Merge pull request #4459 from julek-wolfssl/missing-ext

Add x509 name attributes and extensions to DER parsing and generation

certs/renewcerts/wolfssl.cnf

@@ -278,7 +278,7 @@ keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
 extendedKeyUsage=serverAuth
 nsCertType=server
 
-# server-ecc extensions
+# client-ecc extensions
 [ client_ecc ]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always

certs/test/cert-ext-ia.cfg

@@ -10,7 +10,7 @@ L             = Brisbane
 O             = wolfSSL Inc
 OU            = Engineering
 CN            = www.wolfssl.com
-emailAddress  = support@wolfsssl.com
+emailAddress  = support@wolfssl.com
 
 [ v3_ca ]
 inhibitAnyPolicy = critical,1

certs/test/cert-ext-ia.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEAzCCAuugAwIBAgIUSu44/nlA6ddYMKuTWT7jAAObXbwwDQYJKoZIhvcNAQEL
+BQAwgZ8xCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH
+DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu
+ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEW
+E3N1cHBvcnRAd29sZnNzbC5jb20wHhcNMjExMDI2MTMzMzAzWhcNMjQwNzIyMTMz
+MzAzWjCBnzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNV
+BAcMCEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5n
+aW5lZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEiMCAGCSqGSIb3DQEJ
+ARYTc3VwcG9ydEB3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hnf/5c
+nFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/XGQ0l
+T+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bMQLRp
+o0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGW
+Srzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgI
+vDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaM1MDMwDQYDVR02AQH/BAMCAQEw
+IgYJYIZIAYb4QgENBBUWE1Rlc3RpbmcgaW5oaWJpdCBhbnkwDQYJKoZIhvcNAQEL
+BQADggEBAEPJZmwD9Lr+f2zp4AT4Yq7C45EBvEjvYHyHqk+QzIhxVF+aT6+gsMtG
+irPW0GLjQEZtydpe9GeKvONvQRMEMovNJib/WuFiEKjRMgVGnRVNuL8Fya5RQgMy
+lHLOuufqGyw4zpm/BxItMx/ChTWCdLHS3LDxV8lheKaU4FdzgEhutHTGiVoJKbZX
+7lge6KTL8MtQ+A11dO5Eo6Yal5PoME/562AOe/0f0OZJQwW6t4XO1r+X5j7YX6dn
+MCfc8skCCpro0YM2xE1OYaBTEFXcRYJaEU7U6lvIbWu09lVlzXb1IRdyCxa5xenI
+i8/4jRVl9EDP3TBovy4o9BBhDXX4XZ8=
+-----END CERTIFICATE-----

certs/test/cert-ext-joi.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFXDCCBESgAwIBAgIUdtjq13Vf1QryOYup6Qniboz466gwDQYJKoZIhvcNAQEL
+BQAwgccxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv
+bGZzc3NsLmNvbTETMBEGCysGAQQBgjc8AgEDEwJVUzEbMBkGCysGAQQBgjc8AgEC
+DApDYWxpZm9ybmlhMB4XDTIxMTAyNjEzMzMwM1oXDTI0MDcyMjEzMzMwM1owgccx
+CzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFu
+MREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UE
+AwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3Ns
+LmNvbTETMBEGCysGAQQBgjc8AgEDEwJVUzEbMBkGCysGAQQBgjc8AgECDApDYWxp
+Zm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRC
+W804H0ryTXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3J
+cncy6sqQu2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2n
+onqNOCkcrMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4
+fcnlwtfaQG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1
+oGP1Vi+jJtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zY
+KLNLve02eQIDAQABo4IBPDCCATgwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w
+5ejVMIIBBwYDVR0jBIH/MIH8gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBzaSByjCB
+xzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt
+YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYD
+VQQDDA93d3cud29sZnNzbC5jb20xIDAeBgkqhkiG9w0BCQEWEWluZm9Ad29sZnNz
+c2wuY29tMRMwEQYLKwYBBAGCNzwCAQMTAlVTMRswGQYLKwYBBAGCNzwCAQIMCkNh
+bGlmb3JuaWGCFHbY6td1X9UK8jmLqekJ4m6M+OuoMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAKCwAqkAY84wjms5rRzLMdJSDBn3hnXyY+A1TctSMoxc
+9mgytzwEaYQnMzCpoyC4Dut1RCL7D5ws1MAfBLd3zeMdc4mpIEtqMy2n7UDEP/Kx
+6WCg6IRUTr+2ki0f+4egKrpZRdeJgZHhqn2rHP3MzxaLjWoGLbg5MDrX4xOwH+Kb
+/yhoHI4ukiWXjP9hUsg1SD6emlK9ws7QeTC8pw2w7ybzIAR6sz+Zc/edcQlpywu1
+FgqqhJ7n1zxrnda1j5Dd3qC5motPGtxigyn+pwEUHmguiwQFsZAePTdTzsdYHrNo
+y6g2C3CP8W7IdALiu8vxhMYXCs+6MCo8qkttJg/zoek=
+-----END CERTIFICATE-----

certs/test/cert-ext-multiple.cfg

@@ -0,0 +1,24 @@
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = v3_ca
+
+[ req_distinguished_name ]
+C             = AU
+ST            = Queensland
+L             = Brisbane
+O             = wolfSSL Inc
+OU            = Engineering
+CN            = www.wolfssl.com
+emailAddress  = support@wolfssl.com
+postalCode    = 56-131
+street        = Main St
+
+[ v3_ca ]
+nsCertType       = server
+crlDistributionPoints = URI:http://www.wolfssl.com/crl.pem
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+

certs/test/cert-ext-multiple.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFmDCCBICgAwIBAgIUIYnKdgsnPTG1eUAZKAmpUcb9N/4wDQYJKoZIhvcNAQEL
+BQAwgcIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH
+DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu
+ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEW
+E3N1cHBvcnRAd29sZnNzbC5jb20xDzANBgNVBBEMBjU2LTEzMTEQMA4GA1UECQwH
+TWFpbiBTdDAeFw0yMTEwMjYxMzMzMDNaFw0yNDA3MjIxMzMzMDNaMIHCMQswCQYD
+VQQGEwJBVTETMBEGA1UECAwKUXVlZW5zbGFuZDERMA8GA1UEBwwIQnJpc2JhbmUx
+FDASBgNVBAoMC3dvbGZTU0wgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYG
+A1UEAwwPd3d3LndvbGZzc2wuY29tMSIwIAYJKoZIhvcNAQkBFhNzdXBwb3J0QHdv
+bGZzc2wuY29tMQ8wDQYDVQQRDAY1Ni0xMzExEDAOBgNVBAkMB01haW4gU3QwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/DMotFLIehEJbzTgfSvJNdRDx
+tjWf38p9A5jTrN4DZu4q8diwfW4HVAsQmCFNgMsSIOfMT95FfclydzLqypC7aVIQ
+Ay+o85XF8YtiVhvvZ2+kEEGVrQqb46XAsNJwdlAwW6joCCx87aeieo04KRysx+3y
+fJWwlYJ9SVw4zXcl772AdVOUPD3KY1ufFbXTHRMvGdE823Y6zLh9yeXC19pAb9gh
+3HMbQi1TnP4a/H2rejY/mN6EfAVnzmoUOIep8Yy1aMtof3EgK/WgY/VWL6Mm0rdv
+sVoX1ziZCP6TWG/+wxNJCBYLp01nAFIxZyNOmO1RRR25BNkL7Ngos0u97TZ5AgMB
+AAGjggGCMIIBfjARBglghkgBhvhCAQEEBAMCBkAwLwYDVR0fBCgwJjAkoCKgIIYe
+aHR0cDovL3d3dy53b2xmc3NsLmNvbS9jcmwucGVtMBMGA1UdJQQMMAoGCCsGAQUF
+BwMBMB0GA1UdDgQWBBQnjmcRdMMmHT/tM2OzpNgdMOXo1TCCAQIGA1UdIwSB+jCB
+94AUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgcikgcUwgcIxCzAJBgNVBAYTAkFVMRMw
+EQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQHDAhCcmlzYmFuZTEUMBIGA1UECgwL
+d29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93d3cu
+d29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAd29sZnNzbC5jb20x
+DzANBgNVBBEMBjU2LTEzMTEQMA4GA1UECQwHTWFpbiBTdIIUIYnKdgsnPTG1eUAZ
+KAmpUcb9N/4wDQYJKoZIhvcNAQELBQADggEBABYF8t1yWicD7C0ZktxBMPQ9yJ3I
+TBq/PdAJl18OthE33I9lyVmF65AEW4pJS8Xjss+WNs159IJLbKuT3tdiqmBA7V1H
+sV03vMnhfdBDF0+zWnsKZF0tw2Gb772P2LiN/YrBc4KktcDqJocEy8D+P4jRVNM6
+toMD7KkzBrv+FU3OjzhP8MfaiIlqsvb4u4qOqi+lLyy6jgUQzrDp99uU986SrybW
+ulnisYYRQGGZ0vyAKez8PzoKvodfTUg5lLkkqlBfITnCsI3gHcjyk+uT8F9nSDGy
+VZGdHNOS++/gbeWwPyJ97gyu65yotc3fL89iM8BrzDSTxADaS18i5afEZFI=
+-----END CERTIFICATE-----

certs/test/cert-ext-nc.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENTCCAx2gAwIBAgIUFtCwMsYG2mHNWoLk3+8pf7piWZowDQYJKoZIhvcNAQEL
+BQAwezELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNVBAcM
+CEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5naW5l
+ZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTAeFw0yMTEwMjYxMzMzMDNa
+Fw0yNDA3MjIxMzMzMDNaMHsxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNs
+YW5kMREwDwYDVQQHDAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20wggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu
+8rwkMLiVzi9O1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu6
+4CHlci5vLobYlXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZ
+aHhzpowYqQJtr8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1U
+s+FtXxy8I3PRCQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT
+0pdz4l0lyWoNwzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMB
+AAGjgbAwga0wHQYDVR0OBBYEFLMRMsmSmITiyfjQO24DQsofDo48MB8GA1UdIwQY
+MBaAFLMRMsmSmITiyfjQO24DQsofDo48MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYD
+VR0PAQH/BAQDAgGGMB4GA1UdHgEB/wQUMBKgEDAOgQwud29sZnNzbC5jb20wJwYJ
+YIZIAYb4QgENBBoWGFRlc3RpbmcgbmFtZSBjb25zdHJhaW50czANBgkqhkiG9w0B
+AQsFAAOCAQEAgD7lONgXq4cY/e/TP3hNok+ANPOTmwexPgQxYGr3p7lmV9veNLBD
+xJE9J6kNb3T4Fge1wuSFFamnJyT5FbOdNn6v/RsCxIOm5snTUM8bXuA5Vw/lCB7C
+hccGiOPmEhxD8K+IQqZ4a1Zp6HUHZuPrs99PRt+lWA3M5PJbzpCKzHMiFDGRpkib
+RzC466/+V76ln7AtBbOh3w1QXAiHdIA2V40d0iX+q5e+L1X8sFGDvlxeTy+KXLwV
+/7fNVLgtDfdP2XO+jwhkQJeoOmpNJDxsvwm7xhouK0L5G87QUtsaIwK9SnR07Aj5
+5LHpvNCgLQHO5nmJyJ13RlEUDfnnaGXCbA==
+-----END CERTIFICATE-----

certs/test/cert-ext-nct.cfg

@@ -10,7 +10,7 @@ L             = Brisbane
 O             = wolfSSL Inc
 OU            = Engineering
 CN            = www.wolfssl.com
-emailAddress  = support@wolfsssl.com
+emailAddress  = support@wolfssl.com
 
 [ v3_ca ]
 nsCertType       = critical,server

certs/test/cert-ext-nct.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEGDCCAwCgAwIBAgIUN9zd5Z6FAMRqEkWPoS4D42402XowDQYJKoZIhvcNAQEL
+BQAwgZ8xCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNsYW5kMREwDwYDVQQH
+DAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDASBgNVBAsMC0VuZ2lu
+ZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xIjAgBgkqhkiG9w0BCQEW
+E3N1cHBvcnRAd29sZnNzbC5jb20wHhcNMjExMDI2MTMzMzAzWhcNMjQwNzIyMTMz
+MzAzWjCBnzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNV
+BAcMCEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5n
+aW5lZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEiMCAGCSqGSIb3DQEJ
+ARYTc3VwcG9ydEB3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hnf/5c
+nFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/XGQ0l
+T+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bMQLRp
+o0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq0KGW
+Srzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ6dgI
+vDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaNKMEgwFAYJYIZIAYb4QgEBAQH/
+BAQDAgZAMDAGCWCGSAGG+EIBDQQjFiFUZXN0aW5nIE5ldHNjYXBlIENlcnRpZmlj
+YXRlIFR5cGUwDQYJKoZIhvcNAQELBQADggEBADvSHYLUd9cwFnqktCMOVggvPEvi
+QwiCn0Pfw5niwidHbdHeVqfcoA8hYYoLNFwSwiRpnlxoA6KBPkzmkat5s9ea4ATR
+gTMdhicrTpldWldJtrm0ReR8vtxlEg8Ts8ZJrKOoyJ5MP5qPbZj+a0vyS2Qb8rnL
+obou6pz2qbMhBrOYVP6gWnhZRHJmLplPNo/WEZMBXDgL62dca6oUiXWBpAO8j2PI
+VShex+u2l6DNy/KvDlaUYvW88A5FwI1ThuoeRU76Y8QhB6zaC0wQttVVguzOcf3G
+3c9jNLtz1Ydp3sLDmSJfHnI7dO4rRWd8go98GsGLt8O2ZhWZ1D8dkzRZfv0=
+-----END CERTIFICATE-----

certs/test/cert-ext-ndir-exc.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE/TCCA+WgAwIBAgIUNPy5nImvNHMmLnekTFdBX87LWIcwDQYJKoZIhvcNAQEL
+BQAwgZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv
+bGZzc3NsLmNvbTAeFw0yMTEwMjYxMzMzMDNaFw0yNDA3MjIxMzMzMDNaMIGVMQsw
+CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjER
+MA8GA1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMM
+D3d3dy53b2xmc3NsLmNvbTEgMB4GCSqGSIb3DQEJARYRaW5mb0B3b2xmc3NzbC5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/DMotFLIehEJbzTgf
+SvJNdRDxtjWf38p9A5jTrN4DZu4q8diwfW4HVAsQmCFNgMsSIOfMT95FfclydzLq
+ypC7aVIQAy+o85XF8YtiVhvvZ2+kEEGVrQqb46XAsNJwdlAwW6joCCx87aeieo04
+KRysx+3yfJWwlYJ9SVw4zXcl772AdVOUPD3KY1ufFbXTHRMvGdE823Y6zLh9yeXC
+19pAb9gh3HMbQi1TnP4a/H2rejY/mN6EfAVnzmoUOIep8Yy1aMtof3EgK/WgY/VW
+L6Mm0rdvsVoX1ziZCP6TWG/+wxNJCBYLp01nAFIxZyNOmO1RRR25BNkL7Ngos0u9
+7TZ5AgMBAAGjggFBMIIBPTAdBgNVHQ4EFgQUJ45nEXTDJh0/7TNjs6TYHTDl6NUw
+gdUGA1UdIwSBzTCByoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZukgZgwgZUxCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw
+DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP
+d3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3NsLmNv
+bYIUNPy5nImvNHMmLnekTFdBX87LWIcwDAYDVR0TBAUwAwEB/zA2BgNVHR4BAf8E
+LDAqoSgwJqQkMCIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMA0G
+CSqGSIb3DQEBCwUAA4IBAQCOsVInwF8jwAT/YzOZppX9UfOVKxRkJSaXWLKyskDY
+NKsq2nY1bxn4QwZL7G/Blq0dBCpaW7wkpTrkeSOrYCtl+nkdNA+I40ek9W+M889L
+WoDTh5gbm1pN4w/Y9Sn5eJG0jzg7eUgQ8dCbAqoEP/6R33TccMJIxG3eT9VeZSag
+bra51uVAfZuU5ec1EHomC2QdFAW6ekf7Bk7mejkhkA4EtM0784Srjk7azYR3kc0n
+ow2o9qwtA6lQnGmrZO0AArXosFW/MuZzBEIJxRCkATF/ZxMpAVvYb9h26GguiDu2
+B+LV1qS/UnQfqE78jojSA5JZ/wIHiDHwBiTaBTBx5Ub4
+-----END CERTIFICATE-----

certs/test/cert-ext-ndir.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE6DCCA9CgAwIBAgIUUjnwSvtRITn8DePk5BV3FpOSt/EwDQYJKoZIhvcNAQEL
+BQAwgZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC
+b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdv
+bGZzc3NsLmNvbTAeFw0yMTEwMjYxMzMzMDNaFw0yNDA3MjIxMzMzMDNaMIGVMQsw
+CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjER
+MA8GA1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMM
+D3d3dy53b2xmc3NsLmNvbTEgMB4GCSqGSIb3DQEJARYRaW5mb0B3b2xmc3NzbC5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/DMotFLIehEJbzTgf
+SvJNdRDxtjWf38p9A5jTrN4DZu4q8diwfW4HVAsQmCFNgMsSIOfMT95FfclydzLq
+ypC7aVIQAy+o85XF8YtiVhvvZ2+kEEGVrQqb46XAsNJwdlAwW6joCCx87aeieo04
+KRysx+3yfJWwlYJ9SVw4zXcl772AdVOUPD3KY1ufFbXTHRMvGdE823Y6zLh9yeXC
+19pAb9gh3HMbQi1TnP4a/H2rejY/mN6EfAVnzmoUOIep8Yy1aMtof3EgK/WgY/VW
+L6Mm0rdvsVoX1ziZCP6TWG/+wxNJCBYLp01nAFIxZyNOmO1RRR25BNkL7Ngos0u9
+7TZ5AgMBAAGjggEsMIIBKDAdBgNVHQ4EFgQUJ45nEXTDJh0/7TNjs6TYHTDl6NUw
+gdUGA1UdIwSBzTCByoAUJ45nEXTDJh0/7TNjs6TYHTDl6NWhgZukgZgwgZUxCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw
+DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP
+d3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHdvbGZzc3NsLmNv
+bYIUUjnwSvtRITn8DePk5BV3FpOSt/EwDAYDVR0TBAUwAwEB/zAhBgNVHR4BAf8E
+FzAVoBMwEaQPMA0xCzAJBgNVBAYTAlVTMA0GCSqGSIb3DQEBCwUAA4IBAQCftSer
+x/DD+8l32zkBpvuVQtRcEpQ6w7Cl1PD8TaiXe0W9eqKeBmxOgJ+a0kyKIcYSJU5R
+K8enk17q1FFiqdgU0lEo3tdOdvfxFyLTbdCVz/Q0KRhhELU+9ZQRl0NOj3NSRR+/
+QI0tHo9UvsojdlRUW2LTaVdHAz8yBp5dC73KM/7Y3bS4q8MDjVvXD+TiJdfbcbQo
+1eBm5eEsmoYQoOqQAt8n9bmEAe6syFi/sBJU5PqBWuNlBVLlySxEzCA8vPXyvL95
+3eStUcicaHWFA3dljObenJ8m9UWLlZTf+XPA9BrUwXHSG3945Rb8/gAdPUgsIT67
+UQJbTMyGRwalE97X
+-----END CERTIFICATE-----

certs/test/gen-ext-certs.sh

@@ -5,20 +5,22 @@ TMP="/tmp/`basename $0`"
 KEY=certs/server-key.der
 gen_cert() {
     openssl req -x509 -keyform DER -key $KEY \
-      -days 1000 -new -outform DER -out $OUT -config $CONFIG \
+      -days 1000 -new -outform DER -out $OUT.der -config $CONFIG \
         >$TMP 2>&1
 
-    if [ "$?" = "0" -a -f $OUT ]; then
+    if [ "$?" = "0" -a -f $OUT.der ]; then
         echo "Created: $OUT"
     else
         cat $TMP
         echo "Failed:  $OUT"
     fi
 
+    openssl x509 -in $OUT.der -inform DER -outform PEM > $OUT.pem
+
     rm $TMP
 }
 
-OUT=certs/test/cert-ext-nc.der
+OUT=certs/test/cert-ext-nc
 KEYFILE=certs/test/cert-ext-nc-key.der
 CONFIG=certs/test/cert-ext-nc.cfg
 tee >$CONFIG <<EOF
@@ -47,7 +49,7 @@ EOF
 gen_cert
 
 
-OUT=certs/test/cert-ext-mnc.der
+OUT=certs/test/cert-ext-mnc
 KEYFILE=certs/test/cert-ext-mnc-key.der
 CONFIG=certs/test/cert-ext-mnc.cfg
 tee >$CONFIG <<EOF
@@ -76,7 +78,7 @@ EOF
 gen_cert
 
 
-OUT=certs/test/cert-ext-ncdns.der
+OUT=certs/test/cert-ext-ncdns
 KEYFILE=certs/test/cert-ext-nc-key.der
 CONFIG=certs/test/cert-ext-ncdns.cfg
 tee >$CONFIG <<EOF
@@ -104,7 +106,7 @@ nsComment       = "Testing name constraints"
 EOF
 gen_cert
 
-OUT=certs/test/cert-ext-ncmixed.der
+OUT=certs/test/cert-ext-ncmixed
 KEYFILE=certs/test/cert-ext-ncmixed-key.der
 CONFIG=certs/test/cert-ext-ncmixed.cfg
 tee >$CONFIG <<EOF
@@ -132,7 +134,7 @@ nsComment       = "Testing name constraints"
 EOF
 gen_cert
 
-OUT=certs/test/cert-ext-ia.der
+OUT=certs/test/cert-ext-ia
 KEYFILE=certs/test/cert-ext-ia-key.der
 CONFIG=certs/test/cert-ext-ia.cfg
 tee >$CONFIG <<EOF
@@ -148,7 +150,7 @@ L             = Brisbane
 O             = wolfSSL Inc
 OU            = Engineering
 CN            = www.wolfssl.com
-emailAddress  = support@wolfsssl.com
+emailAddress  = support@wolfssl.com
 
 [ v3_ca ]
 inhibitAnyPolicy = critical,1
@@ -157,7 +159,7 @@ nsComment        = "Testing inhibit any"
 EOF
 gen_cert
 
-OUT=certs/test/cert-ext-nct.der
+OUT=certs/test/cert-ext-nct
 KEYFILE=certs/test/cert-ext-mct-key.der
 CONFIG=certs/test/cert-ext-nct.cfg
 tee >$CONFIG <<EOF
@@ -173,7 +175,7 @@ L             = Brisbane
 O             = wolfSSL Inc
 OU            = Engineering
 CN            = www.wolfssl.com
-emailAddress  = support@wolfsssl.com
+emailAddress  = support@wolfssl.com
 
 [ v3_ca ]
 nsCertType       = critical,server
@@ -183,7 +185,7 @@ EOF
 gen_cert
 
 KEY=certs/ca-key.der
-OUT=certs/test/cert-ext-ndir.der
+OUT=certs/test/cert-ext-ndir
 KEYFILE=certs/ca-key.der
 CONFIG=certs/test/cert-ext-ndir.cfg
 tee >$CONFIG <<EOF
@@ -213,7 +215,7 @@ countryName = US
 EOF
 gen_cert
 
-OUT=certs/test/cert-ext-ndir-exc.der
+OUT=certs/test/cert-ext-ndir-exc
 KEYFILE=certs/ca-key.der
 CONFIG=certs/test/cert-ext-ndir-exc.cfg
 tee >$CONFIG <<EOF
@@ -244,7 +246,7 @@ stateOrProvinceName = California
 EOF
 gen_cert
 
-OUT=certs/test/cert-ext-joi.der
+OUT=certs/test/cert-ext-joi
 KEYFILE=certs/ca-key.der
 CONFIG=certs/test/cert-ext-joi.cfg
 tee >$CONFIG <<EOF
@@ -272,4 +274,34 @@ basicConstraints=CA:TRUE
 EOF
 gen_cert
 
+OUT=certs/test/cert-ext-multiple
+KEYFILE=certs/test/cert-ext-mct-key.der
+CONFIG=certs/test/cert-ext-multiple.cfg
+tee >$CONFIG <<EOF
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = v3_ca
+
+[ req_distinguished_name ]
+C             = AU
+ST            = Queensland
+L             = Brisbane
+O             = wolfSSL Inc
+OU            = Engineering
+CN            = www.wolfssl.com
+emailAddress  = support@wolfssl.com
+postalCode    = 56-131
+street        = Main St
+
+[ v3_ca ]
+nsCertType       = server
+crlDistributionPoints = URI:http://www.wolfssl.com/crl.pem
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+
+EOF
+gen_cert
 

certs/test/include.am

@@ -5,22 +5,31 @@
 EXTRA_DIST += \
          certs/test/cert-ext-ia.cfg \
          certs/test/cert-ext-ia.der \
+         certs/test/cert-ext-ia.pem \
          certs/test/cert-ext-nc.cfg \
          certs/test/cert-ext-nc.der \
+         certs/test/cert-ext-nc.pem \
          certs/test/cert-ext-ncdns.der \
          certs/test/cert-ext-ncmixed.der \
          certs/test/cert-ext-mnc.der \
          certs/test/cert-ext-nct.cfg \
          certs/test/cert-ext-nct.der \
+         certs/test/cert-ext-nct.pem \
          certs/test/cert-ext-ndir.cfg \
          certs/test/cert-ext-ndir.der \
+         certs/test/cert-ext-ndir.pem \
          certs/test/cert-ext-ns.der \
          certs/test/cert-ext-ndir-exc.cfg \
          certs/test/cert-ext-ndir-exc.der \
+         certs/test/cert-ext-ndir-exc.pem \
          certs/test/gen-ext-certs.sh \
          certs/test/server-duplicate-policy.pem \
          certs/test/cert-ext-joi.der \
-         certs/test/cert-ext-joi.cfg
+         certs/test/cert-ext-joi.pem \
+         certs/test/cert-ext-joi.cfg \
+         certs/test/cert-ext-multiple.cfg \
+         certs/test/cert-ext-multiple.der \
+         certs/test/cert-ext-multiple.pem
 
 # The certs/server-cert with the last byte (signature byte) changed
 EXTRA_DIST += \

configure.ac

@@ -6795,6 +6795,7 @@ then
   AM_CFLAGS="-DOPENSSL_EXTRA -DWOLFSSL_ALWAYS_VERIFY_CB $AM_CFLAGS"
   AM_CFLAGS="-DWOLFSSL_VERIFY_CB_ALL_CERTS -DWOLFSSL_EXTRA_ALERTS $AM_CFLAGS"
   AM_CFLAGS="-DHAVE_EXT_CACHE -DWOLFSSL_FORCE_CACHE_ON_TICKET $AM_CFLAGS"
+  AM_CFLAGS="-DWOLFSSL_AKID_NAME $AM_CFLAGS"
 fi
 
 if test "$ENABLED_OPENSSLEXTRA" = "x509small"

src/internal.c

@@ -3895,7 +3895,13 @@ void FreeX509(WOLFSSL_X509* x509)
     XFREE(x509->sig.buffer, x509->heap, DYNAMIC_TYPE_SIGNATURE);
     x509->sig.buffer = NULL;
     #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+        if (x509->authKeyIdSrc != NULL) {
+            XFREE(x509->authKeyIdSrc, x509->heap, DYNAMIC_TYPE_X509_EXT);
+        }
+        else {
             XFREE(x509->authKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT);
+        }
+        x509->authKeyIdSrc = NULL;
         x509->authKeyId = NULL;
         XFREE(x509->subjKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT);
         x509->subjKeyId = NULL;
@@ -3903,6 +3909,10 @@ void FreeX509(WOLFSSL_X509* x509)
             XFREE(x509->authInfo, x509->heap, DYNAMIC_TYPE_X509_EXT);
             x509->authInfo = NULL;
         }
+        if (x509->rawCRLInfo != NULL) {
+            XFREE(x509->rawCRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT);
+            x509->rawCRLInfo = NULL;
+        }
         if (x509->CRLInfo != NULL) {
             XFREE(x509->CRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT);
             x509->CRLInfo = NULL;
@@ -10649,6 +10659,17 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 
     x509->CRLdistSet = dCert->extCRLdistSet;
     x509->CRLdistCrit = dCert->extCRLdistCrit;
+    if (dCert->extCrlInfoRaw != NULL && dCert->extCrlInfoRawSz > 0) {
+        x509->rawCRLInfo = (byte*)XMALLOC(dCert->extCrlInfoRawSz, x509->heap,
+            DYNAMIC_TYPE_X509_EXT);
+        if (x509->rawCRLInfo != NULL) {
+            XMEMCPY(x509->rawCRLInfo, dCert->extCrlInfoRaw, dCert->extCrlInfoRawSz);
+            x509->rawCRLInfoSz = dCert->extCrlInfoRawSz;
+        }
+        else {
+            ret = MEMORY_E;
+        }
+    }
     if (dCert->extCrlInfo != NULL && dCert->extCrlInfoSz > 0) {
         x509->CRLInfo = (byte*)XMALLOC(dCert->extCrlInfoSz, x509->heap,
             DYNAMIC_TYPE_X509_EXT);
@@ -10694,6 +10715,27 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
     x509->authKeyIdSet = dCert->extAuthKeyIdSet;
     x509->authKeyIdCrit = dCert->extAuthKeyIdCrit;
     if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) {
+    #ifdef WOLFSSL_AKID_NAME
+        if (dCert->extRawAuthKeyIdSrc != NULL &&
+                dCert->extAuthKeyIdSrc > dCert->extRawAuthKeyIdSrc &&
+                dCert->extAuthKeyIdSrc <
+                    (dCert->extRawAuthKeyIdSrc + dCert->extRawAuthKeyIdSz)) {
+            /* Confirmed: extAuthKeyIdSrc points inside extRawAuthKeyIdSrc */
+            x509->authKeyIdSrc = (byte*)XMALLOC(dCert->extRawAuthKeyIdSz,
+                    x509->heap, DYNAMIC_TYPE_X509_EXT);
+            if (x509->authKeyIdSrc != NULL) {
+                XMEMCPY(x509->authKeyIdSrc, dCert->extRawAuthKeyIdSrc,
+                        dCert->extRawAuthKeyIdSz);
+                x509->authKeyIdSrcSz = dCert->extRawAuthKeyIdSz;
+                /* Set authKeyId to same offset inside authKeyIdSrc */
+                x509->authKeyId = x509->authKeyIdSrc +
+                        (dCert->extAuthKeyIdSrc - dCert->extRawAuthKeyIdSrc);
+                x509->authKeyIdSz = dCert->extAuthKeyIdSz;
+            }
+            else
+                ret = MEMORY_E;
+        }
+    #else
         x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, x509->heap,
                                          DYNAMIC_TYPE_X509_EXT);
         if (x509->authKeyId != NULL) {
@@ -10701,6 +10743,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
                                  dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz);
             x509->authKeyIdSz = dCert->extAuthKeyIdSz;
         }
+    #endif
         else
             ret = MEMORY_E;
     }
@@ -10725,6 +10768,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
         if (x509->extKeyUsageSrc != NULL) {
             XMEMCPY(x509->extKeyUsageSrc, dCert->extExtKeyUsageSrc,
                                                        dCert->extExtKeyUsageSz);
+            x509->extKeyUsage      = dCert->extExtKeyUsage;
             x509->extKeyUsageSz    = dCert->extExtKeyUsageSz;
             x509->extKeyUsageCrit  = dCert->extExtKeyUsageCrit;
             x509->extKeyUsageCount = dCert->extExtKeyUsageCount;
@@ -10733,6 +10777,9 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
             ret = MEMORY_E;
         }
     }
+    #ifndef IGNORE_NETSCAPE_CERT_TYPE
+    x509->nsCertType = dCert->nsCertType;
+    #endif
     #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
         x509->certPolicySet = dCert->extCertPolicySet;
         x509->certPolicyCrit = dCert->extCertPolicyCrit;

src/ssl.c

@@ -8839,58 +8839,24 @@ unsigned int wolfSSL_X509_get_key_usage(WOLFSSL_X509* x509)
 unsigned int wolfSSL_X509_get_extended_key_usage(WOLFSSL_X509* x509)
 {
     int ret = 0;
-    int rc;
-    word32 idx = 0;
-    word32 oid;
 
     WOLFSSL_ENTER("wolfSSL_X509_get_extended_key_usage");
 
-    if (x509 == NULL) {
+    if (x509 != NULL) {
-        WOLFSSL_MSG("x509 is NULL");
+        if (x509->extKeyUsage & EXTKEYUSE_OCSP_SIGN)
-    }
-    else if (x509->extKeyUsageSrc != NULL) {
-        while (idx < x509->extKeyUsageSz) {
-            rc = GetObjectId(x509->extKeyUsageSrc, &idx, &oid,
-                    oidCertKeyUseType, x509->extKeyUsageSz);
-            if (rc == ASN_UNKNOWN_OID_E) {
-                continue;
-            }
-            else if (rc < 0) {
-                WOLFSSL_MSG("GetObjectId failed");
-                ret = -1;
-                break;
-            }
-
-            switch (oid) {
-                case EKU_ANY_OID:
-                    ret |= XKU_ANYEKU;
-                    break;
-                case EKU_SERVER_AUTH_OID:
-                    ret |= XKU_SSL_SERVER;
-                    break;
-                case EKU_CLIENT_AUTH_OID:
-                    ret |= XKU_SSL_CLIENT;
-                    break;
-                case EKU_CODESIGNING_OID:
-                    ret |= XKU_CODE_SIGN;
-                    break;
-                case EKU_EMAILPROTECT_OID:
-                    ret |= XKU_SMIME;
-                    break;
-                case EKU_TIMESTAMP_OID:
-                    ret |= XKU_TIMESTAMP;
-                    break;
-                case EKU_OCSP_SIGN_OID:
             ret |= XKU_OCSP_SIGN;
-                    break;
+        if (x509->extKeyUsage & EXTKEYUSE_TIMESTAMP)
-                default:
+            ret |= XKU_TIMESTAMP;
-                    break;
+        if (x509->extKeyUsage & EXTKEYUSE_EMAILPROT)
-            }
+            ret |= XKU_SMIME;
-        }
+        if (x509->extKeyUsage & EXTKEYUSE_CODESIGN)
-    }
+            ret |= XKU_CODE_SIGN;
-    else {
+        if (x509->extKeyUsage & EXTKEYUSE_CLIENT_AUTH)
-        WOLFSSL_MSG("x509->extKeyUsageSrc is NULL");
+            ret |= XKU_SSL_CLIENT;
-        ret = -1;
+        if (x509->extKeyUsage & EXTKEYUSE_SERVER_AUTH)
+            ret |= XKU_SSL_SERVER;
+        if (x509->extKeyUsage & EXTKEYUSE_ANY)
+            ret |= XKU_ANYEKU;
     }
 
     WOLFSSL_LEAVE("wolfSSL_X509_get_extended_key_usage", ret);
@@ -9792,6 +9758,13 @@ int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int lo
 
     switch (ext->obj->type) {
     case NID_authority_key_identifier:
+        if (x509->authKeyIdSrc != NULL) {
+            /* If authKeyId points into authKeyIdSrc then free it and
+             * revert to old functionality */
+            XFREE(x509->authKeyIdSrc, x509->heap, DYNAMIC_TYPE_X509_EXT);
+            x509->authKeyIdSrc = NULL;
+            x509->authKeyId = NULL;
+        }
         if (asn1_string_copy_to_buffer(&ext->value, &x509->authKeyId,
                 &x509->authKeyIdSz, x509->heap) != WOLFSSL_SUCCESS) {
             WOLFSSL_MSG("asn1_string_copy_to_buffer error");
@@ -31420,6 +31393,8 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
     { NID_localityName, NID_localityName, oidCertNameType, "L", "localityName"},
     { NID_stateOrProvinceName, NID_stateOrProvinceName, oidCertNameType, "ST",
                                                         "stateOrProvinceName"},
+    { NID_streetAddress, NID_streetAddress, oidCertNameType, "street",
+                                                        "streetAddress"},
     { NID_organizationName, NID_organizationName, oidCertNameType, "O",
                                                         "organizationName"},
     { NID_organizationalUnitName, NID_organizationalUnitName, oidCertNameType,
@@ -31436,6 +31411,7 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
                                                             "jurisdictionCountryName"},
     { NID_jurisdictionStateOrProvinceName, NID_jurisdictionStateOrProvinceName,
             oidCertNameType, "jurisdictionST", "jurisdictionStateOrProvinceName"},
+    { NID_postalCode, NID_postalCode, oidCertNameType, "postalCode", "postalCode"},
 
 #ifdef WOLFSSL_CERT_REQ
     { NID_pkcs9_challengePassword, CHALLENGE_PASSWORD_OID,
@@ -41882,12 +41858,21 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
             return WOLFSSL_FAILURE;
         }
 
-        if (x509->authKeyIdSz < CTC_MAX_AKID_SIZE) {
+        if (x509->authKeyIdSz < sizeof(cert->akid)) {
+        #ifdef WOLFSSL_AKID_NAME
+            cert->rawAkid = 0;
+            if (x509->authKeyIdSrc) {
+                XMEMCPY(cert->akid, x509->authKeyIdSrc, x509->authKeyIdSrcSz);
+                cert->akidSz = (int)x509->authKeyIdSrcSz;
+                cert->rawAkid = 1;
+            }
+            else
+        #endif
             if (x509->authKeyId) {
                 XMEMCPY(cert->akid, x509->authKeyId, x509->authKeyIdSz);
-            }
                 cert->akidSz = (int)x509->authKeyIdSz;
             }
+        }
         else {
             WOLFSSL_MSG("Auth Key ID too large");
             return WOLFSSL_FAILURE;
@@ -41907,6 +41892,17 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
         cert->certPoliciesNb = (word16)x509->certPoliciesNb;
 
         cert->keyUsage = x509->keyUsage;
+        cert->extKeyUsage = x509->extKeyUsage;
+        cert->nsCertType = x509->nsCertType;
+
+        if (x509->rawCRLInfo != NULL) {
+            if (x509->rawCRLInfoSz > CTC_MAX_CRLINFO_SZ) {
+                WOLFSSL_MSG("CRL Info too large");
+                return WOLFSSL_FAILURE;
+            }
+            XMEMCPY(cert->crlInfo, x509->rawCRLInfo, x509->rawCRLInfoSz);
+            cert->crlInfoSz = x509->rawCRLInfoSz;
+        }
     #endif /* WOLFSSL_CERT_EXT */
 
     #ifdef WOLFSSL_CERT_REQ
@@ -42446,12 +42442,14 @@ static int ConvertNIDToWolfSSL(int nid)
         case NID_countryName: return ASN_COUNTRY_NAME;
         case NID_localityName: return ASN_LOCALITY_NAME;
         case NID_stateOrProvinceName: return ASN_STATE_NAME;
+        case NID_streetAddress: return ASN_STREET_ADDR;
         case NID_organizationName: return ASN_ORG_NAME;
         case NID_organizationalUnitName: return ASN_ORGUNIT_NAME;
         case NID_emailAddress: return ASN_EMAIL_NAME;
         case NID_serialNumber: return ASN_SERIAL_NUMBER;
         case NID_businessCategory: return ASN_BUS_CAT;
         case NID_domainComponent: return ASN_DOMAIN_COMPONENT;
+        case NID_postalCode: return ASN_POSTAL_CODE;
         default:
             WOLFSSL_MSG("Attribute NID not found");
             return -1;
@@ -46006,6 +46004,9 @@ int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bio, WOLFSSL_X509 *cert)
     /* write the PEM to BIO */
     ret = wolfSSL_BIO_write(bio, pem, pemSz);
     XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #ifdef WOLFSSL_SMALL_STACK
+    XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
 
     if (ret <= 0) return WOLFSSL_FAILURE;
     return WOLFSSL_SUCCESS;

tests/api.c

@@ -343,8 +343,11 @@
 #endif
 
 #if (defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN)) || \
-    defined(HAVE_SESSION_TICKET)
+    defined(HAVE_SESSION_TICKET) || (defined(OPENSSL_EXTRA) && \
-    /* for testing SSL_get_peer_cert_chain, or SESSION_TICKET_HINT_DEFAULT */
+    defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) && \
+    !defined(WOLFSSL_ASN_TEMPLATE))
+    /* for testing SSL_get_peer_cert_chain, or SESSION_TICKET_HINT_DEFAULT,
+     * or for setting authKeyIdSrc in WOLFSSL_X509 */
 #include "wolfssl/internal.h"
 #endif
 
@@ -35677,140 +35680,208 @@ static void test_wolfSSL_X509_sign2(void)
     time_t t;
 
     const unsigned char expected[] = {
-        0x30, 0x82, 0x04, 0x25, 0x30, 0x82, 0x03, 0x0D,
+#ifdef WOLFSSL_AKID_NAME
-        0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00,
+        0x30, 0x82, 0x04, 0xfd, 0x30, 0x82, 0x03, 0xe5, 0xa0, 0x03, 0x02, 0x01,
-        0xF1, 0x5C, 0x99, 0x43, 0x66, 0x3D, 0x96, 0x04,
+        0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04,
-        0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
+        0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
-        0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30,
+        0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
-        0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
+        0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06,
-        0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+        0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e,
-        0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08,
+        0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07,
-        0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E,
+        0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06,
-        0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
+        0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f,
-        0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65,
+        0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
-        0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, 0x06,
+        0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31,
-        0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61,
+        0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77,
-        0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13,
+        0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f,
-        0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C,
+        0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-        0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74,
+        0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77,
-        0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06,
+        0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e,
-        0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77,
+        0x17, 0x0d, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30,
-        0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73,
+        0x30, 0x30, 0x5a, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32,
-        0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30,
+        0x30, 0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30,
-        0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+        0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
-        0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E,
+        0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e,
-        0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73,
+        0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04,
-        0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30, 0x1E,
+        0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15,
-        0x17, 0x0D, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35,
+        0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c,
-        0x32, 0x30, 0x33, 0x30, 0x30, 0x30, 0x5A, 0x17,
+        0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30,
-        0x0D, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32,
+        0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67,
-        0x30, 0x33, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x81,
+        0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38,
-        0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55,
+        0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77,
-        0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
+        0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63,
-        0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C,
+        0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-        0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61,
+        0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40,
-        0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
+        0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30,
-        0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D,
+        0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-        0x61, 0x6E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
+        0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
-        0x55, 0x04, 0x0A, 0x0C, 0x0C, 0x77, 0x6F, 0x6C,
+        0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b,
-        0x66, 0x53, 0x53, 0x4C, 0x5F, 0x32, 0x30, 0x34,
+        0xfe, 0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c,
-        0x38, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,
+        0x74, 0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2,
-        0x04, 0x0B, 0x0C, 0x10, 0x50, 0x72, 0x6F, 0x67,
+        0x07, 0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4,
-        0x72, 0x61, 0x6D, 0x6D, 0x69, 0x6E, 0x67, 0x2D,
+        0x81, 0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8,
-        0x32, 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16,
+        0x36, 0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef,
-        0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77,
+        0xec, 0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc,
-        0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73,
+        0x7f, 0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7,
-        0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F,
+        0xc5, 0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01,
-        0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
+        0x56, 0x56, 0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c,
-        0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69,
+        0xef, 0xd1, 0x86, 0xdf, 0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1,
-        0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
+        0xa3, 0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e,
-        0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x30,
+        0x97, 0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43,
-        0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x14, 0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88,
-        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
+        0x40, 0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52,
-        0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30,
+        0x65, 0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c,
-        0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00,
+        0x7b, 0xc0, 0x12, 0x03, 0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3,
-        0xC3, 0x03, 0xD1, 0x2B, 0xFE, 0x39, 0xA4, 0x32,
+        0x3b, 0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a,
-        0x45, 0x3B, 0x53, 0xC8, 0x84, 0x2B, 0x2A, 0x7C,
+        0xd9, 0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4,
-        0x74, 0x9A, 0xBD, 0xAA, 0x2A, 0x52, 0x07, 0x47,
+        0xd1, 0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5,
-        0xD6, 0xA6, 0x36, 0xB2, 0x07, 0x32, 0x8E, 0xD0,
+        0x72, 0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15,
-        0xBA, 0x69, 0x7B, 0xC6, 0xC3, 0x44, 0x9E, 0xD4,
+        0xf7, 0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3,
-        0x81, 0x48, 0xFD, 0x2D, 0x68, 0xA2, 0x8B, 0x67,
+        0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x44, 0x30, 0x82, 0x01,
-        0xBB, 0xA1, 0x75, 0xC8, 0x36, 0x2C, 0x4A, 0xD2,
+        0x40, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03,
-        0x1B, 0xF7, 0x8B, 0xBA, 0xCF, 0x0D, 0xF9, 0xEF,
+        0x01, 0x01, 0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15,
-        0xEC, 0xF1, 0x81, 0x1E, 0x7B, 0x9B, 0x03, 0x47,
+        0x30, 0x13, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
-        0x9A, 0xBF, 0x65, 0xCC, 0x7F, 0x65, 0x24, 0x69,
+        0x63, 0x6f, 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x30, 0x1d, 0x06,
-        0xA6, 0xE8, 0x14, 0x89, 0x5B, 0xE4, 0x34, 0xF7,
+        0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66,
-        0xC5, 0xB0, 0x14, 0x93, 0xF5, 0x67, 0x7B, 0x3A,
+        0xd7, 0x68, 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26,
-        0x7A, 0x78, 0xE1, 0x01, 0x56, 0x56, 0x91, 0xA6,
+        0xd7, 0x85, 0x65, 0xc0, 0x30, 0x81, 0xd3, 0x06, 0x03, 0x55, 0x1d, 0x23,
-        0x13, 0x42, 0x8D, 0xD2, 0x3C, 0x40, 0x9C, 0x4C,
+        0x04, 0x81, 0xcb, 0x30, 0x81, 0xc8, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66,
-        0xEF, 0xD1, 0x86, 0xDF, 0x37, 0x51, 0x1B, 0x0C,
+        0xd7, 0x68, 0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26,
-        0xA1, 0x3B, 0xF5, 0xF1, 0xA3, 0x4A, 0x35, 0xE4,
+        0xd7, 0x85, 0x65, 0xc0, 0xa1, 0x81, 0xa4, 0xa4, 0x81, 0xa1, 0x30, 0x81,
-        0xE1, 0xCE, 0x96, 0xDF, 0x1B, 0x7E, 0xBF, 0x4E,
+        0x9e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-        0x97, 0xD0, 0x10, 0xE8, 0xA8, 0x08, 0x30, 0x81,
+        0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
-        0xAF, 0x20, 0x0B, 0x43, 0x14, 0xC5, 0x74, 0x67,
+        0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e,
-        0xB4, 0x32, 0x82, 0x6F, 0x8D, 0x86, 0xC2, 0x88,
+        0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d,
-        0x40, 0x99, 0x36, 0x83, 0xBA, 0x1E, 0x40, 0x72,
+        0x61, 0x6e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c,
-        0x22, 0x17, 0xD7, 0x52, 0x65, 0x24, 0x73, 0xB0,
+        0x0c, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34,
-        0xCE, 0xEF, 0x19, 0xCD, 0xAE, 0xFF, 0x78, 0x6C,
+        0x38, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10,
-        0x7B, 0xC0, 0x12, 0x03, 0xD4, 0x4E, 0x72, 0x0D,
+        0x50, 0x72, 0x6f, 0x67, 0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d,
-        0x50, 0x6D, 0x3B, 0xA3, 0x3B, 0xA3, 0x99, 0x5E,
+        0x32, 0x30, 0x34, 0x38, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
-        0x9D, 0xC8, 0xD9, 0x0C, 0x85, 0xB3, 0xD9, 0x8A,
+        0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73,
-        0xD9, 0x54, 0x26, 0xDB, 0x6D, 0xFA, 0xAC, 0xBB,
+        0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09,
-        0xFF, 0x25, 0x4C, 0xC4, 0xD1, 0x79, 0xF4, 0x71,
+        0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69,
-        0xD3, 0x86, 0x40, 0x18, 0x13, 0xB0, 0x63, 0xB5,
+        0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e,
-        0x72, 0x4E, 0x30, 0xC4, 0x97, 0x84, 0x86, 0x2D,
+        0x63, 0x6f, 0x6d, 0x82, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d,
-        0x56, 0x2F, 0xD7, 0x15, 0xF7, 0x7F, 0xC0, 0xAE,
+        0x96, 0x04, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30,
-        0xF5, 0xFC, 0x5B, 0xE5, 0xFB, 0xA1, 0xBA, 0xD3,
+        0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06,
-        0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x6E, 0x30,
+        0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06,
-        0x6C, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13,
+        0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
-        0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30,
+        0x03, 0x82, 0x01, 0x01, 0x00, 0x59, 0x2e, 0xd1, 0xec, 0xbc, 0x99, 0xfe,
-        0x1C, 0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x15,
+        0x50, 0x38, 0x47, 0x47, 0x88, 0x51, 0xcf, 0xe4, 0x88, 0x76, 0xdf, 0x89,
-        0x30, 0x13, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D,
+        0x8f, 0xea, 0x91, 0xbc, 0xd6, 0xc6, 0x91, 0xc9, 0xcc, 0x33, 0x77, 0x5d,
-        0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D, 0x87,
+        0xdd, 0x4b, 0xc9, 0xf6, 0x10, 0x54, 0xe2, 0x04, 0x89, 0x51, 0xdb, 0xe1,
-        0x04, 0x7F, 0x00, 0x00, 0x01, 0x30, 0x1D, 0x06,
+        0x00, 0x0c, 0x61, 0x03, 0x26, 0x86, 0x35, 0xac, 0x96, 0x23, 0x9d, 0xef,
-        0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14,
+        0xd9, 0x95, 0xe4, 0xb4, 0x83, 0x9e, 0x0f, 0x47, 0x30, 0x08, 0x96, 0x28,
-        0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, 0x18,
+        0x7f, 0x2d, 0xe3, 0x23, 0x30, 0x3b, 0xb0, 0x46, 0xe8, 0x21, 0x78, 0xb4,
-        0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26,
+        0xc0, 0xbc, 0x9f, 0x60, 0x02, 0xd4, 0x16, 0x2d, 0xe5, 0x5a, 0x00, 0x65,
-        0xD7, 0x85, 0x65, 0xC0, 0x30, 0x1F, 0x06, 0x03,
+        0x15, 0x95, 0x81, 0x93, 0x80, 0x06, 0x3e, 0xf7, 0xdf, 0x0c, 0x2b, 0x3f,
-        0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,
+        0x14, 0xfc, 0xc3, 0x79, 0xfd, 0x59, 0x5c, 0xa7, 0xc3, 0xe0, 0xa8, 0xd4,
-        0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87,
+        0x53, 0x4f, 0x13, 0x0a, 0xa3, 0xfe, 0x1d, 0x63, 0x4e, 0x84, 0xb2, 0x98,
-        0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7,
+        0x19, 0x06, 0xe0, 0x60, 0x3a, 0xc9, 0x49, 0x73, 0x00, 0xe3, 0x72, 0x2f,
-        0x26, 0xD7, 0x85, 0x65, 0xC0, 0x30, 0x0D, 0x06,
+        0x68, 0x27, 0x9f, 0x14, 0x18, 0xb7, 0x57, 0xb9, 0x1d, 0xa8, 0xb3, 0x05,
-        0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
+        0x6c, 0xf5, 0x4b, 0x0e, 0xac, 0x26, 0x7a, 0xfe, 0xc1, 0xab, 0x1f, 0x27,
-        0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01,
+        0xf1, 0x1e, 0x21, 0x33, 0x31, 0xb6, 0x43, 0xb0, 0xf8, 0x74, 0x69, 0x6a,
-        0x00, 0x79, 0x81, 0x5D, 0xAB, 0xDB, 0x44, 0x70,
+        0xb1, 0x9b, 0xcb, 0xe4, 0xd3, 0xa2, 0x8e, 0x8a, 0x55, 0xef, 0x81, 0xf3,
-        0xD6, 0x39, 0x4F, 0xA6, 0xBA, 0x09, 0x99, 0xBB,
+        0x4a, 0x44, 0x90, 0x4d, 0x08, 0xb8, 0x31, 0x90, 0x1a, 0x82, 0x52, 0x56,
-        0xCB, 0x82, 0xF9, 0x17, 0x34, 0xBD, 0x3E, 0xB1,
+        0xeb, 0xf0, 0x50, 0x5b, 0x9f, 0x87, 0x98, 0x54, 0xfe, 0x6a, 0x60, 0x41,
-        0x18, 0xA8, 0xF9, 0x10, 0x16, 0x2A, 0xE0, 0x74,
+        0x16, 0xdb, 0xdc, 0xff, 0x89, 0x4c, 0x98, 0x00, 0xb1, 0x87, 0x6c, 0xe7,
-        0xC6, 0xCF, 0xB3, 0x5F, 0xC6, 0x2C, 0xFB, 0xE3,
+        0xec, 0xba, 0x3b, 0xa4, 0xfe, 0xa1, 0xfd, 0x26, 0x19, 0x7c, 0x2d, 0x14,
-        0x5D, 0x38, 0x2B, 0x99, 0x02, 0x98, 0x9D, 0x55,
+        0x91, 0x91, 0x61, 0x30, 0x3e, 0xf4, 0x5c, 0x97, 0x4c, 0x06, 0x84, 0xab,
-        0x95, 0x65, 0xC3, 0xEB, 0x77, 0x13, 0xA0, 0x75,
+        0x94, 0xa8, 0x17, 0x6c, 0xec, 0x19, 0xc0, 0x87, 0xd0
-        0x35, 0x68, 0x1F, 0x08, 0xE8, 0x82, 0x3E, 0xF1,
+#else
-        0xEF, 0x4B, 0xE7, 0x6E, 0xAD, 0xC1, 0x7C, 0x57,
+        0x30, 0x82, 0x04, 0x46, 0x30, 0x82, 0x03, 0x2e, 0xa0, 0x03, 0x02, 0x01,
-        0xCE, 0xF5, 0x24, 0x4E, 0x2F, 0xC4, 0xF7, 0x46,
+        0x02, 0x02, 0x09, 0x00, 0xf1, 0x5c, 0x99, 0x43, 0x66, 0x3d, 0x96, 0x04,
-        0xED, 0x0E, 0x27, 0x1D, 0xD2, 0x12, 0x5D, 0x9A,
+        0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
-        0xE5, 0x82, 0xB8, 0x92, 0x42, 0x8F, 0x9E, 0x4D,
+        0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
-        0x9B, 0x31, 0x85, 0x2E, 0xE0, 0x5E, 0x83, 0xFB,
+        0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06,
-        0xA4, 0x33, 0x32, 0x34, 0x2A, 0xAD, 0x38, 0x7A,
+        0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e,
-        0x6D, 0xD5, 0x02, 0xAE, 0x77, 0xCB, 0x26, 0x76,
+        0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07,
-        0x7B, 0xFA, 0xE0, 0x91, 0x9B, 0x6F, 0xF4, 0xC4,
+        0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06,
-        0xA1, 0x54, 0xB1, 0x13, 0x80, 0x6E, 0xFB, 0x70,
+        0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f,
-        0x4C, 0x7F, 0x4F, 0x58, 0x39, 0xFA, 0x5B, 0x3D,
+        0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
-        0x60, 0x63, 0xDF, 0xEF, 0x90, 0xB3, 0x9B, 0x9A,
+        0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31,
-        0xEE, 0x8E, 0x34, 0xFB, 0x8B, 0x75, 0x5F, 0xC7,
+        0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77,
-        0xE4, 0xDB, 0x7C, 0x63, 0x84, 0xE4, 0x6C, 0xC7,
+        0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f,
-        0xD8, 0xC8, 0xA9, 0xA4, 0x42, 0x64, 0x93, 0x65,
+        0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-        0x17, 0x58, 0xC2, 0x51, 0x3E, 0x8E, 0x2A, 0x68,
+        0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77,
-        0x37, 0xC6, 0x59, 0x75, 0x68, 0xD4, 0x16, 0x6A,
+        0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e,
-        0x17, 0x87, 0xC0, 0xA8, 0x9A, 0x1F, 0x07, 0xCF,
+        0x17, 0x0d, 0x30, 0x30, 0x30, 0x32, 0x31, 0x35, 0x32, 0x30, 0x33, 0x30,
-        0x43, 0x58, 0xF4, 0xEA, 0xFE, 0xFB, 0xB2, 0x3F,
+        0x30, 0x30, 0x5a, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x32, 0x31, 0x34, 0x32,
-        0x7E, 0xC0, 0xF4, 0x83, 0x67, 0x85, 0x30, 0xF2,
+        0x30, 0x33, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30,
-        0xE1, 0x60, 0x37, 0x39, 0x45, 0x2A, 0x21, 0x51,
+        0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
-        0x0C, 0x4F, 0xFB, 0x0C, 0x0A, 0xFA, 0x7D, 0xD9,
+        0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e,
-        0xB4, 0x72, 0x86, 0x9C, 0x0D, 0x2A, 0x25, 0x0E,
+        0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04,
-        0xBB, 0x45, 0xEC, 0x5D, 0xFB, 0x7A, 0xAA, 0x67,
+        0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x15,
-        0x49, 0x4F, 0x36, 0xAB, 0xDE, 0x4B, 0x57, 0x35,
+        0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x77, 0x6f, 0x6c,
-        0xF3
+        0x66, 0x53, 0x53, 0x4c, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x31, 0x19, 0x30,
+        0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x10, 0x50, 0x72, 0x6f, 0x67,
+        0x72, 0x61, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x2d, 0x32, 0x30, 0x34, 0x38,
+        0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77,
+        0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63,
+        0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+        0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40,
+        0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30,
+        0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+        0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
+        0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0x03, 0xd1, 0x2b,
+        0xfe, 0x39, 0xa4, 0x32, 0x45, 0x3b, 0x53, 0xc8, 0x84, 0x2b, 0x2a, 0x7c,
+        0x74, 0x9a, 0xbd, 0xaa, 0x2a, 0x52, 0x07, 0x47, 0xd6, 0xa6, 0x36, 0xb2,
+        0x07, 0x32, 0x8e, 0xd0, 0xba, 0x69, 0x7b, 0xc6, 0xc3, 0x44, 0x9e, 0xd4,
+        0x81, 0x48, 0xfd, 0x2d, 0x68, 0xa2, 0x8b, 0x67, 0xbb, 0xa1, 0x75, 0xc8,
+        0x36, 0x2c, 0x4a, 0xd2, 0x1b, 0xf7, 0x8b, 0xba, 0xcf, 0x0d, 0xf9, 0xef,
+        0xec, 0xf1, 0x81, 0x1e, 0x7b, 0x9b, 0x03, 0x47, 0x9a, 0xbf, 0x65, 0xcc,
+        0x7f, 0x65, 0x24, 0x69, 0xa6, 0xe8, 0x14, 0x89, 0x5b, 0xe4, 0x34, 0xf7,
+        0xc5, 0xb0, 0x14, 0x93, 0xf5, 0x67, 0x7b, 0x3a, 0x7a, 0x78, 0xe1, 0x01,
+        0x56, 0x56, 0x91, 0xa6, 0x13, 0x42, 0x8d, 0xd2, 0x3c, 0x40, 0x9c, 0x4c,
+        0xef, 0xd1, 0x86, 0xdf, 0x37, 0x51, 0x1b, 0x0c, 0xa1, 0x3b, 0xf5, 0xf1,
+        0xa3, 0x4a, 0x35, 0xe4, 0xe1, 0xce, 0x96, 0xdf, 0x1b, 0x7e, 0xbf, 0x4e,
+        0x97, 0xd0, 0x10, 0xe8, 0xa8, 0x08, 0x30, 0x81, 0xaf, 0x20, 0x0b, 0x43,
+        0x14, 0xc5, 0x74, 0x67, 0xb4, 0x32, 0x82, 0x6f, 0x8d, 0x86, 0xc2, 0x88,
+        0x40, 0x99, 0x36, 0x83, 0xba, 0x1e, 0x40, 0x72, 0x22, 0x17, 0xd7, 0x52,
+        0x65, 0x24, 0x73, 0xb0, 0xce, 0xef, 0x19, 0xcd, 0xae, 0xff, 0x78, 0x6c,
+        0x7b, 0xc0, 0x12, 0x03, 0xd4, 0x4e, 0x72, 0x0d, 0x50, 0x6d, 0x3b, 0xa3,
+        0x3b, 0xa3, 0x99, 0x5e, 0x9d, 0xc8, 0xd9, 0x0c, 0x85, 0xb3, 0xd9, 0x8a,
+        0xd9, 0x54, 0x26, 0xdb, 0x6d, 0xfa, 0xac, 0xbb, 0xff, 0x25, 0x4c, 0xc4,
+        0xd1, 0x79, 0xf4, 0x71, 0xd3, 0x86, 0x40, 0x18, 0x13, 0xb0, 0x63, 0xb5,
+        0x72, 0x4e, 0x30, 0xc4, 0x97, 0x84, 0x86, 0x2d, 0x56, 0x2f, 0xd7, 0x15,
+        0xf7, 0x7f, 0xc0, 0xae, 0xf5, 0xfc, 0x5b, 0xe5, 0xfb, 0xa1, 0xba, 0xd3,
+        0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0x8e, 0x30, 0x81, 0x8b, 0x30,
+        0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01,
+        0xff, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, 0x30, 0x13,
+        0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f,
+        0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 0x30, 0x1d, 0x06, 0x03, 0x55,
+        0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68,
+        0x87, 0x18, 0x7e, 0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85,
+        0x65, 0xc0, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
+        0x16, 0x80, 0x14, 0x33, 0xd8, 0x45, 0x66, 0xd7, 0x68, 0x87, 0x18, 0x7e,
+        0x54, 0x0d, 0x70, 0x27, 0x91, 0xc7, 0x26, 0xd7, 0x85, 0x65, 0xc0, 0x30,
+        0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08,
+        0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06,
+        0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
+        0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01,
+        0x01, 0x00, 0x98, 0x2a, 0x3d, 0x94, 0x37, 0xae, 0xd6, 0x28, 0x12, 0xed,
+        0x6d, 0x95, 0xc9, 0x05, 0x89, 0x4b, 0x5c, 0x5e, 0x88, 0xed, 0x9e, 0x14,
+        0x89, 0x79, 0x65, 0x7b, 0x5c, 0xdb, 0xcd, 0x21, 0xc5, 0xfc, 0x7a, 0x05,
+        0xd2, 0x33, 0x54, 0xa1, 0x1b, 0xb2, 0xc6, 0xd8, 0x3e, 0x88, 0x7d, 0x58,
+        0xfd, 0xd0, 0xca, 0x71, 0x58, 0xd5, 0x37, 0x81, 0xe0, 0xef, 0x65, 0xfc,
+        0x1b, 0xf1, 0x5d, 0xdd, 0x26, 0x68, 0x12, 0xfb, 0x12, 0x24, 0xd5, 0x45,
+        0x4f, 0x41, 0xad, 0xee, 0x3f, 0x16, 0x40, 0xb2, 0x59, 0xe6, 0x5b, 0x76,
+        0xe7, 0x47, 0x11, 0xa4, 0xe1, 0x2f, 0x0d, 0xe8, 0x13, 0x13, 0x49, 0xb0,
+        0x01, 0x11, 0x15, 0xb5, 0xb3, 0x93, 0x4f, 0x28, 0xdc, 0xd0, 0x30, 0x03,
+        0x48, 0x02, 0x95, 0x2d, 0xd9, 0x26, 0x87, 0x1f, 0x19, 0xa1, 0x03, 0x5c,
+        0x7c, 0xde, 0x54, 0xd4, 0x98, 0x85, 0x34, 0xcc, 0x54, 0xf1, 0x24, 0x43,
+        0xa6, 0x87, 0xfa, 0xb6, 0x62, 0xee, 0xa3, 0x4a, 0xb3, 0xce, 0x1c, 0x2e,
+        0xbf, 0x94, 0xef, 0x4c, 0x75, 0x75, 0x55, 0x1d, 0xc9, 0xc2, 0xe4, 0xe5,
+        0x24, 0xb2, 0x0a, 0x93, 0xf0, 0xff, 0x2e, 0x43, 0x99, 0xad, 0x4e, 0x83,
+        0x11, 0x52, 0xf4, 0xb9, 0x92, 0x30, 0xe1, 0x02, 0x2f, 0xa5, 0xf2, 0x21,
+        0xb1, 0xf4, 0xe9, 0x57, 0xbd, 0xba, 0x17, 0x56, 0xd7, 0x31, 0xcb, 0x63,
+        0xa3, 0xd5, 0xcf, 0xc9, 0xd9, 0xa6, 0x4f, 0x51, 0x6c, 0x52, 0x4c, 0x53,
+        0x88, 0x9a, 0x2e, 0xb9, 0x72, 0x02, 0x6e, 0x1b, 0x21, 0x93, 0xa1, 0x88,
+        0x1b, 0x35, 0x0e, 0x9e, 0x2b, 0x63, 0x81, 0xba, 0xb4, 0x6b, 0x28, 0x01,
+        0x56, 0xe1, 0x0e, 0x13, 0x73, 0xf6, 0xd6, 0xa0, 0xd2, 0xfd, 0xc9, 0x4d,
+        0xbd, 0xa8, 0xa9, 0x22, 0x9e, 0xc7, 0x13, 0x76, 0x5a, 0x9c, 0xd3, 0x9a,
+        0xf4, 0x0c, 0x52, 0xe6, 0x47, 0xcb
+#endif
     };
 
     printf(testingFmt, "wolfSSL_X509_sign2");
@@ -37526,6 +37597,76 @@ static void test_wolfSSL_i2t_ASN1_OBJECT(void)
 #endif /* OPENSSL_EXTRA && WOLFSSL_CERT_EXT && WOLFSSL_CERT_GEN */
 }
 
+static void test_wolfSSL_PEM_write_bio_X509(void)
+{
+#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_AKID_NAME) && \
+    defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)
+    /* This test contains the hard coded expected
+     * lengths. Update if necessary */
+
+    BIO* input;
+    BIO* output;
+    X509* x509 = NULL;
+    int expectedLen;
+
+    printf(testingFmt, "wolfSSL_PEM_write_bio_X509()");
+
+    AssertNotNull(input = BIO_new_file(
+            "certs/test/cert-ext-multiple.pem", "rb"));
+    AssertIntEQ(wolfSSL_BIO_get_len(input), 2000);
+
+    AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
+
+    AssertNotNull(PEM_read_bio_X509(input, &x509, NULL, NULL));
+
+    AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS);
+
+#ifdef WOLFSSL_ALT_NAMES
+    /* Here we copy the validity struct from the original */
+    expectedLen = 2000;
+#else
+    /* Only difference is that we generate the validity in generalized
+     * time. Generating UTCTime vs Generalized time should be fixed in
+     * the future */
+    expectedLen = 2004;
+#endif
+    AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen);
+
+    /* Reset output buffer */
+    BIO_free(output);
+    AssertNotNull(output = BIO_new(wolfSSL_BIO_s_mem()));
+
+    /* Test forcing the AKID to be generated just from KeyIdentifier */
+    if (x509->authKeyIdSrc != NULL) {
+        XMEMMOVE(x509->authKeyIdSrc, x509->authKeyId, x509->authKeyIdSz);
+        x509->authKeyId = x509->authKeyIdSrc;
+        x509->authKeyIdSrc = NULL;
+        x509->authKeyIdSrcSz = 0;
+    }
+
+    AssertIntEQ(PEM_write_bio_X509(output, x509), WOLFSSL_SUCCESS);
+
+    /* Check that we generate a smaller output since the AKID will
+     * only contain the KeyIdentifier without any additional
+     * information */
+
+#ifdef WOLFSSL_ALT_NAMES
+    /* Here we copy the validity struct from the original */
+    expectedLen = 1688;
+#else
+    /* UTCTime vs Generalized time */
+    expectedLen = 1692;
+#endif
+    AssertIntEQ(wolfSSL_BIO_get_len(output), expectedLen);
+
+    X509_free(x509);
+    BIO_free(input);
+    BIO_free(output);
+
+    printf(resultFmt, passed);
+#endif
+}
+
 static void test_wolfSSL_X509_NAME_ENTRY(void)
 {
 #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \
@@ -51454,6 +51595,7 @@ void ApiTest(void)
     test_wolfSSL_OBJ_txt2nid();
     test_wolfSSL_OBJ_txt2obj();
     test_wolfSSL_i2t_ASN1_OBJECT();
+    test_wolfSSL_PEM_write_bio_X509();
     test_wolfSSL_X509_NAME_ENTRY();
     test_wolfSSL_X509_set_name();
     test_wolfSSL_X509_set_notAfter();

wolfcrypt/src/asn.c

@@ -74,6 +74,8 @@ ASN Options:
  * WOLFSSL_ASN_TEMPLATE_TYPE_CHECK: Use ASN functions to better test compiler
     type issues for testing
  * CRLDP_VALIDATE_DATA: For ASN template only, validates the reason data
+ * WOLFSSL_AKID_NAME: Enable support for full AuthorityKeyIdentifier extension.
+ *  Only supports copying full AKID from an existing certificate.
 */
 
 #ifndef NO_ASN
@@ -612,8 +614,8 @@ static void SizeASN_CalcDataLength(const ASNItem* asn, ASNSetData *data,
             /* The length of a header only item doesn't include the data unless
              * a replacement buffer is supplied.
              */
-            if (asn[j].headerOnly && data[j].dataType !=
+            if (asn[j].headerOnly && data[j].data.buffer.data == NULL &&
-                                                 ASN_DATA_TYPE_REPLACE_BUFFER) {
+                    data[j].dataType != ASN_DATA_TYPE_REPLACE_BUFFER) {
                 data[idx].data.buffer.length += data[j].data.buffer.length;
             }
         }
@@ -685,9 +687,17 @@ int SizeASN_Items(const ASNItem* asn, ASNSetData *data, int count, int* encSz)
                  * Mostly used for constructed items.
                  */
                 if (asn[i].headerOnly) {
-                    /* Calculate data length from items below. */
+                    if (data[i].data.buffer.data != NULL) {
+                        /* Force all child nodes to be ignored. Buffer
+                         * overwrites children. */
+                        SetASNItem_NoOutBelow(data, asn, i, count);
+                    }
+                    else {
+                        /* Calculate data length from items below if no buffer
+                         * supplied. */
                         SizeASN_CalcDataLength(asn, data, i, count);
                     }
+                }
                 if (asn[i].tag == ASN_BOOLEAN) {
                     dataLen = 1;
                 }
@@ -705,8 +715,9 @@ int SizeASN_Items(const ASNItem* asn, ASNSetData *data, int count, int* encSz)
                 }
                 /* Add in the size of tag and length. */
                 len += SizeASNHeader(dataLen);
-                /* Include data in length if not header only. */
+                /* Include data in length if not header only or if
-                if (!asn[i].headerOnly) {
+                 * buffer supplied. */
+                if (!asn[i].headerOnly || data[i].data.buffer.data != NULL) {
                     len += dataLen;
                 }
                 break;
@@ -933,8 +944,10 @@ int SetASN_Items(const ASNItem* asn, ASNSetData *data, int count, byte* output)
                     if (data[i].data.buffer.data == NULL) {
                         data[i].data.buffer.data = out + idx;
                     }
-                    /* Copy supplied data if not putting out header only. */
+                    /* Copy supplied data if not putting out header only or
-                    else if (!asn[i].headerOnly) {
+                     * if buffer supplied. */
+                    else if (!asn[i].headerOnly ||
+                            data[i].data.buffer.data != NULL) {
                         /* Allow data to come from output buffer. */
                         XMEMMOVE(out + idx, data[i].data.buffer.data,
                                  data[i].data.buffer.length);
@@ -3239,7 +3252,7 @@ word32 SetBitString(word32 len, byte unusedBits, byte* output)
     idx += ASN_TAG_SZ;
 
     /* Encode length - passing NULL for output will not encode.
-     * Add one to length for unsued bits. */
+     * Add one to length for unused bits. */
     idx += SetLength(len + 1, output ? output + idx : NULL);
     if (output) {
         /* Write out unused bits. */
@@ -10113,8 +10126,6 @@ static int GetHashId(const byte* id, int length, byte* hash)
 #endif /* !NO_CERTS */
 
 #ifdef WOLFSSL_ASN_TEMPLATE
-/* Id for street address - not used. */
-#define ASN_STREET    9
 /* Id for email address. */
 #define ASN_EMAIL     0x100
 /* Id for user id. */
@@ -10146,6 +10157,10 @@ static int GetHashId(const byte* id, int length, byte* hash)
 #define GetCertNameSubjectNID(id) \
     (certNameSubject[(id) - 3].nid)
 
+#define ValidCertNameSubject(id) \
+    ((id - 3) >= 0 && (id - 3) < certNameSubjectSz && \
+            (certNameSubject[(id) - 3].strLen > 0))
+
 /* Mapping of certificate name component to useful information. */
 typedef struct CertNameData {
     /* Type string of name component. */
@@ -10240,16 +10255,16 @@ static const CertNameData certNameSubject[] = {
         NID_stateOrProvinceName
 #endif
     },
-    /* Undefined - Street */
+    /* Street Address */
     {
-        NULL, 0,
+        "/street=", 8,
 #ifdef WOLFSSL_CERT_GEN
-        0,
+        OFFSETOF(DecodedCert, subjectStreet),
-        0,
+        OFFSETOF(DecodedCert, subjectStreetLen),
-        0,
+        OFFSETOF(DecodedCert, subjectStreetEnc),
 #endif
 #ifdef WOLFSSL_X509_NAME_AVAILABLE
-        0,
+        NID_streetAddress
 #endif
     },
     /* Organization Name */
@@ -10328,10 +10343,43 @@ static const CertNameData certNameSubject[] = {
 #endif
 #ifdef WOLFSSL_X509_NAME_AVAILABLE
         NID_businessCategory
+#endif
+    },
+    /* Undefined */
+    {
+        NULL, 0,
+#ifdef WOLFSSL_CERT_GEN
+        0,
+        0,
+        0,
+#endif
+#ifdef WOLFSSL_X509_NAME_AVAILABLE
+        0,
+#endif
+    },
+    /* Postal Code */
+    {
+        "/postalCode=", 12,
+#ifdef WOLFSSL_CERT_GEN
+#ifdef WOLFSSL_CERT_EXT
+        OFFSETOF(DecodedCert, subjectPC),
+        OFFSETOF(DecodedCert, subjectPCLen),
+        OFFSETOF(DecodedCert, subjectPCEnc),
+#else
+        0,
+        0,
+        0,
+#endif
+#endif
+#ifdef WOLFSSL_X509_NAME_AVAILABLE
+        NID_postalCode
 #endif
     },
 };
 
+static const int certNameSubjectSz =
+        (int) (sizeof(certNameSubject) / sizeof(CertNameData));
+
 /* Full email OID. */
 static const byte emailOid[] = {
     0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01
@@ -10527,8 +10575,7 @@ static int GetRDN(DecodedCert* cert, char* full, word32* idx, int* nid,
     if ((oidSz == 3) && (oid[0] == 0x55) && (oid[1] == 0x04)) {
         id = oid[2];
         /* Check range of supported ids in table. */
-        if (((id >= ASN_COMMON_NAME) && (id <= ASN_ORGUNIT_NAME) &&
+        if (ValidCertNameSubject(id)) {
-                (id != ASN_STREET)) || (id == ASN_BUS_CAT)) {
             /* Get the type string, length and NID from table. */
             typeStr = GetCertNameSubjectStr(id);
             typeStrLen = GetCertNameSubjectStrLen(id);
@@ -10887,6 +10934,22 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
                 #endif /* OPENSSL_EXTRA */
             }
         #ifdef WOLFSSL_CERT_EXT
+            else if (id == ASN_STREET_ADDR) {
+                copy = WOLFSSL_STREET_ADDR_NAME;
+                copyLen = sizeof(WOLFSSL_STREET_ADDR_NAME) - 1;
+                #ifdef WOLFSSL_CERT_GEN
+                    if (nameType == SUBJECT) {
+                        cert->subjectStreet = (char*)&input[srcIdx];
+                        cert->subjectStreetLen = strLen;
+                        cert->subjectStreetEnc = b;
+                    }
+                #endif /* WOLFSSL_CERT_GEN */
+                #if (defined(OPENSSL_EXTRA) || \
+                        defined(OPENSSL_EXTRA_X509_SMALL)) \
+                        && !defined(WOLFCRYPT_ONLY)
+                    nid = NID_streetAddress;
+                #endif /* OPENSSL_EXTRA */
+            }
             else if (id == ASN_BUS_CAT) {
                 copy = WOLFSSL_BUS_CAT;
                 copyLen = sizeof(WOLFSSL_BUS_CAT) - 1;
@@ -10902,6 +10965,22 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
                 nid = NID_businessCategory;
             #endif /* OPENSSL_EXTRA */
             }
+            else if (id == ASN_POSTAL_CODE) {
+                copy = WOLFSSL_POSTAL_NAME;
+                copyLen = sizeof(WOLFSSL_POSTAL_NAME) - 1;
+                #ifdef WOLFSSL_CERT_GEN
+                    if (nameType == SUBJECT) {
+                        cert->subjectPC = (char*)&input[srcIdx];
+                        cert->subjectPCLen = strLen;
+                        cert->subjectPCEnc = b;
+                    }
+                #endif /* WOLFSSL_CERT_GEN */
+                #if (defined(OPENSSL_EXTRA) || \
+                        defined(OPENSSL_EXTRA_X509_SMALL)) \
+                        && !defined(WOLFCRYPT_ONLY)
+                    nid = NID_postalCode;
+                #endif /* OPENSSL_EXTRA */
+            }
         #endif /* WOLFSSL_CERT_EXT */
         }
     #ifdef WOLFSSL_CERT_EXT
@@ -14533,6 +14612,9 @@ static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert)
 
     WOLFSSL_ENTER("DecodeCrlDist");
 
+    cert->extCrlInfoRaw = input;
+    cert->extCrlInfoRawSz = sz;
+
     /* Unwrap the list of Distribution Points*/
     if (GetSequence(input, &idx, &length, sz) < 0)
         return ASN_PARSE_E;
@@ -14625,6 +14707,9 @@ static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert)
 
     CALLOC_ASNGETDATA(dataASN, crlDistASN_Length, ret, cert->heap);
 
+    cert->extCrlInfoRaw = input;
+    cert->extCrlInfoRawSz = sz;
+
     if  (ret == 0) {
         /* Get the GeneralName choice */
         GetASN_Choice(&dataASN[4], generalNameChoice);
@@ -14869,6 +14954,10 @@ static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert)
     }
 
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+#ifdef WOLFSSL_AKID_NAME
+    cert->extRawAuthKeyIdSrc = input;
+    cert->extRawAuthKeyIdSz = sz;
+#endif
     cert->extAuthKeyIdSrc = &input[idx];
     cert->extAuthKeyIdSz = length;
 #endif /* OPENSSL_EXTRA */
@@ -14895,7 +14984,11 @@ static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert)
         }
         else {
 #ifdef OPENSSL_EXTRA
-            /* Store the autority key id. */
+            /* Store the authority key id. */
+#ifdef WOLFSSL_AKID_NAME
+            cert->extRawAuthKeyIdSrc = input;
+            cert->extRawAuthKeyIdSz = sz;
+#endif
             GetASN_GetConstRef(&dataASN[1], &cert->extAuthKeyIdSrc,
                                &cert->extAuthKeyIdSz);
 #endif /* OPENSSL_EXTRA */
@@ -15163,6 +15256,26 @@ static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert)
 #endif /* WOLFSSL_ASN_TEMPLATE */
 }
 
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+
+static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert)
+{
+    word32 idx = 0;
+    int len = 0;
+
+    WOLFSSL_ENTER("DecodeNsCertType");
+    if (CheckBitString(input, &idx, &len, (word32)sz, 0, NULL) < 0) {
+        return ASN_PARSE_E;
+    }
+
+    /* Don't need to worry about unused bits as CheckBitString makes sure
+     * they're zero. */
+    cert->nsCertType = input[idx];
+
+    return 0;
+}
+#endif
+
 
 #ifndef IGNORE_NAME_CONSTRAINTS
 #ifdef WOLFSSL_ASN_TEMPLATE
@@ -15976,11 +16089,8 @@ static int DecodeExtensionType(const byte* input, int length, word32 oid,
    #ifndef IGNORE_NETSCAPE_CERT_TYPE
         /* Netscape's certificate type. */
         case NETSCAPE_CT_OID:
-            WOLFSSL_MSG("Netscape certificate type extension not supported "
+            if (DecodeNsCertType(input, length, cert) < 0)
-                        "yet.");
-            if (CheckBitString(input, &idx, &length, length, 0, NULL) < 0) {
                 ret = ASN_PARSE_E;
-            }
             break;
     #endif
     #ifdef HAVE_OCSP
@@ -19927,10 +20037,18 @@ typedef struct DerCert {
     byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */
 #ifdef WOLFSSL_CERT_EXT
     byte skid[MAX_KID_SZ];             /* Subject Key Identifier extension */
-    byte akid[MAX_KID_SZ];             /* Authority Key Identifier extension */
+    byte akid[MAX_KID_SZ
+#ifdef WOLFSSL_AKID_NAME
+              + sizeof(CertName) + CTC_SERIAL_SIZE
+#endif
+              ]; /* Authority Key Identifier extension */
     byte keyUsage[MAX_KEYUSAGE_SZ];    /* Key Usage extension */
     byte extKeyUsage[MAX_EXTKEYUSAGE_SZ]; /* Extended Key Usage extension */
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+    byte nsCertType[MAX_NSCERTTYPE_SZ]; /* Extended Key Usage extension */
+#endif
     byte certPolicies[MAX_CERTPOL_NB*MAX_CERTPOL_SZ]; /* Certificate Policies */
+    byte crlInfo[CTC_MAX_CRLINFO_SZ];  /* CRL Distribution Points */
 #endif
 #ifdef WOLFSSL_CERT_REQ
     byte attrib[MAX_ATTRIB_SZ];        /* Cert req attributes encoded */
@@ -19952,7 +20070,12 @@ typedef struct DerCert {
     int  akidSz;                       /* encoded SKID extension length */
     int  keyUsageSz;                   /* encoded KeyUsage extension length */
     int  extKeyUsageSz;                /* encoded ExtendedKeyUsage extension length */
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+    int  nsCertTypeSz;                 /* encoded Netscape Certifcate Type
+                                        * extension length */
+#endif
     int  certPoliciesSz;               /* encoded CertPolicies extension length*/
+    int  crlInfoSz;                    /* encoded CRL Dist Points length */
 #endif
 #ifdef WOLFSSL_ALT_NAMES
     int  altNamesSz;                   /* encoded AltNames extension length */
@@ -20621,28 +20744,34 @@ const char* GetOneCertName(CertName* name, int idx)
        return name->state;
 
     case 2:
-       return name->locality;
+       return name->street;
 
     case 3:
-       return name->sur;
+       return name->locality;
 
     case 4:
-       return name->org;
+       return name->sur;
 
     case 5:
-       return name->unit;
+       return name->org;
 
     case 6:
-       return name->commonName;
+       return name->unit;
 
     case 7:
-       return name->serialDev;
+       return name->commonName;
 
     case 8:
+       return name->serialDev;
+
+    case 9:
+       return name->postalCode;
+
+    case 10:
 #ifdef WOLFSSL_CERT_EXT
        return name->busCat;
 
-    case 9:
+    case 11:
 #endif
        return name->email;
 
@@ -20663,28 +20792,34 @@ static char GetNameType(CertName* name, int idx)
        return name->stateEnc;
 
     case 2:
-       return name->localityEnc;
+       return name->postalCodeEnc;
 
     case 3:
-       return name->surEnc;
+       return name->localityEnc;
 
     case 4:
-       return name->orgEnc;
+       return name->surEnc;
 
     case 5:
-       return name->unitEnc;
+       return name->orgEnc;
 
     case 6:
-       return name->commonNameEnc;
+       return name->unitEnc;
 
     case 7:
-       return name->serialDevEnc;
+       return name->commonNameEnc;
 
     case 8:
+       return name->serialDevEnc;
+
+    case 9:
+       return name->postalCodeEnc;
+
+    case 10:
 #ifdef WOLFSSL_CERT_EXT
        return name->busCatEnc;
 
-    case 9:
+    case 11:
 #endif
         /* FALL THROUGH */
         /* The last index, email name, does not have encoding type.
@@ -20706,28 +20841,34 @@ byte GetCertNameId(int idx)
        return ASN_STATE_NAME;
 
     case 2:
-       return ASN_LOCALITY_NAME;
+       return ASN_STREET_ADDR;
 
     case 3:
-       return ASN_SUR_NAME;
+       return ASN_LOCALITY_NAME;
 
     case 4:
-       return ASN_ORG_NAME;
+       return ASN_SUR_NAME;
 
     case 5:
-       return ASN_ORGUNIT_NAME;
+       return ASN_ORG_NAME;
 
     case 6:
-       return ASN_COMMON_NAME;
+       return ASN_ORGUNIT_NAME;
 
     case 7:
-       return ASN_SERIAL_NUMBER;
+       return ASN_COMMON_NAME;
 
     case 8:
+       return ASN_SERIAL_NUMBER;
+
+    case 9:
+       return ASN_POSTAL_CODE;
+
+    case 10:
 #ifdef WOLFSSL_CERT_EXT
         return ASN_BUS_CAT;
 
-    case 9:
+    case 11:
 #endif
         return ASN_EMAIL_NAME;
 
@@ -20890,36 +21031,60 @@ static int SetSKID(byte* output, word32 outSz, const byte *input, word32 length)
 
 /* encode Authority Key Identifier, return total bytes written
  * RFC5280 : non-critical */
-static int SetAKID(byte* output, word32 outSz,
+static int SetAKID(byte* output, word32 outSz, byte *input, word32 length,
-                                         byte *input, word32 length, void* heap)
+                   byte rawAkid)
 {
+    int     enc_valSz, inSeqSz;
+    byte enc_val_buf[MAX_KID_SZ];
     byte* enc_val;
-    int     ret, enc_valSz;
+    const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23 };
-    const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04 };
     const byte akid_cs[] = { 0x80 };
+    word32 idx;
 
-    (void)heap;
+    (void)rawAkid;
 
     if (output == NULL || input == NULL)
         return BAD_FUNC_ARG;
 
+#ifdef WOLFSSL_AKID_NAME
+    if (rawAkid) {
+        enc_val = input;
+        enc_valSz = length;
+    }
+    else
+#endif
+    {
+        enc_val = enc_val_buf;
         enc_valSz = length + 3 + sizeof(akid_cs);
-    enc_val = (byte *)XMALLOC(enc_valSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (enc_valSz > (int)sizeof(enc_val_buf))
-    if (enc_val == NULL)
+            return BAD_FUNC_ARG;
-        return MEMORY_E;
 
         /* sequence for ContentSpec & value */
-    ret = SetOidValue(enc_val, enc_valSz, akid_cs, sizeof(akid_cs),
+        enc_valSz = SetOidValue(enc_val, enc_valSz, akid_cs, sizeof(akid_cs),
                           input, length);
-    if (ret > 0) {
+        if (enc_valSz <= 0)
-        enc_valSz = ret;
+            return enc_valSz;
-
-        ret = SetOidValue(output, outSz, akid_oid, sizeof(akid_oid),
-                          enc_val, enc_valSz);
     }
 
-    XFREE(enc_val, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    /* The size of the extension sequence contents */
-    return ret;
+    inSeqSz = sizeof(akid_oid) + SetOctetString(enc_valSz, NULL) +
+            enc_valSz;
+
+    if (SetSequence(inSeqSz, NULL) + inSeqSz > outSz)
+        return BAD_FUNC_ARG;
+
+    /* Write out the sequence header */
+    idx = SetSequence(inSeqSz, output);
+
+    /* Write out OID */
+    XMEMCPY(output + idx, akid_oid, sizeof(akid_oid));
+    idx += sizeof(akid_oid);
+
+    /* Write out AKID */
+    idx += SetOctetString(enc_valSz, output + idx);
+    XMEMCPY(output + idx, enc_val, enc_valSz);
+
+    return idx + enc_valSz;
 }
 
 /* encode Key Usage, return total bytes written
@@ -21163,6 +21328,89 @@ static int SetExtKeyUsage(Cert* cert, byte* output, word32 outSz, byte input)
 #endif
 }
 
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+#ifndef WOLFSSL_ASN_TEMPLATE
+static int SetNsCertType(Cert* cert, byte* output, word32 outSz, byte input)
+{
+    word32 idx;
+    byte unusedBits = 0;
+    byte nsCertType = input;
+    word32 totalSz;
+    word32 bitStrSz;
+    const byte nscerttype_oid[] = { 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
+                                    0x86, 0xF8, 0x42, 0x01, 0x01 };
+
+    if (cert == NULL || output == NULL ||
+            input == 0)
+        return BAD_FUNC_ARG;
+
+    totalSz = sizeof(nscerttype_oid);
+
+    /* Get amount of lsb zero's */
+    for (;(input & 1) == 0; input >>= 1)
+        unusedBits++;
+
+    /* 1 byte of NS Cert Type extension */
+    bitStrSz = SetBitString(1, unusedBits, NULL) + 1;
+    totalSz += SetOctetString(bitStrSz, NULL) + bitStrSz;
+
+    if (SetSequence(totalSz, NULL) + totalSz > outSz)
+        return BAD_FUNC_ARG;
+
+    /* 1. Seq + Total Len */
+    idx = SetSequence(totalSz, output);
+
+    /* 2. Object ID */
+    XMEMCPY(&output[idx], nscerttype_oid, sizeof(nscerttype_oid));
+    idx += sizeof(nscerttype_oid);
+
+    /* 3. Octet String */
+    idx += SetOctetString(bitStrSz, &output[idx]);
+
+    /* 4. Bit String */
+    idx += SetBitString(1, unusedBits, &output[idx]);
+    output[idx++] = nsCertType;
+
+    return idx;
+}
+#endif
+#endif
+
+#ifndef WOLFSSL_ASN_TEMPLATE
+static int SetCRLInfo(Cert* cert, byte* output, word32 outSz, byte* input,
+                      int inSz)
+{
+    word32 idx;
+    word32 totalSz;
+    const byte crlinfo_oid[] = { 0x06, 0x03, 0x55, 0x1D, 0x1F };
+
+    if (cert == NULL || output == NULL ||
+            input == 0 || inSz <= 0)
+        return BAD_FUNC_ARG;
+
+    totalSz = sizeof(crlinfo_oid) + SetOctetString(inSz, NULL) + inSz;
+
+    if (SetSequence(totalSz, NULL) + totalSz > outSz)
+        return BAD_FUNC_ARG;
+
+    /* 1. Seq + Total Len */
+    idx = SetSequence(totalSz, output);
+
+    /* 2. Object ID */
+    XMEMCPY(&output[idx], crlinfo_oid, sizeof(crlinfo_oid));
+    idx += sizeof(crlinfo_oid);
+
+    /* 3. Octet String */
+    idx += SetOctetString(inSz, &output[idx]);
+
+    /* 4. CRL Info */
+    XMEMCPY(&output[idx], input, inSz);
+    idx += inSz;
+
+    return idx;
+}
+#endif
+
 /* encode Certificate Policies, return total bytes written
  * each input value must be ITU-T X.690 formatted : a.b.c...
  * input must be an array of values with a NULL terminated for the latest
@@ -21625,6 +21873,7 @@ int wc_EncodeName(EncodedName* name, const char* nameStr, char nameType,
 static const byte nameOid[NAME_ENTRIES - 1][NAME_OID_SZ] = {
     { 0x55, 0x04, ASN_COUNTRY_NAME },
     { 0x55, 0x04, ASN_STATE_NAME },
+    { 0x55, 0x04, ASN_STREET_ADDR },
     { 0x55, 0x04, ASN_LOCALITY_NAME },
     { 0x55, 0x04, ASN_SUR_NAME },
     { 0x55, 0x04, ASN_ORG_NAME },
@@ -21634,6 +21883,7 @@ static const byte nameOid[NAME_ENTRIES - 1][NAME_OID_SZ] = {
 #ifdef WOLFSSL_CERT_EXT
     { 0x55, 0x04, ASN_BUS_CAT },
 #endif
+    { 0x55, 0x04, ASN_POSTAL_CODE },
     /* Email OID is much longer. */
 };
 
@@ -22042,6 +22292,15 @@ static const ASNItem certExtsASN[] = {
 /* 28 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
 /* 29 */            { 2, ASN_OCTET_STRING, 0, 1, 0 },
 /* 30 */                { 3, ASN_SEQUENCE, 0, 0, 0 },
+                /* Netscape Certificate Type */
+/* 31 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+/* 32 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
+/* 33 */            { 2, ASN_OCTET_STRING, 0, 1, 0 },
+/* 34 */                { 3, ASN_BIT_STRING, 0, 0, 0 },
+/* 35 */        { 1, ASN_SEQUENCE, 1, 1, 0 },
+/* 36 */            { 2, ASN_OBJECT_ID, 0, 0, 0 },
+/* 37 */            { 2, ASN_OCTET_STRING, 0, 0, 0 },
+
 #endif
 };
 
@@ -22064,6 +22323,9 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
     static const byte kuOID[]   = { 0x55, 0x1d, 0x0f };
     static const byte ekuOID[]  = { 0x55, 0x1d, 0x25 };
     static const byte cpOID[]   = { 0x55, 0x1d, 0x20 };
+    static const byte nsCertOID[] = { 0x60, 0x86, 0x48, 0x01,
+                                    0x86, 0xF8, 0x42, 0x01, 0x01 };
+    static const byte crlInfoOID[] = { 0x55, 0x1D, 0x1F };
 #endif
 
     (void)forRequest;
@@ -22107,8 +22369,16 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
         if (cert->akidSz > 0) {
             /* Set Authority Key Identifier OID and data. */
             SetASN_Buffer(&dataASN[15], akidOID, sizeof(akidOID));
+            if (cert->rawAkid) {
+                SetASN_Buffer(&dataASN[16], cert->akid, cert->akidSz);
+                /* cert->akid contains the internal ext structure */
+                SetASNItem_NoOutBelow(dataASN, certExtsASN, 16,
+                        certExtsASN_Length);
+            }
+            else {
                 SetASN_Buffer(&dataASN[18], cert->akid, cert->akidSz);
             }
+        }
         else {
             /* Don't write out Authority Key Identifier extension items. */
             SetASNItem_NoOut(dataASN, 14, 18);
@@ -22156,6 +22426,28 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
             /* Don't write out Certificate Policies extension items. */
             SetASNItem_NoOut(dataASN, 27, 30);
         }
+    #ifndef IGNORE_NETSCAPE_CERT_TYPE
+        /* Netscape Certificate Type */
+        if (cert->nsCertType != 0) {
+            /* Set Netscape Certificate Type OID and data. */
+            SetASN_Buffer(&dataASN[32], nsCertOID, sizeof(nsCertOID));
+            SetASN_Buffer(&dataASN[34], &cert->nsCertType, 1);
+        }
+        else
+    #endif
+        {
+            /* Don't write out Netscape Certificate Type. */
+            SetASNItem_NoOut(dataASN, 31, 34);
+        }
+        if (cert->crlInfoSz > 0) {
+            /* Set CRL Distribution Points OID and data. */
+            SetASN_Buffer(&dataASN[36], crlInfoOID, sizeof(crlInfoOID));
+            SetASN_Buffer(&dataASN[37], cert->crlInfo, cert->crlInfoSz);
+        }
+        else {
+            /* Don't write out CRL Distribution Points. */
+            SetASNItem_NoOut(dataASN, 35, 37);
+        }
     #endif
     }
 
@@ -22179,7 +22471,7 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
         SetASN_Items(certExtsASN, dataASN, certExtsASN_Length, output);
 
     #ifdef WOLFSSL_CERT_EXT
-        if (cert->keyUsage != 0){
+        if (cert->extKeyUsage != 0){
             /* Encode Extended Key Usage into space provided. */
             if (SetExtKeyUsage(cert, (byte*)dataASN[26].data.buffer.data,
                 dataASN[26].data.buffer.length, cert->extKeyUsage) <= 0) {
@@ -22209,6 +22501,10 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz,
 #ifndef WOLFSSL_ASN_TEMPLATE
 /* Set Date validity from now until now + daysValid
  * return size in bytes written to output, 0 on error */
+/* TODO https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
+ * "MUST always encode certificate validity dates through the year 2049 as
+ *  UTCTime; certificate validity dates in 2050 or later MUST be encoded as
+ *  GeneralizedTime." */
 static int SetValidity(byte* output, int daysValid)
 {
 #ifndef NO_ASN_TIME
@@ -22562,11 +22858,25 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
     /* AKID */
     if (cert->akidSz) {
         /* check the provided AKID size */
-        if (cert->akidSz > (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid)))
+        if ((
+#ifdef WOLFSSL_AKID_NAME
+             !cert->rawAkid &&
+#endif
+              cert->akidSz > (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid)))
+#ifdef WOLFSSL_AKID_NAME
+          || (cert->rawAkid && cert->akidSz > (int)sizeof(der->akid))
+#endif
+             )
             return AKID_E;
 
-        der->akidSz = SetAKID(der->akid, sizeof(der->akid),
+        der->akidSz = SetAKID(der->akid, sizeof(der->akid), cert->akid,
-                              cert->akid, cert->akidSz, cert->heap);
+                                cert->akidSz,
+#ifdef WOLFSSL_AKID_NAME
+                                cert->rawAkid
+#else
+                                0
+#endif
+                                );
         if (der->akidSz <= 0)
             return AKID_E;
 
@@ -22599,6 +22909,31 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
     else
         der->extKeyUsageSz = 0;
 
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+    /* Netscape Certificate Type */
+    if (cert->nsCertType != 0) {
+        der->nsCertTypeSz = SetNsCertType(cert, der->nsCertType,
+                                sizeof(der->nsCertType), cert->nsCertType);
+        if (der->nsCertTypeSz <= 0)
+            return EXTENSIONS_E;
+
+        der->extensionsSz += der->nsCertTypeSz;
+    }
+    else
+        der->nsCertTypeSz = 0;
+#endif
+
+    if (cert->crlInfoSz > 0) {
+        der->crlInfoSz = SetCRLInfo(cert, der->crlInfo, sizeof(der->crlInfo),
+                                cert->crlInfo, cert->crlInfoSz);
+        if (der->crlInfoSz <= 0)
+            return EXTENSIONS_E;
+
+        der->extensionsSz += der->crlInfoSz;
+    }
+    else
+        der->crlInfoSz = 0;
+
     /* Certificate Policies */
     if (cert->certPoliciesNb != 0) {
         der->certPoliciesSz = SetCertificatePolicies(der->certPolicies,
@@ -22664,6 +22999,15 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
                 return EXTENSIONS_E;
         }
 
+        /* put CRL Distribution Points */
+        if (der->crlInfoSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->crlInfo, der->crlInfoSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
+
         /* put KeyUsage */
         if (der->keyUsageSz) {
             ret = SetExtensions(der->extensions, sizeof(der->extensions),
@@ -22682,6 +23026,17 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
                 return EXTENSIONS_E;
         }
 
+        /* put Netscape Cert Type */
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+        if (der->nsCertTypeSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->nsCertType, der->nsCertTypeSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
+#endif
+
         /* put Certificate Policies */
         if (der->certPoliciesSz) {
             ret = SetExtensions(der->extensions, sizeof(der->extensions),
@@ -26957,16 +27312,20 @@ static int DecodeAsymKeyPublic(const byte* input, word32* inOutIdx, word32 inSz,
         return ASN_PARSE_E;
 
     /* key header */
-    ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL);
+    ret = CheckBitString(input, inOutIdx, &length, inSz, 1, NULL);
     if (ret != 0)
         return ret;
 
     /* check that the value found is not too large for pubKey buffer */
-    if (inSz - *inOutIdx > *pubKeyLen)
+    if ((word32)length > *pubKeyLen)
+        return ASN_PARSE_E;
+
+    /* check that input buffer is exhausted */
+    if (*inOutIdx + (word32)length != inSz)
         return ASN_PARSE_E;
 
     /* This is the raw point data compressed or uncompressed. */
-    *pubKeyLen = inSz - *inOutIdx;
+    *pubKeyLen = length;
     XMEMCPY(pubKey, input + *inOutIdx, *pubKeyLen);
 #else
     len = inSz - *inOutIdx;
@@ -26982,9 +27341,11 @@ static int DecodeAsymKeyPublic(const byte* input, word32* inOutIdx, word32 inSz,
         /* Decode Ed25519 private key. */
         ret = GetASN_Items(edPubKeyASN, dataASN, edPubKeyASN_Length, 1, input,
                 inOutIdx, inSz);
-        if (ret != 0) {
+        if (ret != 0)
+            ret = ASN_PARSE_E;
+        /* check that input buffer is exhausted */
+        if (*inOutIdx != inSz)
             ret = ASN_PARSE_E;
-        }
     }
     /* Check the public value length is correct. */
     if ((ret == 0) && (dataASN[3].data.ref.length > *pubKeyLen)) {

wolfcrypt/test/test.c

@@ -12289,18 +12289,20 @@ static void initDefaultName(void)
 static const CertName certDefaultName = {
     "US",               CTC_PRINTABLE,  /* country */
     "Oregon",           CTC_UTF8,       /* state */
+    "Main St",          CTC_UTF8,       /* street */
     "Portland",         CTC_UTF8,       /* locality */
     "Test",             CTC_UTF8,       /* sur */
     "wolfSSL",          CTC_UTF8,       /* org */
     "Development",      CTC_UTF8,       /* unit */
     "www.wolfssl.com",  CTC_UTF8,       /* commonName */
     "wolfSSL12345",     CTC_PRINTABLE,  /* serial number of device */
+    "12-456",           CTC_PRINTABLE,  /* Postal Code */
 #ifdef WOLFSSL_CERT_EXT
     "Private Organization", CTC_UTF8,   /* businessCategory */
     "US",               CTC_PRINTABLE,  /* jurisdiction country */
     "Oregon",           CTC_PRINTABLE,  /* jurisdiction state */
 #endif
-    "info@wolfssl.com"                  /* email */
+    "info@wolfssl.com",                 /* email */
 };
 #endif /* WOLFSSL_MULTI_ATTRIB */
 

wolfssl/internal.h

@@ -3854,12 +3854,14 @@ struct WOLFSSL_X509 {
 #ifdef HAVE_EX_DATA
     WOLFSSL_CRYPTO_EX_DATA ex_data;
 #endif
-    byte*            authKeyId;
+    byte*            authKeyId; /* Points into authKeyIdSrc */
+    byte*            authKeyIdSrc;
     byte*            subjKeyId;
     byte*            extKeyUsageSrc;
 #ifdef OPENSSL_ALL
     byte*            subjAltNameSrc;
 #endif
+    byte*            rawCRLInfo;
     byte*            CRLInfo;
     byte*            authInfo;
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
@@ -3868,12 +3870,18 @@ struct WOLFSSL_X509 {
 #endif
     word32           pathLength;
     word16           keyUsage;
+    int              rawCRLInfoSz;
     int              CRLInfoSz;
     int              authInfoSz;
     word32           authKeyIdSz;
+    word32           authKeyIdSrcSz;
     word32           subjKeyIdSz;
+    byte             extKeyUsage;
     word32           extKeyUsageSz;
     word32           extKeyUsageCount;
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+    byte             nsCertType;
+#endif
 #ifdef OPENSSL_ALL
     word32           subjAltNameSz;
 #endif

wolfssl/openssl/x509v3.h

@@ -57,8 +57,8 @@
 #define X509_PURPOSE_SSL_CLIENT       0
 #define X509_PURPOSE_SSL_SERVER       1
 
-#define NS_SSL_CLIENT                 0
+#define NS_SSL_CLIENT                 WC_NS_SSL_CLIENT
-#define NS_SSL_SERVER                 1
+#define NS_SSL_SERVER                 WC_NS_SSL_SERVER
 
 /* Forward reference */
 

wolfssl/wolfcrypt/asn.h

@@ -166,7 +166,9 @@ typedef struct ASNItem {
     byte tag;
     /* Whether the ASN.1 item is constructed. */
     byte constructed:1;
-    /* Whether to parse the header only or skip data. */
+    /* Whether to parse the header only or skip data. If
+     * ASNSetData.data.buffer.data is supplied then this option gets
+     * overwritten and the child nodes get ignored. */
     byte headerOnly:1;
     /* Whether ASN.1 item is optional.
      *  - 0 means not optional
@@ -587,6 +589,23 @@ WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType);
     }                                                                  \
     while (0)
 
+/* Set the data items below node to not be encoded.
+ *
+ * @param [in] dataASN  Dynamic ASN data item.
+ * @param [in] node     Node who's children should not be encoded.
+ * @param [in] dataASNLen Number of items in dataASN.
+ */
+#define SetASNItem_NoOutBelow(dataASN, asn, node, dataASNLen)          \
+    do {                                                               \
+        int ii;                                                        \
+        for (ii = node + 1; ii < (int)(dataASNLen); ii++) {            \
+            if (asn[ii].depth <= asn[node].depth)                      \
+                break;                                                 \
+            dataASN[ii].noOut = 1;                                     \
+        }                                                              \
+    }                                                                  \
+    while (0)
+
 #endif /* WOLFSSL_ASN_TEMPLATE */
 
 
@@ -598,9 +617,11 @@ enum DN_Tags {
     ASN_COUNTRY_NAME  = 0x06,   /* C  */
     ASN_LOCALITY_NAME = 0x07,   /* L  */
     ASN_STATE_NAME    = 0x08,   /* ST */
+    ASN_STREET_ADDR   = 0x09,   /* street */
     ASN_ORG_NAME      = 0x0a,   /* O  */
     ASN_ORGUNIT_NAME  = 0x0b,   /* OU */
     ASN_BUS_CAT       = 0x0f,   /* businessCategory */
+    ASN_POSTAL_CODE   = 0x11,   /* postalCode */
     ASN_EMAIL_NAME    = 0x98,   /* not oid number there is 97 in 2.5.4.0-97 */
 
     /* pilot attribute types
@@ -636,6 +657,9 @@ extern const WOLFSSL_ObjectInfo wolfssl_object_info[];
 #define WOLFSSL_LN_LOCALITY_NAME "/localityName="
 #define WOLFSSL_STATE_NAME       "/ST="
 #define WOLFSSL_LN_STATE_NAME    "/stateOrProvinceName="
+#define WOLFSSL_STREET_ADDR_NAME "/street="
+#define WOLFSSL_LN_STREET_ADDR_NAME "/streetAddress="
+#define WOLFSSL_POSTAL_NAME      "/postalCode="
 #define WOLFSSL_ORG_NAME         "/O="
 #define WOLFSSL_LN_ORG_NAME      "/organizationName="
 #define WOLFSSL_ORGUNIT_NAME     "/OU="
@@ -715,12 +739,14 @@ enum
     NID_countryName = 0x06,            /* C  */
     NID_localityName = 0x07,           /* L  */
     NID_stateOrProvinceName = 0x08,    /* ST */
+    NID_streetAddress = ASN_STREET_ADDR, /* street */
     NID_organizationName = 0x0a,       /* O  */
     NID_organizationalUnitName = 0x0b, /* OU */
     NID_jurisdictionCountryName = 0xc,
     NID_jurisdictionStateOrProvinceName = 0xd,
     NID_businessCategory = ASN_BUS_CAT,
     NID_domainComponent = ASN_DOMAIN_COMPONENT,
+    NID_postalCode = ASN_POSTAL_CODE,  /* postalCode */
     NID_favouriteDrink = 462,
     NID_userId = 458,
     NID_emailAddress = 0x30,           /* emailAddress */
@@ -857,6 +883,10 @@ enum Misc_ASN {
                           CTC_MAX_EKU_OID_SZ, /* Max encoded ExtKeyUsage
                           (SEQ/LEN + OBJID + OCTSTR/LEN + SEQ +
                           (6 * (SEQ + OID))) */
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+    MAX_NSCERTTYPE_SZ   = MAX_SEQ_SZ + 17, /* SEQ + OID + OCTET STR +
+                                            * NS BIT STR */
+#endif
     MAX_CERTPOL_NB      = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */
     MAX_CERTPOL_SZ      = CTC_MAX_CERTPOL_SZ,
 #endif
@@ -1127,6 +1157,15 @@ enum CsrAttrType {
 #define EXTKEYUSE_SERVER_AUTH 0x02
 #define EXTKEYUSE_ANY         0x01
 
+#define WC_NS_SSL_CLIENT      0x80
+#define WC_NS_SSL_SERVER      0x40
+#define WC_NS_SMIME           0x20
+#define WC_NS_OBJSIGN         0x10
+#define WC_NS_SSL_CA          0x04
+#define WC_NS_SMIME_CA        0x02
+#define WC_NS_OBJSIGN_CA      0x01
+
+
 typedef struct DNS_entry   DNS_entry;
 
 struct DNS_entry {
@@ -1382,6 +1421,10 @@ struct DecodedCert {
     const byte* extAuthInfoCaIssuer; /* Authority Info Access caIssuer URI */
     int     extAuthInfoCaIssuerSz;   /* length of the caIssuer URI         */
 #endif
+    const byte* extCrlInfoRaw;       /* Entire CRL Distribution Points
+                                      * Extension. This is useful when
+                                      * re-generating the DER. */
+    int     extCrlInfoRawSz;         /* length of the extension          */
     const byte* extCrlInfo;          /* CRL Distribution Points          */
     int     extCrlInfoSz;            /* length of the URI                */
     byte    extSubjKeyId[KEYID_SIZE]; /* Subject Key ID                  */
@@ -1398,6 +1441,10 @@ struct DecodedCert {
     const byte* extExtKeyUsageSrc;
     word32  extExtKeyUsageSz;
     word32  extExtKeyUsageCount;
+#ifdef WOLFSSL_AKID_NAME
+    const byte* extRawAuthKeyIdSrc;
+    word32  extRawAuthKeyIdSz;
+#endif
     const byte* extAuthKeyIdSrc;
     word32  extAuthKeyIdSz;
     const byte* extSubjKeyIdSrc;
@@ -1447,6 +1494,9 @@ struct DecodedCert {
     int     subjectSNDLen;
     char    subjectSNDEnc;
 #ifdef WOLFSSL_CERT_EXT
+    char*   subjectStreet;
+    int     subjectStreetLen;
+    char    subjectStreetEnc;
     char*   subjectBC;
     int     subjectBCLen;
     char    subjectBCEnc;
@@ -1456,10 +1506,13 @@ struct DecodedCert {
     char*   subjectJS;
     int     subjectJSLen;
     char    subjectJSEnc;
+    char*   subjectPC;
+    int     subjectPCLen;
+    char    subjectPCEnc;
 #endif
     char*   subjectEmail;
     int     subjectEmailLen;
-#endif /* WOLFSSL_CERT_GEN */
+#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
     /* WOLFSSL_X509_NAME structures (used void* to avoid including ssl.h) */
     void* issuerName;
@@ -1476,7 +1529,10 @@ struct DecodedCert {
 #ifdef WOLFSSL_CERT_EXT
     char    extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ];
     int     extCertPoliciesNb;
-#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */
+#endif /* WOLFSSL_CERT_EXT */
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+    byte    nsCertType;
+#endif
 
 #ifdef WOLFSSL_CERT_REQ
     /* CSR attributes */
@@ -1880,9 +1936,9 @@ WOLFSSL_LOCAL int wc_MIME_free_hdrs(MimeHdr* head);
 
 enum cert_enums {
 #ifdef WOLFSSL_CERT_EXT
-    NAME_ENTRIES    =  10,
+    NAME_ENTRIES    =  12,
 #else
-    NAME_ENTRIES    =  9,
+    NAME_ENTRIES    =  11,
 #endif
     JOINT_LEN       =  2,
     EMAIL_JOINT_LEN =  9,

wolfssl/wolfcrypt/asn_public.h

@@ -197,7 +197,9 @@ enum Ctc_Misc {
     CTC_MAX_SKID_SIZE = 32, /* SHA256_DIGEST_SIZE */
     CTC_MAX_AKID_SIZE = 32, /* SHA256_DIGEST_SIZE */
     CTC_MAX_CERTPOL_SZ = 64,
-    CTC_MAX_CERTPOL_NB = 2 /* Max number of Certificate Policy */
+    CTC_MAX_CERTPOL_NB = 2, /* Max number of Certificate Policy */
+    CTC_MAX_CRLINFO_SZ = 200, /* Arbitrary size that should be enough for at
+                               * least two distribution points. */
 #endif /* WOLFSSL_CERT_EXT */
 };
 
@@ -305,6 +307,8 @@ typedef struct CertName {
     char countryEnc;
     char state[CTC_NAME_SIZE];
     char stateEnc;
+    char street[CTC_NAME_SIZE];
+    char streetEnc;
     char locality[CTC_NAME_SIZE];
     char localityEnc;
     char sur[CTC_NAME_SIZE];
@@ -317,6 +321,8 @@ typedef struct CertName {
     char commonNameEnc;
     char serialDev[CTC_NAME_SIZE];
     char serialDevEnc;
+    char postalCode[CTC_NAME_SIZE];
+    char postalCodeEnc;
 #ifdef WOLFSSL_CERT_EXT
     char busCat[CTC_NAME_SIZE];
     char busCatEnc;
@@ -357,10 +363,24 @@ typedef struct Cert {
 #ifdef WOLFSSL_CERT_EXT
     byte    skid[CTC_MAX_SKID_SIZE];     /* Subject Key Identifier */
     int     skidSz;                      /* SKID size in bytes */
-    byte    akid[CTC_MAX_AKID_SIZE];     /* Authority Key Identifier */
+    byte    akid[CTC_MAX_AKID_SIZE
+#ifdef WOLFSSL_AKID_NAME
+              + sizeof(CertName) + CTC_SERIAL_SIZE
+#endif
+              ]; /* Authority Key
+                                                         * Identifier */
     int     akidSz;                      /* AKID size in bytes */
+#ifdef WOLFSSL_AKID_NAME
+    byte    rawAkid;                     /* Set to true if akid is a
+                                          * AuthorityKeyIdentifier object.
+                                          * Set to false if akid is just a
+                                          * KeyIdentifier object. */
+#endif
     word16  keyUsage;                    /* Key Usage */
     byte    extKeyUsage;                 /* Extended Key Usage */
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+    byte    nsCertType;                  /* Netscape Certificate Type */
+#endif
 #ifdef WOLFSSL_EKU_OID
     /* Extended Key Usage OIDs */
     byte    extKeyUsageOID[CTC_MAX_EKU_NB][CTC_MAX_EKU_OID_SZ];
@@ -368,6 +388,8 @@ typedef struct Cert {
 #endif
     char    certPolicies[CTC_MAX_CERTPOL_NB][CTC_MAX_CERTPOL_SZ];
     word16  certPoliciesNb;              /* Number of Cert Policy */
+    byte    crlInfo[CTC_MAX_CRLINFO_SZ]; /* CRL Distribution points */
+    int     crlInfoSz;
 #endif
 #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \
     defined(WOLFSSL_CERT_REQ)