diff --git a/src/x509.c b/src/x509.c index a117a4308..9a3ccb727 100644 --- a/src/x509.c +++ b/src/x509.c @@ -2198,7 +2198,7 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c, WOLFSSL_MSG("Private Key Usage Period extension not supported"); break; - case SUBJECT_INFO_ACCESS: + case SUBJ_INFO_ACC_OID: WOLFSSL_MSG("Subject Info Access extension not supported"); break; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index a84df1f52..8316c7828 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -80,6 +80,9 @@ ASN Options: extensions * WOLFSSL_HAVE_ISSUER_NAMES: Store pointers to issuer name components and their lengths and encodings. + * WOLFSSL_SUBJ_DIR_ATTR: Enable support for SubjectDirectoryAttributes + extension. + * WOLFSSL_SUBJ_INFO_ACC: Enable support for SubjectInfoAccess extension. */ #ifndef NO_ASN 
@@ -4053,13 +4056,33 @@ static const byte extExtKeyUsageOid[] = {85, 29, 37}; #ifdef HAVE_CRL static const byte extCrlNumberOid[] = {85, 29, 20}; #endif +#ifdef WOLFSSL_SUBJ_DIR_ATTR + static const byte extSubjDirAttrOid[] = {85, 29, 9}; +#endif +#ifdef WOLFSSL_SUBJ_INFO_ACC + static const byte extSubjInfoAccessOid[] = {43, 6, 1, 5, 5, 7, 1, 11}; +#endif /* certAuthInfoType */ static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1}; static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2}; +#ifdef WOLFSSL_SUBJ_INFO_ACC + static const byte extAuthInfoCaRespOid[] = {43, 6, 1, 5, 5, 7, 48, 5}; +#endif /* WOLFSSL_SUBJ_INFO_ACC */ /* certPolicyType */ static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; +#ifdef WOLFSSL_FPKI +#define CERT_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 3, num} + static const byte extCertPolicyFpkiCommonAuthOid[] = + CERT_POLICY_TYPE_OID_BASE(13); + static const byte extCertPolicyFpkiPivAuthOid[] = + CERT_POLICY_TYPE_OID_BASE(40); + static const byte extCertPolicyFpkiPivAuthHwOid[] = + CERT_POLICY_TYPE_OID_BASE(41); + static const byte extCertPolicyFpkiPiviAuthOid[] = + CERT_POLICY_TYPE_OID_BASE(45); +#endif /* WOLFSSL_FPKI */ /* certAltNameType */ static const byte extAltNamesHwNameOid[] = {43, 6, 1, 5, 5, 7, 8, 4}; 
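Review bot: The table entry `extAuthInfoCaRespOid` for 1.3.6.1.5.5.7.48.5 reads as "CA response", while the OID it encodes is id-ad-caRepository and the enum it is paired with in asn.h is `AIA_CA_REPO_OID`; renaming it `extAuthInfoCaRepoOid` would keep it consistent with `extAuthInfoOcspOid` / `extAuthInfoCaIssuerOid` and avoid the misreading in OidFromId. The byte sequences themselves look right against the dotted forms given in the header comments (e.g. `{43, 6, 1, 5, 5, 7, 48, 5}` for 48.5, and the `CERT_POLICY_TYPE_OID_BASE` entries for 2.16.840.1.101.3.2.1.3.N). A one-line comment naming the RFC 5280 accessMethod next to the constant, `/* id-ad-caRepository, RFC 5280 4.2.2.2 */`, would make the intent explicit.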
@@ -4072,6 +4095,25 @@ static const byte extExtKeyUsageCodeSigningOid[] = {43, 6, 1, 5, 5, 7, 3, 3}; static const byte extExtKeyUsageEmailProtectOid[] = {43, 6, 1, 5, 5, 7, 3, 4}; static const byte extExtKeyUsageTimestampOid[] = {43, 6, 1, 5, 5, 7, 3, 8}; static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9}; +#ifdef WOLFSSL_WOLFSSH +#define EXT_KEY_USAGE_OID_BASE(num) {43, 6, 1, 5, 5, 7, 3, num} + static const byte extExtKeyUsageSshClientAuthOid[] = + EXT_KEY_USAGE_OID_BASE(21); + static const byte extExtKeyUsageSshMSCLOid[] = + {43, 6, 1, 4, 1, 130, 55, 20, 2, 2}; + static const byte extExtKeyUsageSshKpClientAuthOid[] = + {43, 6, 1, 5, 2, 3, 4}; +#endif /* WOLFSSL_WOLFSSH */ + +#ifdef WOLFSSL_SUBJ_DIR_ATTR +#define SUBJ_DIR_ATTR_TYPE_OID_BASE(num) {43, 6, 1, 5, 5, 7, 9, num} + static const byte extSubjDirAttrDobOid[] = SUBJ_DIR_ATTR_TYPE_OID_BASE(1); + static const byte extSubjDirAttrPobOid[] = SUBJ_DIR_ATTR_TYPE_OID_BASE(2); + static const byte extSubjDirAttrGenderOid[] = + SUBJ_DIR_ATTR_TYPE_OID_BASE(3); + static const byte extSubjDirAttrCocOid[] = SUBJ_DIR_ATTR_TYPE_OID_BASE(4); + static const byte extSubjDirAttrCorOid[] = SUBJ_DIR_ATTR_TYPE_OID_BASE(5); +#endif #if defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN) || \ defined(WOLFSSL_ASN_TEMPLATE) || defined(OPENSSL_EXTRA) || \ @@ -4627,6 +4669,18 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = ocspNoCheckOid; *oidSz = sizeof(ocspNoCheckOid); break; + #endif + #ifdef WOLFSSL_SUBJ_DIR_ATTR + case SUBJ_DIR_ATTR_OID: + oid = extSubjDirAttrOid; + *oidSz = sizeof(extSubjDirAttrOid); + break; + #endif + #ifdef WOLFSSL_SUBJ_INFO_ACC + case SUBJ_INFO_ACC_OID: + oid = extSubjInfoAccessOid; + *oidSz = sizeof(extSubjInfoAccessOid); + break; #endif default: break; 
@@ -4660,6 +4714,11 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extAuthInfoCaIssuerOid; *oidSz = sizeof(extAuthInfoCaIssuerOid); break; + #ifdef WOLFSSL_SUBJ_INFO_ACC + case AIA_CA_REPO_OID: + oid = extAuthInfoCaRespOid; + *oidSz = sizeof(extAuthInfoCaRespOid); + #endif /* WOLFSSL_SUBJ_INFO_ACC */ default: break; } @@ -4671,6 +4730,24 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extCertPolicyAnyOid; *oidSz = sizeof(extCertPolicyAnyOid); break; + #if defined(WOLFSSL_FPKI) + case CP_FPKI_COMMON_AUTH_OID: + oid = extCertPolicyFpkiCommonAuthOid; + *oidSz = sizeof(extCertPolicyFpkiCommonAuthOid); + break; + case CP_FPKI_PIV_AUTH_OID: + oid = extCertPolicyFpkiPivAuthOid; + *oidSz = sizeof(extCertPolicyFpkiPivAuthOid); + break; + case CP_FPKI_PIV_AUTH_HW_OID: + oid = extCertPolicyFpkiPivAuthHwOid; + *oidSz = sizeof(extCertPolicyFpkiPivAuthHwOid); + break; + case CP_FPKI_PIVI_AUTH_OID: + oid = extCertPolicyFpkiPiviAuthOid; + *oidSz = sizeof(extCertPolicyFpkiPiviAuthOid); + break; + #endif /* WOLFSSL_FPKI */ default: break; } @@ -4717,6 +4794,20 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) oid = extExtKeyUsageOcspSignOid; *oidSz = sizeof(extExtKeyUsageOcspSignOid); break; + #ifdef WOLFSSL_WOLFSSH + case EKU_SSH_CLIENT_AUTH_OID: + oid = extExtKeyUsageSshClientAuthOid; + *oidSz = sizeof(extExtKeyUsageSshClientAuthOid); + break; + case EKU_SSH_MSCL_OID: + oid = extExtKeyUsageSshMSCLOid; + *oidSz = sizeof(extExtKeyUsageSshMSCLOid); + break; + case EKU_SSH_KP_CLIENT_AUTH_OID: + oid = extExtKeyUsageSshKpClientAuthOid; + *oidSz = sizeof(extExtKeyUsageSshKpClientAuthOid); + break; + #endif /* WOLFSSL_WOLFSSH */ default: break; } 
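Review bot: The new `case AIA_CA_REPO_OID:` in the oidCertAuthInfoType branch of OidFromId sets `oid` and `*oidSz` but has no `break;` before the `#endif`, so it falls through into `default:`. That is harmless only because `default` does nothing but `break`; it is inconsistent with the `AIA_CA_ISSUER_OID` case directly above and will trip `-Wimplicit-fallthrough`, and any future logic placed in `default` would silently run for the caRepository OID. Add `break;` after `*oidSz = sizeof(extAuthInfoCaRespOid);`. OidFromId begins and ends outside this hunk.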
@@ -4942,6 +5033,34 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) } break; #endif +#ifdef WOLFSSL_SUBJ_DIR_ATTR + case oidSubjDirAttrType: + switch (id) { + case SDA_DOB_OID: + oid = extSubjDirAttrDobOid; + *oidSz = sizeof(extSubjDirAttrDobOid); + break; + case SDA_POB_OID: + oid = extSubjDirAttrPobOid; + *oidSz = sizeof(extSubjDirAttrPobOid); + break; + case SDA_GENDER_OID: + oid = extSubjDirAttrGenderOid; + *oidSz = sizeof(extSubjDirAttrGenderOid); + break; + case SDA_COC_OID: + oid = extSubjDirAttrCocOid; + *oidSz = sizeof(extSubjDirAttrCocOid); + break; + case SDA_COR_OID: + oid = extSubjDirAttrCorOid; + *oidSz = sizeof(extSubjDirAttrCorOid); + break; + default: + break; + } + break; +#endif /* WOLFSSL_SUBJ_DIR_ATTR */ case oidIgnoreType: default: break; @@ -15961,6 +16080,17 @@ static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert) case EKU_OCSP_SIGN_OID: cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN; break; + #ifdef WOLFSSL_WOLFSSH + case EKU_SSH_CLIENT_AUTH_OID: + cert->extExtKeyUsageSsh |= EXTKEYUSE_SSH_CLIENT_AUTH; + break; + case EKU_SSH_MSCL_OID: + cert->extExtKeyUsageSsh |= EXTKEYUSE_SSH_MSCL; + break; + case EKU_SSH_KP_CLIENT_AUTH_OID: + cert->extExtKeyUsageSsh |= EXTKEYUSE_SSH_KP_CLIENT_AUTH; + break; + #endif /* WOLFSSL_WOLFSSH */ default: break; } 
@@ -16696,6 +16826,163 @@ exit: } #endif /* WOLFSSL_SEP */ +#ifdef WOLFSSL_SUBJ_DIR_ATTR +/* Decode subject directory attributes extension in a certificate. + * + * X.509: RFC 5280, 4.2.1.8 - Subject Directory Attributes. + * + * @param [in] input Buffer holding data. + * @param [in] sz Size of data in buffer. + * @param [in, out] cert Certificate object. + * @return 0 on success. + * @return ASN_PARSE_E when BER encoded data does not match ASN.1 items or + * is invalid. + */ +static int DecodeSubjDirAttr(const byte* input, int sz, DecodedCert* cert) +{ + word32 idx = 0; + int length = 0; + int ret = 0; + + WOLFSSL_ENTER("DecodeSubjDirAttr"); + +#ifdef OPENSSL_ALL + cert->extSubjDirAttrSrc = input; + cert->extSubjDirAttrSz = sz; +#endif /* OPENSSL_ALL */ + + /* Unwrap the list of Attributes */ + if (GetSequence(input, &idx, &length, sz) < 0) + return ASN_PARSE_E; + + if (length == 0) { + /* RFC 5280 4.2.1.8. Subject Directory Attributes + If the subjectDirectoryAttributes extension is present, the + sequence MUST contain at least one entry. */ + return ASN_PARSE_E; + } + + /* length is the length of the list contents */ + while (idx < (word32)sz) { + word32 oid; + + if (GetSequence(input, &idx, &length, sz) < 0) + return ASN_PARSE_E; + + if (GetObjectId(input, &idx, &oid, oidSubjDirAttrType, sz) < 0) + return ASN_PARSE_E; + + if (GetSet(input, &idx, &length, sz) < 0) + return ASN_PARSE_E; + + /* There may be more than one countryOfCitizenship, but save the + * first one for now. 
*/ + if (oid == SDA_COC_OID) { + byte tag; + + if (GetHeader(input, &tag, &idx, &length, sz, 1) < 0) + return ASN_PARSE_E; + + if (length != COUNTRY_CODE_LEN) + return ASN_PARSE_E; + + if (tag == ASN_PRINTABLE_STRING) { + XMEMCPY(cert->countryOfCitizenship, + input + idx, COUNTRY_CODE_LEN); + cert->countryOfCitizenship[COUNTRY_CODE_LEN] = 0; + } + } + idx += length; + } + + return ret; +} +#endif /* WOLFSSL_SUBJ_DIR_ATTR */ + +#ifdef WOLFSSL_SUBJ_INFO_ACC +/* Decode subject infomation access extension in a certificate. + * + * X.509: RFC 5280, 4.2.2.2 - Subject Information Access. + * + * @param [in] input Buffer holding data. + * @param [in] sz Size of data in buffer. + * @param [in, out] cert Certificate object. + * @return 0 on success. + * @return ASN_BITSTR_E when the expected BIT_STRING tag is not found. + * @return ASN_PARSE_E when BER encoded data does not match ASN.1 items or + * is invalid. + * @return MEMORY_E on dynamic memory allocation failure. + */ +static int DecodeSubjInfoAcc(const byte* input, int sz, DecodedCert* cert) +{ + word32 idx = 0; + int length = 0; + int ret = 0; + + WOLFSSL_ENTER("DecodeSubjInfoAcc"); + +#ifdef OPENSSL_ALL + cert->extSubjAltNameSrc = input; + cert->extSubjAltNameSz = sz; +#endif /* OPENSSL_ALL */ + + /* Unwrap SubjectInfoAccessSyntax, the list of AccessDescriptions */ + if (GetSequence(input, &idx, &length, sz) < 0) + return ASN_PARSE_E; + + if (length == 0) { + /* RFC 5280 4.2.2.2. Subject Information Access + If the subjectInformationAccess extension is present, the + sequence MUST contain at least one entry. */ + return ASN_PARSE_E; + } + + /* Per fpkx-x509-cert-profile-common... section 5.3. + * [The] subjectInfoAccess extension must contain at least one + * instance of the id-ad-caRepository access method containing a + * publicly accessible HTTP URI which returns as certs-only + * CMS. 
+ */ + + while (idx < (word32)sz) { + word32 oid; + byte b; + + /* Unwrap an AccessDescription */ + if (GetSequence(input, &idx, &length, sz) < 0) + return ASN_PARSE_E; + + /* Get the accessMethod */ + if (GetObjectId(input, &idx, &oid, oidCertAuthInfoType, sz) < 0) + return ASN_PARSE_E; + + /* Only supporting URIs right now. */ + if (GetASNTag(input, &idx, &b, sz) < 0) + return ASN_PARSE_E; + + if (GetLength(input, &idx, &length, sz) < 0) + return ASN_PARSE_E; + + /* Set ocsp entry */ + if (b == GENERALNAME_URI && oid == AIA_OCSP_OID) { + cert->extSubjInfoAccCaRepoSz = length; + cert->extSubjInfoAccCaRepo = input + idx; + break; + } + idx += length; + } + + if (cert->extSubjInfoAccCaRepo == NULL || + cert->extSubjInfoAccCaRepoSz == 0) { + WOLFSSL_MSG("SubjectInfoAccess missing an URL."); + ret = ASN_PARSE_E; + } + + WOLFSSL_LEAVE("DecodeSubjInfoAcc", ret); + return ret; +} +#endif /* WOLFSSL_SUBJ_INFO_ACC */ + /* Macro to check if bit is set, if not sets and return success. Otherwise returns failure */ /* Macro required here because bit-field operation */ @@ -16726,13 +17013,13 @@ exit: * Inhibit anyPolicy - INHIBIT_ANY_OID * Netscape Certificate Type - NETSCAPE_CT_OID (able to be excluded) * OCSP no check - OCSP_NOCHECK_OID (when compiling OCSP) + * Subject Directory Attributes - SUBJ_DIR_ATTR_OID + * Subject Information Access - SUBJ_INFO_ACC_OID * Unsupported extensions from RFC 5280: * 4.2.1.5 - Policy mappings * 4.2.1.7 - Issuer Alternative Name - * 4.2.1.8 - Subject Directory Attributes * 4.2.1.11 - Policy Constraints * 4.2.1.15 - Freshest CRL - * 4.2.2.2 - Subject Information Access * * @param [in] input Buffer containing extension type specific data. * @param [in] length Length of data. 
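Review bot: Under `OPENSSL_ALL`, DecodeSubjInfoAcc stores the extension bytes in `cert->extSubjAltNameSrc` / `cert->extSubjAltNameSz`, which overwrites the SubjectAltName source pointer with SubjectInfoAccess data whenever SIA is decoded, even though this same change adds `extSubjInfoAccSrc` / `extSubjInfoAccSz` to DecodedCert for exactly this purpose; the two assignments should target the new fields. In the same function the loop keeps the first URI only when `oid == AIA_OCSP_OID` (under a "Set ocsp entry" comment) but stores it in `extSubjInfoAccCaRepo`, while the comment above cites the profile requirement for id-ad-caRepository and the header adds `AIA_CA_REPO_OID` for it, so as written a SIA that carries only a caRepository URI ends in "SubjectInfoAccess missing an URL" and the certificate fails to parse; the comparison appears to want `AIA_CA_REPO_OID`. In DecodeSubjDirAttr, after handling countryOfCitizenship the code does `idx += length` where `length` is now the inner string length, so `idx` lands on the second value of a multi-valued SET and the next iteration's GetSequence fails, contradicting the "save the first one" comment; record the SET end after GetSet and jump to it. The rewritten lines are below; everything else in the two functions is unchanged.
```c
static int DecodeSubjDirAttr(const byte* input, int sz, DecodedCert* cert)
{
    /* … unchanged: locals, OPENSSL_ALL source pointers, outer SEQUENCE … */
    while (idx < (word32)sz) {
        word32 oid;
        word32 setEnd;

        /* … unchanged: GetSequence, GetObjectId … */
        if (GetSet(input, &idx, &length, sz) < 0)
            return ASN_PARSE_E;
        setEnd = idx + (word32)length;

        if (oid == SDA_COC_OID) {
            /* … unchanged: GetHeader, length and tag checks, XMEMCPY … */
        }
        /* Skip the whole SET, not just the first value, so a multi-valued
         * attribute does not derail the next AttributeTypeAndValue. */
        idx = setEnd;
    }
    /* … unchanged … */
}

static int DecodeSubjInfoAcc(const byte* input, int sz, DecodedCert* cert)
{
    /* … unchanged: locals … */
#ifdef OPENSSL_ALL
    cert->extSubjInfoAccSrc = input;
    cert->extSubjInfoAccSz = sz;
#endif /* OPENSSL_ALL */
    /* … unchanged: outer SEQUENCE, loop, accessMethod, tag and length … */
        /* Keep the first id-ad-caRepository URI. */
        if (b == GENERALNAME_URI && oid == AIA_CA_REPO_OID) {
    /* … unchanged … */
}
```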
@@ -16916,6 +17203,20 @@ static int DecodeExtensionType(const byte* input, int length, word32 oid, if (DecodePolicyConstraints(&input[idx], length, cert) < 0) return ASN_PARSE_E; break; + #ifdef WOLFSSL_SUBJ_DIR_ATTR + case SUBJ_DIR_ATTR_OID: + VERIFY_AND_SET_OID(cert->extSubjDirAttrSet); + if (DecodeSubjDirAttr(&input[idx], length, cert) < 0) + return ASN_PARSE_E; + break; + #endif + #ifdef WOLFSSL_SUBJ_INFO_ACC + case SUBJ_INFO_ACC_OID: + VERIFY_AND_SET_OID(cert->extSubjInfoAccSet); + if (DecodeSubjInfoAcc(&input[idx], length, cert) < 0) + return ASN_PARSE_E; + break; + #endif default: if (isUnknownExt != NULL) *isUnknownExt = 1; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 97d154a0f..1a20e349b 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -974,6 +974,8 @@ enum Misc_ASN { PEM_LINE_SZ = 64, /* Length of Base64 encoded line, not including new line */ PEM_LINE_LEN = PEM_LINE_SZ + 12, /* PEM line max + fudge */ + + COUNTRY_CODE_LEN = 2, /* RFC 3739 */ }; #ifndef WC_MAX_NAME_ENTRIES @@ -1009,6 +1011,9 @@ enum Oid_Types { oidTlsExtType = 18, oidCrlExtType = 19, oidCsrAttrType = 20, +#ifdef WOLFSSL_SUBJ_DIR_ATTR + oidSubjDirAttrType = 21, +#endif oidIgnoreType }; @@ -1128,7 +1133,7 @@ enum Extensions_Sum { EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */ NAME_CONS_OID = 144, /* 2.5.29.30 */ PRIV_KEY_USAGE_PERIOD_OID = 130, /* 2.5.29.16 */ - SUBJECT_INFO_ACCESS = 79, /* 1.3.6.1.5.5.7.1.11 */ + SUBJ_INFO_ACC_OID = 79, /* 1.3.6.1.5.5.7.1.11 */ POLICY_MAP_OID = 147, /* 2.5.29.33 */ POLICY_CONST_OID = 150, /* 2.5.29.36 */ ISSUE_ALT_NAMES_OID = 132, /* 2.5.29.18 */ 
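Review bot: The new `SUBJ_INFO_ACC_OID` case turns any non-zero return from DecodeSubjInfoAcc into `ASN_PARSE_E` for the whole certificate, and that decoder (earlier in this diff) returns `ASN_PARSE_E` whenever the extension holds no URI of the expected accessMethod, so with `WOLFSSL_SUBJ_INFO_ACC` defined a certificate whose SIA is well-formed under RFC 5280 but carries, say, only a non-URI or timeStamping entry would no longer load at all. RFC 5280 only requires at least one AccessDescription, as the decoder's own comment notes; the "must contain a caRepository URI" rule is a profile requirement, which is better enforced by the caller that checks `extSubjInfoAccCaRepo != NULL` than by failing the parse. I would have DecodeSubjInfoAcc keep the `WOLFSSL_MSG` but leave `ret` at 0 in that branch, and document here that `extSubjInfoAccCaRepo` may be NULL after a successful parse. DecodeExtensionType begins before this hunk.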
@@ -1136,13 +1141,20 @@ enum Extensions_Sum { NETSCAPE_CT_OID = 753, /* 2.16.840.1.113730.1.1 */ OCSP_NOCHECK_OID = 121, /* 1.3.6.1.5.5.7.48.1.5 id-pkix-ocsp-nocheck */ + SUBJ_DIR_ATTR_OID = 123, /* 2.5.29.9 */ AKEY_PACKAGE_OID = 1048 /* 2.16.840.1.101.2.1.2.78.5 RFC 5958 - Asymmetric Key Packages */ }; enum CertificatePolicy_Sum { - CP_ANY_OID = 146 /* id-ce 32 0 */ + CP_ANY_OID = 146, /* id-ce 32 0 */ +#ifdef WOLFSSL_FPKI + CP_FPKI_COMMON_AUTH_OID = 426, /* 2.16.840.1.101.3.2.1.3.13 */ + CP_FPKI_PIV_AUTH_OID = 453, /* 2.16.840.1.101.3.2.1.3.40 */ + CP_FPKI_PIV_AUTH_HW_OID = 454, /* 2.16.840.1.101.3.2.1.3.41 */ + CP_FPKI_PIVI_AUTH_OID = 458 /* 2.16.840.1.101.3.2.1.3.45 */ +#endif /* WOLFSSL_FPKI */ }; enum SepHardwareName_Sum { @@ -1150,10 +1162,15 @@ enum SepHardwareName_Sum { }; enum AuthInfo_Sum { - AIA_OCSP_OID = 116, /* 1.3.6.1.5.5.7.48.1 */ - AIA_CA_ISSUER_OID = 117 /* 1.3.6.1.5.5.7.48.2 */ + AIA_OCSP_OID = 116, /* 1.3.6.1.5.5.7.48.1, id-ad-ocsp */ + AIA_CA_ISSUER_OID = 117, /* 1.3.6.1.5.5.7.48.2, id-ad-caIssuers */ + #ifdef WOLFSSL_SUBJ_INFO_ACC + AIA_CA_REPO_OID = 120 /* 1.3.6.1.5.5.7.48.5, id-ad-caRepository */ + #endif /* WOLFSSL_SUBJ_INFO_ACC */ }; +#define ID_PKIX(num) (67+(num)) /* 1.3.6.1.5.5.7.num, id-pkix num */ +#define ID_KP(num) (ID_PKIX(3)+(num)) /* 1.3.6.1.5.5.7.3.num, id-kp num */ enum ExtKeyUsage_Sum { /* From RFC 5280 */ EKU_ANY_OID = 151, /* 2.5.29.37.0, anyExtendedKeyUsage */ EKU_SERVER_AUTH_OID = 71, /* 1.3.6.1.5.5.7.3.1, id-kp-serverAuth */ 
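Review bot: `ID_PKIX(num)` and `ID_KP(num)` are defined unconditionally in a public header (wolfssl/wolfcrypt/asn.h) with short, unprefixed names, so they can collide with application or other-library macros that include this header; the surrounding constants use a `WC_`/`WOLFSSL_` or type-specific prefix. Either rename them along the lines of `WC_ID_PKIX(num)` / `WC_ID_KP(num)`, or `#undef` them after the enums that use them, and add a comment stating the value is the byte sum of the DER-encoded arc, e.g. `/* byte-sum of the encoded 1.3.6.1.5.5.7 arc; add the sub-arc */`, since that is the convention the rest of these enums rely on. The `AIA_CA_REPO_OID` sum 120 and the `CP_FPKI_*` sums match their OID byte encodings given in the asn.c hunk.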
@@ -1161,9 +1178,27 @@ enum ExtKeyUsage_Sum { /* From RFC 5280 */ EKU_CODESIGNING_OID = 73, /* 1.3.6.1.5.5.7.3.3, id-kp-codeSigning */ EKU_EMAILPROTECT_OID = 74, /* 1.3.6.1.5.5.7.3.4, id-kp-emailProtection */ EKU_TIMESTAMP_OID = 78, /* 1.3.6.1.5.5.7.3.8, id-kp-timeStamping */ - EKU_OCSP_SIGN_OID = 79 /* 1.3.6.1.5.5.7.3.9, id-kp-OCSPSigning */ + EKU_OCSP_SIGN_OID = 79, /* 1.3.6.1.5.5.7.3.9, id-kp-OCSPSigning */ + + /* From RFC 6187: X.509v3 Certificates for Secure Shell Authenticaiton */ + EKU_SSH_CLIENT_AUTH_OID = ID_KP(21), /* id-kp-secureShellClient */ + EKU_SSH_MSCL_OID = 264, + /* 1.3.6.1.4.1.311.20.2.2, MS Smart Card Logon */ + EKU_SSH_KP_CLIENT_AUTH_OID = 64 + /* 1.3.6.1.5.2.3.4, id-pkinit-KPClientAuth*/ }; +#ifdef WOLFSSL_SUBJ_DIR_ATTR +#define ID_PDA(num) (ID_PKIX(9)+(num)) /* 1.3.6.1.5.5.7.9.num, id-pda num */ +enum SubjDirAttr_Sum { /* From RFC 3739, section 3.3.2 */ + SDA_DOB_OID = ID_PDA(1), /* id-pda-dateOfBirth */ + SDA_POB_OID = ID_PDA(2), /* id-pda-placeOfBirth */ + SDA_GENDER_OID = ID_PDA(3), /* id-pda-gender */ + SDA_COC_OID = ID_PDA(4), /* id-pda-countryOfCitizenship */ + SDA_COR_OID = ID_PDA(5) /* id-pda-countryOfResidence */ +}; +#endif /* WOLFSSL_SUBJ_DIR_ATTR */ + #ifdef HAVE_LIBZ enum CompressAlg_Sum { ZLIBc = 679 /* 1.2.840.113549.1.9.16.3.8, id-alg-zlibCompress */ @@ -1218,6 +1253,11 @@ enum CsrAttrType { #define EXTKEYUSE_CLIENT_AUTH 0x04 #define EXTKEYUSE_SERVER_AUTH 0x02 #define EXTKEYUSE_ANY 0x01 +#ifdef WOLFSSL_WOLFSSH + #define EXTKEYUSE_SSH_CLIENT_AUTH 0x01 + #define EXTKEYUSE_SSH_MSCL 0x02 + #define EXTKEYUSE_SSH_KP_CLIENT_AUTH 0x04 +#endif /* WOLFSSL_WOLFSSH */ #define WC_NS_SSL_CLIENT 0x80 #define WC_NS_SSL_SERVER 0x40 
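Review bot: The comment introducing the SSH extended key usages misspells the RFC 6187 title; it should read `/* From RFC 6187: X.509v3 Certificates for Secure Shell Authentication */`. The three values are placed in a separate `extExtKeyUsageSsh` bitfield with their own `EXTKEYUSE_SSH_*` masks, which reuse the numeric values 0x01/0x02/0x04 of `EXTKEYUSE_ANY`/`EXTKEYUSE_SERVER_AUTH`/`EXTKEYUSE_CLIENT_AUTH`; a one-line comment on the masks, `/* bits of DecodedCert.extExtKeyUsageSsh, not extExtKeyUsage */`, would stop a reader from OR-ing them into the wrong field.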
@@ -1530,6 +1570,9 @@ struct DecodedCert { byte policyConstSkip; /* Policy Constraints skip certs value */ word16 extKeyUsage; /* Key usage bitfield */ byte extExtKeyUsage; /* Extended Key usage bitfield */ +#ifdef WOLFSSL_WOLFSSH + byte extExtKeyUsageSsh; /* Extended Key Usage bitfield for SSH */ +#endif /* WOLFSSL_WOLFSSH */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) const byte* extExtKeyUsageSrc; @@ -1548,6 +1591,21 @@ struct DecodedCert { const byte* extSubjAltNameSrc; word32 extSubjAltNameSz; #endif +#ifdef WOLFSSL_SUBJ_DIR_ATTR + char countryOfCitizenship[COUNTRY_CODE_LEN+1]; /* ISO 3166 Country Code */ + #ifdef OPENSSL_ALL + const byte* extSubjDirAttrSrc; + word32 extSubjDirAttrSz; + #endif +#endif /* WOLFSSL_SUBJ_DIR_ATTR */ +#ifdef WOLFSSL_SUBJ_INFO_ACC + const byte* extSubjInfoAccCaRepo; + word32 extSubjInfoAccCaRepoSz; + #ifdef OPENSSL_ALL + const byte* extSubjInfoAccSrc; + word32 extSubjInfoAccSz; + #endif +#endif /* WOLFSSL_SUBJ_INFO_ACC */ #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) word32 pkCurveOID; /* Public Key's curve OID */ @@ -1717,6 +1775,12 @@ struct DecodedCert { byte extSubjKeyIdCrit : 1; byte extKeyUsageCrit : 1; byte extExtKeyUsageCrit : 1; +#ifdef WOLFSSL_SUBJ_DIR_ATTR + byte extSubjDirAttrSet : 1; +#endif +#ifdef WOLFSSL_SUBJ_INFO_ACC + byte extSubjInfoAccSet : 1; +#endif #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) byte extCertPolicyCrit : 1; #endif