Add TLS-ALPN-01 challenge cert support (RFC 8737 acmeId extension)

[lealem47]

Description

• Adds native support for the id-pe-acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31, RFC 8737 §3) — the X.509 extension carried in the self-signed challenge certificate a server presents during the TLS-ALPN-01 ACME validation handshake (RFC 8737 §4)

• Gated specifically on the new WOLFSSL_ACME_OID in addition to WOLFSSL_CERT_EXT

• Adds new --enable-tailscale option for tailscale wolfssl integration (enables WOLFSSL_ACME_OID among other things)

Testing

Tested via:

• New unit tests
• openssl x509 -in
• Tailscale integration & pebble

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds support for the RFC 8737 id-pe-acmeIdentifier X.509 extension used by ACME TLS-ALPN-01 challenge certificates, plus a --enable-tailscale configure option to enable the required wolfSSL features.

Changes:

• Adds ACME OID constants and extends certificate encode/decode paths to emit/parse id-pe-acmeIdentifier.
• Introduces wc_SetAcmeIdentifierExt() API and corresponding unit test for round-trip validation.
• Adds --enable-tailscale configure flag that enables WOLFSSL_ACME_OID and related build options.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
wolfssl/wolfcrypt/oid_sum.h	Adds ACME_IDENTIFIER_OID to the extension OID switch mapping.
wolfssl/wolfcrypt/asn_public.h	Adds Cert fields + public API to set the ACME identifier extension.
wolfssl/wolfcrypt/asn.h	Extends DecodedCert to store parsed ACME identifier extension state/value.
wolfcrypt/src/asn.c	Implements encoding/decoding logic for id-pe-acmeIdentifier and the setter.
tests/api.c	Adds unit test for wc_SetAcmeIdentifierExt() and decode round-trip.
configure.ac	Adds --enable-tailscale and wires it to enable required build flags.

Comments suppressed due to low confidence (2)

wolfcrypt/src/asn.c:1

• The decoder verifies the inner OCTET STRING length, but it doesn't ensure the value consumes the entire sz (i.e., it may accept trailing bytes after the digest). For strict DER parsing (and to avoid accepting malformed/ambiguous extension encodings), add a check that hashIdx + hashLen == sz (or the equivalent for how GetOctetString reports indexes) and return ASN_PARSE_E if extra bytes remain.
  wolfcrypt/src/asn.c:1
• The ASN template entries for ACME (ACMEID_*) are included unconditionally, even when WOLFSSL_ACME_OID is disabled. If minimizing code size/data is a goal for non-ACME builds, consider wrapping these template entries (and their corresponding enum indices) in #ifdef WOLFSSL_ACME_OID so they are compiled out entirely when the feature is off. Tradeoff: you’ll need to conditionally adjust index enums or keep two variants of the template.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

MemBrowse Memory Report

No memory changes detected for:

• gcc-arm-cortex-m4
• gcc-arm-cortex-m4-baremetal
• gcc-arm-cortex-m4-min-ecc
• gcc-arm-cortex-m4-tls12

[lealem47]

Jenkins retest this please

[douzzer]

since --enable-tailscale depends on compkey, it's not compatible with FIPS v5, so the clause in configure.ac to enable it under enable-all-osp needs to be conditional:

diff --git a/configure.ac b/configure.ac
index 186c23c45..5aa32464d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1298,7 +1298,10 @@ then
         AC_MSG_ERROR([--enable-all-osp is incompatible with --enable-linuxkm-defaults])
     fi
 
-    test "$enable_tailscale" = "" && enable_tailscale=yes
+    if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6
+    then
+        test "$enable_tailscale" = "" && enable_tailscale=yes
+    fi
     test "$enable_wolfguard" = "" && enable_wolfguard=yes
     test "$enable_webserver" = "" && enable_webserver=yes