wolfSSL · JacobBarthelmeh · Apr 2, 2025 · Mar 25, 2025 · Mar 25, 2025 · Mar 25, 2025
diff --git a/certs/fpki-certpol-cert.der b/certs/fpki-certpol-cert.der
diff --git a/certs/include.am b/certs/include.am
@@ -75,6 +75,7 @@ EXTRA_DIST += \
              certs/x942dh2048.der \
              certs/x942dh2048.pem \
              certs/fpki-cert.der \
+             certs/fpki-certpol-cert.der \
              certs/rid-cert.der \
              certs/dh-priv-2048.der \
              certs/dh-priv-2048.pem \

diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
@@ -373,6 +373,20 @@ run_renewcerts(){
     echo "End of section"
     echo "---------------------------------------------------------------------"
     ###########################################################
+    ########## update and sign fpki-certpol-cert.der ################
+    ###########################################################
+    echo "Updating fpki-certpol-cert.der"
+    echo ""
+    #pipe the following arguments to openssl req...
+    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\[email protected]\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-certpol-req.pem
+    check_result $? "Step 1"
+
+    openssl x509 -req -in fpki-certpol-req.pem -extfile wolfssl.cnf -extensions fpki_ext_certpol -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-certpol-cert.der -outform DER
+    check_result $? "Step 2"
+    rm fpki-certpol-req.pem
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+    ###########################################################
     ########## update and sign rid-cert.der ################
     ###########################################################
     echo "Updating rid-cert.der"

diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
@@ -355,6 +355,18 @@ subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
 policyConstraints = requireExplicitPolicy:0
 2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
 
+[fpki_ext_certpol]
+basicConstraints = CA:FALSE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.4, 1.3.6.1.5.5.7.3.21
+subjectAltName = @FASC_UUID_altname
+certificatePolicies = 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.40, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.2.1.11.5, 2.16.840.1.101.2.1.11.9, 2.16.840.1.101.2.1.11.10, 2.16.840.1.101.2.1.11.17, 2.16.840.1.101.2.1.11.18, 2.16.840.1.101.2.1.11.19, 2.16.840.1.101.2.1.11.20, 2.16.840.1.101.2.1.11.31, 2.16.840.1.101.2.1.11.36, 2.16.840.1.101.2.1.11.37, 2.16.840.1.101.2.1.11.38, 2.16.840.1.101.2.1.11.39, 2.16.840.1.101.2.1.11.40, 2.16.840.1.101.2.1.11.41, 2.16.840.1.101.2.1.11.42, 2.16.840.1.101.2.1.11.43, 2.16.840.1.101.2.1.11.44, 2.16.840.1.101.2.1.11.59, 2.16.840.1.101.2.1.11.60, 2.16.840.1.101.2.1.11.61, 2.16.840.1.101.2.1.11.62, 2.16.840.1.101.3.2.1.12.1, 2.16.840.1.101.3.2.1.12.2, 2.16.840.1.101.3.2.1.12.3, 2.16.840.1.101.3.2.1.12.4, 2.16.840.1.101.3.2.1.12.5, 2.16.840.1.101.3.2.1.12.6, 2.16.840.1.101.3.2.1.12.8, 2.16.840.1.101.3.2.1.12.9, 2.16.840.1.101.3.2.1.12.10, 2.16.840.1.101.3.2.1.3.4, 2.16.840.1.101.3.2.1.3.7, 2.16.840.1.101.3.2.1.3.12, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.16, 2.16.840.1.101.3.2.1.3.18, 2.16.840.1.101.3.2.1.3.20, 2.16.840.1.101.3.2.1.3.36, 2.16.840.1.101.3.2.1.3.38, 2.16.840.1.101.3.2.1.3.39, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.3.2.1.3.47, 2.16.840.1.101.3.2.1.6.4, 2.16.840.1.101.3.2.1.6.12, 2.16.840.1.101.3.2.1.6.38, 2.16.840.1.101.3.2.1.5.4, 2.16.840.1.101.3.2.1.5.5, 2.16.840.1.101.3.2.1.5.10, 2.16.840.1.101.3.2.1.5.12, 1.3.6.1.4.1.73.15.3.1.12, 1.3.6.1.4.1.73.15.3.1.17, 1.3.6.1.4.1.45606.3.1.12, 1.3.6.1.4.1.45606.3.1.20, 1.3.6.1.4.1.45606.3.1.22, 1.3.6.1.4.1.25054.3.1.12, 1.3.6.1.4.1.25054.3.1.14, 1.3.6.1.4.1.25054.3.1.20, 1.3.6.1.4.1.25054.3.1.22, 1.3.6.1.4.1.24019.1.1.1.2, 1.3.6.1.4.1.24019.1.1.1.3, 1.3.6.1.4.1.24019.1.1.1.7, 1.3.6.1.4.1.24019.1.1.1.9, 1.3.6.1.4.1.24019.1.1.1.18, 1.3.6.1.4.1.24019.1.1.1.19, 1.3.6.1.4.1.38099.1.1.1.2, 1.3.6.1.4.1.38099.1.1.1.5, 1.3.6.1.4.1.38099.1.1.1.7, 2.16.840.1.113733.1.7.23.3.1.7, 2.16.840.1.113733.1.7.23.3.1.13, 2.16.840.1.113733.1.7.23.3.1.18, 2.16.840.1.113733.1.7.23.3.1.20, 2.16.840.1.113733.1.7.23.3.1.36, 2.16.840.1.114027.200.3.10.7.2, 2.16.840.1.114027.200.3.10.7.4, 2.16.840.1.114027.200.3.10.7.6, 2.16.840.1.114027.200.3.10.7.9, 2.16.840.1.114027.200.3.10.7.16, 1.3.6.1.4.1.13948.1.1.1.6, 2.16.840.1.113839.0.100.12.1, 2.16.840.1.113839.0.100.12.2, 2.16.840.1.113839.0.100.18.0, 2.16.840.1.113839.0.100.18.1, 2.16.840.1.113839.0.100.18.2, 2.16.840.1.113839.0.100.20.1, 1.3.6.1.4.1.103.100.1.1.3.3, 1.3.6.1.4.1.16334.509.2.8, 1.3.6.1.4.1.16334.509.2.9, 1.3.6.1.4.1.16334.509.2.11, 1.3.6.1.4.1.16334.509.2.14, 1.3.6.1.4.1.1569.10.1.12, 1.3.6.1.4.1.1569.10.1.18, 1.3.6.1.4.1.26769.10.1.12, 1.3.6.1.4.1.26769.10.1.18, 1.3.6.1.4.1.3922.1.1.1.12, 1.3.6.1.4.1.3922.1.1.1.18, 1.3.6.1.4.1.3922.1.1.1.20, 1.3.6.1.4.1.3922.1.1.1.38, 1.2.36.1.334.1.2.1.2, 1.2.36.1.334.1.2.1.3, 1.2.36.1.334.1.2.2.2, 2.16.528.1.1003.1.2.5.1, 2.16.528.1.1003.1.2.5.2, 2.16.528.1.1003.1.2.5.3
+subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
+policyConstraints = requireExplicitPolicy:0
+2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
+
 # using example UUID from RFC4122
 [FASC_UUID_altname]
 otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:[email protected]

diff --git a/tests/api.c b/tests/api.c
@@ -4908,6 +4908,7 @@ static int test_wolfSSL_FPKI(void)
 #if defined(WOLFSSL_FPKI) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
     XFILE f = XBADFILE;
     const char* fpkiCert = "./certs/fpki-cert.der";
+    const char* fpkiCertPolCert = "./certs/fpki-certpol-cert.der";
     DecodedCert cert;
     byte buf[4096];
     byte* uuid = NULL;
@@ -4934,6 +4935,29 @@ static int test_wolfSSL_FPKI(void)
     ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0);
     XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     wc_FreeDecodedCert(&cert);
+
+    XMEMSET(buf, 0, 4096);
+    fascnSz = uuidSz = bytes = 0;
+    f = XBADFILE;
+
+    ExpectTrue((f = XFOPEN(fpkiCertPolCert, "rb")) != XBADFILE);
+    ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0);
+    if (f != XBADFILE)
+        XFCLOSE(f);
+
+    wc_InitDecodedCert(&cert, buf, (word32)bytes, NULL);
+    ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0);
+    ExpectIntEQ(wc_GetFASCNFromCert(&cert, NULL, &fascnSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E));
+    ExpectNotNull(fascn = (byte*)XMALLOC(fascnSz, NULL,
+        DYNAMIC_TYPE_TMP_BUFFER));
+    ExpectIntEQ(wc_GetFASCNFromCert(&cert, fascn, &fascnSz), 0);
+    XFREE(fascn, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+    ExpectIntEQ(wc_GetUUIDFromCert(&cert, NULL, &uuidSz), WC_NO_ERR_TRACE(LENGTH_ONLY_E));
+    ExpectNotNull(uuid = (byte*)XMALLOC(uuidSz, NULL, DYNAMIC_TYPE_TMP_BUFFER));
+    ExpectIntEQ(wc_GetUUIDFromCert(&cert, uuid, &uuidSz), 0);
+    XFREE(uuid, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    wc_FreeDecodedCert(&cert);
 #endif
 
     return EXPECT_RESULT();