Merge pull request #8652 from kareem-wolfssl/zd19563_2

douzzer · web-flow · commit 8c0b9314594b · 2025-04-18T14:04:29.000-05:00
Add some FPKI test OIDs which are currently being used in DoD JITC certificates.
diff --git a/certs/fpki-certpol-cert.der b/certs/fpki-certpol-cert.der
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
@@ -29,6 +29,7 @@
 #                       client-crl-dist.pem
 #                       entity-no-ca-bool-cert.pem
 #                       fpki-cert.der
+#                       fpki-certpol-cert.der
 #                       rid-cert.der
 # updates the following crls:
 #                       crl/cliCrl.pem
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
@@ -362,7 +362,7 @@ authorityKeyIdentifier = keyid
 keyUsage = critical, digitalSignature
 extendedKeyUsage = critical, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.4, 1.3.6.1.5.5.7.3.21
 subjectAltName = @FASC_UUID_altname
-certificatePolicies = 1.3.6.1.4.1.6449.1.2.1.3.4, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.40, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.2.1.11.5, 2.16.840.1.101.2.1.11.9, 2.16.840.1.101.2.1.11.10, 2.16.840.1.101.2.1.11.17, 2.16.840.1.101.2.1.11.18, 2.16.840.1.101.2.1.11.19, 2.16.840.1.101.2.1.11.20, 2.16.840.1.101.2.1.11.31, 2.16.840.1.101.2.1.11.36, 2.16.840.1.101.2.1.11.37, 2.16.840.1.101.2.1.11.38, 2.16.840.1.101.2.1.11.39, 2.16.840.1.101.2.1.11.40, 2.16.840.1.101.2.1.11.41, 2.16.840.1.101.2.1.11.42, 2.16.840.1.101.2.1.11.43, 2.16.840.1.101.2.1.11.44, 2.16.840.1.101.2.1.11.59, 2.16.840.1.101.2.1.11.60, 2.16.840.1.101.2.1.11.61, 2.16.840.1.101.2.1.11.62, 2.16.840.1.101.3.2.1.12.1, 2.16.840.1.101.3.2.1.12.2, 2.16.840.1.101.3.2.1.12.3, 2.16.840.1.101.3.2.1.12.4, 2.16.840.1.101.3.2.1.12.5, 2.16.840.1.101.3.2.1.12.6, 2.16.840.1.101.3.2.1.12.8, 2.16.840.1.101.3.2.1.12.9, 2.16.840.1.101.3.2.1.12.10, 2.16.840.1.101.3.2.1.3.4, 2.16.840.1.101.3.2.1.3.7, 2.16.840.1.101.3.2.1.3.12, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.16, 2.16.840.1.101.3.2.1.3.18, 2.16.840.1.101.3.2.1.3.20, 2.16.840.1.101.3.2.1.3.36, 2.16.840.1.101.3.2.1.3.38, 2.16.840.1.101.3.2.1.3.39, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.3.2.1.3.47, 2.16.840.1.101.3.2.1.6.4, 2.16.840.1.101.3.2.1.6.12, 2.16.840.1.101.3.2.1.6.38, 2.16.840.1.101.3.2.1.5.4, 2.16.840.1.101.3.2.1.5.5, 2.16.840.1.101.3.2.1.5.10, 2.16.840.1.101.3.2.1.5.12, 1.3.6.1.4.1.73.15.3.1.12, 1.3.6.1.4.1.73.15.3.1.17, 1.3.6.1.4.1.45606.3.1.12, 1.3.6.1.4.1.45606.3.1.20, 1.3.6.1.4.1.45606.3.1.22, 1.3.6.1.4.1.25054.3.1.12, 1.3.6.1.4.1.25054.3.1.14, 1.3.6.1.4.1.25054.3.1.20, 1.3.6.1.4.1.25054.3.1.22, 1.3.6.1.4.1.24019.1.1.1.2, 1.3.6.1.4.1.24019.1.1.1.3, 1.3.6.1.4.1.24019.1.1.1.7, 1.3.6.1.4.1.24019.1.1.1.9, 1.3.6.1.4.1.24019.1.1.1.18, 1.3.6.1.4.1.24019.1.1.1.19, 1.3.6.1.4.1.38099.1.1.1.2, 1.3.6.1.4.1.38099.1.1.1.5, 1.3.6.1.4.1.38099.1.1.1.7, 2.16.840.1.113733.1.7.23.3.1.7, 2.16.840.1.113733.1.7.23.3.1.13, 2.16.840.1.113733.1.7.23.3.1.18, 2.16.840.1.113733.1.7.23.3.1.20, 2.16.840.1.113733.1.7.23.3.1.36, 2.16.840.1.114027.200.3.10.7.2, 2.16.840.1.114027.200.3.10.7.4, 2.16.840.1.114027.200.3.10.7.6, 2.16.840.1.114027.200.3.10.7.9, 2.16.840.1.114027.200.3.10.7.16, 1.3.6.1.4.1.13948.1.1.1.6, 2.16.840.1.113839.0.100.12.1, 2.16.840.1.113839.0.100.12.2, 2.16.840.1.113839.0.100.18.0, 2.16.840.1.113839.0.100.18.1, 2.16.840.1.113839.0.100.18.2, 2.16.840.1.113839.0.100.20.1, 1.3.6.1.4.1.103.100.1.1.3.3, 1.3.6.1.4.1.16334.509.2.8, 1.3.6.1.4.1.16334.509.2.9, 1.3.6.1.4.1.16334.509.2.11, 1.3.6.1.4.1.16334.509.2.14, 1.3.6.1.4.1.1569.10.1.12, 1.3.6.1.4.1.1569.10.1.18, 1.3.6.1.4.1.26769.10.1.12, 1.3.6.1.4.1.26769.10.1.18, 1.3.6.1.4.1.3922.1.1.1.12, 1.3.6.1.4.1.3922.1.1.1.18, 1.3.6.1.4.1.3922.1.1.1.20, 1.3.6.1.4.1.3922.1.1.1.38, 1.2.36.1.334.1.2.1.2, 1.2.36.1.334.1.2.1.3, 1.2.36.1.334.1.2.2.2, 2.16.528.1.1003.1.2.5.1, 2.16.528.1.1003.1.2.5.2, 2.16.528.1.1003.1.2.5.3
+certificatePolicies = 1.3.6.1.4.1.6449.1.2.1.3.4, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.40, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.2.1.11.5, 2.16.840.1.101.2.1.11.9, 2.16.840.1.101.2.1.11.10, 2.16.840.1.101.2.1.11.17, 2.16.840.1.101.2.1.11.18, 2.16.840.1.101.2.1.11.19, 2.16.840.1.101.2.1.11.20, 2.16.840.1.101.2.1.11.31, 2.16.840.1.101.2.1.11.36, 2.16.840.1.101.2.1.11.37, 2.16.840.1.101.2.1.11.38, 2.16.840.1.101.2.1.11.39, 2.16.840.1.101.2.1.11.40, 2.16.840.1.101.2.1.11.41, 2.16.840.1.101.2.1.11.42, 2.16.840.1.101.2.1.11.43, 2.16.840.1.101.2.1.11.44, 2.16.840.1.101.2.1.11.59, 2.16.840.1.101.2.1.11.60, 2.16.840.1.101.2.1.11.61, 2.16.840.1.101.2.1.11.62, 2.16.840.1.101.3.2.1.12.1, 2.16.840.1.101.3.2.1.12.2, 2.16.840.1.101.3.2.1.12.3, 2.16.840.1.101.3.2.1.12.4, 2.16.840.1.101.3.2.1.12.5, 2.16.840.1.101.3.2.1.12.6, 2.16.840.1.101.3.2.1.12.8, 2.16.840.1.101.3.2.1.12.9, 2.16.840.1.101.3.2.1.12.10, 2.16.840.1.101.3.2.1.3.4, 2.16.840.1.101.3.2.1.3.7, 2.16.840.1.101.3.2.1.3.12, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.16, 2.16.840.1.101.3.2.1.3.18, 2.16.840.1.101.3.2.1.3.20, 2.16.840.1.101.3.2.1.3.36, 2.16.840.1.101.3.2.1.3.38, 2.16.840.1.101.3.2.1.3.39, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.3.2.1.3.47, 2.16.840.1.101.3.2.1.6.1, 2.16.840.1.101.3.2.1.6.2, 2.16.840.1.101.3.2.1.6.3, 2.16.840.1.101.3.2.1.6.4, 2.16.840.1.101.3.2.1.6.12, 2.16.840.1.101.3.2.1.6.38, 2.16.840.1.101.3.2.1.5.4, 2.16.840.1.101.3.2.1.5.5, 2.16.840.1.101.3.2.1.5.10, 2.16.840.1.101.3.2.1.5.12, 1.3.6.1.4.1.73.15.3.1.12, 1.3.6.1.4.1.73.15.3.1.17, 1.3.6.1.4.1.45606.3.1.12, 1.3.6.1.4.1.45606.3.1.20, 1.3.6.1.4.1.45606.3.1.22, 1.3.6.1.4.1.25054.3.1.12, 1.3.6.1.4.1.25054.3.1.14, 1.3.6.1.4.1.25054.3.1.20, 1.3.6.1.4.1.25054.3.1.22, 1.3.6.1.4.1.24019.1.1.1.2, 1.3.6.1.4.1.24019.1.1.1.3, 1.3.6.1.4.1.24019.1.1.1.7, 1.3.6.1.4.1.24019.1.1.1.9, 1.3.6.1.4.1.24019.1.1.1.18, 1.3.6.1.4.1.24019.1.1.1.19, 1.3.6.1.4.1.38099.1.1.1.2, 1.3.6.1.4.1.38099.1.1.1.5, 1.3.6.1.4.1.38099.1.1.1.7, 2.16.840.1.113733.1.7.23.3.1.7, 2.16.840.1.113733.1.7.23.3.1.13, 2.16.840.1.113733.1.7.23.3.1.18, 2.16.840.1.113733.1.7.23.3.1.20, 2.16.840.1.113733.1.7.23.3.1.36, 2.16.840.1.114027.200.3.10.7.2, 2.16.840.1.114027.200.3.10.7.4, 2.16.840.1.114027.200.3.10.7.6, 2.16.840.1.114027.200.3.10.7.9, 2.16.840.1.114027.200.3.10.7.16, 1.3.6.1.4.1.13948.1.1.1.6, 2.16.840.1.113839.0.100.12.1, 2.16.840.1.113839.0.100.12.2, 2.16.840.1.113839.0.100.18.0, 2.16.840.1.113839.0.100.18.1, 2.16.840.1.113839.0.100.18.2, 2.16.840.1.113839.0.100.20.1, 1.3.6.1.4.1.103.100.1.1.3.3, 1.3.6.1.4.1.16334.509.2.8, 1.3.6.1.4.1.16334.509.2.9, 1.3.6.1.4.1.16334.509.2.11, 1.3.6.1.4.1.16334.509.2.14, 1.3.6.1.4.1.1569.10.1.12, 1.3.6.1.4.1.1569.10.1.18, 1.3.6.1.4.1.26769.10.1.12, 1.3.6.1.4.1.26769.10.1.18, 1.3.6.1.4.1.3922.1.1.1.12, 1.3.6.1.4.1.3922.1.1.1.18, 1.3.6.1.4.1.3922.1.1.1.20, 1.3.6.1.4.1.3922.1.1.1.38, 1.2.36.1.334.1.2.1.2, 1.2.36.1.334.1.2.1.3, 1.2.36.1.334.1.2.2.2, 2.16.528.1.1003.1.2.5.1, 2.16.528.1.1003.1.2.5.2, 2.16.528.1.1003.1.2.5.3, 2.16.840.1.101.3.2.1.48.11, 2.16.840.1.101.3.2.1.48.13, 2.16.840.1.101.3.2.1.48.86, 2.16.840.1.101.3.2.1.48.109, 2.16.840.1.101.3.2.1.48.110
 subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
 policyConstraints = requireExplicitPolicy:0
 2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -4516,6 +4516,19 @@ static const byte extCertPolicyIsrgDomainValid[] =
     static const byte extCertPolicyFpkiPiviAuthOid[] =
             CERT_POLICY_TYPE_OID_BASE(45);
 
+    /* Federal PKI Test OIDs - 2.16.840.1.101.3.2.1.48.x */
+    #define TEST_CERT_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 48, num}
+    static const byte extCertPolicyFpkiAuthTestOid[] =
+        TEST_CERT_POLICY_TYPE_OID_BASE(11);
+    static const byte extCertPolicyFpkiCardauthTestOid[] =
+        TEST_CERT_POLICY_TYPE_OID_BASE(13);
+    static const byte extCertPolicyFpkiPivContentTestOid[] =
+        TEST_CERT_POLICY_TYPE_OID_BASE(86);
+    static const byte extCertPolicyFpkiAuthDerivedTestOid[] =
+        TEST_CERT_POLICY_TYPE_OID_BASE(109);
+    static const byte extCertPolicyFpkiAuthDerivedHwTestOid[] =
+        TEST_CERT_POLICY_TYPE_OID_BASE(110);
+
     /* DoD PKI OIDs - 2.16.840.1.101.2.1.11.X */
     #define DOD_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 2, 1, 11, num}
     static const byte extCertPolicyDodMediumOid[] =
@@ -4584,6 +4597,12 @@ static const byte extCertPolicyIsrgDomainValid[] =
 
     /* Department of State PKI OIDs - 2.16.840.1.101.3.2.1.6.X */
     #define STATE_POLICY_TYPE_OID_BASE(num) {96, 134, 72, 1, 101, 3, 2, 1, 6, num}
+    static const byte extCertPolicyStateBasicOid[] =
+            STATE_POLICY_TYPE_OID_BASE(1);
+    static const byte extCertPolicyStateLowOid[] =
+            STATE_POLICY_TYPE_OID_BASE(2);
+    static const byte extCertPolicyStateModerateOid[] =
+            STATE_POLICY_TYPE_OID_BASE(3);
     static const byte extCertPolicyStateHighOid[] =
             STATE_POLICY_TYPE_OID_BASE(4);
     static const byte extCertPolicyStateMedHwOid[] =
@@ -5601,6 +5620,26 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
                     oid = extCertPolicyFpkiPiviAuthOid;
                     *oidSz = sizeof(extCertPolicyFpkiPiviAuthOid);
                     break;
+                case CP_FPKI_AUTH_TEST_OID:
+                    oid = extCertPolicyFpkiAuthTestOid;
+                    *oidSz = sizeof(extCertPolicyFpkiAuthTestOid);
+                    break;
+                case CP_FPKI_CARDAUTH_TEST_OID:
+                    oid = extCertPolicyFpkiCardauthTestOid;
+                    *oidSz = sizeof(extCertPolicyFpkiCardauthTestOid);
+                    break;
+                case CP_FPKI_PIV_CONTENT_TEST_OID:
+                    oid = extCertPolicyFpkiPivContentTestOid;
+                    *oidSz = sizeof(extCertPolicyFpkiPivContentTestOid);
+                    break;
+                case CP_FPKI_PIV_AUTH_DERIVED_TEST_OID:
+                    oid = extCertPolicyFpkiAuthDerivedTestOid;
+                    *oidSz = sizeof(extCertPolicyFpkiAuthDerivedTestOid);
+                    break;
+                case CP_FPKI_PIV_AUTH_DERIVED_HW_TEST_OID:
+                    oid = extCertPolicyFpkiAuthDerivedHwTestOid;
+                    *oidSz = sizeof(extCertPolicyFpkiAuthDerivedHwTestOid);
+                    break;
                 case CP_DOD_MEDIUM_OID:
                     oid = extCertPolicyDodMediumOid;
                     *oidSz = sizeof(extCertPolicyDodMediumOid);
@@ -5723,6 +5762,18 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
                     break;
 
                 /* Department of State PKI OIDs */
+                case CP_STATE_BASIC_OID:
+                    oid = extCertPolicyStateBasicOid;
+                    *oidSz = sizeof(extCertPolicyStateBasicOid);
+                    break;
+                case CP_STATE_LOW_OID:
+                    oid = extCertPolicyStateLowOid;
+                    *oidSz = sizeof(extCertPolicyStateLowOid);
+                    break;
+                case CP_STATE_MODERATE_OID:
+                    oid = extCertPolicyStateModerateOid;
+                    *oidSz = sizeof(extCertPolicyStateModerateOid);
+                    break;
                 case CP_STATE_HIGH_OID:
                     oid = extCertPolicyStateHighOid;
                     *oidSz = sizeof(extCertPolicyStateHighOid);
@@ -6636,6 +6687,12 @@ static word32 fpkiCertPolOid(const byte* oid, word32 oidSz, word32 oidSum) {
             sizeof(extCertPolicyComodoLtdOid)) == 0)
                 return CP_COMODO_OID;
             break;
+        case CP_FPKI_HIGH_ASSURANCE_OID:
+            if ((word32)sizeof(extCertPolicyStateBasicOid) == (word32)oidSz &&
+            XMEMCMP(oid, extCertPolicyStateBasicOid,
+            sizeof(extCertPolicyStateBasicOid)) == 0)
+                return CP_STATE_BASIC_OID;
+            break;
         case CP_FPKI_COMMON_DEVICES_HARDWARE_OID:
             if ((word32)sizeof(extCertPolicyDodPeerInteropOid) == (word32)oidSz &&
             XMEMCMP(oid, extCertPolicyDodPeerInteropOid,
@@ -6663,7 +6720,7 @@ static word32 fpkiCertPolOid(const byte* oid, word32 oidSz, word32 oidSum) {
                 XMEMCMP(oid, extCertPolicyDodMediumHardware112Oid,
                 sizeof(extCertPolicyDodMediumHardware112Oid)) == 0)
                     return CP_DOD_MEDIUM_HARDWARE_112_OID;
-            if ((word32)sizeof(extCertPolicyCertipathHighhwOid) == (word32)oidSz &&
+            else if ((word32)sizeof(extCertPolicyCertipathHighhwOid) == (word32)oidSz &&
                 XMEMCMP(oid, extCertPolicyCertipathHighhwOid,
                 sizeof(extCertPolicyCertipathHighhwOid)) == 0)
                     return CP_CERTIPATH_HIGHHW_OID;
@@ -6738,6 +6795,12 @@ static word32 fpkiCertPolOid(const byte* oid, word32 oidSz, word32 oidSum) {
             sizeof(extCertPolicyCarillonAivcontentOid)) == 0)
                 return CP_CARILLON_AIVCONTENT_OID;
             break;
+        case CP_TREAS_MEDIUMHW_OID:
+            if ((word32)sizeof(extCertPolicyStateModerateOid) == (word32)oidSz &&
+            XMEMCMP(oid, extCertPolicyStateModerateOid,
+            sizeof(extCertPolicyStateModerateOid)) == 0)
+                return CP_STATE_MODERATE_OID;
+            break;
         case CP_CIS_ICECAP_HW_OID:
             if ((word32)sizeof(extCertPolicyNlModIrrefutabilityOid) == (word32)oidSz &&
             XMEMCMP(oid, extCertPolicyNlModIrrefutabilityOid,
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
@@ -1442,6 +1442,13 @@ enum CertificatePolicy_Sum {
     CP_FPKI_PIVI_AUTH_OID            = 458, /* 2.16.840.1.101.3.2.1.3.45 */
     CP_FPKI_COMMON_PIVI_CONTENT_SIGNING_OID = 460, /* 2.16.840.1.101.3.2.1.3.47 */
 
+    /* Federal PKI Test OIDs */
+    CP_FPKI_AUTH_TEST_OID                   = 469, /* 2.16.840.1.101.3.2.1.48.11 */
+    CP_FPKI_CARDAUTH_TEST_OID               = 471, /* 2.16.840.1.101.3.2.1.48.13 */
+    CP_FPKI_PIV_CONTENT_TEST_OID            = 544, /* 2.16.840.1.101.3.2.1.48.86 */
+    CP_FPKI_PIV_AUTH_DERIVED_TEST_OID       = 567, /* 2.16.840.1.101.3.2.1.48.109 */
+    CP_FPKI_PIV_AUTH_DERIVED_HW_TEST_OID    = 568, /* 2.16.840.1.101.3.2.1.48.110 */
+
     /* DoD PKI OIDs */
     CP_DOD_MEDIUM_OID                = 423, /* 2.16.840.1.101.2.1.11.5 */
     CP_DOD_MEDIUM_HARDWARE_OID       = 427, /* 2.16.840.1.101.2.1.11.9 */
@@ -1477,6 +1484,9 @@ enum CertificatePolicy_Sum {
     CP_ECA_MEDIUM_HARDWARE_SHA256_OID = 432, /* 2.16.840.1.101.3.2.1.12.10 */
 
     /* Department of State PKI OIDs */
+    CP_STATE_BASIC_OID              = 100417, /* 2.16.840.1.101.3.2.1.6.1 */
+    CP_STATE_LOW_OID                = 418,    /* 2.16.840.1.101.3.2.1.6.2 */
+    CP_STATE_MODERATE_OID           = 100419, /* 2.16.840.1.101.3.2.1.6.3 */
     CP_STATE_HIGH_OID               = 100420, /* 2.16.840.1.101.3.2.1.6.4 */
     CP_STATE_MEDHW_OID              = 101428, /* 2.16.840.1.101.3.2.1.6.12 */
     CP_STATE_MEDDEVHW_OID           = 101454, /* 2.16.840.1.101.3.2.1.6.38 */
