WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Add a test certificate for all of the FPKI certificate policy OIDs.

pull/8599/head
Kareem 2025-03-27 12:13:57 -07:00
parent eb3b4751ac
commit f313edb4cf
6 changed files with 61 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
certs/fpki-certpol-cert.der 100644
View File

Binary file not shown.

1
certs/include.am
View File

@ -75,6 +75,7 @@ EXTRA_DIST += \
certs/x942dh2048.der \
certs/x942dh2048.pem \
certs/fpki-cert.der \
certs/fpki-certpol-cert.der \
certs/rid-cert.der \
certs/dh-priv-2048.der \
certs/dh-priv-2048.pem \

14
certs/renewcerts.sh
View File

@ -373,6 +373,20 @@ run_renewcerts(){
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
########## update and sign fpki-certpol-cert.der ################
###########################################################
echo "Updating fpki-certpol-cert.der"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-certpol-req.pem
check_result $? "Step 1"
openssl x509 -req -in fpki-certpol-req.pem -extfile wolfssl.cnf -extensions fpki_ext_certpol -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-certpol-cert.der -outform DER
check_result $? "Step 2"
rm fpki-certpol-req.pem
echo "End of section"
echo "---------------------------------------------------------------------"
###########################################################
########## update and sign rid-cert.der ################
###########################################################
echo "Updating rid-cert.der"

12
certs/renewcerts/wolfssl.cnf
View File

@ -355,6 +355,18 @@ subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
policyConstraints = requireExplicitPolicy:0
2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
[fpki_ext_certpol]
basicConstraints = CA:FALSE,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.4, 1.3.6.1.5.5.7.3.21
subjectAltName = @FASC_UUID_altname
certificatePolicies = 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.40, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.2.1.11.5, 2.16.840.1.101.2.1.11.9, 2.16.840.1.101.2.1.11.10, 2.16.840.1.101.2.1.11.17, 2.16.840.1.101.2.1.11.18, 2.16.840.1.101.2.1.11.19, 2.16.840.1.101.2.1.11.20, 2.16.840.1.101.2.1.11.31, 2.16.840.1.101.2.1.11.36, 2.16.840.1.101.2.1.11.37, 2.16.840.1.101.2.1.11.38, 2.16.840.1.101.2.1.11.39, 2.16.840.1.101.2.1.11.40, 2.16.840.1.101.2.1.11.41, 2.16.840.1.101.2.1.11.42, 2.16.840.1.101.2.1.11.43, 2.16.840.1.101.2.1.11.44, 2.16.840.1.101.2.1.11.59, 2.16.840.1.101.2.1.11.60, 2.16.840.1.101.2.1.11.61, 2.16.840.1.101.2.1.11.62, 2.16.840.1.101.3.2.1.12.1, 2.16.840.1.101.3.2.1.12.2, 2.16.840.1.101.3.2.1.12.3, 2.16.840.1.101.3.2.1.12.4, 2.16.840.1.101.3.2.1.12.5, 2.16.840.1.101.3.2.1.12.6, 2.16.840.1.101.3.2.1.12.8, 2.16.840.1.101.3.2.1.12.9, 2.16.840.1.101.3.2.1.12.10, 2.16.840.1.101.3.2.1.3.4, 2.16.840.1.101.3.2.1.3.7, 2.16.840.1.101.3.2.1.3.12, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.16, 2.16.840.1.101.3.2.1.3.18, 2.16.840.1.101.3.2.1.3.20, 2.16.840.1.101.3.2.1.3.36, 2.16.840.1.101.3.2.1.3.38, 2.16.840.1.101.3.2.1.3.39, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.3.2.1.3.47, 2.16.840.1.101.3.2.1.6.4, 2.16.840.1.101.3.2.1.6.12, 2.16.840.1.101.3.2.1.6.38, 2.16.840.1.101.3.2.1.5.4, 2.16.840.1.101.3.2.1.5.5, 2.16.840.1.101.3.2.1.5.10, 2.16.840.1.101.3.2.1.5.12, 1.3.6.1.4.1.73.15.3.1.12, 1.3.6.1.4.1.73.15.3.1.17, 1.3.6.1.4.1.45606.3.1.12, 1.3.6.1.4.1.45606.3.1.20, 1.3.6.1.4.1.45606.3.1.22, 1.3.6.1.4.1.25054.3.1.12, 1.3.6.1.4.1.25054.3.1.14, 1.3.6.1.4.1.25054.3.1.20, 1.3.6.1.4.1.25054.3.1.22, 1.3.6.1.4.1.24019.1.1.1.2, 1.3.6.1.4.1.24019.1.1.1.3, 1.3.6.1.4.1.24019.1.1.1.7, 1.3.6.1.4.1.24019.1.1.1.9, 1.3.6.1.4.1.24019.1.1.1.18, 1.3.6.1.4.1.24019.1.1.1.19, 1.3.6.1.4.1.38099.1.1.1.2, 1.3.6.1.4.1.38099.1.1.1.5, 1.3.6.1.4.1.38099.1.1.1.7, 2.16.840.1.113733.1.7.23.3.1.7, 2.16.840.1.113733.1.7.23.3.1.13, 2.16.840.1.113733.1.7.23.3.1.18, 2.16.840.1.113733.1.7.23.3.1.20, 2.16.840.1.113733.1.7.23.3.1.36, 2.16.840.1.114027.200.3.10.7.2, 2.16.840.1.114027.200.3.10.7.4, 2.16.840.1.114027.200.3.10.7.6, 2.16.840.1.114027.200.3.10.7.9, 2.16.840.1.114027.200.3.10.7.16, 1.3.6.1.4.1.13948.1.1.1.6, 2.16.840.1.113839.0.100.12.1, 2.16.840.1.113839.0.100.12.2, 2.16.840.1.113839.0.100.18.0, 2.16.840.1.113839.0.100.18.1, 2.16.840.1.113839.0.100.18.2, 2.16.840.1.113839.0.100.20.1, 1.3.6.1.4.1.103.100.1.1.3.3, 1.3.6.1.4.1.16334.509.2.8, 1.3.6.1.4.1.16334.509.2.9, 1.3.6.1.4.1.16334.509.2.11, 1.3.6.1.4.1.16334.509.2.14, 1.3.6.1.4.1.1569.10.1.12, 1.3.6.1.4.1.1569.10.1.18, 1.3.6.1.4.1.26769.10.1.12, 1.3.6.1.4.1.26769.10.1.18, 1.3.6.1.4.1.3922.1.1.1.12, 1.3.6.1.4.1.3922.1.1.1.18, 1.3.6.1.4.1.3922.1.1.1.20, 1.3.6.1.4.1.3922.1.1.1.38, 1.2.36.1.334.1.2.1.2, 1.2.36.1.334.1.2.1.3, 1.2.36.1.334.1.2.2.2, 2.16.528.1.1003.1.2.5.1, 2.16.528.1.1003.1.2.5.2, 2.16.528.1.1003.1.2.5.3
subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
policyConstraints = requireExplicitPolicy:0
2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
# using example UUID from RFC4122
[FASC_UUID_altname]
otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:facts@wolfssl.com

24
tests/api.c
View File

@ -4908,6 +4908,7 @@ static int test_wolfSSL_FPKI(void)
#if defined(WOLFSSL_FPKI) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
XFILE f = XBADFILE;
const char* fpkiCert = "./certs/fpki-cert.der";
const char* fpkiCertPolCert = "./certs/fpki-certpol-cert.der";
DecodedCert cert;
byte buf[4096];
byte* uuid = NULL;
@ -4934,6 +4935,29 @@ static int test_wolfSSL_FPKI(void)
ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0);
XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wc_FreeDecodedCert(&cert);
XMEMSET(buf, 0, 4096);
fascnSz = uuidSz = bytes = 0;
f = XBADFILE;
ExpectTrue((f = XFOPEN(fpkiCertPolCert, "rb")) != XBADFILE);
ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0);
if (f != XBADFILE)
XFCLOSE(f);
wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL);
ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0);
ExpectIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E));
ExpectNotNull(fascn = (byte*)XMALLOC(fascnSz, NULL,
DYNAMIC_TYPE_TMP_BUFFER));
ExpectIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0);
XFREE(fascn, NULL, DYNAMIC_TYPE_TMP_BUFFER);
ExpectIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E));
ExpectNotNull(uuid = (byte*)XMALLOC(uuidSz, NULL, DYNAMIC_TYPE_TMP_BUFFER));
ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0);
XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wc_FreeDecodedCert(&cert);
#endif
return EXPECT_RESULT();

20
wolfcrypt/src/asn.c
View File

@ -5724,7 +5724,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyStateMediumDeviceHardwareOid;
*oidSz = sizeof(extCertPolicyStateMediumDeviceHardwareOid);
break;
/* U.S. Treasury SSP PKI OIDs */
case CP_TREAS_MEDIUMHW_OID:
oid = extCertPolicyTreasuryMediumHardwareOid;
@ -5742,7 +5742,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyTreasuryPiviContentSigningOid;
*oidSz = sizeof(extCertPolicyTreasuryPiviContentSigningOid);
break;
/* Boeing PKI OIDs */
case CP_BOEING_MEDIUMHW_SHA256_OID:
oid = extCertPolicyBoeingMediumHardwareSha256Oid;
@ -5752,7 +5752,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyBoeingMediumHardwareContentSigningSha256Oid;
*oidSz = sizeof(extCertPolicyBoeingMediumHardwareContentSigningSha256Oid);
break;
/* DigiCert NFI PKI OIDs */
case CP_DIGICERT_NFSSP_MEDIUMHW_OID:
oid = extCertPolicyDigicertNfiMediumHardwareOid;
@ -5774,7 +5774,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyDigicertNfiMediumDevicesHardwareOid;
*oidSz = sizeof(extCertPolicyDigicertNfiMediumDevicesHardwareOid);
break;
/* Entrust Managed Services NFI PKI OIDs */
case CP_ENTRUST_NFSSP_MEDIUMHW_OID:
oid = extCertPolicyEntrustNfiMediumHardwareOid;
@ -5796,19 +5796,19 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyEntrustNfiMediumDevicesHwOid;
*oidSz = sizeof(extCertPolicyEntrustNfiMediumDevicesHwOid);
break;
/* Exostar LLC PKI OIDs */
case CP_EXOSTAR_MEDIUMHW_SHA2_OID:
oid = extCertPolicyExostarMediumHardwareSha2Oid;
*oidSz = sizeof(extCertPolicyExostarMediumHardwareSha2Oid);
break;
/* Lockheed Martin PKI OIDs */
case CP_LOCKHEED_MEDIUMHW_OID:
oid = extCertPolicyLockheedMediumAssuranceHardwareOid;
*oidSz = sizeof(extCertPolicyLockheedMediumAssuranceHardwareOid);
break;
/* Northrop Grumman PKI OIDs */
case CP_NORTHROP_MEDIUM_256_HW_OID:
oid = extCertPolicyNorthropMediumAssurance256HardwareTokenOid;
@ -5826,7 +5826,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyNorthropMediumAssurance384HardwareTokenOid;
*oidSz = sizeof(extCertPolicyNorthropMediumAssurance384HardwareTokenOid);
break;
/* Raytheon PKI OIDs */
case CP_RAYTHEON_MEDIUMHW_OID:
oid = extCertPolicyRaytheonMediumHardwareOid;
@ -5844,7 +5844,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyRaytheonSha2MediumDeviceHardwareOid;
*oidSz = sizeof(extCertPolicyRaytheonSha2MediumDeviceHardwareOid);
break;
/* WidePoint NFI PKI OIDs */
case CP_WIDEPOINT_MEDIUMHW_OID:
oid = extCertPolicyWidepointNfiMediumHardwareOid;
@ -5862,7 +5862,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
oid = extCertPolicyWidepointNfiMediumDevicesHardwareOid;
*oidSz = sizeof(extCertPolicyWidepointNfiMediumDevicesHardwareOid);
break;
/* Australian Defence Organisation PKI OIDs */
case CP_ADO_MEDIUM_OID:
oid = extCertPolicyAdoIndividualMediumAssuranceOid;