wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 02:37:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

ASN.1 Additions for FPKI/CAC

Browse Source 
1. Add some OIDs used in the Federal PKI Policy Authority standard.
2. Added the SubjectDirectoryAttributes extension to certificate
   parsing. (limited to country of citizenship)
3. Rename constant label SUBJECT_INFO_ACCESS to SUBJ_INFO_ACC_OID
4. Added the SubjectInfoAccess extension to certificate parsing.
   (limited to one URL)
5. Add the SSH extended key usage flags.
6. Use some of the template changes on the new certificate items.
This commit is contained in:
John Safranek
2022-05-19 14:25:49 -07:00
committed by JacobBarthelmeh
parent b5d65b9579
commit 62cb2b4ca9
3 changed files with 373 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/x509.c
View File

@ -2198,7 +2198,7 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c,
WOLFSSL_MSG("Private Key Usage Period extension not supported");
break;
case SUBJECT_INFO_ACCESS:
case SUBJ_INFO_ACC_OID:
WOLFSSL_MSG("Subject Info Access extension not supported");
break;

305
wolfcrypt/src/asn.c
View File

@ -80,6 +80,9 @@ ASN Options:
extensions
* WOLFSSL_HAVE_ISSUER_NAMES: Store pointers to issuer name components and their
lengths and encodings.
* WOLFSSL_SUBJ_DIR_ATTR: Enable support for SubjectDirectoryAttributes
extension.
* WOLFSSL_SUBJ_INFO_ACC: Enable support for SubjectInfoAccess extension.
*/
#ifndef NO_ASN
@ -4053,13 +4056,33 @@ static const byte extExtKeyUsageOid[] = {85, 29, 37};
#ifdef HAVE_CRL
static const byte extCrlNumberOid[] = {85, 29, 20};
#endif
#ifdef WOLFSSL_SUBJ_DIR_ATTR
static const byte extSubjDirAttrOid[] = {85, 29, 9};
#endif
#ifdef WOLFSSL_SUBJ_INFO_ACC
static const byte extSubjInfoAccessOid[] = {43, 6, 1, 5, 5, 7, 1, 11};
#endif
/* certAuthInfoType */
static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1};
static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2};
#ifdef WOLFSSL_SUBJ_INFO_ACC
static const byte extAuthInfoCaRespOid[] = {43, 6, 1, 5, 5, 7, 48, 5};
#endif /* WOLFSSL_SUBJ_INFO_ACC */
/* certPolicyType */
static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
#ifdef WOLFSSL_FPKI
#define CERT_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 3, num}
static const byte extCertPolicyFpkiCommonAuthOid[] =
CERT_POLICY_TYPE_OID_BASE(13);
static const byte extCertPolicyFpkiPivAuthOid[] =
CERT_POLICY_TYPE_OID_BASE(40);
static const byte extCertPolicyFpkiPivAuthHwOid[] =
CERT_POLICY_TYPE_OID_BASE(41);
static const byte extCertPolicyFpkiPiviAuthOid[] =
CERT_POLICY_TYPE_OID_BASE(45);
#endif /* WOLFSSL_FPKI */
/* certAltNameType */
static const byte extAltNamesHwNameOid[] = {43, 6, 1, 5, 5, 7, 8, 4};
@ -4072,6 +4095,25 @@ static const byte extExtKeyUsageCodeSigningOid[] = {43, 6, 1, 5, 5, 7, 3, 3};
static const byte extExtKeyUsageEmailProtectOid[] = {43, 6, 1, 5, 5, 7, 3, 4};
static const byte extExtKeyUsageTimestampOid[] = {43, 6, 1, 5, 5, 7, 3, 8};
static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9};
#ifdef WOLFSSL_WOLFSSH
#define EXT_KEY_USAGE_OID_BASE(num) {43, 6, 1, 5, 5, 7, 3, num}
static const byte extExtKeyUsageSshClientAuthOid[] =
EXT_KEY_USAGE_OID_BASE(21);
static const byte extExtKeyUsageSshMSCLOid[] =
{43, 6, 1, 4, 1, 130, 55, 20, 2, 2};
static const byte extExtKeyUsageSshKpClientAuthOid[] =
{43, 6, 1, 5, 2, 3, 4};
#endif /* WOLFSSL_WOLFSSH */
#ifdef WOLFSSL_SUBJ_DIR_ATTR
#define SUBJ_DIR_ATTR_TYPE_OID_BASE(num) {43, 6, 1, 5, 5, 7, 9, num}
static const byte extSubjDirAttrDobOid[] = SUBJ_DIR_ATTR_TYPE_OID_BASE(1);
static const byte extSubjDirAttrPobOid[] = SUBJ_DIR_ATTR_TYPE_OID_BASE(2);
static const byte extSubjDirAttrGenderOid[] =
SUBJ_DIR_ATTR_TYPE_OID_BASE(3);
static const byte extSubjDirAttrCocOid[] = SUBJ_DIR_ATTR_TYPE_OID_BASE(4);
static const byte extSubjDirAttrCorOid[] = SUBJ_DIR_ATTR_TYPE_OID_BASE(5);
#endif
#if defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN) || \
defined(WOLFSSL_ASN_TEMPLATE) || defined(OPENSSL_EXTRA) || \
@ -4627,6 +4669,18 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = ocspNoCheckOid;
*oidSz = sizeof(ocspNoCheckOid);
break;
#endif
#ifdef WOLFSSL_SUBJ_DIR_ATTR
case SUBJ_DIR_ATTR_OID:
oid = extSubjDirAttrOid;
*oidSz = sizeof(extSubjDirAttrOid);
break;
#endif
#ifdef WOLFSSL_SUBJ_INFO_ACC
case SUBJ_INFO_ACC_OID:
oid = extSubjInfoAccessOid;
*oidSz = sizeof(extSubjInfoAccessOid);
break;
#endif
default:
break;
@ -4660,6 +4714,11 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extAuthInfoCaIssuerOid;
*oidSz = sizeof(extAuthInfoCaIssuerOid);
break;
#ifdef WOLFSSL_SUBJ_INFO_ACC
case AIA_CA_REPO_OID:
oid = extAuthInfoCaRespOid;
*oidSz = sizeof(extAuthInfoCaRespOid);
#endif /* WOLFSSL_SUBJ_INFO_ACC */
default:
break;
}
@ -4671,6 +4730,24 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyAnyOid;
*oidSz = sizeof(extCertPolicyAnyOid);
break;
#if defined(WOLFSSL_FPKI)
case CP_FPKI_COMMON_AUTH_OID:
oid = extCertPolicyFpkiCommonAuthOid;
*oidSz = sizeof(extCertPolicyFpkiCommonAuthOid);
break;
case CP_FPKI_PIV_AUTH_OID:
oid = extCertPolicyFpkiPivAuthOid;
*oidSz = sizeof(extCertPolicyFpkiPivAuthOid);
break;
case CP_FPKI_PIV_AUTH_HW_OID:
oid = extCertPolicyFpkiPivAuthHwOid;
*oidSz = sizeof(extCertPolicyFpkiPivAuthHwOid);
break;
case CP_FPKI_PIVI_AUTH_OID:
oid = extCertPolicyFpkiPiviAuthOid;
*oidSz = sizeof(extCertPolicyFpkiPiviAuthOid);
break;
#endif /* WOLFSSL_FPKI */
default:
break;
}
@ -4717,6 +4794,20 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extExtKeyUsageOcspSignOid;
*oidSz = sizeof(extExtKeyUsageOcspSignOid);
break;
#ifdef WOLFSSL_WOLFSSH
case EKU_SSH_CLIENT_AUTH_OID:
oid = extExtKeyUsageSshClientAuthOid;
*oidSz = sizeof(extExtKeyUsageSshClientAuthOid);
break;
case EKU_SSH_MSCL_OID:
oid = extExtKeyUsageSshMSCLOid;
*oidSz = sizeof(extExtKeyUsageSshMSCLOid);
break;
case EKU_SSH_KP_CLIENT_AUTH_OID:
oid = extExtKeyUsageSshKpClientAuthOid;
*oidSz = sizeof(extExtKeyUsageSshKpClientAuthOid);
break;
#endif /* WOLFSSL_WOLFSSH */
default:
break;
}
@ -4942,6 +5033,34 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
}
break;
#endif
#ifdef WOLFSSL_SUBJ_DIR_ATTR
case oidSubjDirAttrType:
switch (id) {
case SDA_DOB_OID:
oid = extSubjDirAttrDobOid;
*oidSz = sizeof(extSubjDirAttrDobOid);
break;
case SDA_POB_OID:
oid = extSubjDirAttrPobOid;
*oidSz = sizeof(extSubjDirAttrPobOid);
break;
case SDA_GENDER_OID:
oid = extSubjDirAttrGenderOid;
*oidSz = sizeof(extSubjDirAttrGenderOid);
break;
case SDA_COC_OID:
oid = extSubjDirAttrCocOid;
*oidSz = sizeof(extSubjDirAttrCocOid);
break;
case SDA_COR_OID:
oid = extSubjDirAttrCorOid;
*oidSz = sizeof(extSubjDirAttrCorOid);
break;
default:
break;
}
break;
#endif /* WOLFSSL_SUBJ_DIR_ATTR */
case oidIgnoreType:
default:
break;
@ -15961,6 +16080,17 @@ static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert)
case EKU_OCSP_SIGN_OID:
cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN;
break;
#ifdef WOLFSSL_WOLFSSH
case EKU_SSH_CLIENT_AUTH_OID:
cert->extExtKeyUsageSsh |= EXTKEYUSE_SSH_CLIENT_AUTH;
break;
case EKU_SSH_MSCL_OID:
cert->extExtKeyUsageSsh |= EXTKEYUSE_SSH_MSCL;
break;
case EKU_SSH_KP_CLIENT_AUTH_OID:
cert->extExtKeyUsageSsh |= EXTKEYUSE_SSH_KP_CLIENT_AUTH;
break;
#endif /* WOLFSSL_WOLFSSH */
default:
break;
}
@ -16696,6 +16826,163 @@ exit:
}
#endif /* WOLFSSL_SEP */
#ifdef WOLFSSL_SUBJ_DIR_ATTR
/* Decode subject directory attributes extension in a certificate.
*
* X.509: RFC 5280, 4.2.1.8 - Subject Directory Attributes.
*
* @param [in] input Buffer holding data.
* @param [in] sz Size of data in buffer.
* @param [in, out] cert Certificate object.
* @return 0 on success.
* @return ASN_PARSE_E when BER encoded data does not match ASN.1 items or
* is invalid.
*/
static int DecodeSubjDirAttr(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
int length = 0;
int ret = 0;
WOLFSSL_ENTER("DecodeSubjDirAttr");
#ifdef OPENSSL_ALL
cert->extSubjDirAttrSrc = input;
cert->extSubjDirAttrSz = sz;
#endif /* OPENSSL_ALL */
/* Unwrap the list of Attributes */
if (GetSequence(input, &idx, &length, sz) < 0)
return ASN_PARSE_E;
if (length == 0) {
/* RFC 5280 4.2.1.8. Subject Directory Attributes
If the subjectDirectoryAttributes extension is present, the
sequence MUST contain at least one entry. */
return ASN_PARSE_E;
}
/* length is the length of the list contents */
while (idx < (word32)sz) {
word32 oid;
if (GetSequence(input, &idx, &length, sz) < 0)
return ASN_PARSE_E;
if (GetObjectId(input, &idx, &oid, oidSubjDirAttrType, sz) < 0)
return ASN_PARSE_E;
if (GetSet(input, &idx, &length, sz) < 0)
return ASN_PARSE_E;
/* There may be more than one countryOfCitizenship, but save the
* first one for now. */
if (oid == SDA_COC_OID) {
byte tag;
if (GetHeader(input, &tag, &idx, &length, sz, 1) < 0)
return ASN_PARSE_E;
if (length != COUNTRY_CODE_LEN)
return ASN_PARSE_E;
if (tag == ASN_PRINTABLE_STRING) {
XMEMCPY(cert->countryOfCitizenship,
input + idx, COUNTRY_CODE_LEN);
cert->countryOfCitizenship[COUNTRY_CODE_LEN] = 0;
}
}
idx += length;
}
return ret;
}
#endif /* WOLFSSL_SUBJ_DIR_ATTR */
#ifdef WOLFSSL_SUBJ_INFO_ACC
/* Decode subject infomation access extension in a certificate.
*
* X.509: RFC 5280, 4.2.2.2 - Subject Information Access.
*
* @param [in] input Buffer holding data.
* @param [in] sz Size of data in buffer.
* @param [in, out] cert Certificate object.
* @return 0 on success.
* @return ASN_BITSTR_E when the expected BIT_STRING tag is not found.
* @return ASN_PARSE_E when BER encoded data does not match ASN.1 items or
* is invalid.
* @return MEMORY_E on dynamic memory allocation failure.
*/
static int DecodeSubjInfoAcc(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
int length = 0;
int ret = 0;
WOLFSSL_ENTER("DecodeSubjInfoAcc");
#ifdef OPENSSL_ALL
cert->extSubjAltNameSrc = input;
cert->extSubjAltNameSz = sz;
#endif /* OPENSSL_ALL */
/* Unwrap SubjectInfoAccessSyntax, the list of AccessDescriptions */
if (GetSequence(input, &idx, &length, sz) < 0)
return ASN_PARSE_E;
if (length == 0) {
/* RFC 5280 4.2.2.2. Subject Information Access
If the subjectInformationAccess extension is present, the
sequence MUST contain at least one entry. */
return ASN_PARSE_E;
}
/* Per fpkx-x509-cert-profile-common... section 5.3.
* [The] subjectInfoAccess extension must contain at least one
* instance of the id-ad-caRepository access method containing a
* publicly accessible HTTP URI which returns as certs-only
* CMS.
*/
while (idx < (word32)sz) {
word32 oid;
byte b;
/* Unwrap an AccessDescription */
if (GetSequence(input, &idx, &length, sz) < 0)
return ASN_PARSE_E;
/* Get the accessMethod */
if (GetObjectId(input, &idx, &oid, oidCertAuthInfoType, sz) < 0)
return ASN_PARSE_E;
/* Only supporting URIs right now. */
if (GetASNTag(input, &idx, &b, sz) < 0)
return ASN_PARSE_E;
if (GetLength(input, &idx, &length, sz) < 0)
return ASN_PARSE_E;
/* Set ocsp entry */
if (b == GENERALNAME_URI && oid == AIA_OCSP_OID) {
cert->extSubjInfoAccCaRepoSz = length;
cert->extSubjInfoAccCaRepo = input + idx;
break;
}
idx += length;
}
if (cert->extSubjInfoAccCaRepo == NULL ||
cert->extSubjInfoAccCaRepoSz == 0) {
WOLFSSL_MSG("SubjectInfoAccess missing an URL.");
ret = ASN_PARSE_E;
}
WOLFSSL_LEAVE("DecodeSubjInfoAcc", ret);
return ret;
}
#endif /* WOLFSSL_SUBJ_INFO_ACC */
/* Macro to check if bit is set, if not sets and return success.
Otherwise returns failure */
/* Macro required here because bit-field operation */
@ -16726,13 +17013,13 @@ exit:
* Inhibit anyPolicy - INHIBIT_ANY_OID
* Netscape Certificate Type - NETSCAPE_CT_OID (able to be excluded)
* OCSP no check - OCSP_NOCHECK_OID (when compiling OCSP)
* Subject Directory Attributes - SUBJ_DIR_ATTR_OID
* Subject Information Access - SUBJ_INFO_ACC_OID
* Unsupported extensions from RFC 5280:
* 4.2.1.5 - Policy mappings
* 4.2.1.7 - Issuer Alternative Name
* 4.2.1.8 - Subject Directory Attributes
* 4.2.1.11 - Policy Constraints
* 4.2.1.15 - Freshest CRL
* 4.2.2.2 - Subject Information Access
*
* @param [in] input Buffer containing extension type specific data.
* @param [in] length Length of data.
@ -16916,6 +17203,20 @@ static int DecodeExtensionType(const byte* input, int length, word32 oid,
if (DecodePolicyConstraints(&input[idx], length, cert) < 0)
return ASN_PARSE_E;
break;
#ifdef WOLFSSL_SUBJ_DIR_ATTR
case SUBJ_DIR_ATTR_OID:
VERIFY_AND_SET_OID(cert->extSubjDirAttrSet);
if (DecodeSubjDirAttr(&input[idx], length, cert) < 0)
return ASN_PARSE_E;
break;
#endif
#ifdef WOLFSSL_SUBJ_INFO_ACC
case SUBJ_INFO_ACC_OID:
VERIFY_AND_SET_OID(cert->extSubjInfoAccSet);
if (DecodeSubjInfoAcc(&input[idx], length, cert) < 0)
return ASN_PARSE_E;
break;
#endif
default:
if (isUnknownExt != NULL)
*isUnknownExt = 1;

74
wolfssl/wolfcrypt/asn.h
View File

@ -974,6 +974,8 @@ enum Misc_ASN {
PEM_LINE_SZ = 64, /* Length of Base64 encoded line, not including new line */
PEM_LINE_LEN = PEM_LINE_SZ + 12, /* PEM line max + fudge */
COUNTRY_CODE_LEN = 2, /* RFC 3739 */
};
#ifndef WC_MAX_NAME_ENTRIES
@ -1009,6 +1011,9 @@ enum Oid_Types {
oidTlsExtType = 18,
oidCrlExtType = 19,
oidCsrAttrType = 20,
#ifdef WOLFSSL_SUBJ_DIR_ATTR
oidSubjDirAttrType = 21,
#endif
oidIgnoreType
};
@ -1128,7 +1133,7 @@ enum Extensions_Sum {
EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */
NAME_CONS_OID = 144, /* 2.5.29.30 */
PRIV_KEY_USAGE_PERIOD_OID = 130, /* 2.5.29.16 */
SUBJECT_INFO_ACCESS = 79, /* 1.3.6.1.5.5.7.1.11 */
SUBJ_INFO_ACC_OID = 79, /* 1.3.6.1.5.5.7.1.11 */
POLICY_MAP_OID = 147, /* 2.5.29.33 */
POLICY_CONST_OID = 150, /* 2.5.29.36 */
ISSUE_ALT_NAMES_OID = 132, /* 2.5.29.18 */
@ -1136,13 +1141,20 @@ enum Extensions_Sum {
NETSCAPE_CT_OID = 753, /* 2.16.840.1.113730.1.1 */
OCSP_NOCHECK_OID = 121, /* 1.3.6.1.5.5.7.48.1.5
id-pkix-ocsp-nocheck */
SUBJ_DIR_ATTR_OID = 123, /* 2.5.29.9 */
AKEY_PACKAGE_OID = 1048 /* 2.16.840.1.101.2.1.2.78.5
RFC 5958 - Asymmetric Key Packages */
};
enum CertificatePolicy_Sum {
CP_ANY_OID = 146 /* id-ce 32 0 */
CP_ANY_OID = 146, /* id-ce 32 0 */
#ifdef WOLFSSL_FPKI
CP_FPKI_COMMON_AUTH_OID = 426, /* 2.16.840.1.101.3.2.1.3.13 */
CP_FPKI_PIV_AUTH_OID = 453, /* 2.16.840.1.101.3.2.1.3.40 */
CP_FPKI_PIV_AUTH_HW_OID = 454, /* 2.16.840.1.101.3.2.1.3.41 */
CP_FPKI_PIVI_AUTH_OID = 458 /* 2.16.840.1.101.3.2.1.3.45 */
#endif /* WOLFSSL_FPKI */
};
enum SepHardwareName_Sum {
@ -1150,10 +1162,15 @@ enum SepHardwareName_Sum {
};
enum AuthInfo_Sum {
AIA_OCSP_OID = 116, /* 1.3.6.1.5.5.7.48.1 */
AIA_CA_ISSUER_OID = 117 /* 1.3.6.1.5.5.7.48.2 */
AIA_OCSP_OID = 116, /* 1.3.6.1.5.5.7.48.1, id-ad-ocsp */
AIA_CA_ISSUER_OID = 117, /* 1.3.6.1.5.5.7.48.2, id-ad-caIssuers */
#ifdef WOLFSSL_SUBJ_INFO_ACC
AIA_CA_REPO_OID = 120 /* 1.3.6.1.5.5.7.48.5, id-ad-caRepository */
#endif /* WOLFSSL_SUBJ_INFO_ACC */
};
#define ID_PKIX(num) (67+(num)) /* 1.3.6.1.5.5.7.num, id-pkix num */
#define ID_KP(num) (ID_PKIX(3)+(num)) /* 1.3.6.1.5.5.7.3.num, id-kp num */
enum ExtKeyUsage_Sum { /* From RFC 5280 */
EKU_ANY_OID = 151, /* 2.5.29.37.0, anyExtendedKeyUsage */
EKU_SERVER_AUTH_OID = 71, /* 1.3.6.1.5.5.7.3.1, id-kp-serverAuth */
@ -1161,9 +1178,27 @@ enum ExtKeyUsage_Sum { /* From RFC 5280 */
EKU_CODESIGNING_OID = 73, /* 1.3.6.1.5.5.7.3.3, id-kp-codeSigning */
EKU_EMAILPROTECT_OID = 74, /* 1.3.6.1.5.5.7.3.4, id-kp-emailProtection */
EKU_TIMESTAMP_OID = 78, /* 1.3.6.1.5.5.7.3.8, id-kp-timeStamping */
EKU_OCSP_SIGN_OID = 79 /* 1.3.6.1.5.5.7.3.9, id-kp-OCSPSigning */
EKU_OCSP_SIGN_OID = 79, /* 1.3.6.1.5.5.7.3.9, id-kp-OCSPSigning */
/* From RFC 6187: X.509v3 Certificates for Secure Shell Authenticaiton */
EKU_SSH_CLIENT_AUTH_OID = ID_KP(21), /* id-kp-secureShellClient */
EKU_SSH_MSCL_OID = 264,
/* 1.3.6.1.4.1.311.20.2.2, MS Smart Card Logon */
EKU_SSH_KP_CLIENT_AUTH_OID = 64
/* 1.3.6.1.5.2.3.4, id-pkinit-KPClientAuth*/
};
#ifdef WOLFSSL_SUBJ_DIR_ATTR
#define ID_PDA(num) (ID_PKIX(9)+(num)) /* 1.3.6.1.5.5.7.9.num, id-pda num */
enum SubjDirAttr_Sum { /* From RFC 3739, section 3.3.2 */
SDA_DOB_OID = ID_PDA(1), /* id-pda-dateOfBirth */
SDA_POB_OID = ID_PDA(2), /* id-pda-placeOfBirth */
SDA_GENDER_OID = ID_PDA(3), /* id-pda-gender */
SDA_COC_OID = ID_PDA(4), /* id-pda-countryOfCitizenship */
SDA_COR_OID = ID_PDA(5) /* id-pda-countryOfResidence */
};
#endif /* WOLFSSL_SUBJ_DIR_ATTR */
#ifdef HAVE_LIBZ
enum CompressAlg_Sum {
ZLIBc = 679 /* 1.2.840.113549.1.9.16.3.8, id-alg-zlibCompress */
@ -1218,6 +1253,11 @@ enum CsrAttrType {
#define EXTKEYUSE_CLIENT_AUTH 0x04
#define EXTKEYUSE_SERVER_AUTH 0x02
#define EXTKEYUSE_ANY 0x01
#ifdef WOLFSSL_WOLFSSH
#define EXTKEYUSE_SSH_CLIENT_AUTH 0x01
#define EXTKEYUSE_SSH_MSCL 0x02
#define EXTKEYUSE_SSH_KP_CLIENT_AUTH 0x04
#endif /* WOLFSSL_WOLFSSH */
#define WC_NS_SSL_CLIENT 0x80
#define WC_NS_SSL_SERVER 0x40
@ -1530,6 +1570,9 @@ struct DecodedCert {
byte policyConstSkip; /* Policy Constraints skip certs value */
word16 extKeyUsage; /* Key usage bitfield */
byte extExtKeyUsage; /* Extended Key usage bitfield */
#ifdef WOLFSSL_WOLFSSH
byte extExtKeyUsageSsh; /* Extended Key Usage bitfield for SSH */
#endif /* WOLFSSL_WOLFSSH */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
const byte* extExtKeyUsageSrc;
@ -1548,6 +1591,21 @@ struct DecodedCert {
const byte* extSubjAltNameSrc;
word32 extSubjAltNameSz;
#endif
#ifdef WOLFSSL_SUBJ_DIR_ATTR
char countryOfCitizenship[COUNTRY_CODE_LEN+1]; /* ISO 3166 Country Code */
#ifdef OPENSSL_ALL
const byte* extSubjDirAttrSrc;
word32 extSubjDirAttrSz;
#endif
#endif /* WOLFSSL_SUBJ_DIR_ATTR */
#ifdef WOLFSSL_SUBJ_INFO_ACC
const byte* extSubjInfoAccCaRepo;
word32 extSubjInfoAccCaRepoSz;
#ifdef OPENSSL_ALL
const byte* extSubjInfoAccSrc;
word32 extSubjInfoAccSz;
#endif
#endif /* WOLFSSL_SUBJ_INFO_ACC */
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
word32 pkCurveOID; /* Public Key's curve OID */
@ -1717,6 +1775,12 @@ struct DecodedCert {
byte extSubjKeyIdCrit : 1;
byte extKeyUsageCrit : 1;
byte extExtKeyUsageCrit : 1;
#ifdef WOLFSSL_SUBJ_DIR_ATTR
byte extSubjDirAttrSet : 1;
#endif
#ifdef WOLFSSL_SUBJ_INFO_ACC
byte extSubjInfoAccSet : 1;
#endif
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
byte extCertPolicyCrit : 1;
#endif