_cert_der_2048;
+    long clientKeySz = (long)sizeof_client_key_der_2048;
+    long clientPubKeySz = (long)sizeof_client_keypub_der_2048;
+    long certIssuerSz = (long)sizeof_client_cert_der_2048;
+#endif
+    byte sn[16];
+    int snSz = sizeof(sn);
+    int sigSz = 0;
+#ifndef NO_WOLFSSL_STUB
+    const WOLFSSL_ASN1_BIT_STRING* sig = NULL;
+    const WOLFSSL_X509_ALGOR* alg = NULL;
+#endif
+
+    /* Set X509_NAME fields */
+    ExpectNotNull(name = X509_NAME_new());
+    ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
+                                       (byte*)"US", 2, -1, 0), SSL_SUCCESS);
+    ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
+                             (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
+    ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
+                     (byte*)"support@wolfssl.com", 19, -1, 0), SSL_SUCCESS);
+
+    /* Get private and public keys */
+    ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &rsaPriv,
+                                                                  clientKeySz));
+    ExpectNotNull(pub = wolfSSL_d2i_PUBKEY(NULL, &rsaPub, clientPubKeySz));
+    ExpectNotNull(x509 = X509_new());
+    ExpectIntEQ(X509_sign(x509, priv, EVP_sha256()), 0);
+    /* Set version 3 */
+    ExpectIntNE(X509_set_version(x509, 2L), 0);
+    /* Set subject name, add pubkey, and sign certificate */
+    ExpectIntEQ(X509_set_subject_name(x509, name), SSL_SUCCESS);
+    X509_NAME_free(name);
+    name = NULL;
+    ExpectIntEQ(X509_set_pubkey(x509, pub), SSL_SUCCESS);
+#ifdef WOLFSSL_ALT_NAMES
+    ExpectNull(wolfSSL_X509_get_next_altname(NULL));
+    ExpectNull(wolfSSL_X509_get_next_altname(x509));
+
+    /* Add some subject alt names */
+    ExpectIntNE(wolfSSL_X509_add_altname(NULL,
+                "ipsum", ASN_DNS_TYPE), SSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_X509_add_altname(x509,
+                NULL, ASN_DNS_TYPE), SSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_X509_add_altname(x509,
+                "sphygmomanometer",
+                ASN_DNS_TYPE), SSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_X509_add_altname(x509,
+                "supercalifragilisticexpialidocious",
+                ASN_DNS_TYPE), SSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_X509_add_altname(x509,
+                "Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch",
+                ASN_DNS_TYPE), SSL_SUCCESS);
+#ifdef WOLFSSL_IP_ALT_NAME
+    {
+        unsigned char ip4_type[] = {127,128,0,255};
+        unsigned char ip6_type[] = {0xdd, 0xcc, 0xba, 0xab,
+                                    0xff, 0xee, 0x99, 0x88,
+                                    0x77, 0x66, 0x55, 0x44,
+                                    0x00, 0x33, 0x22, 0x11};
+        ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip4_type,
+                sizeof(ip4_type), ASN_IP_TYPE), SSL_SUCCESS);
+        ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, (char*)ip6_type,
+                sizeof(ip6_type), ASN_IP_TYPE), SSL_SUCCESS);
+    }
+#endif
+
+    {
+        int i;
+
+        if (x509 != NULL) {
+            x509->altNamesNext = x509->altNames;
+        }
+#ifdef WOLFSSL_IP_ALT_NAME
+        /* No names in IP address. */
+        ExpectNull(wolfSSL_X509_get_next_altname(x509));
+        ExpectNull(wolfSSL_X509_get_next_altname(x509));
+#endif
+        for (i = 0; i < 3; i++) {
+            ExpectNotNull(wolfSSL_X509_get_next_altname(x509));
+        }
+        ExpectNull(wolfSSL_X509_get_next_altname(x509));
+#ifdef WOLFSSL_MULTICIRCULATE_ALTNAMELIST
+        ExpectNotNull(wolfSSL_X509_get_next_altname(x509));
+#endif
+    }
+#endif /* WOLFSSL_ALT_NAMES */
+
+    {
+        ASN1_UTCTIME* infinite_past = NULL;
+        ExpectNotNull(infinite_past = ASN1_UTCTIME_set(NULL, 0));
+        ExpectIntEQ(X509_set1_notBefore(x509, infinite_past), 1);
+        ASN1_UTCTIME_free(infinite_past);
+    }
+
+    /* test valid sign case */
+    ExpectIntGT(ret = X509_sign(x509, priv, EVP_sha256()), 0);
+    /* test getting signature */
+#ifndef NO_WOLFSSL_STUB
+    wolfSSL_X509_get0_signature(&sig, &alg, x509);
+#endif
+    ExpectIntEQ(wolfSSL_X509_get_signature(x509, NULL, &sigSz),
+        WOLFSSL_SUCCESS);
+    ExpectIntGT(sigSz, 0);
+    ExpectIntEQ(wolfSSL_X509_get_signature(NULL, NULL, NULL),
+        WOLFSSL_FATAL_ERROR);
+    ExpectIntEQ(wolfSSL_X509_get_signature(x509, NULL, NULL),
+        WOLFSSL_FATAL_ERROR);
+    ExpectIntEQ(wolfSSL_X509_get_signature(NULL, NULL, &sigSz),
+        WOLFSSL_FATAL_ERROR);
+    sigSz = 0;
+    ExpectIntEQ(wolfSSL_X509_get_signature(x509, sn, &sigSz),
+        WOLFSSL_FATAL_ERROR);
+
+    /* test valid X509_sign_ctx case */
+    ExpectNotNull(mctx = EVP_MD_CTX_new());
+    ExpectIntEQ(EVP_DigestSignInit(mctx, NULL, EVP_sha256(), NULL, priv), 1);
+    ExpectIntGT(X509_sign_ctx(x509, mctx), 0);
+
+#if defined(OPENSSL_ALL) && defined(WOLFSSL_ALT_NAMES)
+    ExpectIntEQ(X509_get_ext_count(x509), 1);
+#endif
+#if defined(WOLFSSL_ALT_NAMES) && defined(WOLFSSL_IP_ALT_NAME)
+    ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.128.0.255", 0), 1);
+    ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509,
+        "DDCC:BAAB:FFEE:9988:7766:5544:0033:2211", 0), 1);
+#endif
+
+    ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, sn, &snSz),
+                WOLFSSL_SUCCESS);
+    DEBUG_WRITE_CERT_X509(x509, "signed.pem");
+
+    /* Variation in size depends on ASN.1 encoding when MSB is set.
+     * WOLFSSL_ASN_TEMPLATE code does not generate a serial number
+     * with the MSB set. See GenerateInteger in asn.c */
+#ifndef USE_CERT_BUFFERS_1024
+#ifndef WOLFSSL_ALT_NAMES
+    /* Valid case - size should be 781-786 with 16 byte serial number */
+    ExpectTrue((781 + snSz <= ret) && (ret <= 781 + 5 + snSz));
+#elif defined(WOLFSSL_IP_ALT_NAME)
+    /* Valid case - size should be 955-960 with 16 byte serial number */
+    ExpectTrue((939 + snSz <= ret) && (ret <= 939 + 5 + snSz));
+#else
+    /* Valid case - size should be 926-931 with 16 byte serial number */
+    ExpectTrue((910 + snSz <= ret) && (ret <= 910 + 5 + snSz));
+#endif
+#else
+#ifndef WOLFSSL_ALT_NAMES
+    /* Valid case - size should be 537-542 with 16 byte serial number */
+    ExpectTrue((521 + snSz <= ret) && (ret <= 521 + 5 + snSz));
+#elif defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
+    /* Valid case - size should be 695-670 with 16 byte serial number */
+    ExpectTrue((679 + snSz <= ret) && (ret <= 679 + 5 + snSz));
+#else
+    /* Valid case - size should be 666-671 with 16 byte serial number */
+    ExpectTrue((650 + snSz <= ret) && (ret <= 650 + 5 + snSz));
+#endif
+#endif
+    /* check that issuer name is as expected after signature */
+    InitDecodedCert(&dCert, certIssuer, (word32)certIssuerSz, 0);
+    ExpectIntEQ(ParseCert(&dCert, CERT_TYPE, NO_VERIFY, NULL), 0);
+
+    ExpectNotNull(emptyName = X509_NAME_new());
+    ExpectNotNull(ca = d2i_X509(NULL, &certIssuer, (int)certIssuerSz));
+    ExpectIntEQ(wolfSSL_X509_get_isCA(NULL), 0);
+    ExpectIntEQ(wolfSSL_X509_get_isCA(ca), 1);
+    ExpectNotNull(name = X509_get_subject_name(ca));
+    ExpectIntEQ(X509_NAME_get_sz(NULL), WOLFSSL_FATAL_ERROR);
+    ExpectIntGT(cnSz = X509_NAME_get_sz(name), 0);
+    ExpectNotNull(cn = (char*)XMALLOC(cnSz, HEAP_HINT, DYNAMIC_TYPE_OPENSSL));
+    ExpectNull(X509_NAME_oneline(NULL, cn, (int)cnSz));
+    ExpectPtrEq(X509_NAME_oneline(name, cn, 0), cn);
+    ExpectPtrEq(X509_NAME_oneline(emptyName, cn, (int)cnSz), cn);
+    ExpectNull(X509_NAME_oneline(emptyName, NULL, 0));
+    ExpectPtrEq(X509_NAME_oneline(name, cn, (int)cnSz), cn);
+    ExpectIntEQ(0, XSTRNCMP(cn, dCert.subject, XSTRLEN(cn)));
+    XFREE(cn, HEAP_HINT, DYNAMIC_TYPE_OPENSSL);
+    cn = NULL;
+
+#if defined(XSNPRINTF)
+    ExpectNull(wolfSSL_X509_get_name_oneline(NULL, NULL, 0));
+    ExpectNotNull(cn = wolfSSL_X509_get_name_oneline(name, NULL, 0));
+    ExpectIntGT((int)(cnSz = (word32)XSTRLEN(cn) + 1), 0);
+    ExpectPtrEq(wolfSSL_X509_get_name_oneline(name, cn, (int)cnSz), cn);
+    ExpectNull(wolfSSL_X509_get_name_oneline(NULL, cn, (int)cnSz));
+    ExpectNull(wolfSSL_X509_get_name_oneline(name, cn, cnSz - 1));
+    ExpectPtrEq(wolfSSL_X509_get_name_oneline(name, cn, (int)cnSz), cn);
+    ExpectPtrEq(wolfSSL_X509_get_name_oneline(emptyName, cn, (int)cnSz), cn);
+    XFREE(cn, HEAP_HINT, DYNAMIC_TYPE_OPENSSL);
+    cn = NULL;
+#endif
+    X509_NAME_free(emptyName);
+
+#ifdef WOLFSSL_MULTI_ATTRIB
+    /* test adding multiple OU's to the signer */
+    ExpectNotNull(name = X509_get_subject_name(ca));
+    ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_UTF8,
+                                       (byte*)"OU1", 3, -1, 0), SSL_SUCCESS);
+    ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_UTF8,
+                                       (byte*)"OU2", 3, -1, 0), SSL_SUCCESS);
+    ExpectIntGT(X509_sign(ca, priv, EVP_sha256()), 0);
+#endif
+
+    ExpectNotNull(name = X509_get_subject_name(ca));
+    ExpectIntEQ(X509_set_issuer_name(x509, name), SSL_SUCCESS);
+
+    ExpectIntGT(X509_sign(x509, priv, EVP_sha256()), 0);
+    ExpectNotNull(name = X509_get_issuer_name(x509));
+    cnSz = X509_NAME_get_sz(name);
+    ExpectNotNull(cn = (char*)XMALLOC(cnSz, HEAP_HINT, DYNAMIC_TYPE_OPENSSL));
+    ExpectNotNull(cn = X509_NAME_oneline(name, cn, (int)cnSz));
+    /* compare and don't include the multi-attrib "/OU=OU1/OU=OU2" above */
+    ExpectIntEQ(0, XSTRNCMP(cn, dCert.issuer, XSTRLEN(dCert.issuer)));
+    XFREE(cn, HEAP_HINT, DYNAMIC_TYPE_OPENSSL);
+    cn = NULL;
+
+    FreeDecodedCert(&dCert);
+
+    /* Test invalid parameters */
+    ExpectIntEQ(X509_sign(NULL, priv, EVP_sha256()), 0);
+    ExpectIntEQ(X509_sign(x509, NULL, EVP_sha256()), 0);
+    ExpectIntEQ(X509_sign(x509, priv, NULL), 0);
+
+    ExpectIntEQ(X509_sign_ctx(NULL, mctx), 0);
+    EVP_MD_CTX_free(mctx);
+    mctx = NULL;
+    ExpectNotNull(mctx = EVP_MD_CTX_new());
+    ExpectIntEQ(X509_sign_ctx(x509, mctx), 0);
+    ExpectIntEQ(X509_sign_ctx(x509, NULL), 0);
+
+    /* test invalid version number */
+#if defined(OPENSSL_ALL)
+    ExpectIntNE(X509_set_version(x509, 6L), 0);
+    ExpectIntGT(X509_sign(x509, priv, EVP_sha256()), 0);
+
+    /* uses ParseCert which fails on bad version number */
+    ExpectIntEQ(X509_get_ext_count(x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+#endif
+
+    EVP_MD_CTX_free(mctx);
+    EVP_PKEY_free(priv);
+    EVP_PKEY_free(pub);
+    X509_free(x509);
+    X509_free(ca);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_sign2(void)
+{
+    EXPECT_DECLS;
+    /* test requires WOLFSSL_AKID_NAME to match expected output */
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_CERTS) && \
+    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_ALT_NAMES) && \
+    defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_AKID_NAME) && \
+    (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || \
+    defined(WOLFSSL_IP_ALT_NAME))
+    WOLFSSL_X509 *x509 = NULL;
+    WOLFSSL_X509 *ca = NULL;
+    const unsigned char *der = NULL;
+    const unsigned char *pt = NULL;
+    WOLFSSL_EVP_PKEY  *priv = NULL;
+    WOLFSSL_X509_NAME *name = NULL;
+    int derSz;
+#ifndef NO_ASN_TIME
+    WOLFSSL_ASN1_TIME *notBefore = NULL;
+    WOLFSSL_ASN1_TIME *notAfter = NULL;
+
+    const int year = 365*24*60*60;
+    const int day  = 24*60*60;
+    const int hour = 60*60;
+    const int mini = 60;
+    time_t t;
+#endif
+
+    const unsigned char expected[] = {
+        0x30, 0x82, 0x05, 0x13, 0x30, 0x82, 0x03, 0xFB, 0xA0, 0x03, 0x02, 0x01,
+        0x02, 0x02, 0x14, 0x6B, 0x61, 0x49, 0x45, 0xFF, 0x4A, 0xD1, 0x54, 0x16,
+        0xB4, 0x35, 0x37, 0xC4, 0x98, 0x5D, 0xA9, 0xF6, 0x67, 0x60, 0x91, 0x30,
+        0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
+        0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55,
+        0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+        0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61,
+        0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42,
+        0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03,
+        0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74,
+        0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A,
+        0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18,
+        0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77,
+        0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
+        0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F,
+        0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x1E, 0x17,
+        0x0D, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30, 0x30,
+        0x30, 0x5A, 0x17, 0x0D, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32, 0x30,
+        0x33, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30,
+        0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74,
+        0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07,
+        0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x15, 0x30,
+        0x13, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C, 0x66,
+        0x53, 0x53, 0x4C, 0x5F, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30, 0x17,
+        0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67, 0x72,
+        0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x32, 0x30, 0x34, 0x38, 0x31,
+        0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77,
+        0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
+        0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+        0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
+        0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x82,
+        0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82,
+        0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xC3, 0x03, 0xD1, 0x2B, 0xFE,
+        0x39, 0xA4, 0x32, 0x45, 0x3B, 0x53, 0xC8, 0x84, 0x2B, 0x2A, 0x7C, 0x74,
+        0x9A, 0xBD, 0xAA, 0x2A, 0x52, 0x07, 0x47, 0xD6, 0xA6, 0x36, 0xB2, 0x07,
+        0x32, 0x8E, 0xD0, 0xBA, 0x69, 0x7B, 0xC6, 0xC3, 0x44, 0x9E, 0xD4, 0x81,
+        0x48, 0xFD, 0x2D, 0x68, 0xA2, 0x8B, 0x67, 0xBB, 0xA1, 0x75, 0xC8, 0x36,
+        0x2C, 0x4A, 0xD2, 0x1B, 0xF7, 0x8B, 0xBA, 0xCF, 0x0D, 0xF9, 0xEF, 0xEC,
+        0xF1, 0x81, 0x1E, 0x7B, 0x9B, 0x03, 0x47, 0x9A, 0xBF, 0x65, 0xCC, 0x7F,
+        0x65, 0x24, 0x69, 0xA6, 0xE8, 0x14, 0x89, 0x5B, 0xE4, 0x34, 0xF7, 0xC5,
+        0xB0, 0x14, 0x93, 0xF5, 0x67, 0x7B, 0x3A, 0x7A, 0x78, 0xE1, 0x01, 0x56,
+        0x56, 0x91, 0xA6, 0x13, 0x42, 0x8D, 0xD2, 0x3C, 0x40, 0x9C, 0x4C, 0xEF,
+        0xD1, 0x86, 0xDF, 0x37, 0x51, 0x1B, 0x0C, 0xA1, 0x3B, 0xF5, 0xF1, 0xA3,
+        0x4A, 0x35, 0xE4, 0xE1, 0xCE, 0x96, 0xDF, 0x1B, 0x7E, 0xBF, 0x4E, 0x97,
+        0xD0, 0x10, 0xE8, 0xA8, 0x08, 0x30, 0x81, 0xAF, 0x20, 0x0B, 0x43, 0x14,
+        0xC5, 0x74, 0x67, 0xB4, 0x32, 0x82, 0x6F, 0x8D, 0x86, 0xC2, 0x88, 0x40,
+        0x99, 0x36, 0x83, 0xBA, 0x1E, 0x40, 0x72, 0x22, 0x17, 0xD7, 0x52, 0x65,
+        0x24, 0x73, 0xB0, 0xCE, 0xEF, 0x19, 0xCD, 0xAE, 0xFF, 0x78, 0x6C, 0x7B,
+        0xC0, 0x12, 0x03, 0xD4, 0x4E, 0x72, 0x0D, 0x50, 0x6D, 0x3B, 0xA3, 0x3B,
+        0xA3, 0x99, 0x5E, 0x9D, 0xC8, 0xD9, 0x0C, 0x85, 0xB3, 0xD9, 0x8A, 0xD9,
+        0x54, 0x26, 0xDB, 0x6D, 0xFA, 0xAC, 0xBB, 0xFF, 0x25, 0x4C, 0xC4, 0xD1,
+        0x79, 0xF4, 0x71, 0xD3, 0x86, 0x40, 0x18, 0x13, 0xB0, 0x63, 0xB5, 0x72,
+        0x4E, 0x30, 0xC4, 0x97, 0x84, 0x86, 0x2D, 0x56, 0x2F, 0xD7, 0x15, 0xF7,
+        0x7F, 0xC0, 0xAE, 0xF5, 0xFC, 0x5B, 0xE5, 0xFB, 0xA1, 0xBA, 0xD3, 0x02,
+        0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x4F, 0x30, 0x82, 0x01, 0x4B,
+        0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
+        0x01, 0xFF, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x15, 0x30,
+        0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63,
+        0x6F, 0x6D, 0x87, 0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06, 0x03,
+        0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7,
+        0x68, 0x87, 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, 0xD7,
+        0x85, 0x65, 0xC0, 0x30, 0x81, 0xDE, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04,
+        0x81, 0xD6, 0x30, 0x81, 0xD3, 0x80, 0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7,
+        0x68, 0x87, 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, 0xD7,
+        0x85, 0x65, 0xC0, 0xA1, 0x81, 0xA4, 0xA4, 0x81, 0xA1, 0x30, 0x81, 0x9E,
+        0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
+        0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07,
+        0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06,
+        0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61,
+        0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0C,
+        0x77, 0x6F, 0x6C, 0x66, 0x53, 0x53, 0x4C, 0x5F, 0x32, 0x30, 0x34, 0x38,
+        0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x10, 0x50,
+        0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D, 0x32,
+        0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03,
+        0x0C, 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73,
+        0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E,
+        0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63,
+        0x6F, 0x6D, 0x82, 0x14, 0x6B, 0x61, 0x49, 0x45, 0xFF, 0x4A, 0xD1, 0x54,
+        0x16, 0xB4, 0x35, 0x37, 0xC4, 0x98, 0x5D, 0xA9, 0xF6, 0x67, 0x60, 0x91,
+        0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06,
+        0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2B,
+        0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82,
+        0x01, 0x01, 0x00, 0x2F, 0x9F, 0x83, 0x05, 0x15, 0x1E, 0x5D, 0x7C, 0x22,
+        0x12, 0x20, 0xEE, 0x07, 0x35, 0x25, 0x39, 0xDD, 0x34, 0x06, 0xD3, 0x89,
+        0x31, 0x51, 0x8B, 0x9A, 0xE5, 0xE8, 0x60, 0x30, 0x07, 0x7A, 0xBB, 0x17,
+        0xB9, 0x54, 0x72, 0x83, 0xA2, 0x1F, 0x62, 0xE0, 0x18, 0xAC, 0x93, 0x5E,
+        0x63, 0xC7, 0xDD, 0x12, 0x58, 0x96, 0xC7, 0x90, 0x8B, 0x12, 0x50, 0xD2,
+        0x60, 0x0E, 0x24, 0x07, 0x53, 0x55, 0xD7, 0x8E, 0xC9, 0x56, 0x12, 0x28,
+        0xD8, 0xFD, 0x47, 0xE3, 0x13, 0xFB, 0x3C, 0xD6, 0x3D, 0x82, 0x09, 0x7E,
+        0x10, 0x19, 0xE1, 0xCD, 0xCC, 0x4C, 0x78, 0xDF, 0xE5, 0xFB, 0x2C, 0x8C,
+        0x88, 0xF7, 0x5B, 0x99, 0x93, 0xC6, 0xC7, 0x22, 0xA5, 0xFA, 0x76, 0x6C,
+        0xE9, 0xBC, 0x69, 0xBA, 0x02, 0x82, 0x18, 0xAF, 0x47, 0xD0, 0x9C, 0x5F,
+        0xED, 0xAE, 0x5A, 0x95, 0x59, 0x78, 0x86, 0x24, 0x22, 0xB6, 0x81, 0x03,
+        0x58, 0x9A, 0x14, 0x93, 0xDC, 0x24, 0x58, 0xF3, 0xD2, 0x6C, 0x8E, 0xD2,
+        0x6D, 0x8B, 0xE8, 0x4E, 0xC6, 0xA0, 0x2B, 0x0D, 0xDB, 0x1A, 0x76, 0x28,
+        0xA9, 0x8D, 0xFB, 0x51, 0xA6, 0xF0, 0x82, 0x30, 0xEE, 0x78, 0x1C, 0x71,
+        0xA8, 0x11, 0x8A, 0xA5, 0xC3, 0x91, 0xAB, 0x9A, 0x46, 0xFF, 0x8D, 0xCD,
+        0x82, 0x3F, 0x5D, 0xB6, 0x28, 0x46, 0x6D, 0x66, 0xE2, 0xEE, 0x1E, 0x82,
+        0x0D, 0x1A, 0x74, 0x87, 0xFB, 0xFD, 0x96, 0x26, 0x50, 0x09, 0xEC, 0xA7,
+        0x73, 0x89, 0x43, 0x3B, 0x42, 0x2D, 0xA9, 0x6B, 0x0F, 0x61, 0x81, 0x97,
+        0x11, 0x71, 0xF9, 0xDB, 0x9B, 0x69, 0x4B, 0x6E, 0xD3, 0x7D, 0xDA, 0xC6,
+        0x61, 0x9F, 0x39, 0x87, 0x53, 0x52, 0xA8, 0x4D, 0xAD, 0x80, 0x29, 0x6C,
+        0x19, 0xF0, 0x8D, 0xB1, 0x0D, 0x4E, 0xFB, 0x1B, 0xB7, 0xF1, 0x85, 0x49,
+        0x08, 0x2A, 0x94, 0xD0, 0x4E, 0x0B, 0x8F
+    };
+
+    pt = ca_key_der_2048;
+    ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt,
+        sizeof_ca_key_der_2048));
+
+    pt = client_cert_der_2048;
+    ExpectNotNull(x509 = wolfSSL_d2i_X509(NULL, &pt,
+        sizeof_client_cert_der_2048));
+
+    pt = ca_cert_der_2048;
+    ExpectNotNull(ca = wolfSSL_d2i_X509(NULL, &pt, sizeof_ca_cert_der_2048));
+    ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
+    ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
+
+#ifndef NO_ASN_TIME
+    t = (time_t)30 * year + 45 * day + 20 * hour + 30 * mini + 7 * day;
+    ExpectNotNull(notBefore = wolfSSL_ASN1_TIME_adj(NULL, t, 0, 0));
+    ExpectNotNull(notAfter = wolfSSL_ASN1_TIME_adj(NULL, t, 365, 0));
+    ExpectIntEQ(notAfter->length, 13);
+
+    ExpectTrue(wolfSSL_X509_set_notBefore(x509, notBefore));
+    ExpectTrue(wolfSSL_X509_set1_notBefore(x509, notBefore));
+    ExpectTrue(wolfSSL_X509_set_notAfter(x509, notAfter));
+    ExpectTrue(wolfSSL_X509_set1_notAfter(x509, notAfter));
+#endif
+
+    ExpectNull(wolfSSL_X509_notBefore(NULL));
+    ExpectNotNull(wolfSSL_X509_notBefore(x509));
+    ExpectNull(wolfSSL_X509_notAfter(NULL));
+    ExpectNotNull(wolfSSL_X509_notAfter(x509));
+
+    ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
+    ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
+
+    ExpectIntEQ(derSz, sizeof(expected));
+#ifndef NO_ASN_TIME
+    ExpectIntEQ(XMEMCMP(der, expected, derSz), 0);
+#endif
+    wolfSSL_X509_free(ca);
+    wolfSSL_X509_free(x509);
+    wolfSSL_EVP_PKEY_free(priv);
+#ifndef NO_ASN_TIME
+    wolfSSL_ASN1_TIME_free(notBefore);
+    wolfSSL_ASN1_TIME_free(notAfter);
+#endif
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_make_cert(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_RSA) && !defined(NO_ASN_TIME) && defined(WOLFSSL_CERT_GEN) && \
+    defined(WOLFSSL_CERT_EXT)
+    int      ret = 0;
+    Cert     cert;
+    CertName name;
+    RsaKey   key;
+    WC_RNG   rng;
+    byte     der[FOURK_BUF];
+    word32   idx = 0;
+    const byte mySerial[8] = {1,2,3,4,5,6,7,8};
+
+#ifdef OPENSSL_EXTRA
+    const unsigned char* pt = NULL;
+    int                  certSz = 0;
+    X509*                x509 = NULL;
+    X509_NAME*           x509name = NULL;
+    X509_NAME_ENTRY*     entry = NULL;
+    ASN1_STRING*         entryValue = NULL;
+#endif
+
+    XMEMSET(&name, 0, sizeof(CertName));
+
+    /* set up cert name */
+    XMEMCPY(name.country, "US", sizeof("US"));
+    name.countryEnc = CTC_PRINTABLE;
+    XMEMCPY(name.state, "Oregon", sizeof("Oregon"));
+    name.stateEnc = CTC_UTF8;
+    XMEMCPY(name.locality, "Portland", sizeof("Portland"));
+    name.localityEnc = CTC_UTF8;
+    XMEMCPY(name.sur, "Test", sizeof("Test"));
+    name.surEnc = CTC_UTF8;
+    XMEMCPY(name.org, "wolfSSL", sizeof("wolfSSL"));
+    name.orgEnc = CTC_UTF8;
+    XMEMCPY(name.unit, "Development", sizeof("Development"));
+    name.unitEnc = CTC_UTF8;
+    XMEMCPY(name.commonName, "www.wolfssl.com", sizeof("www.wolfssl.com"));
+    name.commonNameEnc = CTC_UTF8;
+    XMEMCPY(name.serialDev, "wolfSSL12345", sizeof("wolfSSL12345"));
+    name.serialDevEnc = CTC_PRINTABLE;
+    XMEMCPY(name.userId, "TestUserID", sizeof("TestUserID"));
+    name.userIdEnc = CTC_PRINTABLE;
+#ifdef WOLFSSL_MULTI_ATTRIB
+    #if CTC_MAX_ATTRIB > 2
+    {
+        NameAttrib* n;
+        n = &name.name[0];
+        n->id   = ASN_DOMAIN_COMPONENT;
+        n->type = CTC_UTF8;
+        n->sz   = sizeof("com");
+        XMEMCPY(n->value, "com", sizeof("com"));
+
+        n = &name.name[1];
+        n->id   = ASN_DOMAIN_COMPONENT;
+        n->type = CTC_UTF8;
+        n->sz   = sizeof("wolfssl");
+        XMEMCPY(n->value, "wolfssl", sizeof("wolfssl"));
+    }
+    #endif
+#endif /* WOLFSSL_MULTI_ATTRIB */
+
+    ExpectIntEQ(wc_InitRsaKey(&key, HEAP_HINT), 0);
+#ifndef HAVE_FIPS
+    ExpectIntEQ(wc_InitRng_ex(&rng, HEAP_HINT, testDevId), 0);
+#else
+    ExpectIntEQ(wc_InitRng(&rng), 0);
+#endif
+
+    /* load test RSA key */
+    idx = 0;
+#if defined(USE_CERT_BUFFERS_1024)
+    ExpectIntEQ(wc_RsaPrivateKeyDecode(server_key_der_1024, &idx, &key,
+                sizeof_server_key_der_1024), 0);
+#elif defined(USE_CERT_BUFFERS_2048)
+    ExpectIntEQ(wc_RsaPrivateKeyDecode(server_key_der_2048, &idx, &key,
+                sizeof_server_key_der_2048), 0);
+#else
+    /* error case, no RSA key loaded, happens later */
+    (void)idx;
+#endif
+
+    XMEMSET(&cert, 0 , sizeof(Cert));
+    ExpectIntEQ(wc_InitCert(&cert), 0);
+
+    XMEMCPY(&cert.subject, &name, sizeof(CertName));
+    XMEMCPY(cert.serial, mySerial, sizeof(mySerial));
+    cert.serialSz = (int)sizeof(mySerial);
+    cert.isCA     = 1;
+#ifndef NO_SHA256
+    cert.sigType = CTC_SHA256wRSA;
+#else
+    cert.sigType = CTC_SHAwRSA;
+#endif
+
+    /* add SKID from the Public Key */
+    ExpectIntEQ(wc_SetSubjectKeyIdFromPublicKey(&cert, &key, NULL), 0);
+
+    /* add AKID from the Public Key */
+    ExpectIntEQ(wc_SetAuthKeyIdFromPublicKey(&cert, &key, NULL), 0);
+
+    ret = 0;
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_MakeSelfCert(&cert, der, FOURK_BUF, &key, &rng);
+        }
+    } while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
+    ExpectIntGT(ret, 0);
+
+#ifdef OPENSSL_EXTRA
+    /* der holds a certificate with DC's now check X509 parsing of it */
+    certSz = ret;
+    pt = der;
+    ExpectNotNull(x509 = d2i_X509(NULL, &pt, certSz));
+    ExpectNotNull(x509name = X509_get_subject_name(x509));
+#ifdef WOLFSSL_MULTI_ATTRIB
+    ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent,
+                    -1)), 5);
+    ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent,
+                    (int)idx)), 6);
+    ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent,
+                    (int)idx)), -1);
+#endif /* WOLFSSL_MULTI_ATTRIB */
+
+    /* compare DN at index 0 */
+    ExpectNotNull(entry = X509_NAME_get_entry(x509name, 0));
+    ExpectNotNull(entryValue = X509_NAME_ENTRY_get_data(entry));
+    ExpectIntEQ(ASN1_STRING_length(entryValue), 2);
+    ExpectStrEQ((const char*)ASN1_STRING_data(entryValue), "US");
+
+#ifndef WOLFSSL_MULTI_ATTRIB
+    /* compare Serial Number */
+    ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_serialNumber,
+                    -1)), 7);
+    ExpectNotNull(entry = X509_NAME_get_entry(x509name, idx));
+    ExpectNotNull(entryValue = X509_NAME_ENTRY_get_data(entry));
+    ExpectIntEQ(ASN1_STRING_length(entryValue), XSTRLEN("wolfSSL12345"));
+    ExpectStrEQ((const char*)ASN1_STRING_data(entryValue), "wolfSSL12345");
+#endif
+
+#ifdef WOLFSSL_MULTI_ATTRIB
+    /* get first and second DC and compare result */
+    ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent,
+                    -1)), 5);
+    ExpectNotNull(entry = X509_NAME_get_entry(x509name, (int)idx));
+    ExpectNotNull(entryValue = X509_NAME_ENTRY_get_data(entry));
+    ExpectStrEQ((const char *)ASN1_STRING_data(entryValue), "com");
+
+    ExpectIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent,
+                   (int)idx)), 6);
+    ExpectNotNull(entry = X509_NAME_get_entry(x509name, (int)idx));
+    ExpectNotNull(entryValue = X509_NAME_ENTRY_get_data(entry));
+    ExpectStrEQ((const char *)ASN1_STRING_data(entryValue), "wolfssl");
+#endif /* WOLFSSL_MULTI_ATTRIB */
+
+    ExpectNull(X509_NAME_get_entry(NULL, 0));
+    /* try invalid index locations for regression test and sanity check */
+    ExpectNull(X509_NAME_get_entry(x509name, 11));
+    ExpectNull(X509_NAME_get_entry(x509name, 20));
+
+    X509_free(x509);
+#endif /* OPENSSL_EXTRA */
+
+    wc_FreeRsaKey(&key);
+    wc_FreeRng(&rng);
+#endif
+    return EXPECT_RESULT();
+}
+
+

tests/api/test_ossl_x509_crypto.h

@@ -0,0 +1,40 @@
+/* test_ossl_x509_crypto.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_CRYPTO_H
+#define WOLFCRYPT_TEST_OSSL_X509_CRYPTO_H
+
+#include <tests/api/api_decl.h>
+
+int test_wolfSSL_X509_check_private_key(void);
+int test_wolfSSL_X509_verify(void);
+int test_wolfSSL_X509_sign(void);
+int test_wolfSSL_X509_sign2(void);
+int test_wolfSSL_make_cert(void);
+
+#define TEST_OSSL_X509_CRYPTO_DECLS                                            \
+    TEST_DECL_GROUP("ossl_x509_crypto", test_wolfSSL_X509_check_private_key),  \
+    TEST_DECL_GROUP("ossl_x509_crypto", test_wolfSSL_X509_verify),             \
+    TEST_DECL_GROUP("ossl_x509_crypto", test_wolfSSL_X509_sign),               \
+    TEST_DECL_GROUP("ossl_x509_crypto", test_wolfSSL_X509_sign2),              \
+    TEST_DECL_GROUP("ossl_x509_crypto", test_wolfSSL_make_cert)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_CRYPTO_H */

tests/api/test_ossl_x509_ext.h

@@ -0,0 +1,76 @@
+/* test_ossl_x509_ext.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_EXT_H
+#define WOLFCRYPT_TEST_OSSL_X509_EXT_H
+
+#include <tests/api/api_decl.h>
+
+int test_wolfSSL_X509_get_extension_flags(void);
+int test_wolfSSL_X509_get_ext(void);
+int test_wolfSSL_X509_get_ext_by_NID(void);
+int test_wolfSSL_X509_get_ext_subj_alt_name(void);
+int test_wolfSSL_X509_set_ext(void);
+int test_wolfSSL_X509_add_ext(void);
+int test_wolfSSL_X509_get_ext_count(void);
+int test_wolfSSL_X509_stack_extensions(void);
+int test_wolfSSL_X509_EXTENSION_new(void);
+int test_wolfSSL_X509_EXTENSION_dup(void);
+int test_wolfSSL_X509_EXTENSION_get_object(void);
+int test_wolfSSL_X509_EXTENSION_get_data(void);
+int test_wolfSSL_X509_EXTENSION_get_critical(void);
+int test_wolfSSL_X509_EXTENSION_create_by_OBJ(void);
+int test_wolfSSL_X509V3_set_ctx(void);
+int test_wolfSSL_X509V3_EXT_get(void);
+int test_wolfSSL_X509V3_EXT_nconf(void);
+int test_wolfSSL_X509V3_EXT_bc(void);
+int test_wolfSSL_X509V3_EXT_san(void);
+int test_wolfSSL_X509V3_EXT_aia(void);
+int test_wolfSSL_X509V3_EXT(void);
+int test_wolfSSL_X509V3_EXT_print(void);
+
+#define TEST_OSSL_X509_EXT_DECLS                                               \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_get_extension_flags),   \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_get_ext),               \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_get_ext_by_NID),        \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_get_ext_subj_alt_name), \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_set_ext),               \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_add_ext),               \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_get_ext_count),         \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_stack_extensions),      \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_EXTENSION_new),         \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_EXTENSION_dup),         \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_EXTENSION_get_object),  \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509_EXTENSION_get_data),    \
+    TEST_DECL_GROUP("ossl_x509_ext",                                           \
+                                    test_wolfSSL_X509_EXTENSION_get_critical), \
+    TEST_DECL_GROUP("ossl_x509_ext",                                           \
+                                   test_wolfSSL_X509_EXTENSION_create_by_OBJ), \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_set_ctx),             \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT_get),             \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT_nconf),           \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT_bc),              \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT_san),             \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT_aia),             \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT),                 \
+    TEST_DECL_GROUP("ossl_x509_ext", test_wolfSSL_X509V3_EXT_print)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_EXT_H */

tests/api/test_ossl_x509_info.c

@@ -0,0 +1,248 @@
+/* test_ossl_x509_info.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <tests/unit.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#include <wolfssl/ssl.h>
+#include <tests/api/api.h>
+#include <tests/api/test_ossl_x509_info.h>
+
+int test_wolfSSL_X509_INFO_multiple_info(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_BIO)
+    STACK_OF(X509_INFO) *info_stack = NULL;
+    X509_INFO *info = NULL;
+    int len;
+    int i;
+    const char* files[] = {
+        cliCertFile,
+        cliKeyFile,
+        /* This needs to be the order as svrCertFile contains the
+         * intermediate cert as well. */
+        svrKeyFile,
+        svrCertFile,
+        NULL,
+    };
+    const char** curFile;
+    BIO *fileBIO = NULL;
+    BIO *concatBIO = NULL;
+    byte tmp[FOURK_BUF];
+
+    /* concatenate the cert and the key file to force PEM_X509_INFO_read_bio
+     * to group objects together. */
+    ExpectNotNull(concatBIO = BIO_new(BIO_s_mem()));
+    for (curFile = files; EXPECT_SUCCESS() && *curFile != NULL; curFile++) {
+        int fileLen = 0;
+        ExpectNotNull(fileBIO = BIO_new_file(*curFile, "rb"));
+        ExpectIntGT(fileLen = wolfSSL_BIO_get_len(fileBIO), 0);
+        if (EXPECT_SUCCESS()) {
+            while ((len = BIO_read(fileBIO, tmp, sizeof(tmp))) > 0) {
+                ExpectIntEQ(BIO_write(concatBIO, tmp, len), len);
+                fileLen -= len;
+                if (EXPECT_FAIL())
+                    break;
+            }
+            /* Make sure we read the entire file */
+            ExpectIntEQ(fileLen, 0);
+        }
+        BIO_free(fileBIO);
+        fileBIO = NULL;
+    }
+
+    ExpectNotNull(info_stack = PEM_X509_INFO_read_bio(concatBIO, NULL, NULL,
+        NULL));
+    ExpectIntEQ(sk_X509_INFO_num(info_stack), 3);
+    for (i = 0; i < sk_X509_INFO_num(info_stack); i++) {
+        ExpectNotNull(info = sk_X509_INFO_value(info_stack, i));
+        ExpectNotNull(info->x509);
+        ExpectNull(info->crl);
+        if (i != 2) {
+            ExpectNotNull(info->x_pkey);
+            ExpectIntEQ(X509_check_private_key(info->x509,
+                                               info->x_pkey->dec_pkey), 1);
+        }
+        else {
+            ExpectNull(info->x_pkey);
+        }
+    }
+
+    sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
+    BIO_free(concatBIO);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_INFO(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_BIO)
+    STACK_OF(X509_INFO) *info_stack = NULL;
+    X509_INFO *info = NULL;
+    BIO *cert = NULL;
+    int i;
+    /* PEM in hex format to avoid null terminator */
+    byte data[] = {
+        0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47,
+        0x49, 0x4e, 0x20, 0x43, 0x45, 0x52, 0x54, 0x63, 0x2d, 0x2d, 0x2d, 0x2d,
+        0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x44, 0x4d, 0x54, 0x42, 0x75, 0x51, 0x3d,
+        0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45, 0x4e, 0x44, 0x20, 0x2d, 0x2d,
+        0x2d, 0x2d, 0x2d
+    };
+    /* PEM in hex format to avoid null terminator */
+    byte data2[] = {
+        0x41, 0x53, 0x4e, 0x31, 0x20, 0x4f, 0x49, 0x44, 0x3a, 0x20, 0x70, 0x72,
+        0x69, 0x6d, 0x65, 0x32, 0x35, 0x36, 0x76, 0x31, 0x0a, 0x2d, 0x2d, 0x2d,
+        0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x45, 0x43, 0x20, 0x50,
+        0x41, 0x52, 0x41, 0x4d, 0x45, 0x54, 0x45, 0x52, 0x53, 0x2d, 0x2d, 0x2d,
+        0x2d, 0x43, 0x65, 0x72, 0x74, 0x69, 0x2d, 0x0a, 0x42, 0x67, 0x67, 0x71,
+        0x68, 0x6b, 0x6a, 0x4f, 0x50, 0x51, 0x4d, 0x42, 0x42, 0x77, 0x3d, 0x3d,
+        0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d
+    };
+
+    ExpectNotNull(cert = BIO_new_file(cliCertFileExt, "rb"));
+    ExpectNotNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL));
+    for (i = 0; i < sk_X509_INFO_num(info_stack); i++) {
+        ExpectNotNull(info = sk_X509_INFO_value(info_stack, i));
+        ExpectNotNull(info->x509);
+        ExpectNull(info->crl);
+        ExpectNull(info->x_pkey);
+    }
+    sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
+    info_stack = NULL;
+    BIO_free(cert);
+    cert = NULL;
+
+    ExpectNotNull(cert = BIO_new_file(cliCertFileExt, "rb"));
+    ExpectNotNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL));
+    sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
+    info_stack = NULL;
+    BIO_free(cert);
+    cert = NULL;
+
+    /* This case should fail due to invalid input. */
+    ExpectNotNull(cert = BIO_new(BIO_s_mem()));
+    ExpectIntEQ(BIO_write(cert, data, sizeof(data)), sizeof(data));
+    ExpectNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL));
+    sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
+    info_stack = NULL;
+    BIO_free(cert);
+    cert = NULL;
+    ExpectNotNull(cert = BIO_new(BIO_s_mem()));
+    ExpectIntEQ(BIO_write(cert, data2, sizeof(data2)), sizeof(data2));
+    ExpectNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL));
+    sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
+    BIO_free(cert);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_PEM_X509_INFO_read_bio(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
+    !defined(NO_BIO)
+    BIO* bio = NULL;
+    X509_INFO* info = NULL;
+    STACK_OF(X509_INFO)* sk = NULL;
+    STACK_OF(X509_INFO)* sk2 = NULL;
+    char* subject = NULL;
+    char exp1[] = "/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/"
+                  "CN=www.wolfssl.com/emailAddress=info@wolfssl.com";
+    char exp2[] = "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/"
+                  "CN=www.wolfssl.com/emailAddress=info@wolfssl.com";
+
+    ExpectNotNull(bio = BIO_new(BIO_s_file()));
+    ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0);
+    ExpectNotNull(sk = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL));
+    ExpectIntEQ(sk_X509_INFO_num(sk), 2);
+
+    /* using dereference to maintain testing for Apache port*/
+    ExpectNull(sk_X509_INFO_pop(NULL));
+    ExpectNotNull(info = sk_X509_INFO_pop(sk));
+    ExpectNotNull(subject = X509_NAME_oneline(X509_get_subject_name(info->x509),
+        0, 0));
+
+    ExpectIntEQ(0, XSTRNCMP(subject, exp1, sizeof(exp1)));
+    XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
+    subject = NULL;
+    X509_INFO_free(info);
+    info = NULL;
+
+    ExpectNotNull(info = sk_X509_INFO_pop(sk));
+    ExpectNotNull(subject = X509_NAME_oneline(X509_get_subject_name(info->x509),
+        0, 0));
+
+    ExpectIntEQ(0, XSTRNCMP(subject, exp2, sizeof(exp2)));
+    XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
+    subject = NULL;
+    X509_INFO_free(info);
+    ExpectNull(info = sk_X509_INFO_pop(sk));
+
+    sk_X509_INFO_pop_free(sk, X509_INFO_free);
+    sk = NULL;
+    BIO_free(bio);
+    bio = NULL;
+
+    ExpectNotNull(sk = wolfSSL_sk_X509_INFO_new_null());
+    ExpectNotNull(bio = BIO_new(BIO_s_file()));
+    ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0);
+    ExpectNotNull(sk2 = PEM_X509_INFO_read_bio(bio, sk, NULL, NULL));
+    ExpectPtrEq(sk, sk2);
+    if (sk2 != sk) {
+        sk_X509_INFO_pop_free(sk, X509_INFO_free);
+    }
+    sk = NULL;
+    BIO_free(bio);
+    sk_X509_INFO_pop_free(sk2, X509_INFO_free);
+
+    ExpectNotNull(sk = wolfSSL_sk_X509_INFO_new_null());
+    sk_X509_INFO_free(sk);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_PEM_X509_INFO_read(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
+    !defined(NO_BIO)
+    XFILE fp = XBADFILE;
+    STACK_OF(X509_INFO)* sk = NULL;
+
+    ExpectTrue((fp = XFOPEN(svrCertFile, "rb")) != XBADFILE);
+    ExpectNull(wolfSSL_PEM_X509_INFO_read(XBADFILE, NULL, NULL, NULL));
+    ExpectNotNull(sk = wolfSSL_PEM_X509_INFO_read(fp, NULL, NULL, NULL));
+
+    sk_X509_INFO_pop_free(sk, X509_INFO_free);
+    if (fp != XBADFILE)
+        XFCLOSE(fp);
+#endif
+    return EXPECT_RESULT();
+}
+

tests/api/test_ossl_x509_info.h

@@ -0,0 +1,38 @@
+/* test_ossl_x509_info.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_INFO_H
+#define WOLFCRYPT_TEST_OSSL_X509_INFO_H
+
+#include <tests/api/api_decl.h>
+
+int test_wolfSSL_X509_INFO_multiple_info(void);
+int test_wolfSSL_X509_INFO(void);
+int test_wolfSSL_PEM_X509_INFO_read_bio(void);
+int test_wolfSSL_PEM_X509_INFO_read(void);
+
+#define TEST_OSSL_X509_INFO_DECLS                                              \
+    TEST_DECL_GROUP("ossl_x509_info", test_wolfSSL_X509_INFO_multiple_info),   \
+    TEST_DECL_GROUP("ossl_x509_info", test_wolfSSL_X509_INFO),                 \
+    TEST_DECL_GROUP("ossl_x509_info", test_wolfSSL_PEM_X509_INFO_read_bio),    \
+    TEST_DECL_GROUP("ossl_x509_info", test_wolfSSL_PEM_X509_INFO_read)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_INFO_H */

tests/api/test_ossl_x509_io.c

@@ -0,0 +1,247 @@
+/* test_ossl_x509_io.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <tests/unit.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#include <wolfssl/ssl.h>
+#include <wolfssl/internal.h>
+#ifdef OPENSSL_EXTRA
+    #include <wolfssl/openssl/pem.h>
+#endif
+#include <tests/api/api.h>
+#include <tests/api/test_ossl_x509_io.h>
+
+int test_wolfSSL_i2d_X509(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA)
+    const unsigned char* cert_buf = server_cert_der_2048;
+    unsigned char* out = NULL;
+    unsigned char* tmp = NULL;
+    const unsigned char* nullPtr = NULL;
+    const unsigned char notCert[2] = { 0x30, 0x00 };
+    const unsigned char* notCertPtr = notCert;
+    X509* cert = NULL;
+
+    ExpectNull(d2i_X509(NULL, NULL, sizeof_server_cert_der_2048));
+    ExpectNull(d2i_X509(NULL, &nullPtr, sizeof_server_cert_der_2048));
+    ExpectNull(d2i_X509(NULL, &cert_buf, 0));
+    ExpectNull(d2i_X509(NULL, &notCertPtr, sizeof(notCert)));
+    ExpectNotNull(d2i_X509(&cert, &cert_buf, sizeof_server_cert_der_2048));
+    /* Pointer should be advanced */
+    ExpectPtrGT(cert_buf, server_cert_der_2048);
+    ExpectIntGT(i2d_X509(cert, &out), 0);
+    ExpectNotNull(out);
+    tmp = out;
+    ExpectIntGT(i2d_X509(cert, &tmp), 0);
+    ExpectPtrGT(tmp, out);
+#if defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && !defined(NO_FILESYSTEM)
+    ExpectIntEQ(wolfSSL_PEM_write_X509(XBADFILE, NULL), 0);
+    ExpectIntEQ(wolfSSL_PEM_write_X509(XBADFILE, cert), 0);
+    ExpectIntEQ(wolfSSL_PEM_write_X509(stderr, cert), 1);
+#endif
+
+    XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL);
+    X509_free(cert);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_PEM_read_X509(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) && \
+    !defined(NO_RSA)
+    X509 *x509 = NULL;
+    XFILE fp = XBADFILE;
+
+    ExpectTrue((fp = XFOPEN(svrCertFile, "rb")) != XBADFILE);
+    ExpectNotNull(x509 = (X509 *)PEM_read_X509(fp, (X509 **)NULL, NULL, NULL));
+    X509_free(x509);
+    if (fp != XBADFILE)
+        XFCLOSE(fp);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_PEM_write_bio_X509(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && defined(OPENSSL_ALL) && \
+    defined(WOLFSSL_AKID_NAME) && defined(WOLFSSL_CERT_EXT) && \
+    defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && !defined(NO_RSA) && \
+    !defined(NO_FILESYSTEM)
+    /* This test contains the hard coded expected
+     * lengths. Update if necessary */
+    XFILE fp = XBADFILE;
+    WOLFSSL_EVP_PKEY *priv = NULL;
+
+    BIO* input = NULL;
+    BIO* output = NULL;
+    X509* x509a = NULL;
+    X509* x509b = NULL;
+    X509* empty = NULL;
+
+    ASN1_TIME* notBeforeA = NULL;
+    ASN1_TIME* notAfterA  = NULL;
+#ifndef NO_ASN_TIME
+    ASN1_TIME* notBeforeB = NULL;
+    ASN1_TIME* notAfterB  = NULL;
+#endif
+    int expectedLen;
+
+    ExpectTrue((fp = XFOPEN("certs/server-key.pem", "rb")) != XBADFILE);
+    ExpectNotNull(priv = wolfSSL_PEM_read_PrivateKey(fp, NULL, NULL, NULL));
+    if (fp != XBADFILE) {
+        XFCLOSE(fp);
+        fp = XBADFILE;
+    }
+
+    ExpectNotNull(input = BIO_new_file("certs/test/cert-ext-multiple.pem",
+        "rb"));
+    ExpectIntEQ(wolfSSL_BIO_get_len(input), 2000);
+
+    /* read PEM into X509 struct, get notBefore / notAfter to verify against */
+    ExpectNotNull(PEM_read_bio_X509(input, &x509a, NULL, NULL));
+    ExpectNotNull(notBeforeA = X509_get_notBefore(x509a));
+    ExpectNotNull(notAfterA = X509_get_notAfter(x509a));
+
+    /* write X509 back to PEM BIO; no need to sign as nothing changed. */
+    ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
+    ExpectNotNull(empty = wolfSSL_X509_new());
+    ExpectIntEQ(PEM_write_bio_X509(NULL, NULL), WOLFSSL_FAILURE);
+    ExpectIntEQ(PEM_write_bio_X509(output, NULL), WOLFSSL_FAILURE);
+    ExpectIntEQ(PEM_write_bio_X509(NULL, x509a), WOLFSSL_FAILURE);
+    ExpectIntEQ(PEM_write_bio_X509(output, empty), WOLFSSL_FAILURE);
+    ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS);
+    /* compare length against expected */
+    expectedLen = 2000;
+    ExpectIntEQ(wolfSSL_BIO_get_len(output), expectedLen);
+    wolfSSL_X509_free(empty);
+
+#ifndef NO_ASN_TIME
+    /* read exported X509 PEM back into struct, sanity check on export,
+     * make sure notBefore/notAfter are the same and certs are identical. */
+    ExpectNotNull(PEM_read_bio_X509(output, &x509b, NULL, NULL));
+    ExpectNotNull(notBeforeB = X509_get_notBefore(x509b));
+    ExpectNotNull(notAfterB = X509_get_notAfter(x509b));
+    ExpectIntEQ(ASN1_TIME_compare(notBeforeA, notBeforeB), 0);
+    ExpectIntEQ(ASN1_TIME_compare(notAfterA, notAfterB), 0);
+    ExpectIntEQ(0, wolfSSL_X509_cmp(x509a, x509b));
+    X509_free(x509b);
+    x509b = NULL;
+#endif
+
+    /* Reset output buffer */
+    BIO_free(output);
+    output = NULL;
+    ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
+
+    /* Test forcing the AKID to be generated just from KeyIdentifier */
+    if (EXPECT_SUCCESS() && x509a->authKeyIdSrc != NULL) {
+        XMEMMOVE(x509a->authKeyIdSrc, x509a->authKeyId, x509a->authKeyIdSz);
+        x509a->authKeyId = x509a->authKeyIdSrc;
+        x509a->authKeyIdSrc = NULL;
+        x509a->authKeyIdSrcSz = 0;
+    }
+
+    /* Resign to re-generate the der */
+    ExpectIntGT(wolfSSL_X509_sign(x509a, priv, EVP_sha256()), 0);
+
+    ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS);
+
+    /* Check that we generate a smaller output since the AKID will
+     * only contain the KeyIdentifier without any additional
+     * information */
+
+    /* Here we copy the validity struct from the original */
+    expectedLen = 1688;
+    ExpectIntEQ(wolfSSL_BIO_get_len(output), expectedLen);
+
+    /* Reset buffers and x509 */
+    BIO_free(input);
+    input = NULL;
+    BIO_free(output);
+    output = NULL;
+    X509_free(x509a);
+    x509a = NULL;
+
+    /* test CA and basicConstSet values are encoded when
+     * the cert is a CA */
+    ExpectNotNull(input = BIO_new_file("certs/server-cert.pem", "rb"));
+
+    /* read PEM into X509 struct */
+    ExpectNotNull(PEM_read_bio_X509(input, &x509a, NULL, NULL));
+
+    /* write X509 back to PEM BIO; no need to sign as nothing changed */
+    ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
+    ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS);
+
+    /* read exported X509 PEM back into struct, ensure isCa and basicConstSet
+     * values are maintained and certs are identical.*/
+    ExpectNotNull(PEM_read_bio_X509(output, &x509b, NULL, NULL));
+    ExpectIntEQ(x509b->isCa, 1);
+    ExpectIntEQ(x509b->basicConstSet, 1);
+    ExpectIntEQ(0, wolfSSL_X509_cmp(x509a, x509b));
+
+    X509_free(x509a);
+    x509a = NULL;
+    X509_free(x509b);
+    x509b = NULL;
+    BIO_free(input);
+    input = NULL;
+    BIO_free(output);
+    output = NULL;
+
+    /* test CA and basicConstSet values are encoded when
+     * the cert is not CA */
+    ExpectNotNull(input = BIO_new_file("certs/client-uri-cert.pem", "rb"));
+
+    /* read PEM into X509 struct */
+    ExpectNotNull(PEM_read_bio_X509(input, &x509a, NULL, NULL));
+
+    /* write X509 back to PEM BIO; no need to sign as nothing changed */
+    ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
+    ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS);
+
+    /* read exported X509 PEM back into struct, ensure isCa and
+     * basicConstSet values are maintained and certs are identical */
+    ExpectNotNull(PEM_read_bio_X509(output, &x509b, NULL, NULL));
+    ExpectIntEQ(x509b->isCa, 0);
+    ExpectIntEQ(x509b->basicConstSet, 1);
+    ExpectIntEQ(0, wolfSSL_X509_cmp(x509a, x509b));
+
+    wolfSSL_EVP_PKEY_free(priv);
+    X509_free(x509a);
+    X509_free(x509b);
+    BIO_free(input);
+    BIO_free(output);
+#endif
+    return EXPECT_RESULT();
+}
+

tests/api/test_ossl_x509_io.h

@@ -0,0 +1,36 @@
+/* test_ossl_x509_io.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_IO_H
+#define WOLFCRYPT_TEST_OSSL_X509_IO_H
+
+#include <tests/api/api_decl.h>
+
+int test_wolfSSL_i2d_X509(void);
+int test_wolfSSL_PEM_read_X509(void);
+int test_wolfSSL_PEM_write_bio_X509(void);
+
+#define TEST_OSSL_X509_IO_DECLS                                         \
+    TEST_DECL_GROUP("ossl_x509_io", test_wolfSSL_i2d_X509),             \
+    TEST_DECL_GROUP("ossl_x509_io", test_wolfSSL_PEM_read_X509),        \
+    TEST_DECL_GROUP("ossl_x509_io", test_wolfSSL_PEM_write_bio_X509)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_IO_H */

tests/api/test_ossl_x509_lu.c

@@ -0,0 +1,518 @@
+/* test_ossl_x509_lu.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <tests/unit.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#include <wolfssl/ssl.h>
+#include <tests/api/api.h>
+#include <tests/api/test_ossl_x509_lu.h>
+
+int test_wolfSSL_X509_LOOKUP_load_file(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \
+   !defined(NO_FILESYSTEM) && !defined(NO_RSA) && defined(HAVE_ECC) && \
+   (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
+    WOLFSSL_X509_STORE*  store = NULL;
+    WOLFSSL_X509_LOOKUP* lookup = NULL;
+
+    ExpectNotNull(store = wolfSSL_X509_STORE_new());
+    ExpectNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()));
+    /* One RSA and one ECC certificate in file. */
+    ExpectIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/client-ca.pem",
+        X509_FILETYPE_PEM), 1);
+    ExpectIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/crl/crl2.pem",
+        X509_FILETYPE_PEM), 1);
+
+    if (store != NULL) {
+        ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, cliCertFile,
+            WOLFSSL_FILETYPE_PEM), 1);
+        ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile,
+            WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E));
+    }
+    ExpectIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem",
+        X509_FILETYPE_PEM), 1);
+    if (store != NULL) {
+        ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile,
+            WOLFSSL_FILETYPE_PEM), 1);
+    }
+
+    wolfSSL_X509_STORE_free(store);
+#endif /* defined(OPENSSL_EXTRA) && defined(HAVE_CRL) &&
+        * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_LOOKUP_ctrl_file(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \
+    !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
+    defined(WOLFSSL_SIGNER_DER_CERT)
+    X509_STORE_CTX* ctx = NULL;
+    X509_STORE* str = NULL;
+    X509_LOOKUP* lookup = NULL;
+
+    X509* cert1 = NULL;
+    X509* x509Ca = NULL;
+    X509* x509Svr = NULL;
+    X509* issuer = NULL;
+
+    WOLFSSL_STACK* sk = NULL;
+    X509_NAME* caName = NULL;
+    X509_NAME* issuerName = NULL;
+
+    XFILE file1 = XBADFILE;
+    int i;
+    int cert_count = 0;
+    int cmp;
+
+    char der[] = "certs/ca-cert.der";
+
+#ifdef HAVE_CRL
+    char pem[][100] = {
+        "./certs/crl/crl.pem",
+        "./certs/crl/crl2.pem",
+        "./certs/crl/caEccCrl.pem",
+        "./certs/crl/eccCliCRL.pem",
+        "./certs/crl/eccSrvCRL.pem",
+        ""
+    };
+#endif
+    ExpectTrue((file1 = XFOPEN("./certs/ca-cert.pem", "rb")) != XBADFILE);
+    ExpectNotNull(cert1 = wolfSSL_PEM_read_X509(file1, NULL, NULL, NULL));
+    if (file1 != XBADFILE)
+        XFCLOSE(file1);
+
+    ExpectNotNull(ctx = X509_STORE_CTX_new());
+    ExpectNotNull((str = wolfSSL_X509_STORE_new()));
+    ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file()));
+    ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(NULL, NULL,
+        WOLFSSL_FILETYPE_PEM), 0);
+    ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(lookup, NULL,
+        WOLFSSL_FILETYPE_PEM), 0);
+    ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(NULL, caCertFile,
+        WOLFSSL_FILETYPE_PEM), 0);
+    ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(NULL, der       ,
+        WOLFSSL_FILETYPE_PEM), 0);
+    ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, caCertFile,
+                                    SSL_FILETYPE_PEM,NULL), 1);
+    ExpectNotNull(sk = wolfSSL_CertManagerGetCerts(str->cm));
+    ExpectIntEQ((cert_count = sk_X509_num(sk)), 1);
+
+    /* check if CA cert is loaded into the store */
+    for (i = 0; i < cert_count; i++) {
+        x509Ca = sk_X509_value(sk, i);
+        ExpectIntEQ(0, wolfSSL_X509_cmp(x509Ca, cert1));
+    }
+
+    ExpectNotNull((x509Svr =
+            wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM)));
+
+    ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x509Svr, NULL), SSL_SUCCESS);
+
+    ExpectNull(X509_STORE_CTX_get0_current_issuer(NULL));
+    issuer = X509_STORE_CTX_get0_current_issuer(ctx);
+    ExpectNull(issuer);
+
+    ExpectIntEQ(X509_verify_cert(ctx), 1);
+
+    issuer = X509_STORE_CTX_get0_current_issuer(ctx);
+    ExpectNotNull(issuer);
+    caName = X509_get_subject_name(x509Ca);
+    ExpectNotNull(caName);
+    issuerName = X509_get_subject_name(issuer);
+    ExpectNotNull(issuerName);
+    cmp = X509_NAME_cmp(caName, issuerName);
+    ExpectIntEQ(cmp, 0);
+    /* load der format */
+    issuer = NULL;
+    X509_STORE_CTX_free(ctx);
+    ctx = NULL;
+    X509_STORE_free(str);
+    str = NULL;
+    sk_X509_pop_free(sk, NULL);
+    sk = NULL;
+    X509_free(x509Svr);
+    x509Svr = NULL;
+
+    ExpectNotNull((str = wolfSSL_X509_STORE_new()));
+    ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file()));
+    ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, der,
+                                    SSL_FILETYPE_ASN1,NULL), 1);
+    ExpectNotNull(sk = wolfSSL_CertManagerGetCerts(str->cm));
+    ExpectIntEQ((cert_count = sk_X509_num(sk)), 1);
+    /* check if CA cert is loaded into the store */
+    for (i = 0; i < cert_count; i++) {
+        x509Ca = sk_X509_value(sk, i);
+        ExpectIntEQ(0, wolfSSL_X509_cmp(x509Ca, cert1));
+    }
+
+    X509_STORE_free(str);
+    str = NULL;
+    sk_X509_pop_free(sk, NULL);
+    sk = NULL;
+    X509_free(cert1);
+    cert1 = NULL;
+
+#ifdef HAVE_CRL
+    ExpectNotNull(str = wolfSSL_X509_STORE_new());
+    ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file()));
+    ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, caCertFile,
+                                                    SSL_FILETYPE_PEM,NULL), 1);
+    ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD,
+                                "certs/server-revoked-cert.pem",
+                                 SSL_FILETYPE_PEM,NULL), 1);
+    if (str) {
+        ExpectIntEQ(wolfSSL_CertManagerVerify(str->cm, svrCertFile,
+                    WOLFSSL_FILETYPE_PEM), 1);
+        /* since store hasn't yet known the revoked cert*/
+        ExpectIntEQ(wolfSSL_CertManagerVerify(str->cm,
+                    "certs/server-revoked-cert.pem",
+                    WOLFSSL_FILETYPE_PEM), 1);
+    }
+    for (i = 0; pem[i][0] != '\0'; i++)
+    {
+        ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, pem[i],
+                                        SSL_FILETYPE_PEM, NULL), 1);
+    }
+
+    if (str) {
+        /* since store knows crl list */
+        ExpectIntEQ(wolfSSL_CertManagerVerify(str->cm,
+                    "certs/server-revoked-cert.pem",
+                    WOLFSSL_FILETYPE_PEM ), WC_NO_ERR_TRACE(CRL_CERT_REVOKED));
+    }
+
+    ExpectIntEQ(X509_LOOKUP_ctrl(NULL, 0, NULL, 0, NULL), 0);
+    X509_STORE_free(str);
+#endif
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_LOOKUP_ctrl_hash_dir(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
+    const int  MAX_DIR = 4;
+    const char paths[][32] = {
+                             "./certs/ed25519",
+                             "./certs/ecc",
+                             "./certs/crl",
+                             "./certs/",
+                            };
+
+    char CertCrl_path[MAX_FILENAME_SZ];
+    char *p;
+    X509_STORE* str = NULL;
+    X509_LOOKUP* lookup = NULL;
+    WOLFSSL_STACK* sk = NULL;
+    int len, total_len, i;
+
+    (void)sk;
+
+    XMEMSET(CertCrl_path, 0, MAX_FILENAME_SZ);
+
+    /* illegal string */
+    ExpectNotNull((str = wolfSSL_X509_STORE_new()));
+    ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file()));
+    ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, "",
+                                    SSL_FILETYPE_PEM, NULL), 0);
+    ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_STORE, "",
+        SSL_FILETYPE_PEM, NULL), WOLFSSL_NOT_IMPLEMENTED);
+    ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_LOAD_STORE, "",
+        SSL_FILETYPE_PEM, NULL), WOLFSSL_NOT_IMPLEMENTED);
+    ExpectIntEQ(X509_LOOKUP_ctrl(lookup, 0, "",
+        SSL_FILETYPE_PEM, NULL), WOLFSSL_FAILURE);
+
+    /* free store */
+    X509_STORE_free(str);
+    str = NULL;
+
+    /* short folder string */
+    ExpectNotNull((str = wolfSSL_X509_STORE_new()));
+    ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file()));
+    ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, "./",
+                                    SSL_FILETYPE_PEM,NULL), 1);
+    #if defined(WOLFSSL_INT_H)
+    /* only available when including internal.h */
+    ExpectNotNull(sk = lookup->dirs->dir_entry);
+    #endif
+    /* free store */
+    X509_STORE_free(str);
+    str = NULL;
+
+    /* typical function check */
+    p = &CertCrl_path[0];
+    total_len = 0;
+
+    for (i = MAX_DIR - 1; i>=0 && total_len < MAX_FILENAME_SZ; i--) {
+        len = (int)XSTRLEN((const char*)&paths[i]);
+        total_len += len;
+        XSTRNCPY(p, paths[i], MAX_FILENAME_SZ - total_len);
+        p += len;
+        if (i != 0) *(p++) = SEPARATOR_CHAR;
+    }
+
+    ExpectNotNull((str = wolfSSL_X509_STORE_new()));
+    ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file()));
+    ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, CertCrl_path,
+                                    SSL_FILETYPE_PEM,NULL), 1);
+    #if defined(WOLFSSL_INT_H)
+    /* only available when including internal.h */
+    ExpectNotNull(sk = lookup->dirs->dir_entry);
+    #endif
+
+    X509_STORE_free(str);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_load_crl_file(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) && \
+    !defined(NO_STDIO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_BIO) && \
+    !defined(WOLFSSL_CRL_ALLOW_MISSING_CDP)
+    int i;
+    char pem[][100] = {
+        "./certs/crl/crl.pem",
+        "./certs/crl/crl2.pem",
+        "./certs/crl/caEccCrl.pem",
+        "./certs/crl/eccCliCRL.pem",
+        "./certs/crl/eccSrvCRL.pem",
+    #ifdef WC_RSA_PSS
+        "./certs/crl/crl_rsapss.pem",
+    #endif
+        ""
+    };
+    char der[][100] = {
+        "./certs/crl/crl.der",
+        "./certs/crl/crl2.der",
+        ""
+    };
+    WOLFSSL_X509_STORE*  store = NULL;
+    WOLFSSL_X509_LOOKUP* lookup = NULL;
+
+    ExpectNotNull(store = wolfSSL_X509_STORE_new());
+    ExpectNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()));
+
+    ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem",
+        X509_FILETYPE_PEM), 1);
+#ifdef WC_RSA_PSS
+    ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/rsapss/ca-rsapss.pem",
+        X509_FILETYPE_PEM), 1);
+#endif
+    ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem",
+        X509_FILETYPE_PEM), 1);
+    if (store) {
+        ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile,
+            WOLFSSL_FILETYPE_PEM), 1);
+        /* since store hasn't yet known the revoked cert*/
+        ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm,
+            "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), 1);
+    }
+
+    ExpectIntEQ(X509_load_crl_file(lookup, pem[0], 0), 0);
+    for (i = 0; pem[i][0] != '\0'; i++) {
+        ExpectIntEQ(X509_load_crl_file(lookup, pem[i], WOLFSSL_FILETYPE_PEM),
+            1);
+    }
+
+    if (store) {
+        /* since store knows crl list */
+        ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm,
+            "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM),
+            WC_NO_ERR_TRACE(CRL_CERT_REVOKED));
+#ifdef WC_RSA_PSS
+        ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm,
+            "certs/rsapss/server-rsapss-cert.pem", WOLFSSL_FILETYPE_PEM),
+            WC_NO_ERR_TRACE(ASN_NO_SIGNER_E));
+#endif
+    }
+    /* once feeing store */
+    X509_STORE_free(store);
+    store = NULL;
+
+    ExpectNotNull(store = wolfSSL_X509_STORE_new());
+    ExpectNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()));
+
+    ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem",
+        X509_FILETYPE_PEM), 1);
+    ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem",
+        X509_FILETYPE_PEM), 1);
+    if (store) {
+        ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile,
+            WOLFSSL_FILETYPE_PEM), 1);
+        /* since store hasn't yet known the revoked cert*/
+        ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm,
+            "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), 1);
+    }
+
+    for (i = 0; der[i][0] != '\0'; i++) {
+        ExpectIntEQ(X509_load_crl_file(lookup, der[i], WOLFSSL_FILETYPE_ASN1),
+            1);
+    }
+
+    if (store) {
+        /* since store knows crl list */
+        ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm,
+            "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM),
+            WC_NO_ERR_TRACE(CRL_CERT_REVOKED));
+    }
+
+    /* test for incorrect parameter */
+    ExpectIntEQ(X509_load_crl_file(NULL, pem[0], 0), 0);
+    ExpectIntEQ(X509_load_crl_file(lookup, NULL, 0), 0);
+    ExpectIntEQ(X509_load_crl_file(NULL, NULL, 0), 0);
+
+    X509_STORE_free(store);
+    store = NULL;
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_X509_LOOKUP_add_dir(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
+    (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
+    !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)  && \
+    (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)) && \
+    defined(HAVE_CRL) && !defined(NO_RSA)
+
+    X509_STORE *     store = NULL;
+    X509_STORE_CTX * storeCtx = NULL;
+    X509_CRL *       crl = NULL;
+    X509 *           ca = NULL;
+    X509 *           cert = NULL;
+    const char       cliCrlPem[] = "./certs/crl/cliCrl.pem";
+    const char       srvCert[] = "./certs/server-cert.pem";
+    const char       caCert[] = "./certs/ca-cert.pem";
+    const char       caDir[] = "./certs/crl/hash_der";
+    XFILE            fp = XBADFILE;
+    X509_LOOKUP *    lookup = NULL;
+
+    ExpectNotNull(store = (X509_STORE *)X509_STORE_new());
+
+    /* Set up store with CA */
+    ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert,
+        SSL_FILETYPE_PEM)));
+    ExpectIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS);
+
+    /* Add CRL lookup directory to store.
+     * Test uses ./certs/crl/hash_der/0fdb2da4.r0, which is a copy
+     * of crl.der */
+    ExpectNotNull((lookup = X509_STORE_add_lookup(store,
+        X509_LOOKUP_hash_dir())));
+
+    ExpectIntEQ(X509_LOOKUP_add_dir(lookup, caDir, X509_FILETYPE_ASN1),
+        SSL_SUCCESS);
+
+    ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK),
+        SSL_SUCCESS);
+
+    /* Add CRL to store NOT containing the verified certificate, which
+     * forces use of the CRL lookup directory */
+    ExpectTrue((fp = XFOPEN(cliCrlPem, "rb")) != XBADFILE);
+    ExpectNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL,
+        NULL, NULL));
+    if (fp != XBADFILE) {
+        XFCLOSE(fp);
+        fp = XBADFILE;
+    }
+    ExpectIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS);
+
+    /* Create verification context outside of an SSL session */
+    ExpectNotNull((storeCtx = X509_STORE_CTX_new()));
+    ExpectNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert,
+        SSL_FILETYPE_PEM)));
+    ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS);
+
+    /* Perform verification, which should NOT return CRL missing */
+    ExpectIntNE(X509_verify_cert(storeCtx), WC_NO_ERR_TRACE(CRL_MISSING));
+
+    X509_CRL_free(crl);
+    crl = NULL;
+    X509_STORE_free(store);
+    store = NULL;
+    X509_STORE_CTX_free(storeCtx);
+    storeCtx = NULL;
+    X509_free(cert);
+    cert = NULL;
+    X509_free(ca);
+    ca = NULL;
+
+    /* Now repeat the same, but look for X509_FILETYPE_PEM.
+     * We should get CRL_MISSING at the end, because the lookup
+     * dir has only ASN1 CRLs. */
+
+    ExpectNotNull(store = (X509_STORE *)X509_STORE_new());
+
+    ExpectNotNull((ca = wolfSSL_X509_load_certificate_file(caCert,
+        SSL_FILETYPE_PEM)));
+    ExpectIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS);
+
+    ExpectNotNull((lookup = X509_STORE_add_lookup(store,
+        X509_LOOKUP_hash_dir())));
+
+    ExpectIntEQ(X509_LOOKUP_add_dir(lookup, caDir, X509_FILETYPE_PEM),
+        SSL_SUCCESS);
+
+    ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK),
+        SSL_SUCCESS);
+    ExpectTrue((fp = XFOPEN(cliCrlPem, "rb")) != XBADFILE);
+    ExpectNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL,
+        NULL, NULL));
+    if (fp != XBADFILE) {
+        XFCLOSE(fp);
+        fp = XBADFILE;
+    }
+    ExpectIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS);
+
+    ExpectNotNull((storeCtx = X509_STORE_CTX_new()));
+    ExpectNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert,
+        SSL_FILETYPE_PEM)));
+    ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS);
+
+    /* Now we SHOULD get CRL_MISSING, because we looked for PEM
+     * in dir containing only ASN1/DER. */
+    ExpectIntEQ(X509_verify_cert(storeCtx), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+    ExpectIntEQ(X509_STORE_CTX_get_error(storeCtx),
+            X509_V_ERR_UNABLE_TO_GET_CRL);
+
+    X509_CRL_free(crl);
+    X509_STORE_free(store);
+    X509_STORE_CTX_free(storeCtx);
+    X509_free(cert);
+    X509_free(ca);
+#endif
+    return EXPECT_RESULT();
+}
+

tests/api/test_ossl_x509_lu.h

@@ -0,0 +1,40 @@
+/* test_ossl_x509_lu.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_LU_H
+#define WOLFCRYPT_TEST_OSSL_X509_LU_H
+
+#include <tests/api/api_decl.h>
+
+int test_wolfSSL_X509_LOOKUP_load_file(void);
+int test_wolfSSL_X509_LOOKUP_ctrl_file(void);
+int test_wolfSSL_X509_LOOKUP_ctrl_hash_dir(void);
+int test_wolfSSL_X509_load_crl_file(void);
+int test_X509_LOOKUP_add_dir(void);
+
+#define TEST_OSSL_X509_LOOKUP_DECLS                                            \
+    TEST_DECL_GROUP("ossl_x509_lu", test_wolfSSL_X509_LOOKUP_load_file),       \
+    TEST_DECL_GROUP("ossl_x509_lu", test_wolfSSL_X509_LOOKUP_ctrl_file),       \
+    TEST_DECL_GROUP("ossl_x509_lu", test_wolfSSL_X509_LOOKUP_ctrl_hash_dir),   \
+    TEST_DECL_GROUP("ossl_x509_lu", test_wolfSSL_X509_LOOKUP_ctrl_hash_dir),   \
+    TEST_DECL_GROUP("ossl_x509_lu", test_X509_LOOKUP_add_dir)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_LU_H */

tests/api/test_ossl_x509_name.c

@@ -0,0 +1,717 @@
+/* test_ossl_x509_name.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <tests/unit.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#include <wolfssl/ssl.h>
+#include <wolfssl/internal.h>
+#include <tests/api/api.h>
+#include <tests/api/test_ossl_x509_name.h>
+
+int test_wolfSSL_X509_NAME_get_entry(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
+#if defined(OPENSSL_ALL) || \
+        (defined(OPENSSL_EXTRA) && \
+            (defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)))
+    /* use openssl like name to test mapping */
+    X509_NAME_ENTRY* ne = NULL;
+    X509_NAME* name = NULL;
+    X509* x509 = NULL;
+    ASN1_STRING* asn = NULL;
+    char* subCN = NULL;
+    int idx = 0;
+    ASN1_OBJECT *object = NULL;
+#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || \
+    defined(WOLFSSL_NGINX)
+#ifndef NO_BIO
+    BIO* bio = NULL;
+#endif
+#endif
+
+    ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
+        WOLFSSL_FILETYPE_PEM));
+    ExpectNotNull(name = X509_get_subject_name(x509));
+    ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1), 0);
+    ExpectNotNull(ne = X509_NAME_get_entry(name, idx));
+    ExpectNull(X509_NAME_ENTRY_get_data(NULL));
+    ExpectNotNull(asn = X509_NAME_ENTRY_get_data(ne));
+    ExpectNotNull(subCN = (char*)ASN1_STRING_data(asn));
+    wolfSSL_FreeX509(x509);
+    x509 = NULL;
+
+    ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
+        WOLFSSL_FILETYPE_PEM));
+    ExpectNotNull(name = X509_get_subject_name(x509));
+    ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1), 0);
+
+#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || \
+    defined(WOLFSSL_NGINX)
+#ifndef NO_BIO
+    ExpectNotNull(bio = BIO_new(BIO_s_mem()));
+    ExpectIntEQ(X509_NAME_print_ex(bio, name, 4,
+                    (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_SUCCESS);
+    ExpectIntEQ(X509_NAME_print_ex_fp(XBADFILE, name, 4,
+                    (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_NAME_print_ex_fp(stderr, name, 4,
+                    (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_SUCCESS);
+    BIO_free(bio);
+#endif
+#endif
+
+    ExpectNotNull(ne = X509_NAME_get_entry(name, idx));
+    ExpectNotNull(object = X509_NAME_ENTRY_get_object(ne));
+    wolfSSL_FreeX509(x509);
+#endif /* OPENSSL_ALL || (OPENSSL_EXTRA && (KEEP_PEER_CERT || SESSION_CERTS) */
+#endif /* !NO_CERTS && !NO_RSA && !NO_FILESYSTEM */
+
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_NAME(void)
+{
+    EXPECT_DECLS;
+#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
+    !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \
+    !defined(NO_RSA) && defined(WOLFSSL_CERT_GEN) && \
+    (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || \
+     defined(OPENSSL_EXTRA))
+    X509* x509 = NULL;
+#ifndef OPENSSL_EXTRA
+    const unsigned char* c = NULL;
+    int bytes = 0;
+#endif
+    unsigned char buf[4096];
+    XFILE f = XBADFILE;
+    const X509_NAME* a = NULL;
+    const X509_NAME* b = NULL;
+    X509_NAME* d2i_name = NULL;
+    int sz = 0;
+    unsigned char* tmp = NULL;
+    char file[] = "./certs/ca-cert.der";
+#ifndef OPENSSL_EXTRA_X509_SMALL
+    byte empty[] = { /* CN=empty emailAddress= */
+        0x30, 0x21, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03,
+        0x55, 0x04, 0x03, 0x0C, 0x05, 0x65, 0x6D, 0x70,
+        0x74, 0x79, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09,
+        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09,
+        0x01, 0x16, 0x00
+    };
+#endif
+#if defined(OPENSSL_EXTRA) && !defined(NO_PWDBASED)
+    byte   digest[64]; /* max digest size */
+    word32 digestSz;
+#endif
+
+#ifndef OPENSSL_EXTRA_X509_SMALL
+    /* test compile of deprecated function, returns 0 */
+    ExpectIntEQ(CRYPTO_thread_id(), 0);
+#endif
+
+    ExpectNotNull(a = X509_NAME_new());
+    ExpectNotNull(b = X509_NAME_new());
+#ifndef OPENSSL_EXTRA_X509_SMALL
+    ExpectIntEQ(X509_NAME_cmp(a, b), 0);
+#endif
+    X509_NAME_free((X509_NAME*)b);
+    X509_NAME_free((X509_NAME*)a);
+    a = NULL;
+
+    ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE);
+#ifndef OPENSSL_EXTRA
+    ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0);
+    if (f != XBADFILE)
+        XFCLOSE(f);
+
+    c = buf;
+    ExpectNotNull(x509 = wolfSSL_X509_d2i_ex(NULL, c, bytes, HEAP_HINT));
+#else
+    ExpectNull(wolfSSL_X509_d2i_fp(NULL, XBADFILE));
+    ExpectNotNull(wolfSSL_X509_d2i_fp(&x509, f));
+    if (f != XBADFILE)
+        XFCLOSE(f);
+#endif
+
+    /* test cmp function */
+    ExpectNull(X509_get_issuer_name(NULL));
+    ExpectNotNull(a = X509_get_issuer_name(x509));
+    ExpectNull(X509_get_subject_name(NULL));
+    ExpectNotNull(b = X509_get_subject_name(x509));
+#ifdef KEEP_PEER_CERT
+    ExpectNull(wolfSSL_X509_get_subjectCN(NULL));
+    ExpectNotNull(wolfSSL_X509_get_subjectCN(x509));
+#endif
+
+#if defined(OPENSSL_EXTRA)
+    ExpectIntEQ(X509_check_issued(NULL, NULL),
+        WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH);
+    ExpectIntEQ(X509_check_issued(x509, NULL),
+        WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH);
+    ExpectIntEQ(X509_check_issued(NULL, x509),
+        WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH);
+    ExpectIntEQ(X509_check_issued(x509, x509), WOLFSSL_X509_V_OK);
+    ExpectIntEQ(X509_NAME_cmp(NULL, NULL), -2);
+    ExpectIntEQ(X509_NAME_cmp(NULL, b), -2);
+    ExpectIntEQ(X509_NAME_cmp(a, NULL), -2);
+    ExpectIntEQ(X509_NAME_cmp(a, b), 0); /* self signed should be 0 */
+
+#if !defined(NO_PWDBASED)
+    ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, NULL, NULL), 0);
+    ExpectIntEQ(wolfSSL_X509_NAME_digest(a, NULL, NULL, NULL), 0);
+#ifndef NO_SHA256
+    ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, wolfSSL_EVP_sha256(), NULL,
+        NULL), 0);
+#endif
+    ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, digest, NULL), 0);
+    ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, NULL, &digestSz), 0);
+    ExpectIntEQ(wolfSSL_X509_NAME_digest(a, NULL, digest,
+        &digestSz), 0);
+#ifndef NO_SHA256
+    ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, wolfSSL_EVP_sha256(), digest,
+        &digestSz), 0);
+    ExpectIntEQ(wolfSSL_X509_NAME_digest(a, wolfSSL_EVP_sha256(), NULL,
+        &digestSz), 0);
+    ExpectIntEQ(wolfSSL_X509_NAME_digest(a, wolfSSL_EVP_sha256(), digest,
+        NULL), 1);
+    ExpectIntEQ(wolfSSL_X509_NAME_digest(a, wolfSSL_EVP_sha256(), digest,
+        &digestSz), 1);
+    ExpectTrue(digestSz == 32);
+#endif
+#else
+    ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, NULL, NULL),
+        NOT_COMPILED_IN);
+#endif
+#endif /* OPENSSL_EXTRA */
+
+    tmp = buf;
+    ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)a, &tmp)), 0);
+    if (sz > 0 && tmp == buf) {
+        fprintf(stderr, "\nERROR - %s line %d failed with:", __FILE__,
+            __LINE__);
+        fprintf(stderr, " Expected pointer to be incremented\n");
+        abort();
+    }
+
+#ifndef OPENSSL_EXTRA_X509_SMALL
+    tmp = buf;
+    ExpectNotNull(d2i_name = d2i_X509_NAME(NULL, &tmp, sz));
+#endif
+
+    /* if output parameter is NULL, should still return required size. */
+    ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)b, NULL)), 0);
+    /* retry but with the function creating a buffer */
+    tmp = NULL;
+    ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)b, &tmp)), 0);
+    XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL);
+    tmp = NULL;
+
+#ifdef WOLFSSL_CERT_NAME_ALL
+    /* test for givenName and name */
+    {
+        WOLFSSL_X509_NAME_ENTRY* entry = NULL;
+        WOLFSSL_X509_NAME_ENTRY empty;
+        const byte gName[] = "test-given-name";
+        const byte name[] = "test-name";
+
+        XMEMSET(&empty, 0, sizeof(empty));
+
+        ExpectNull(wolfSSL_X509_NAME_ENTRY_create_by_NID(NULL,
+            NID_givenName, ASN_UTF8STRING, NULL, sizeof(gName)));
+        ExpectNotNull(entry = wolfSSL_X509_NAME_ENTRY_create_by_NID(NULL,
+            NID_givenName, ASN_UTF8STRING, gName, sizeof(gName)));
+        ExpectNotNull(wolfSSL_X509_NAME_ENTRY_create_by_NID(&entry,
+            NID_givenName, ASN_UTF8STRING, gName, sizeof(gName)));
+        ExpectIntEQ(wolfSSL_X509_NAME_add_entry(NULL         , NULL  , -1, 0),
+            0);
+        ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, NULL  , -1, 0),
+            0);
+        ExpectIntEQ(wolfSSL_X509_NAME_add_entry(NULL         , entry , -1, 0),
+            0);
+        ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, &empty, -1, 0),
+            0);
+        ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry , 99, 0),
+            0);
+        ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry , -1, 0),
+            1);
+        wolfSSL_X509_NAME_ENTRY_free(entry);
+        entry = NULL;
+
+        ExpectNotNull(wolfSSL_X509_NAME_ENTRY_create_by_NID(&entry,
+            NID_name, ASN_UTF8STRING, name, sizeof(name)));
+        ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry, -1, 0),
+            1);
+        wolfSSL_X509_NAME_ENTRY_free(entry);
+
+        tmp = NULL;
+        ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)b, &tmp)), 0);
+        XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL);
+    }
+#endif
+
+    b = NULL;
+    ExpectNull(X509_NAME_dup(NULL));
+    ExpectNotNull(b = X509_NAME_dup((X509_NAME*)a));
+#ifndef OPENSSL_EXTRA_X509_SMALL
+    ExpectIntEQ(X509_NAME_cmp(a, b), 0);
+#endif
+    ExpectIntEQ(X509_NAME_entry_count(NULL), 0);
+    ExpectIntEQ(X509_NAME_entry_count((X509_NAME*)b), 7);
+    X509_NAME_free((X509_NAME*)b);
+    ExpectNotNull(b = wolfSSL_X509_NAME_new());
+    ExpectIntEQ(X509_NAME_entry_count((X509_NAME*)b), 0);
+    ExpectIntEQ(wolfSSL_X509_NAME_copy(NULL, NULL), BAD_FUNC_ARG);
+    ExpectIntEQ(wolfSSL_X509_NAME_copy((X509_NAME*)a, NULL), BAD_FUNC_ARG);
+    ExpectIntEQ(wolfSSL_X509_NAME_copy(NULL, (X509_NAME*)b), BAD_FUNC_ARG);
+    ExpectIntEQ(wolfSSL_X509_NAME_copy((X509_NAME*)a, (X509_NAME*)b), 1);
+    ExpectIntEQ(X509_NAME_entry_count((X509_NAME*)b), 7);
+    X509_NAME_free((X509_NAME*)b);
+    X509_NAME_free(d2i_name);
+    d2i_name = NULL;
+    X509_free(x509);
+
+#ifndef OPENSSL_EXTRA_X509_SMALL
+    /* test with an empty domain component */
+    tmp = empty;
+    sz  = sizeof(empty);
+    ExpectNotNull(d2i_name = d2i_X509_NAME(NULL, &tmp, sz));
+    ExpectIntEQ(X509_NAME_entry_count(d2i_name), 2);
+
+    /* size of empty emailAddress will be 0 */
+    tmp = buf;
+    ExpectIntEQ(X509_NAME_get_text_by_NID(d2i_name, NID_emailAddress,
+                (char*)tmp, sizeof(buf)), 0);
+
+    /* should contain no organization name */
+    tmp = buf;
+    ExpectIntEQ(X509_NAME_get_text_by_NID(d2i_name, NID_organizationName,
+                (char*)tmp, sizeof(buf)), -1);
+    X509_NAME_free(d2i_name);
+#endif
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_NAME_hash(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && \
+    !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_BIO)
+    BIO* bio = NULL;
+    X509* x509 = NULL;
+    X509_NAME* name = NULL;
+
+    ExpectIntEQ(X509_NAME_hash(NULL), 0);
+    ExpectNotNull(name = wolfSSL_X509_NAME_new_ex(NULL));
+    ExpectIntEQ(X509_NAME_hash(name), 0);
+    X509_NAME_free(name);
+
+    ExpectNotNull(bio = BIO_new(BIO_s_file()));
+    ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0);
+    ExpectNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL));
+    ExpectIntEQ(X509_NAME_hash(X509_get_subject_name(x509)), 0x137DC03F);
+    ExpectIntEQ(X509_NAME_hash(X509_get_issuer_name(x509)), 0xFDB2DA4);
+    X509_free(x509);
+    BIO_free(bio);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_NAME_print_ex(void)
+{
+    EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \
+     (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \
+     defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \
+     defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB)))) && \
+    !defined(NO_BIO) && !defined(NO_RSA)
+    int memSz = 0;
+    byte* mem = NULL;
+    BIO* bio = NULL;
+    BIO* membio = NULL;
+    X509* x509 = NULL;
+    X509_NAME* name = NULL;
+    X509_NAME* empty = NULL;
+
+    const char* expNormal  = "C=US, CN=wolfssl.com";
+    const char* expEqSpace = "C = US, CN = wolfssl.com";
+    const char* expReverse = "CN=wolfssl.com, C=US";
+
+    const char* expNotEscaped = "C= US,+\"\\ , CN=#wolfssl.com<>;";
+    const char* expNotEscapedRev = "CN=#wolfssl.com<>;, C= US,+\"\\ ";
+    const char* expRFC5523 =
+        "CN=\\#wolfssl.com\\<\\>\\;, C=\\ US\\,\\+\\\"\\\\\\ ";
+
+    /* Test with real cert (svrCertFile) first */
+    ExpectNotNull(bio = BIO_new(BIO_s_file()));
+    ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0);
+    ExpectNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL));
+    ExpectNotNull(name = X509_get_subject_name(x509));
+
+    /* Test without flags */
+    ExpectNotNull(membio = BIO_new(BIO_s_mem()));
+    ExpectNotNull(empty = wolfSSL_X509_NAME_new());
+    ExpectIntEQ(X509_NAME_print_ex(NULL, NULL, 0, 0), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_NAME_print_ex(membio, NULL, 0, 0), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_NAME_print_ex(NULL, name, 0, 0), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_NAME_print_ex(membio, empty, 0, 0), WOLFSSL_SUCCESS);
+    ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS);
+    wolfSSL_X509_NAME_free(empty);
+    BIO_free(membio);
+    membio = NULL;
+
+    /* Test flag: XN_FLAG_RFC2253 */
+    ExpectNotNull(membio = BIO_new(BIO_s_mem()));
+    ExpectIntEQ(X509_NAME_print_ex(membio, name, 0,
+                XN_FLAG_RFC2253), WOLFSSL_SUCCESS);
+    BIO_free(membio);
+    membio = NULL;
+
+    /* Test flag: XN_FLAG_RFC2253 | XN_FLAG_DN_REV */
+    ExpectNotNull(membio = BIO_new(BIO_s_mem()));
+    ExpectIntEQ(X509_NAME_print_ex(membio, name, 0,
+                XN_FLAG_RFC2253 | XN_FLAG_DN_REV), WOLFSSL_SUCCESS);
+    BIO_free(membio);
+    membio = NULL;
+
+    X509_free(x509);
+    BIO_free(bio);
+    name = NULL;
+
+    /* Test with empty issuer cert empty-issuer-cert.pem.
+     * See notes in certs/test/gen-testcerts.sh for how it was generated. */
+    ExpectNotNull(bio = BIO_new(BIO_s_file()));
+    ExpectIntGT(BIO_read_filename(bio, noIssuerCertFile), 0);
+    ExpectNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL));
+    ExpectNotNull(name = X509_get_subject_name(x509));
+
+    ExpectNotNull(membio = BIO_new(BIO_s_mem()));
+    ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS);
+    /* Should be empty string "" */
+    ExpectIntEQ((memSz = BIO_get_mem_data(membio, &mem)), 0);
+
+    BIO_free(membio);
+    membio = NULL;
+    X509_free(x509);
+    BIO_free(bio);
+    name = NULL;
+
+    /* Test normal case without escaped characters */
+    {
+        /* Create name: "/C=US/CN=wolfssl.com" */
+        ExpectNotNull(name = X509_NAME_new());
+        ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName",
+                    MBSTRING_UTF8, (byte*)"US", 2, -1, 0),
+                    WOLFSSL_SUCCESS);
+        ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName",
+                    MBSTRING_UTF8, (byte*)"wolfssl.com", 11, -1, 0),
+                    WOLFSSL_SUCCESS);
+
+        /* Test without flags */
+        ExpectNotNull(membio = BIO_new(BIO_s_mem()));
+        ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS);
+        ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0);
+        ExpectIntEQ(memSz, XSTRLEN(expNormal));
+        ExpectIntEQ(XSTRNCMP((char*)mem, expNormal, XSTRLEN(expNormal)), 0);
+        BIO_free(membio);
+        membio = NULL;
+
+        /* Test with XN_FLAG_ONELINE which should enable XN_FLAG_SPC_EQ for
+           spaces around '=' */
+        ExpectNotNull(membio = BIO_new(BIO_s_mem()));
+        ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, XN_FLAG_ONELINE),
+            WOLFSSL_SUCCESS);
+        ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0);
+        ExpectIntEQ(memSz, XSTRLEN(expEqSpace));
+        ExpectIntEQ(XSTRNCMP((char*)mem, expEqSpace, XSTRLEN(expEqSpace)), 0);
+        BIO_free(membio);
+        membio = NULL;
+
+        /* Test flags: XN_FLAG_RFC2253 - should be reversed */
+        ExpectNotNull(membio = BIO_new(BIO_s_mem()));
+        ExpectIntEQ(X509_NAME_print_ex(membio, name, 0,
+                    XN_FLAG_RFC2253), WOLFSSL_SUCCESS);
+        ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0);
+        ExpectIntEQ(memSz, XSTRLEN(expReverse));
+        BIO_free(membio);
+        membio = NULL;
+
+        /* Test flags: XN_FLAG_DN_REV - reversed */
+        ExpectNotNull(membio = BIO_new(BIO_s_mem()));
+        ExpectIntEQ(X509_NAME_print_ex(membio, name, 0,
+                    XN_FLAG_DN_REV), WOLFSSL_SUCCESS);
+        ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0);
+        ExpectIntEQ(memSz, XSTRLEN(expReverse));
+        ExpectIntEQ(XSTRNCMP((char*)mem, expReverse, XSTRLEN(expReverse)), 0);
+        BIO_free(membio);
+        membio = NULL;
+
+        X509_NAME_free(name);
+        name = NULL;
+    }
+
+    /* Test RFC2253 characters are escaped with backslashes */
+    {
+        ExpectNotNull(name = X509_NAME_new());
+        ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName",
+                    /* space at beginning and end, and: ,+"\ */
+                    MBSTRING_UTF8, (byte*)" US,+\"\\ ", 8, -1, 0),
+                    WOLFSSL_SUCCESS);
+        ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName",
+                    /* # at beginning, and: <>;*/
+                    MBSTRING_UTF8, (byte*)"#wolfssl.com<>;", 15, -1, 0),
+                    WOLFSSL_SUCCESS);
+        /* Test without flags */
+        ExpectNotNull(membio = BIO_new(BIO_s_mem()));
+        ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS);
+        ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0);
+        ExpectIntEQ(memSz, XSTRLEN(expNotEscaped));
+        ExpectIntEQ(XSTRNCMP((char*)mem, expNotEscaped,
+                    XSTRLEN(expNotEscaped)), 0);
+        BIO_free(membio);
+        membio = NULL;
+
+        /* Test flags: XN_FLAG_RFC5523 - should be reversed and escaped */
+        ExpectNotNull(membio = BIO_new(BIO_s_mem()));
+        ExpectIntEQ(X509_NAME_print_ex(membio, name, 0,
+                    XN_FLAG_RFC2253), WOLFSSL_SUCCESS);
+        ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0);
+        ExpectIntEQ(memSz, XSTRLEN(expRFC5523));
+        ExpectIntEQ(XSTRNCMP((char*)mem, expRFC5523, XSTRLEN(expRFC5523)), 0);
+        BIO_free(membio);
+        membio = NULL;
+
+        /* Test flags: XN_FLAG_DN_REV - reversed but not escaped */
+        ExpectNotNull(membio = BIO_new(BIO_s_mem()));
+        ExpectIntEQ(X509_NAME_print_ex(membio, name, 0,
+                    XN_FLAG_DN_REV), WOLFSSL_SUCCESS);
+        ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0);
+        ExpectIntEQ(memSz, XSTRLEN(expNotEscapedRev));
+        ExpectIntEQ(XSTRNCMP((char*)mem, expNotEscapedRev,
+                    XSTRLEN(expNotEscapedRev)), 0);
+        BIO_free(membio);
+
+        X509_NAME_free(name);
+    }
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_NAME_ENTRY(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \
+    !defined(NO_RSA) && defined(WOLFSSL_CERT_GEN)
+    X509*      x509 = NULL;
+#ifndef NO_BIO
+    X509*      empty = NULL;
+    BIO*       bio = NULL;
+#endif
+    X509_NAME* nm = NULL;
+    X509_NAME_ENTRY* entry = NULL;
+    WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* entries = NULL;
+    unsigned char cn[] = "another name to add";
+#ifdef OPENSSL_ALL
+    int i;
+    int names_len = 0;
+#endif
+
+    ExpectNotNull(x509 =
+            wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM));
+#ifndef NO_BIO
+    ExpectNotNull(empty = wolfSSL_X509_new());
+    ExpectNotNull(bio = BIO_new(BIO_s_mem()));
+    ExpectIntEQ(PEM_write_bio_X509_AUX(NULL, NULL), WOLFSSL_FAILURE);
+    ExpectIntEQ(PEM_write_bio_X509_AUX(bio, NULL), WOLFSSL_FAILURE);
+    ExpectIntEQ(PEM_write_bio_X509_AUX(NULL, x509), WOLFSSL_FAILURE);
+    ExpectIntEQ(PEM_write_bio_X509_AUX(bio, empty), WOLFSSL_FAILURE);
+    ExpectIntEQ(PEM_write_bio_X509_AUX(bio, x509), SSL_SUCCESS);
+    wolfSSL_X509_free(empty);
+#endif
+
+#ifdef WOLFSSL_CERT_REQ
+    {
+        X509_REQ* req = NULL;
+#ifndef NO_BIO
+        X509_REQ* emptyReq = NULL;
+        BIO*      bReq = NULL;
+#endif
+
+        ExpectNotNull(req =
+            wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM));
+#ifndef NO_BIO
+        ExpectNotNull(emptyReq = wolfSSL_X509_REQ_new());
+        ExpectNotNull(bReq = BIO_new(BIO_s_mem()));
+        ExpectIntEQ(PEM_write_bio_X509_REQ(NULL, NULL), WOLFSSL_FAILURE);
+        ExpectIntEQ(PEM_write_bio_X509_REQ(bReq, NULL), WOLFSSL_FAILURE);
+        ExpectIntEQ(PEM_write_bio_X509_REQ(NULL, req), WOLFSSL_FAILURE);
+        ExpectIntEQ(PEM_write_bio_X509_REQ(bReq, emptyReq), WOLFSSL_FAILURE);
+        ExpectIntEQ(PEM_write_bio_X509_REQ(bReq, req), SSL_SUCCESS);
+
+        BIO_free(bReq);
+        X509_REQ_free(emptyReq);
+#endif
+        X509_free(req);
+    }
+#endif
+
+    ExpectNotNull(nm = X509_get_subject_name(x509));
+
+    /* Test add entry */
+    ExpectNotNull(entry = X509_NAME_ENTRY_create_by_NID(NULL, NID_commonName,
+                0x0c, cn, (int)sizeof(cn)));
+    ExpectIntEQ(X509_NAME_add_entry(nm, entry, -1, 0), SSL_SUCCESS);
+
+    /* @TODO the internal name entry set value needs investigated for matching
+     * behavior with OpenSSL. At the moment the getter function for the set
+     * value is being tested only in that it succeeds in getting the internal
+     * value. */
+    ExpectIntGT(X509_NAME_ENTRY_set(X509_NAME_get_entry(nm, 1)), 0);
+
+#ifdef WOLFSSL_CERT_EXT
+    ExpectIntEQ(X509_NAME_add_entry_by_txt(NULL, NULL, MBSTRING_UTF8,
+        (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_NAME_add_entry_by_txt(nm, NULL, MBSTRING_UTF8,
+        (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_NAME_add_entry_by_txt(NULL, "emailAddress", MBSTRING_UTF8,
+        (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_NAME_add_entry_by_txt(nm, "emailAddress", MBSTRING_UTF8,
+        (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_SUCCESS);
+    ExpectIntEQ(X509_NAME_add_entry_by_txt(nm, "commonName", MBSTRING_UTF8,
+        (byte*)"wolfssl.com", 11, 0, 1), WOLFSSL_SUCCESS);
+    ExpectNull(wolfSSL_X509_NAME_delete_entry(NULL, -1));
+    ExpectNull(wolfSSL_X509_NAME_delete_entry(nm, -1));
+    ExpectNotNull(wolfSSL_X509_NAME_delete_entry(nm, 0));
+#endif
+    X509_NAME_ENTRY_free(entry);
+    entry = NULL;
+
+#ifdef WOLFSSL_CERT_REQ
+    {
+        unsigned char srv_pkcs9p[] = "Server";
+        unsigned char rfc822Mlbx[] = "support@wolfssl.com";
+        unsigned char fvrtDrnk[] = "tequila";
+        unsigned char* der = NULL;
+        char* subject = NULL;
+
+        ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_pkcs9_contentType,
+            MBSTRING_ASC, srv_pkcs9p, -1, -1, 0), SSL_SUCCESS);
+
+        ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_rfc822Mailbox,
+            MBSTRING_ASC, rfc822Mlbx, -1, -1, 0), SSL_SUCCESS);
+
+        ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_favouriteDrink,
+            MBSTRING_ASC, fvrtDrnk, -1, -1, 0), SSL_SUCCESS);
+
+        ExpectIntEQ(wolfSSL_i2d_X509_NAME(NULL, &der), BAD_FUNC_ARG);
+        ExpectIntGT(wolfSSL_i2d_X509_NAME(nm, &der), 0);
+        ExpectNotNull(der);
+
+        ExpectNotNull(subject = X509_NAME_oneline(nm, NULL, 0));
+        ExpectNotNull(XSTRSTR(subject, "rfc822Mailbox=support@wolfssl.com"));
+        ExpectNotNull(XSTRSTR(subject, "favouriteDrink=tequila"));
+        ExpectNotNull(XSTRSTR(subject, "contentType=Server"));
+    #ifdef DEBUG_WOLFSSL
+        if (subject != NULL) {
+            fprintf(stderr, "\n\t%s\n", subject);
+        }
+    #endif
+        XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
+        XFREE(der, NULL, DYNAMIC_TYPE_OPENSSL);
+    }
+#endif
+
+    ExpectNull(entry = X509_NAME_ENTRY_create_by_txt(NULL, NULL, 0x0c, cn,
+        (int)sizeof(cn)));
+    /* Test add entry by text */
+    ExpectNotNull(entry = X509_NAME_ENTRY_create_by_txt(NULL, "commonName",
+                0x0c, cn, (int)sizeof(cn)));
+    ExpectPtrEq(X509_NAME_ENTRY_create_by_txt(&entry, "commonName",
+                0x0c, cn, (int)sizeof(cn)), entry);
+    #if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) \
+    || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX)
+    ExpectNull(X509_NAME_ENTRY_create_by_txt(&entry, "unknown",
+                V_ASN1_UTF8STRING, cn, (int)sizeof(cn)));
+    #endif
+    ExpectIntEQ(X509_NAME_add_entry(nm, entry, -1, 0), SSL_SUCCESS);
+    X509_NAME_ENTRY_free(entry);
+    entry = NULL;
+
+    /* Test add entry by NID */
+    ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_commonName, MBSTRING_UTF8,
+                                       cn, -1, -1, 0), SSL_SUCCESS);
+
+#ifdef OPENSSL_ALL
+    /* stack of name entry */
+    ExpectIntGT((names_len = sk_X509_NAME_ENTRY_num(nm->entries)), 0);
+    for (i = 0; i < names_len; i++) {
+        ExpectNotNull(entry = sk_X509_NAME_ENTRY_value(nm->entries, i));
+    }
+#endif
+
+    ExpectNotNull(entries = wolfSSL_sk_X509_NAME_ENTRY_new(NULL));
+    ExpectIntEQ(sk_X509_NAME_ENTRY_num(NULL), BAD_FUNC_ARG);
+    ExpectIntEQ(sk_X509_NAME_ENTRY_num(entries), 0);
+    ExpectNull(sk_X509_NAME_ENTRY_value(NULL, 0));
+    ExpectNull(sk_X509_NAME_ENTRY_value(entries, 0));
+    wolfSSL_sk_X509_NAME_ENTRY_free(entries);
+#ifndef NO_BIO
+    BIO_free(bio);
+#endif
+    X509_free(x509); /* free's nm */
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_NAME_ENTRY_get_object(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_RSA)
+    X509 *x509 = NULL;
+    X509_NAME* name = NULL;
+    int idx = 0;
+    X509_NAME_ENTRY *ne = NULL;
+    ASN1_OBJECT *object = NULL;
+
+    ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
+        WOLFSSL_FILETYPE_PEM));
+    ExpectNotNull(name = X509_get_subject_name(x509));
+    ExpectIntGE(X509_NAME_get_index_by_NID(NULL, NID_commonName, -1),
+        BAD_FUNC_ARG);
+    ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1), 0);
+    ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -2), 0);
+
+    ExpectNotNull(ne = X509_NAME_get_entry(name, idx));
+    ExpectNull(X509_NAME_ENTRY_get_object(NULL));
+    ExpectNotNull(object = X509_NAME_ENTRY_get_object(ne));
+
+    X509_free(x509);
+#endif
+    return EXPECT_RESULT();
+}
+

tests/api/test_ossl_x509_name.h

@@ -0,0 +1,42 @@
+/* test_ossl_x509_name.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_NAME_H
+#define WOLFCRYPT_TEST_OSSL_X509_NAME_H
+
+#include <tests/api/api_decl.h>
+
+int test_wolfSSL_X509_NAME_get_entry(void);
+int test_wolfSSL_X509_NAME(void);
+int test_wolfSSL_X509_NAME_hash(void);
+int test_wolfSSL_X509_NAME_print_ex(void);
+int test_wolfSSL_X509_NAME_ENTRY(void);
+int test_wolfSSL_X509_NAME_ENTRY_get_object(void);
+
+#define TEST_OSSL_X509_NAME_DECLS                                              \
+    TEST_DECL_GROUP("ossl_x509_name", test_wolfSSL_X509_NAME_get_entry),       \
+    TEST_DECL_GROUP("ossl_x509_name", test_wolfSSL_X509_NAME),                 \
+    TEST_DECL_GROUP("ossl_x509_name", test_wolfSSL_X509_NAME_hash),            \
+    TEST_DECL_GROUP("ossl_x509_name", test_wolfSSL_X509_NAME_print_ex),        \
+    TEST_DECL_GROUP("ossl_x509_name", test_wolfSSL_X509_NAME_ENTRY),           \
+    TEST_DECL_GROUP("ossl_x509_name", test_wolfSSL_X509_NAME_ENTRY_get_object)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_NAME_H */

tests/api/test_ossl_x509_pk.c

@@ -0,0 +1,350 @@
+/* test_ossl_x509_pk.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <tests/unit.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#include <wolfssl/ssl.h>
+#include <tests/utils.h>
+#include <tests/api/api.h>
+#include <tests/api/test_ossl_x509_pk.h>
+
+int test_wolfSSL_X509_get_X509_PUBKEY(void)
+{
+    EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD))
+    X509* x509 = NULL;
+    X509_PUBKEY* pubKey;
+
+    ExpectNotNull(x509 = X509_new());
+
+    ExpectNull(pubKey = wolfSSL_X509_get_X509_PUBKEY(NULL));
+    ExpectNotNull(pubKey = wolfSSL_X509_get_X509_PUBKEY(x509));
+
+    X509_free(x509);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_PUBKEY_RSA(void)
+{
+    EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && \
+    !defined(NO_SHA256) && !defined(NO_RSA)
+    X509* x509 = NULL;
+    ASN1_OBJECT* obj = NULL;
+    const ASN1_OBJECT* pa_oid = NULL;
+    X509_PUBKEY* pubKey = NULL;
+    X509_PUBKEY* pubKey2 = NULL;
+    EVP_PKEY* evpKey = NULL;
+    byte buf[1024];
+    byte* tmp;
+
+    const unsigned char *pk = NULL;
+    int ppklen;
+    int pptype;
+    X509_ALGOR *pa = NULL;
+    const void *pval;
+
+    ExpectNotNull(x509 = X509_load_certificate_file(cliCertFile,
+        SSL_FILETYPE_PEM));
+
+    ExpectNotNull(pubKey = X509_get_X509_PUBKEY(x509));
+    ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey), 1);
+    ExpectNotNull(pk);
+    ExpectNotNull(pa);
+    ExpectNotNull(pubKey);
+    ExpectIntGT(ppklen, 0);
+
+    tmp = buf;
+    ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(NULL, NULL), WOLFSSL_FATAL_ERROR);
+    ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(NULL, &tmp), WOLFSSL_FATAL_ERROR);
+    ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(pubKey, NULL), 294);
+    ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(pubKey, &tmp), 294);
+
+    ExpectIntEQ(OBJ_obj2nid(obj), NID_rsaEncryption);
+
+    ExpectNotNull(evpKey = X509_PUBKEY_get(pubKey));
+    ExpectNotNull(pubKey2 = X509_PUBKEY_new());
+    ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, NULL), 0);
+    ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey2), 0);
+    ExpectIntEQ(X509_PUBKEY_set(NULL, NULL), 0);
+    ExpectIntEQ(X509_PUBKEY_set(&pubKey2, NULL), 0);
+    ExpectIntEQ(X509_PUBKEY_set(NULL, evpKey), 0);
+    ExpectIntEQ(X509_PUBKEY_set(&pubKey2, evpKey), 1);
+    ExpectIntEQ(X509_PUBKEY_get0_param(NULL, NULL, NULL, NULL, pubKey2), 1);
+    ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey2), 1);
+    ExpectNotNull(pk);
+    ExpectNotNull(pa);
+    ExpectIntGT(ppklen, 0);
+    X509_ALGOR_get0(&pa_oid, &pptype, &pval, pa);
+    ExpectNotNull(pa_oid);
+    ExpectNull(pval);
+    ExpectIntEQ(pptype, V_ASN1_NULL);
+    ExpectIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_RSA);
+
+    X509_PUBKEY_free(NULL);
+    X509_PUBKEY_free(pubKey2);
+    X509_free(x509);
+    EVP_PKEY_free(evpKey);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_PUBKEY_EC(void)
+{
+    EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && defined(HAVE_ECC)
+    X509* x509 = NULL;
+    ASN1_OBJECT* obj = NULL;
+    ASN1_OBJECT* poid = NULL;
+    const ASN1_OBJECT* pa_oid = NULL;
+    X509_PUBKEY* pubKey = NULL;
+    X509_PUBKEY* pubKey2 = NULL;
+    EVP_PKEY* evpKey = NULL;
+
+    const unsigned char *pk = NULL;
+    int ppklen;
+    int pptype;
+    X509_ALGOR *pa = NULL;
+    const void *pval;
+    char buf[50];
+
+    ExpectNotNull(x509 = X509_load_certificate_file(cliEccCertFile,
+                                                    SSL_FILETYPE_PEM));
+    ExpectNotNull(pubKey = X509_get_X509_PUBKEY(x509));
+    ExpectNotNull(evpKey = X509_PUBKEY_get(pubKey));
+    ExpectNotNull(pubKey2 = X509_PUBKEY_new());
+    ExpectIntEQ(X509_PUBKEY_set(&pubKey2, evpKey), 1);
+    ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey2), 1);
+    ExpectNotNull(pk);
+    ExpectNotNull(pa);
+    ExpectIntGT(ppklen, 0);
+    X509_ALGOR_get0(&pa_oid, &pptype, &pval, pa);
+    ExpectNotNull(pa_oid);
+    ExpectNotNull(pval);
+    ExpectIntEQ(pptype, V_ASN1_OBJECT);
+    ExpectIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_EC);
+    poid = (ASN1_OBJECT *)pval;
+    ExpectIntGT(OBJ_obj2txt(buf, (int)sizeof(buf), poid, 0), 0);
+    ExpectIntEQ(OBJ_txt2nid(buf), NID_X9_62_prime256v1);
+
+    X509_PUBKEY_free(pubKey2);
+    X509_free(x509);
+    EVP_PKEY_free(evpKey);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_PUBKEY_DSA(void)
+{
+    EXPECT_DECLS;
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && !defined(NO_DSA)
+    word32  bytes;
+#ifdef USE_CERT_BUFFERS_1024
+    byte    tmp[ONEK_BUF];
+#elif defined(USE_CERT_BUFFERS_2048)
+    byte    tmp[TWOK_BUF];
+#else
+    byte    tmp[TWOK_BUF];
+#endif /* END USE_CERT_BUFFERS_1024 */
+    const unsigned char* dsaKeyDer = tmp;
+
+    ASN1_OBJECT* obj = NULL;
+    ASN1_STRING* str;
+    const ASN1_OBJECT* pa_oid = NULL;
+    X509_PUBKEY* pubKey = NULL;
+    EVP_PKEY* evpKey = NULL;
+
+    const unsigned char *pk = NULL;
+    int ppklen, pptype;
+    X509_ALGOR *pa = NULL;
+    const void *pval;
+
+#ifdef USE_CERT_BUFFERS_1024
+    XMEMSET(tmp, 0, sizeof(tmp));
+    XMEMCPY(tmp, dsa_key_der_1024, sizeof_dsa_key_der_1024);
+    bytes = sizeof_dsa_key_der_1024;
+#elif defined(USE_CERT_BUFFERS_2048)
+    XMEMSET(tmp, 0, sizeof(tmp));
+    XMEMCPY(tmp, dsa_key_der_2048, sizeof_dsa_key_der_2048);
+    bytes = sizeof_dsa_key_der_2048;
+#else
+    {
+        XFILE fp = XBADFILE;
+        XMEMSET(tmp, 0, sizeof(tmp));
+        ExpectTrue((fp = XFOPEN("./certs/dsa2048.der", "rb")) != XBADFILE);
+        ExpectIntGT(bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), fp), 0);
+        if (fp != XBADFILE)
+            XFCLOSE(fp);
+    }
+#endif
+
+    /* Initialize pkey with der format dsa key */
+    ExpectNotNull(d2i_PrivateKey(EVP_PKEY_DSA, &evpKey, &dsaKeyDer, bytes));
+
+    ExpectNotNull(pubKey = X509_PUBKEY_new());
+    ExpectIntEQ(X509_PUBKEY_set(&pubKey, evpKey), 1);
+    ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey), 1);
+    ExpectNotNull(pk);
+    ExpectNotNull(pa);
+    ExpectIntGT(ppklen, 0);
+    X509_ALGOR_get0(&pa_oid, &pptype, &pval, pa);
+    ExpectNotNull(pa_oid);
+    ExpectNotNull(pval);
+    ExpectIntEQ(pptype, V_ASN1_SEQUENCE);
+    ExpectIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_DSA);
+    str = (ASN1_STRING *)pval;
+    DEBUG_WRITE_DER(ASN1_STRING_data(str), ASN1_STRING_length(str), "str.der");
+#ifdef USE_CERT_BUFFERS_1024
+    ExpectIntEQ(ASN1_STRING_length(str), 291);
+#else
+    ExpectIntEQ(ASN1_STRING_length(str), 549);
+#endif /* END USE_CERT_BUFFERS_1024 */
+
+    X509_PUBKEY_free(pubKey);
+    EVP_PKEY_free(evpKey);
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_PUBKEY_get(void)
+{
+    EXPECT_DECLS;
+#ifdef OPENSSL_ALL
+    WOLFSSL_X509_PUBKEY pubkey;
+    WOLFSSL_X509_PUBKEY* key;
+    WOLFSSL_EVP_PKEY evpkey ;
+    WOLFSSL_EVP_PKEY* evpPkey;
+    WOLFSSL_EVP_PKEY* retEvpPkey;
+
+    XMEMSET(&pubkey, 0, sizeof(WOLFSSL_X509_PUBKEY));
+    XMEMSET(&evpkey, 0, sizeof(WOLFSSL_EVP_PKEY));
+
+    key = &pubkey;
+    evpPkey = &evpkey;
+
+    evpPkey->type = WOLFSSL_SUCCESS;
+    key->pkey = evpPkey;
+
+    ExpectNotNull(retEvpPkey = wolfSSL_X509_PUBKEY_get(key));
+    ExpectIntEQ(retEvpPkey->type, WOLFSSL_SUCCESS);
+
+    ExpectNull(retEvpPkey = wolfSSL_X509_PUBKEY_get(NULL));
+
+    key->pkey = NULL;
+    ExpectNull(retEvpPkey = wolfSSL_X509_PUBKEY_get(key));
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_set_pubkey(void)
+{
+    EXPECT_DECLS;
+#ifdef OPENSSL_ALL
+    WOLFSSL_X509* x509 = NULL;
+    WOLFSSL_EVP_PKEY* pkey = NULL;
+
+    ExpectNotNull(x509 = wolfSSL_X509_new());
+
+#if !defined(NO_RSA)
+    {
+        WOLFSSL_RSA* rsa = NULL;
+
+        ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new());
+        if (pkey != NULL) {
+            pkey->type = WC_EVP_PKEY_RSA;
+        }
+        ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE);
+        ExpectNotNull(rsa = wolfSSL_RSA_new());
+        ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, EVP_PKEY_RSA, rsa),
+            WOLFSSL_SUCCESS);
+        if (EXPECT_FAIL()) {
+            wolfSSL_RSA_free(rsa);
+        }
+        ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_SUCCESS);
+        wolfSSL_EVP_PKEY_free(pkey);
+        pkey = NULL;
+    }
+#endif
+#if !defined(HAVE_SELFTEST) && (defined(WOLFSSL_KEY_GEN) || \
+        defined(WOLFSSL_CERT_GEN)) && !defined(NO_DSA)
+    {
+        WOLFSSL_DSA* dsa = NULL;
+
+        ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new());
+        if (pkey != NULL) {
+            pkey->type = WC_EVP_PKEY_DSA;
+        }
+        ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE);
+        ExpectNotNull(dsa = wolfSSL_DSA_new());
+        ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, EVP_PKEY_DSA, dsa),
+            WOLFSSL_SUCCESS);
+        if (EXPECT_FAIL()) {
+            wolfSSL_DSA_free(dsa);
+        }
+        ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE);
+        wolfSSL_EVP_PKEY_free(pkey);
+        pkey = NULL;
+    }
+#endif
+#if defined(HAVE_ECC)
+    {
+        WOLFSSL_EC_KEY* ec = NULL;
+
+        ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new());
+        if (pkey != NULL) {
+            pkey->type = WC_EVP_PKEY_EC;
+        }
+        ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE);
+        ExpectNotNull(ec = wolfSSL_EC_KEY_new());
+        ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ec), 1);
+        ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, EVP_PKEY_EC, ec),
+            WOLFSSL_SUCCESS);
+        if (EXPECT_FAIL()) {
+            wolfSSL_EC_KEY_free(ec);
+        }
+        ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_SUCCESS);
+        wolfSSL_EVP_PKEY_free(pkey);
+        pkey = NULL;
+    }
+#endif
+#if !defined(NO_DH)
+    ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new());
+    if (pkey != NULL) {
+        pkey->type = WC_EVP_PKEY_DH;
+    }
+    ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE);
+    wolfSSL_EVP_PKEY_free(pkey);
+    pkey = NULL;
+#endif
+
+    wolfSSL_X509_free(x509);
+#endif
+    return EXPECT_RESULT();
+}
+

tests/api/test_ossl_x509_pk.h

@@ -0,0 +1,42 @@
+/* test_ossl_x509_pk.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_PK_H
+#define WOLFCRYPT_TEST_OSSL_X509_PK_H
+
+#include <tests/api/api_decl.h>
+
+int test_wolfSSL_X509_get_X509_PUBKEY(void);
+int test_wolfSSL_X509_PUBKEY_RSA(void);
+int test_wolfSSL_X509_PUBKEY_EC(void);
+int test_wolfSSL_X509_PUBKEY_DSA(void);
+int test_wolfSSL_X509_PUBKEY_get(void);
+int test_wolfSSL_X509_set_pubkey(void);
+
+#define TEST_OSSL_X509_PK_DECLS                                                \
+    TEST_DECL_GROUP("ossl_x509_pk", test_wolfSSL_X509_get_X509_PUBKEY),        \
+    TEST_DECL_GROUP("ossl_x509_pk", test_wolfSSL_X509_PUBKEY_RSA),             \
+    TEST_DECL_GROUP("ossl_x509_pk", test_wolfSSL_X509_PUBKEY_EC),              \
+    TEST_DECL_GROUP("ossl_x509_pk", test_wolfSSL_X509_PUBKEY_DSA),             \
+    TEST_DECL_GROUP("ossl_x509_pk", test_wolfSSL_X509_PUBKEY_get),             \
+    TEST_DECL_GROUP("ossl_x509_pk", test_wolfSSL_X509_set_pubkey)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_PK_H */

tests/api/test_ossl_x509_str.h

@@ -0,0 +1,66 @@
+/* test_ossl_x509_str.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_STR_H
+#define WOLFCRYPT_TEST_OSSL_X509_STR_H
+
+#include <tests/api/api_decl.h>
+
+int test_wolfSSL_X509_STORE_CTX_set_time(void);
+int test_wolfSSL_X509_STORE_CTX_get0_store(void);
+int test_wolfSSL_X509_STORE_CTX(void);
+int test_wolfSSL_X509_STORE_CTX_ex(void);
+int test_X509_STORE_untrusted(void);
+int test_X509_STORE_InvalidCa(void);
+int test_wolfSSL_X509_STORE_CTX_trusted_stack_cleanup(void);
+int test_wolfSSL_X509_STORE_CTX_get_issuer(void);
+int test_wolfSSL_X509_STORE_set_flags(void);
+int test_wolfSSL_X509_STORE(void);
+int test_wolfSSL_X509_STORE_load_locations(void);
+int test_X509_STORE_get0_objects(void);
+int test_wolfSSL_X509_STORE_get1_certs(void);
+int test_wolfSSL_X509_STORE_set_get_crl(void);
+int test_wolfSSL_X509_CA_num(void);
+int test_X509_STORE_No_SSL_CTX(void);
+
+#define TEST_OSSL_X509_STORE_DECLS                                             \
+    TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE_CTX_set_time),  \
+    TEST_DECL_GROUP("ossl_x509_store",                                         \
+                                      test_wolfSSL_X509_STORE_CTX_get0_store), \
+    TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE_CTX),           \
+    TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE_CTX_ex),        \
+    TEST_DECL_GROUP("ossl_x509_store", test_X509_STORE_untrusted),             \
+    TEST_DECL_GROUP("ossl_x509_store", test_X509_STORE_InvalidCa),             \
+    TEST_DECL_GROUP("ossl_x509_store",                                         \
+                           test_wolfSSL_X509_STORE_CTX_trusted_stack_cleanup), \
+    TEST_DECL_GROUP("ossl_x509_store",                                         \
+                                      test_wolfSSL_X509_STORE_CTX_get_issuer), \
+    TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE_set_flags),     \
+    TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE),               \
+    TEST_DECL_GROUP("ossl_x509_store",                                         \
+                                      test_wolfSSL_X509_STORE_load_locations), \
+    TEST_DECL_GROUP("ossl_x509_store", test_X509_STORE_get0_objects),          \
+    TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE_get1_certs),    \
+    TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_STORE_set_get_crl),   \
+    TEST_DECL_GROUP("ossl_x509_store", test_wolfSSL_X509_CA_num),              \
+    TEST_DECL_GROUP("ossl_x509_store", test_X509_STORE_No_SSL_CTX)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_STR_H */

tests/api/test_ossl_x509_vp.c

@@ -0,0 +1,276 @@
+/* test_ossl_x509_vp.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <tests/unit.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#include <wolfssl/ssl.h>
+#include <tests/api/api.h>
+#include <tests/api/test_ossl_x509_vp.h>
+
+int test_wolfSSL_X509_VERIFY_PARAM(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA)
+    X509_VERIFY_PARAM *paramTo = NULL;
+    X509_VERIFY_PARAM *paramFrom = NULL;
+    char testIPv4[] = "127.0.0.1";
+    char testIPv6[] = "0001:0000:0000:0000:0000:0000:0000:0000/32";
+    char testhostName1[] = "foo.hoge.com";
+    char testhostName2[] = "foobar.hoge.com";
+
+    ExpectNotNull(paramTo = X509_VERIFY_PARAM_new());
+    ExpectNotNull(XMEMSET(paramTo, 0, sizeof(X509_VERIFY_PARAM)));
+
+    ExpectNotNull(paramFrom = X509_VERIFY_PARAM_new());
+    ExpectNotNull(XMEMSET(paramFrom, 0, sizeof(X509_VERIFY_PARAM)));
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_host(paramFrom, testhostName1,
+        (int)XSTRLEN(testhostName1)), 1);
+    ExpectIntEQ(0, XSTRNCMP(paramFrom->hostName, testhostName1,
+        (int)XSTRLEN(testhostName1)));
+
+    X509_VERIFY_PARAM_set_hostflags(NULL, 0x00);
+
+    X509_VERIFY_PARAM_set_hostflags(paramFrom, 0x01);
+    ExpectIntEQ(0x01, paramFrom->hostFlags);
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(NULL, testIPv4), 0);
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramFrom, testIPv4), 1);
+    ExpectIntEQ(0, XSTRNCMP(paramFrom->ipasc, testIPv4, WOLFSSL_MAX_IPSTR));
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramFrom, NULL), 1);
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramFrom, testIPv6), 1);
+    ExpectIntEQ(0, XSTRNCMP(paramFrom->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));
+
+    /* null pointer */
+    ExpectIntEQ(X509_VERIFY_PARAM_set1(NULL, paramFrom), 0);
+    /* in the case of "from" null, returns success */
+    ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, NULL), 1);
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set1(NULL, NULL), 0);
+
+    /* inherit flags test : VPARAM_DEFAULT */
+    ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, paramFrom), 1);
+    ExpectIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1,
+                                    (int)XSTRLEN(testhostName1)));
+    ExpectIntEQ(0x01, paramTo->hostFlags);
+    ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));
+
+    /* inherit flags test : VPARAM OVERWRITE */
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_host(paramTo, testhostName2,
+        (int)XSTRLEN(testhostName2)), 1);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4), 1);
+    X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00);
+
+    if (paramTo != NULL) {
+        paramTo->inherit_flags = X509_VP_FLAG_OVERWRITE;
+    }
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, paramFrom), 1);
+    ExpectIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1,
+        (int)XSTRLEN(testhostName1)));
+    ExpectIntEQ(0x01, paramTo->hostFlags);
+    ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));
+
+    /* inherit flags test : VPARAM_RESET_FLAGS */
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_host(paramTo, testhostName2,
+        (int)XSTRLEN(testhostName2)), 1);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4), 1);
+    X509_VERIFY_PARAM_set_hostflags(paramTo, 0x10);
+
+    if (paramTo != NULL) {
+        paramTo->inherit_flags = X509_VP_FLAG_RESET_FLAGS;
+    }
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, paramFrom), 1);
+    ExpectIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1,
+                                        (int)XSTRLEN(testhostName1)));
+    ExpectIntEQ(0x01, paramTo->hostFlags);
+    ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));
+    ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));
+
+    /* inherit flags test : VPARAM_LOCKED */
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_host(paramTo, testhostName2,
+        (int)XSTRLEN(testhostName2)), 1);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4), 1);
+    X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00);
+
+    if (paramTo != NULL) {
+        paramTo->inherit_flags = X509_VP_FLAG_LOCKED;
+    }
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set1(paramTo, paramFrom), 1);
+    ExpectIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName2,
+                                    (int)XSTRLEN(testhostName2)));
+    ExpectIntEQ(0x00, paramTo->hostFlags);
+    ExpectIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv4, WOLFSSL_MAX_IPSTR));
+
+    /* test for incorrect parameters */
+    ExpectIntEQ(X509_VERIFY_PARAM_set_flags(NULL, X509_V_FLAG_CRL_CHECK_ALL),
+        0);
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set_flags(NULL, 0), 0);
+
+    /* inherit flags test : VPARAM_ONCE, not testable yet */
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set_flags(paramTo, X509_V_FLAG_CRL_CHECK_ALL),
+        1);
+
+    ExpectIntEQ(X509_VERIFY_PARAM_get_flags(NULL), 0);
+    ExpectIntEQ(X509_VERIFY_PARAM_get_flags(paramTo),
+        X509_V_FLAG_CRL_CHECK_ALL);
+
+    ExpectIntEQ(X509_VERIFY_PARAM_clear_flags(NULL, X509_V_FLAG_CRL_CHECK_ALL),
+        WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_VERIFY_PARAM_clear_flags(paramTo,
+        X509_V_FLAG_CRL_CHECK_ALL), 1);
+
+    ExpectIntEQ(X509_VERIFY_PARAM_get_flags(paramTo), 0);
+
+    ExpectNull(wolfSSL_X509_VERIFY_PARAM_lookup(NULL));
+    ExpectNull(wolfSSL_X509_VERIFY_PARAM_lookup(""));
+    ExpectNotNull(wolfSSL_X509_VERIFY_PARAM_lookup("ssl_client"));
+    ExpectNotNull(wolfSSL_X509_VERIFY_PARAM_lookup("ssl_server"));
+
+    X509_VERIFY_PARAM_free(paramTo);
+    X509_VERIFY_PARAM_free(paramFrom);
+    X509_VERIFY_PARAM_free(NULL); /* to confirm NULL parameter gives no harm */
+#endif
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_VERIFY_PARAM_set1_ip(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM)
+    unsigned char buf[16] = {0};
+    WOLFSSL_X509_VERIFY_PARAM* param = NULL;
+
+    ExpectNotNull(param = X509_VERIFY_PARAM_new());
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 1), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 1), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 1), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 16), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 4), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 0), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, buf, 1), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 16), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 4), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 16), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 4), WOLFSSL_FAILURE);
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 0), WOLFSSL_FAILURE);
+
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 0), WOLFSSL_SUCCESS);
+
+    /* test 127.0.0.1 */
+    buf[0] =0x7f; buf[1] = 0; buf[2] = 0; buf[3] = 1;
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 4), SSL_SUCCESS);
+    ExpectIntEQ(XSTRNCMP(param->ipasc, "127.0.0.1", sizeof(param->ipasc)), 0);
+
+    /* test 2001:db8:3333:4444:5555:6666:7777:8888 */
+    buf[0]=32;buf[1]=1;buf[2]=13;buf[3]=184;
+    buf[4]=51;buf[5]=51;buf[6]=68;buf[7]=68;
+    buf[8]=85;buf[9]=85;buf[10]=102;buf[11]=102;
+    buf[12]=119;buf[13]=119;buf[14]=136;buf[15]=136;
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS);
+    ExpectIntEQ(XSTRNCMP(param->ipasc,
+        "2001:db8:3333:4444:5555:6666:7777:8888", sizeof(param->ipasc)), 0);
+
+    /* test 2001:db8:: */
+    buf[0]=32;buf[1]=1;buf[2]=13;buf[3]=184;
+    buf[4]=0;buf[5]=0;buf[6]=0;buf[7]=0;
+    buf[8]=0;buf[9]=0;buf[10]=0;buf[11]=0;
+    buf[12]=0;buf[13]=0;buf[14]=0;buf[15]=0;
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS);
+    ExpectIntEQ(XSTRNCMP(param->ipasc, "2001:db8::", sizeof(param->ipasc)), 0);
+
+    /* test ::1234:5678 */
+    buf[0]=0;buf[1]=0;buf[2]=0;buf[3]=0;
+    buf[4]=0;buf[5]=0;buf[6]=0;buf[7]=0;
+    buf[8]=0;buf[9]=0;buf[10]=0;buf[11]=0;
+    buf[12]=18;buf[13]=52;buf[14]=86;buf[15]=120;
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS);
+    ExpectIntEQ(XSTRNCMP(param->ipasc, "::1234:5678", sizeof(param->ipasc)), 0);
+
+
+    /* test 2001:db8::1234:5678 */
+    buf[0]=32;buf[1]=1;buf[2]=13;buf[3]=184;
+    buf[4]=0;buf[5]=0;buf[6]=0;buf[7]=0;
+    buf[8]=0;buf[9]=0;buf[10]=0;buf[11]=0;
+    buf[12]=18;buf[13]=52;buf[14]=86;buf[15]=120;
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS);
+    ExpectIntEQ(XSTRNCMP(param->ipasc, "2001:db8::1234:5678",
+                                                sizeof(param->ipasc)), 0);
+
+    /* test 2001:0db8:0001:0000:0000:0ab9:c0a8:0102*/
+    /*      2001:db8:1::ab9:c0a8:102 */
+    buf[0]=32;buf[1]=1;buf[2]=13;buf[3]=184;
+    buf[4]=0;buf[5]=1;buf[6]=0;buf[7]=0;
+    buf[8]=0;buf[9]=0;buf[10]=10;buf[11]=185;
+    buf[12]=192;buf[13]=168;buf[14]=1;buf[15]=2;
+    ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 16), SSL_SUCCESS);
+    ExpectIntEQ(XSTRNCMP(param->ipasc, "2001:db8:1::ab9:c0a8:102",
+                                                sizeof(param->ipasc)), 0);
+
+    XFREE(param, HEAP_HINT, DYNAMIC_TYPE_OPENSSL);
+#endif /* OPENSSL_EXTRA */
+    return EXPECT_RESULT();
+}
+
+int test_wolfSSL_X509_VERIFY_PARAM_set1_host(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA)
+    const char host[] = "www.example.com";
+    WOLFSSL_X509_VERIFY_PARAM* pParam = NULL;
+
+    ExpectNotNull(pParam = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC(
+        sizeof(WOLFSSL_X509_VERIFY_PARAM), HEAP_HINT, DYNAMIC_TYPE_OPENSSL));
+    if (pParam != NULL) {
+        XMEMSET(pParam, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
+
+        ExpectIntEQ(X509_VERIFY_PARAM_set1_host(NULL, host, sizeof(host)),
+            WOLFSSL_FAILURE);
+
+        X509_VERIFY_PARAM_set1_host(pParam, host, sizeof(host));
+
+        ExpectIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0);
+
+        XMEMSET(pParam, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
+
+        ExpectIntNE(XMEMCMP(pParam->hostName, host, sizeof(host)), 0);
+
+        XFREE(pParam, HEAP_HINT, DYNAMIC_TYPE_OPENSSL);
+    }
+#endif /* OPENSSL_EXTRA */
+    return EXPECT_RESULT();
+}
+

tests/api/test_ossl_x509_vp.h

@@ -0,0 +1,36 @@
+/* test_ossl_x509_vp.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFCRYPT_TEST_OSSL_X509_VP_H
+#define WOLFCRYPT_TEST_OSSL_X509_VP_H
+
+#include <tests/api/api_decl.h>
+
+int test_wolfSSL_X509_VERIFY_PARAM(void);
+int test_wolfSSL_X509_VERIFY_PARAM_set1_ip(void);
+int test_wolfSSL_X509_VERIFY_PARAM_set1_host(void);
+
+#define TEST_OSSL_X509_VFY_PARAMS_DECLS                                        \
+    TEST_DECL_GROUP("ossl_x509_vp", test_wolfSSL_X509_VERIFY_PARAM),           \
+    TEST_DECL_GROUP("ossl_x509_vp", test_wolfSSL_X509_VERIFY_PARAM_set1_ip),   \
+    TEST_DECL_GROUP("ossl_x509_vp", test_wolfSSL_X509_VERIFY_PARAM_set1_host)
+
+#endif /* WOLFCRYPT_TEST_OSSL_X509_VP_H */

tests/utils.c

@@ -770,3 +770,26 @@ int test_memio_setup(struct test_memio_ctx *ctx,
 }
 
 #endif /* HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES */
+
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
+    defined(DEBUG_UNIT_TEST_CERTS)
+/* Used when debugging name constraint tests. Not static to allow use in
+ * multiple locations with complex define guards. */
+void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName)
+{
+    BIO* out = BIO_new_file(fileName, "wb");
+    if (out != NULL) {
+        PEM_write_bio_X509(out, x509);
+        BIO_free(out);
+    }
+}
+void DEBUG_WRITE_DER(const byte* der, int derSz, const char* fileName)
+{
+    BIO* out = BIO_new_file(fileName, "wb");
+    if (out != NULL) {
+        BIO_write(out, der, derSz);
+        BIO_free(out);
+    }
+}
+#endif
+

tests/utils.h

@@ -82,4 +82,13 @@ int test_memio_modify_message_len(struct test_memio_ctx *ctx, int client, int ms
 int test_memio_remove_from_buffer(struct test_memio_ctx *ctx, int client, int off, int sz);
 #endif
 
+#if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
+    defined(DEBUG_UNIT_TEST_CERTS)
+void DEBUG_WRITE_CERT_X509(WOLFSSL_X509* x509, const char* fileName);
+void DEBUG_WRITE_DER(const byte* der, int derSz, const char* fileName);
+#else
+#define DEBUG_WRITE_CERT_X509(x509, fileName) WC_DO_NOTHING
+#define DEBUG_WRITE_DER(der, derSz, fileName) WC_DO_NOTHING
+#endif
+
 #endif /* TESTS_UTILS_H */

wolfcrypt/benchmark/benchmark.c

@@ -1038,7 +1038,7 @@ static const bench_alg bench_cipher_opt[] = {
 #ifdef HAVE_AESGCM
     { "-aes-gmac",           BENCH_AES_GMAC          },
 #endif
-#ifdef WOLFSSL_AES_DIRECT
+#if defined(HAVE_AES_ECB) || (defined(HAVE_FIPS) && defined(WOLFSSL_AES_DIRECT))
     { "-aes-ecb",            BENCH_AES_ECB           },
 #endif
 #ifdef WOLFSSL_AES_XTS
@@ -3844,7 +3844,7 @@ static void* benchmarks_do(void* args)
     #endif
     }
 #endif
-#ifdef HAVE_AES_ECB
+#if defined(HAVE_AES_ECB) || (defined(HAVE_FIPS) && defined(WOLFSSL_AES_DIRECT))
     if (bench_all || (bench_cipher_algs & BENCH_AES_ECB)) {
     #ifndef NO_SW_BENCH
         bench_aesecb(0);
@@ -5604,7 +5604,7 @@ void bench_gmac(int useDeviceID)
 #endif /* HAVE_AESGCM */
 
 
-#ifdef HAVE_AES_ECB
+#if defined(HAVE_AES_ECB) || (defined(HAVE_FIPS) && defined(WOLFSSL_AES_DIRECT))
 static void bench_aesecb_internal(int useDeviceID,
                                   const byte* key, word32 keySz,
                                   const char* encLabel, const char* decLabel)
@@ -5773,7 +5773,7 @@ void bench_aesecb(int useDeviceID)
                  "AES-256-ECB-enc", "AES-256-ECB-dec");
 #endif
 }
-#endif /* HAVE_AES_ECB */
+#endif /* HAVE_AES_ECB || (HAVE_FIPS && WOLFSSL_AES_DIRECT) */
 
 #ifdef WOLFSSL_AES_CFB
 static void bench_aescfb_internal(const byte* key,
@@ -12040,6 +12040,7 @@ void bench_ecc(int useDeviceID, int curveId)
     int ret = 0, i, times, count, pending = 0;
     int deviceID;
     int  keySize;
+    int  dgstSize;
     char name[BENCH_ECC_NAME_SZ];
     WC_DECLARE_ARRAY(genKey, ecc_key, BENCH_MAX_PENDING,
                      sizeof(ecc_key), HEAP_HINT);
@@ -12068,7 +12069,7 @@ void bench_ecc(int useDeviceID, int curveId)
     WC_DECLARE_ARRAY(sig, byte,
                      BENCH_MAX_PENDING, ECC_MAX_SIG_SIZE, HEAP_HINT);
     WC_DECLARE_ARRAY(digest, byte,
-                     BENCH_MAX_PENDING, MAX_ECC_BYTES, HEAP_HINT);
+                     BENCH_MAX_PENDING, WC_MAX_DIGEST_SIZE, HEAP_HINT);
 #endif
 
     bench_stats_prepare();
@@ -12099,6 +12100,29 @@ void bench_ecc(int useDeviceID, int curveId)
     deviceID = useDeviceID ? devId : INVALID_DEVID;
 
     keySize = wc_ecc_get_curve_size_from_id(curveId);
+    if (keySize < 28) {
+        /* SHA-1 */
+        dgstSize = 20;
+    }
+    else if (keySize < 32) {
+        /* SHA-224/SHA512-224/SHA3-224 */
+        dgstSize = 28;
+    }
+    else if (keySize < 48) {
+        /* SHA-256/SHA512-256/SHA3-256 */
+        dgstSize = 32;
+    }
+    else if (keySize < 64) {
+        /* SHA-384/SHA3-384 */
+        dgstSize = 48;
+    }
+    else {
+        /* SHA-512/SHA3-512 */
+        dgstSize = 64;
+    }
+    if (dgstSize > WC_MAX_DIGEST_SIZE) {
+        dgstSize = WC_MAX_DIGEST_SIZE;
+    }
 
     /* init keys */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
@@ -12187,7 +12211,7 @@ exit_ecdhe:
 
     /* Init digest to sign */
     for (i = 0; i < BENCH_MAX_PENDING; i++) {
-        for (count = 0; count < keySize; count++) {
+        for (count = 0; count < dgstSize; count++) {
             digest[i][count] = (byte)count;
         }
     }
@@ -12207,7 +12231,7 @@ exit_ecdhe:
                         x[i] = ECC_MAX_SIG_SIZE;
                     }
 
-                    ret = wc_ecc_sign_hash(digest[i], (word32)keySize, sig[i],
+                    ret = wc_ecc_sign_hash(digest[i], (word32)dgstSize, sig[i],
                                            &x[i], GLOBAL_RNG, genKey[i]);
 
                     if (!bench_async_handle(&ret,
@@ -12259,7 +12283,7 @@ exit_ecdsa_sign:
                     }
 
                     ret = wc_ecc_verify_hash(sig[i], x[i], digest[i],
-                                             (word32)keySize, &verify[i],
+                                             (word32)dgstSize, &verify[i],
                                              genKey[i]);
 
                     if (!bench_async_handle(&ret,

wolfcrypt/src/error.c

@@ -315,7 +315,7 @@ const char* wc_GetErrorString(int error)
         return "Random Number Generator failed";
 
     case HMAC_MIN_KEYLEN_E:
-        return "FIPS Mode HMAC Minimum Key Length error";
+        return "FIPS Mode HMAC Minimum Key or Salt Length error";
 
     case RSA_PAD_E:
         return "Rsa Padding error";

wolfssl/wolfcrypt/aes.h

@@ -888,9 +888,74 @@ WOLFSSL_API int wc_AesCtsDecryptFinal(Aes* aes, byte* out, word32* outSz);
 
 #endif
 
-#if defined(__aarch64__) && defined(WOLFSSL_ARMASM) && \
-    !defined(WOLFSSL_ARMASM_NO_HW_CRYPTO)
+#if defined(WOLFSSL_ARMASM)
+#if defined(__aarch64__) || defined(WOLFSSL_ARMASM_NO_HW_CRYPTO)
+WOLFSSL_LOCAL void AES_set_encrypt_key(const unsigned char* key, word32 len,
+    unsigned char* ks);
+WOLFSSL_LOCAL void AES_invert_key(unsigned char* ks, word32 rounds);
+WOLFSSL_LOCAL void AES_ECB_encrypt(const unsigned char* in, unsigned char* out,
+    unsigned long len, const unsigned char* ks, int nr);
+WOLFSSL_LOCAL void AES_ECB_decrypt(const unsigned char* in, unsigned char* out,
+    unsigned long len, const unsigned char* ks, int nr);
+WOLFSSL_LOCAL void AES_CBC_encrypt(const unsigned char* in, unsigned char* out,
+    unsigned long len, const unsigned char* ks, int nr, unsigned char* iv);
+WOLFSSL_LOCAL void AES_CBC_decrypt(const unsigned char* in, unsigned char* out,
+    unsigned long len, const unsigned char* ks, int nr, unsigned char* iv);
+WOLFSSL_LOCAL void AES_CTR_encrypt(const unsigned char* in, unsigned char* out,
+    unsigned long len, const unsigned char* ks, int nr, unsigned char* ctr);
+#if defined(GCM_TABLE) || defined(GCM_TABLE_4BIT)
+/* in pre-C2x C, constness conflicts for dimensioned arrays can't be resolved.
+ */
+WOLFSSL_LOCAL void GCM_gmult_len(byte* x, const byte** m,
+    const unsigned char* data, unsigned long len);
+#endif
+WOLFSSL_LOCAL void AES_GCM_encrypt(const unsigned char* in, unsigned char* out,
+    unsigned long len, const unsigned char* ks, int nr, unsigned char* ctr);
 
+#if defined(WOLFSSL_AES_XTS) && defined(__aarch64__)
+WOLFSSL_LOCAL void AES_XTS_encrypt(const byte* in, byte* out, word32 sz,
+    const byte* i, byte* key, byte* key2, byte* tmp, int nr);
+WOLFSSL_LOCAL void AES_XTS_decrypt(const byte* in, byte* out, word32 sz,
+    const byte* i, byte* key, byte* key2, byte* tmp, int nr);
+#endif
+#endif /* __aarch64__ || WOLFSSL_ARMASM_NO_HW_CRYPTO */
+
+#if defined(__aarch64__) && !defined(WOLFSSL_ARMASM_NO_NEON)
+WOLFSSL_LOCAL void AES_set_encrypt_key_NEON(const unsigned char* key,
+    word32 len, unsigned char* ks);
+WOLFSSL_LOCAL void AES_invert_key_NEON(unsigned char* ks, word32 rounds);
+WOLFSSL_LOCAL void AES_ECB_encrypt_NEON(const unsigned char* in,
+    unsigned char* out, unsigned long len, const unsigned char* ks, int nr);
+WOLFSSL_LOCAL void AES_ECB_decrypt_NEON(const unsigned char* in,
+    unsigned char* out, unsigned long len, const unsigned char* ks, int nr);
+WOLFSSL_LOCAL void AES_CBC_encrypt_NEON(const unsigned char* in,
+    unsigned char* out, unsigned long len, const unsigned char* ks, int nr,
+    unsigned char* iv);
+WOLFSSL_LOCAL void AES_CBC_decrypt_NEON(const unsigned char* in,
+    unsigned char* out, unsigned long len, const unsigned char* ks, int nr,
+    unsigned char* iv);
+WOLFSSL_LOCAL void AES_CTR_encrypt_NEON(const unsigned char* in,
+    unsigned char* out, unsigned long len, const unsigned char* ks, int nr,
+    unsigned char* ctr);
+#if defined(GCM_TABLE) || defined(GCM_TABLE_4BIT)
+/* in pre-C2x C, constness conflicts for dimensioned arrays can't be resolved.
+ */
+WOLFSSL_LOCAL void GCM_gmult_len_NEON(byte* x, const byte* h,
+    const unsigned char* data, unsigned long len);
+#endif
+WOLFSSL_LOCAL void AES_GCM_encrypt_NEON(const unsigned char* in,
+    unsigned char* out, unsigned long len, const unsigned char* ks, int nr,
+    unsigned char* ctr);
+#endif
+
+#ifdef WOLFSSL_AES_XTS
+WOLFSSL_LOCAL void AES_XTS_encrypt_NEON(const byte* in, byte* out, word32 sz,
+    const byte* i, byte* key, byte* key2, byte* tmp, int nr);
+WOLFSSL_LOCAL void AES_XTS_decrypt_NEON(const byte* in, byte* out, word32 sz,
+    const byte* i, byte* key, byte* key2, byte* tmp, int nr);
+#endif /* WOLFSSL_AES_XTS */
+
+#if defined(__aarch64__) && !defined(WOLFSSL_ARMASM_NO_HW_CRYPTO)
 WOLFSSL_LOCAL void AES_set_key_AARCH64(const byte* userKey, int keylen,
     byte* key, int dir);
 
@@ -979,7 +1044,7 @@ WOLFSSL_LOCAL void AES_GCM_decrypt_final_AARCH64_EOR3(byte* tag,
     const byte* authTag, word32 tbytes, word32 nbytes, word32 abytes, byte* h,
     byte* initCtr, int* res);
 #endif
-#endif
+#endif /* WOLFSSL_AESGCM_STREAM */
 
 #ifdef WOLFSSL_AES_XTS
 WOLFSSL_LOCAL void AES_XTS_encrypt_AARCH64(const byte* in, byte* out,
@@ -987,31 +1052,9 @@ WOLFSSL_LOCAL void AES_XTS_encrypt_AARCH64(const byte* in, byte* out,
 WOLFSSL_LOCAL void AES_XTS_decrypt_AARCH64(const byte* in, byte* out,
     word32 sz, const byte* i, byte* key, byte* key2, byte* tmp, int nr);
 #endif /* WOLFSSL_AES_XTS */
-#endif /* __aarch64__ && WOLFSSL_ARMASM && !WOLFSSL_ARMASM_NO_HW_CRYPTO */
+#endif /* __aarch64__ && !WOLFSSL_ARMASM_NO_HW_CRYPTO */
 
-#if !defined(__aarch64__) && defined(WOLFSSL_ARMASM)
-#if !defined(WOLFSSL_ARMASM_NO_HW_CRYPTO)
-WOLFSSL_LOCAL void AES_set_key_AARCH32(const byte* userKey, int keylen,
-    byte* key, int dir);
-
-WOLFSSL_LOCAL void AES_encrypt_AARCH32(const byte* inBlock, byte* outBlock,
-    byte* key, int nr);
-WOLFSSL_LOCAL void AES_decrypt_AARCH32(const byte* inBlock, byte* outBlock,
-    byte* key, int nr);
-WOLFSSL_LOCAL void AES_encrypt_blocks_AARCH32(const byte* in, byte* out,
-    word32 sz, byte* key, int nr);
-#endif
-
-#ifdef WOLFSSL_AES_XTS
-WOLFSSL_LOCAL void AES_XTS_encrypt_AARCH64(const byte* in, byte* out,
-    word32 sz, const byte* i, byte* key, byte* key2, byte* tmp, int nr);
-WOLFSSL_LOCAL void AES_XTS_decrypt_AARCH64(const byte* in, byte* out,
-    word32 sz, const byte* i, byte* key, byte* key2, byte* tmp, int nr);
-#endif /* WOLFSSL_AES_XTS */
-#endif /* __aarch64__ && WOLFSSL_ARMASM && !WOLFSSL_ARMASM_NO_HW_CRYPTO */
-
-#if !defined(__aarch64__) && defined(WOLFSSL_ARMASM)
-#if !defined(WOLFSSL_ARMASM_NO_HW_CRYPTO)
+#if !defined(__aarch64__) && !defined(WOLFSSL_ARMASM_NO_HW_CRYPTO)
 WOLFSSL_LOCAL void AES_set_key_AARCH32(const byte* userKey, int keylen,
     byte* key, int dir);
 
@@ -1049,30 +1092,8 @@ WOLFSSL_LOCAL void AES_XTS_encrypt_AARCH32(const byte* in, byte* out,
 WOLFSSL_LOCAL void AES_XTS_decrypt_AARCH32(const byte* in, byte* out,
     word32 sz, const byte* i, byte* key, byte* key2, byte* tmp, int nr);
 #endif /* WOLFSSL_AES_XTS */
-#else
-WOLFSSL_LOCAL void AES_set_encrypt_key(const unsigned char* key, word32 len,
-    unsigned char* ks);
-WOLFSSL_LOCAL void AES_invert_key(unsigned char* ks, word32 rounds);
-WOLFSSL_LOCAL void AES_ECB_encrypt(const unsigned char* in, unsigned char* out,
-    unsigned long len, const unsigned char* ks, int nr);
-WOLFSSL_LOCAL void AES_ECB_decrypt(const unsigned char* in, unsigned char* out,
-    unsigned long len, const unsigned char* ks, int nr);
-WOLFSSL_LOCAL void AES_CBC_encrypt(const unsigned char* in, unsigned char* out,
-    unsigned long len, const unsigned char* ks, int nr, unsigned char* iv);
-WOLFSSL_LOCAL void AES_CBC_decrypt(const unsigned char* in, unsigned char* out,
-    unsigned long len, const unsigned char* ks, int nr, unsigned char* iv);
-WOLFSSL_LOCAL void AES_CTR_encrypt(const unsigned char* in, unsigned char* out,
-    unsigned long len, const unsigned char* ks, int nr, unsigned char* ctr);
-#if defined(GCM_TABLE) || defined(GCM_TABLE_4BIT)
-/* in pre-C2x C, constness conflicts for dimensioned arrays can't be resolved.
- */
-WOLFSSL_LOCAL void GCM_gmult_len(byte* x, const byte** m,
-    const unsigned char* data, unsigned long len);
-#endif
-WOLFSSL_LOCAL void AES_GCM_encrypt(const unsigned char* in, unsigned char* out,
-    unsigned long len, const unsigned char* ks, int nr, unsigned char* ctr);
-#endif /* !WOLFSSL_ARMASM_NO_HW_CRYPTO */
-#endif
+#endif /* !__aarch64__ && !WOLFSSL_ARMASM_NO_HW_CRYPTO */
+#endif /* WOLFSSL_ARMASM */
 
 #ifdef __cplusplus
     } /* extern "C" */

wolfssl/wolfcrypt/hmac.h

@@ -66,8 +66,9 @@
 #define WC_HMAC_INNER_HASH_KEYED_DEV    2
 
 enum {
-    HMAC_FIPS_MIN_KEY = 14,   /* 112 bit key length minimum */
-
+    HMAC_FIPS_MIN_KEY = 14,   /* 112 bit key length minimum. Note that this
+                               * minimum also applies to the salt length for
+                               * HKDF. */
     IPAD    = 0x36,
     OPAD    = 0x5C,
 

wolfssl/wolfcrypt/wc_port.h

@@ -95,8 +95,8 @@
     #elif defined(__WATCOMC__)
           /* Watcom macro needs to expand to something, here just a comment: */
           #define WC_DEPRECATED(msg) /* null expansion */
-    #elif defined(_MSC_VER) || defined(__MINGW32__) || defined(__CYGWIN__) || \
-          defined(_WIN32_WCE)
+    #elif (defined(_MSC_VER) && _MSC_VER >= 1400) || defined(__MINGW32__) || \
+          defined(__CYGWIN__) || defined(_WIN32_WCE)
         #define WC_DEPRECATED(msg) __declspec(deprecated(msg))
     #elif (defined(__GNUC__) && (__GNUC__ >= 4)) || \
           defined(__IAR_SYSTEMS_ICC__)

wrapper/rust/wolfssl/src/wolfcrypt/ecc.rs

@@ -124,8 +124,8 @@ impl ECCPoint {
     /// let mut ecc = ECC::generate_ex(curve_size, &mut rng, curve_id, None, None).expect("Error with generate()");
     /// let ecc_point = ecc.make_pub_to_point(Some(&mut rng), None).expect("Error with make_pub_to_point()");
     /// let mut der = [0u8; 128];
-    /// let size = ecc_point.export_der_compressed(&mut der, curve_id).expect("Error with export_der_compressed()");
-    /// ECCPoint::import_der_ex(&der[0..size], curve_id, 1, None).expect("Error with import_der_ex()");
+    /// let size = ecc_point.export_der(&mut der, curve_id).expect("Error with export_der()");
+    /// ECCPoint::import_der_ex(&der[0..size], curve_id, 0, None).expect("Error with import_der_ex()");
     /// }
     /// ```
     #[cfg(ecc_import)]
@@ -227,7 +227,6 @@ impl ECCPoint {
     /// let ecc_point = ecc.make_pub_to_point(Some(&mut rng), None).expect("Error with make_pub_to_point()");
     /// let mut der = [0u8; 128];
     /// let size = ecc_point.export_der_compressed(&mut der, curve_id).expect("Error with export_der_compressed()");
-    /// ECCPoint::import_der_ex(&der[0..size], curve_id, 1, None).expect("Error with import_der_ex()");
     /// }
     /// ```
     #[cfg(all(ecc_export, ecc_comp_key))]

wrapper/rust/wolfssl/tests/test_ecc.rs

@@ -312,7 +312,6 @@ fn test_ecc_point_import_compressed() {
     let mut ecc_point = ecc.make_pub_to_point(Some(&mut rng), None).expect("Error with make_pub_to_point()");
     let mut der = [0u8; 128];
     let size = ecc_point.export_der_compressed(&mut der, curve_id).expect("Error with export_der_compressed()");
-    ECCPoint::import_der_ex(&der[0..size], curve_id, 1, None).expect("Error with import_der_ex()");
     ecc_point.forcezero();
 }