From f313edb4cfa7227f1bd1bf4fa40bf51162ee2f15 Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 27 Mar 2025 12:13:57 -0700 Subject: [PATCH] Add a test certificate for all of the FPKI certificate policy OIDs. --- certs/fpki-certpol-cert.der | Bin 0 -> 2874 bytes certs/include.am | 1 + certs/renewcerts.sh | 14 ++++++++++++++ certs/renewcerts/wolfssl.cnf | 12 ++++++++++++ tests/api.c | 24 ++++++++++++++++++++++++ wolfcrypt/src/asn.c | 20 ++++++++++---------- 6 files changed, 61 insertions(+), 10 deletions(-) create mode 100644 certs/fpki-certpol-cert.der 
diff --git a/certs/fpki-certpol-cert.der b/certs/fpki-certpol-cert.der new file mode 100644 index 0000000000000000000000000000000000000000..f3fe08341769a6fb92fde97bae3d8c7c99133de6 GIT binary patch literal 2874 zcmbu>dr%Wc7y$6>-Q_M%$V-qSMI^jmn*ahzQ9%?RMFDMX)oM%#P$d}+Ot4^u$b?pr zTBkur9gT0)A}TsXg${~np=uSW(pqb=K2T}vSS!{(?A;-7oBq}5fBAji?(N>@+uegU z@n~ohz3Rj@1B8x-k$)sMpP=0-Z@W z5TPVgviZI2e4R-nhwe-pkwlQCvlf`m1-Tj}lrtf*M3iDSSqhgFuGhZ7R#a&sz=ixTs&Vx1}!fXKWnjM1f zHzzz^n*Uix>VzPWeKz&r<3=@Xa9oT^zxs5<2aP4${;0`W`S-jn8HIhT+o^l8Q6F_T z6*otf95B>){@Fgi_{0x>ca}w(Bkf%d%eS9;XB}TK?wXf0U`DrIpRq=47+0IpuzSS3 znEHb}r@r;+O7UB{MV394!}nqNbuC^XvO)Ia+4JL%=IxvmomXKxbJBCquRS+vEse!d ze#ibYW=NW5)pzGF7}4l&xh%v#RCUOX8(KmyZLgl%*xmWc+;h(6Q~DzJiE&U{U8?nW zY`30Jc5JZRnjg^iuCyg#;jW{H@{*H<_qzm*(Ie~UjM}^Z;hFBcx>cuFWk7a?4PauLQwI2U8NNaW%*E|R#* zBLRpoL^vV>5g!qWNPtL)NW>M6JQJsooCFd2hs%(h0+9-l8c`skAVjWZ!!5TcZc7rG zHHplVL`L8vE&0fr@sX9_vrl37x(ZVzcaDlw$w@$CEfeBCwQHoKzF-6Vxt@IOdN{*3YuxZ(4Ig=b1hUHLp zYbO1+Ls^zC*`XR^v+MyFss^@nK!1oa2h#v>4zT`{s9Xjr76Xjme@YDq&Ee3SxhI5# z3M!y%;2ska8iM(bqu-HEs+lXcl)hqpU)}{cDFOuDoG!Tj%K;~a^qah(-;?`QNPoKk zp6-6qrX!#8R!+IAFrF`pA7&^{#=!AJ&l_O}it3)9UNd#o$E(~NlY5lK;X$#zjwk82 zuLtBdR~->liJUjfPV3WmeAhXvRqFq|Su}m~X7w)f;Xs|7sI^u$wSGw`Z-UTJ$?J4|=S9vBy z>-A=dEOS~z?ac{=wcr1o_tlfBb03|WQPHfU##Q$W+ fpki-certpol-req.pem + check_result $? "Step 1" + + openssl x509 -req -in fpki-certpol-req.pem -extfile wolfssl.cnf -extensions fpki_ext_certpol -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-certpol-cert.der -outform DER + check_result $? "Step 2" + rm fpki-certpol-req.pem + echo "End of section" + echo "---------------------------------------------------------------------" + ########################################################### ########## update and sign rid-cert.der ################ ########################################################### echo "Updating rid-cert.der" diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf index e955ba59c..5738bf768 100644 
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -355,6 +355,18 @@ subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
 policyConstraints = requireExplicitPolicy:0
 2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
+[fpki_ext_certpol]
+basicConstraints = CA:FALSE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.4, 1.3.6.1.5.5.7.3.21
+subjectAltName = @FASC_UUID_altname
+certificatePolicies = 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.40, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.2.1.11.5, 2.16.840.1.101.2.1.11.9, 2.16.840.1.101.2.1.11.10, 2.16.840.1.101.2.1.11.17, 2.16.840.1.101.2.1.11.18, 2.16.840.1.101.2.1.11.19, 2.16.840.1.101.2.1.11.20, 2.16.840.1.101.2.1.11.31, 2.16.840.1.101.2.1.11.36, 2.16.840.1.101.2.1.11.37, 2.16.840.1.101.2.1.11.38, 2.16.840.1.101.2.1.11.39, 2.16.840.1.101.2.1.11.40, 2.16.840.1.101.2.1.11.41, 2.16.840.1.101.2.1.11.42, 2.16.840.1.101.2.1.11.43, 2.16.840.1.101.2.1.11.44, 2.16.840.1.101.2.1.11.59, 2.16.840.1.101.2.1.11.60, 2.16.840.1.101.2.1.11.61, 2.16.840.1.101.2.1.11.62, 2.16.840.1.101.3.2.1.12.1, 2.16.840.1.101.3.2.1.12.2, 2.16.840.1.101.3.2.1.12.3, 2.16.840.1.101.3.2.1.12.4, 2.16.840.1.101.3.2.1.12.5, 2.16.840.1.101.3.2.1.12.6, 2.16.840.1.101.3.2.1.12.8, 2.16.840.1.101.3.2.1.12.9, 2.16.840.1.101.3.2.1.12.10, 2.16.840.1.101.3.2.1.3.4, 2.16.840.1.101.3.2.1.3.7, 2.16.840.1.101.3.2.1.3.12, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.16, 2.16.840.1.101.3.2.1.3.18, 2.16.840.1.101.3.2.1.3.20, 2.16.840.1.101.3.2.1.3.36, 2.16.840.1.101.3.2.1.3.38, 2.16.840.1.101.3.2.1.3.39, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.3.2.1.3.47, 2.16.840.1.101.3.2.1.6.4, 2.16.840.1.101.3.2.1.6.12, 2.16.840.1.101.3.2.1.6.38, 2.16.840.1.101.3.2.1.5.4, 2.16.840.1.101.3.2.1.5.5, 2.16.840.1.101.3.2.1.5.10, 2.16.840.1.101.3.2.1.5.12, 1.3.6.1.4.1.73.15.3.1.12, 1.3.6.1.4.1.73.15.3.1.17, 
1.3.6.1.4.1.45606.3.1.12, 1.3.6.1.4.1.45606.3.1.20, 1.3.6.1.4.1.45606.3.1.22, 1.3.6.1.4.1.25054.3.1.12, 1.3.6.1.4.1.25054.3.1.14, 1.3.6.1.4.1.25054.3.1.20, 1.3.6.1.4.1.25054.3.1.22, 1.3.6.1.4.1.24019.1.1.1.2, 1.3.6.1.4.1.24019.1.1.1.3, 1.3.6.1.4.1.24019.1.1.1.7, 1.3.6.1.4.1.24019.1.1.1.9, 1.3.6.1.4.1.24019.1.1.1.18, 1.3.6.1.4.1.24019.1.1.1.19, 1.3.6.1.4.1.38099.1.1.1.2, 1.3.6.1.4.1.38099.1.1.1.5, 1.3.6.1.4.1.38099.1.1.1.7, 2.16.840.1.113733.1.7.23.3.1.7, 2.16.840.1.113733.1.7.23.3.1.13, 2.16.840.1.113733.1.7.23.3.1.18, 2.16.840.1.113733.1.7.23.3.1.20, 2.16.840.1.113733.1.7.23.3.1.36, 2.16.840.1.114027.200.3.10.7.2, 2.16.840.1.114027.200.3.10.7.4, 2.16.840.1.114027.200.3.10.7.6, 2.16.840.1.114027.200.3.10.7.9, 2.16.840.1.114027.200.3.10.7.16, 1.3.6.1.4.1.13948.1.1.1.6, 2.16.840.1.113839.0.100.12.1, 2.16.840.1.113839.0.100.12.2, 2.16.840.1.113839.0.100.18.0, 2.16.840.1.113839.0.100.18.1, 2.16.840.1.113839.0.100.18.2, 2.16.840.1.113839.0.100.20.1, 1.3.6.1.4.1.103.100.1.1.3.3, 1.3.6.1.4.1.16334.509.2.8, 1.3.6.1.4.1.16334.509.2.9, 1.3.6.1.4.1.16334.509.2.11, 1.3.6.1.4.1.16334.509.2.14, 1.3.6.1.4.1.1569.10.1.12, 1.3.6.1.4.1.1569.10.1.18, 1.3.6.1.4.1.26769.10.1.12, 1.3.6.1.4.1.26769.10.1.18, 1.3.6.1.4.1.3922.1.1.1.12, 1.3.6.1.4.1.3922.1.1.1.18, 1.3.6.1.4.1.3922.1.1.1.20, 1.3.6.1.4.1.3922.1.1.1.38, 1.2.36.1.334.1.2.1.2, 1.2.36.1.334.1.2.1.3, 1.2.36.1.334.1.2.2.2, 2.16.528.1.1003.1.2.5.1, 2.16.528.1.1003.1.2.5.2, 2.16.528.1.1003.1.2.5.3
+subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
+policyConstraints = requireExplicitPolicy:0
+2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
+
 # using example UUID from RFC4122
 [FASC_UUID_altname]
 otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:facts@wolfssl.com
diff --git a/tests/api.c b/tests/api.c
index 3d6ad8284..c0ebce887 100644
--- a/tests/api.c
+++ b/tests/api.c
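Review bot: The `certificatePolicies` value in the new `[fpki_ext_certpol]` section lists `2.16.840.1.101.3.2.1.3.13`, `2.16.840.1.101.3.2.1.3.41` and `2.16.840.1.101.3.2.1.3.45` twice, once at the head of the list and again inside the later `2.16.840.1.101.3.2.1.3.*` run, so the fixture openssl generates from it carries duplicate policy OIDs. RFC 5280 §4.2.1.4 states that a policy OID MUST NOT appear more than once in the extension, so a conforming verifier is entitled to reject this certificate; as a regression fixture for the OID decode path it therefore tests a malformed input by accident rather than the clean case it is meant to cover. Deleting the three repeated entries from the head of the list (leaving `2.16.840.1.101.3.2.1.3.40` there) makes every OID unique, after which `certs/fpki-certpol-cert.der` needs regenerating with `certs/renewcerts.sh`. A short comment above the key, `# one policyIdentifier per OID (RFC 5280 4.2.1.4); keep this list duplicate-free`, would stop the next addition from reintroducing the problem.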
@@ -4908,6 +4908,7 @@ static int test_wolfSSL_FPKI(void)
 #if defined(WOLFSSL_FPKI) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
 XFILE f = XBADFILE;
 const char* fpkiCert = "./certs/fpki-cert.der";
+ const char* fpkiCertPolCert = "./certs/fpki-certpol-cert.der";
 DecodedCert cert;
 byte buf[4096];
 byte* uuid = NULL;
@@ -4934,6 +4935,29 @@ static int test_wolfSSL_FPKI(void)
 ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0);
 XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 wc_FreeDecodedCert(&cert);
+
+ XMEMSET(buf, 0, 4096);
+ fascnSz = uuidSz = bytes = 0;
+ f = XBADFILE;
+
+ ExpectTrue((f = XFOPEN(fpkiCertPolCert, "rb")) != XBADFILE);
+ ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0);
+ if (f != XBADFILE)
+ XFCLOSE(f);
+
+ wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL);
+ ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0);
+ ExpectIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E));
+ ExpectNotNull(fascn = (byte*)XMALLOC(fascnSz, NULL,
+ DYNAMIC_TYPE_TMP_BUFFER));
+ ExpectIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0);
+ XFREE(fascn, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+ ExpectIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E));
+ ExpectNotNull(uuid = (byte*)XMALLOC(uuidSz, NULL, DYNAMIC_TYPE_TMP_BUFFER));
+ ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0);
+ XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ wc_FreeDecodedCert(&cert);
 #endif
 return EXPECT_RESULT();
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index af3636fd2..4c65ee4b8 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -5724,7 +5724,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyStateMediumDeviceHardwareOid;
 *oidSz = sizeof(extCertPolicyStateMediumDeviceHardwareOid);
 break;
-
+
 /* U.S. Treasury SSP PKI OIDs */
 case CP_TREAS_MEDIUMHW_OID:
 oid = extCertPolicyTreasuryMediumHardwareOid;
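Review bot: In the second api.c hunk the new block never asserts anything about the certificate policies that `fpki-certpol-cert.der` was created to exercise; once `wc_ParseCert` returns 0 it only repeats the FASC-N and UUID extraction already covered by `fpki-cert.der`, so a regression in the policy-OID decode path that does not fail the whole parse would pass this test. A check on the decoded policy state right after the parse, e.g. `ExpectTrue(cert.extCertPolicySet);` if this build's `DecodedCert` exposes that flag, would tie the test to what the commit is adding. `XMEMSET(buf, 0, 4096);` should use `sizeof(buf)` like the `XFREAD` line does, and since nothing checks `bytes < (int)sizeof(buf)`, a regenerated fixture larger than 4096 bytes would be silently truncated before parsing (the current DER is 2874 bytes per the diffstat). `test_wolfSSL_FPKI` begins before the first hunk and its closing brace lies outside the second.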
@@ -5742,7 +5742,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyTreasuryPiviContentSigningOid;
 *oidSz = sizeof(extCertPolicyTreasuryPiviContentSigningOid);
 break;
-
+
 /* Boeing PKI OIDs */
 case CP_BOEING_MEDIUMHW_SHA256_OID:
 oid = extCertPolicyBoeingMediumHardwareSha256Oid;
@@ -5752,7 +5752,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyBoeingMediumHardwareContentSigningSha256Oid;
 *oidSz = sizeof(extCertPolicyBoeingMediumHardwareContentSigningSha256Oid);
 break;
-
+
 /* DigiCert NFI PKI OIDs */
 case CP_DIGICERT_NFSSP_MEDIUMHW_OID:
 oid = extCertPolicyDigicertNfiMediumHardwareOid;
@@ -5774,7 +5774,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyDigicertNfiMediumDevicesHardwareOid;
 *oidSz = sizeof(extCertPolicyDigicertNfiMediumDevicesHardwareOid);
 break;
-
+
 /* Entrust Managed Services NFI PKI OIDs */
 case CP_ENTRUST_NFSSP_MEDIUMHW_OID:
 oid = extCertPolicyEntrustNfiMediumHardwareOid;
@@ -5796,19 +5796,19 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyEntrustNfiMediumDevicesHwOid;
 *oidSz = sizeof(extCertPolicyEntrustNfiMediumDevicesHwOid);
 break;
-
+
 /* Exostar LLC PKI OIDs */
 case CP_EXOSTAR_MEDIUMHW_SHA2_OID:
 oid = extCertPolicyExostarMediumHardwareSha2Oid;
 *oidSz = sizeof(extCertPolicyExostarMediumHardwareSha2Oid);
 break;
-
+
 /* Lockheed Martin PKI OIDs */
 case CP_LOCKHEED_MEDIUMHW_OID:
 oid = extCertPolicyLockheedMediumAssuranceHardwareOid;
 *oidSz = sizeof(extCertPolicyLockheedMediumAssuranceHardwareOid);
 break;
-
+
 /* Northrop Grumman PKI OIDs */
 case CP_NORTHROP_MEDIUM_256_HW_OID:
 oid = extCertPolicyNorthropMediumAssurance256HardwareTokenOid;
@@ -5826,7 +5826,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyNorthropMediumAssurance384HardwareTokenOid;
 *oidSz = sizeof(extCertPolicyNorthropMediumAssurance384HardwareTokenOid);
 break;
-
+
 /* Raytheon PKI OIDs */
 case CP_RAYTHEON_MEDIUMHW_OID:
 oid = extCertPolicyRaytheonMediumHardwareOid;
@@ -5844,7 +5844,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyRaytheonSha2MediumDeviceHardwareOid;
 *oidSz = sizeof(extCertPolicyRaytheonSha2MediumDeviceHardwareOid);
 break;
-
+
 /* WidePoint NFI PKI OIDs */
 case CP_WIDEPOINT_MEDIUMHW_OID:
 oid = extCertPolicyWidepointNfiMediumHardwareOid;
@@ -5862,7 +5862,7 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 oid = extCertPolicyWidepointNfiMediumDevicesHardwareOid;
 *oidSz = sizeof(extCertPolicyWidepointNfiMediumDevicesHardwareOid);
 break;
-
+
 /* Australian Defence Organisation PKI OIDs */
 case CP_ADO_MEDIUM_OID:
 oid = extCertPolicyAdoIndividualMediumAssuranceOid;