From aa020f39c49b6c231ddb404cb1eaa4d15d6289f3 Mon Sep 17 00:00:00 2001 From: Paul Adelsbach Date: Mon, 26 Jan 2026 15:46:09 -0800 Subject: [PATCH 1/2] Extend AIA interface --- certs/aia/ca-issuers-cert.pem | 20 ++++++++++++++++++++ src/x509.c | 28 ++++++++++++++++++++++++++++ tests/api.c | 26 ++++++++++++++++++++++++++ wolfssl/openssl/ssl.h | 3 +++ wolfssl/openssl/x509v3.h | 4 ++++ wolfssl/ssl.h | 4 ++++ 6 files changed, 85 insertions(+) create mode 100644 certs/aia/ca-issuers-cert.pem diff --git a/certs/aia/ca-issuers-cert.pem b/certs/aia/ca-issuers-cert.pem new file mode 100644 index 00000000000..22630fc3664 --- /dev/null +++ b/certs/aia/ca-issuers-cert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUDCCAjigAwIBAgIUQy4lyOzJcvFVekNsQWuUegW0kGgwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQd29sZnNzbC1haWEtdGVzdDAeFw0yNjAxMjYyMzE1NTZa +Fw0yNzAxMjYyMzE1NTZaMBsxGTAXBgNVBAMMEHdvbGZzc2wtYWlhLXRlc3QwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM1vUyiX+qtPFhhEqZq3bCUKpd +6QtswO7YWj+us79yh99mIGE7EZlSfTv0n3rn2//m5bQ7a+TSYMkDyNjPEH6Z+ub2 +qW4EJyc4J9DfC+T9gJM4dvsij+F8TUne/o5iCwFdiZEycEj0vtyYh53du3oqlZTY +yt8q4k5INoTl+ELCX/L0YqR/+Fl2qaloK7YHUb3EdSqBEGoa/IEfnxHMreZWhVYd +pSdDnT9rfNqT5Kb2e+eZbZZSouEmebhx9ioRfIXDadSCCa1JNp4fO3YlcDmmEahx +6TcjEmhUt80+hjhJhqrh4vPlxI24qHmfOe+k2qSimpJse/AUuz7wGRjx6ktfAgMB +AAGjgYswgYgwHQYDVR0OBBYEFMvT3KE5dvI6t3KNrcuctkm6wvXMMB8GA1UdIwQY +MBaAFMvT3KE5dvI6t3KNrcuctkm6wvXMMA8GA1UdEwEB/wQFMAMBAf8wNQYIKwYB +BQUHAQEEKTAnMCUGCCsGAQUFBzAChhlodHRwOi8vZXhhbXBsZS5jb20vY2EucGVt +MA0GCSqGSIb3DQEBCwUAA4IBAQCjxEHOlxVfmE8xgcQCnr1b4IK5EBuIMUaS7lko +AHmHvj7z9rr2cxbJhGYQxcttZ4/SQldRqpmiB0cUmko4LbD9yos4FKlyGe3xWvKa +W17SdpJU2PREShGLLqP7bwiWV6wVyo6puwDHLYSjH5vYr+IcSNNc0GuMZg1OhTWt +2PYG2vGbHoNR0/UyNibGmaPBimg0nb2GTizY7yWm+N/yXnWa6Wc5yyiF1zExw/GO +8O/rF0Lg/Gy/v6LnnNmhSOr9ENPKgQEAHFmJRXBXqDYUNhcm2U3PzlfBa06SHFcr +b59n5jgJmcNSwYDJAYKEhMvjBL40DmiWaRfol2DPoIZ7YtRf +-----END CERTIFICATE----- diff --git a/src/x509.c b/src/x509.c index 291cd37ba2c..78e91338cb2 100644 
--- a/src/x509.c +++ b/src/x509.c @@ -15021,6 +15021,34 @@ WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x) return list; } +#ifdef WOLFSSL_ASN_CA_ISSUER +WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers(WOLFSSL_X509 *x) +{ + WOLFSSL_STACK* list = NULL; + char* url; + + if (x == NULL || x->authInfoCaIssuerSz == 0) + return NULL; + + list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + + x->authInfoCaIssuerSz + 1, + NULL, DYNAMIC_TYPE_OPENSSL); + if (list == NULL) + return NULL; + + url = (char*)list; + url += sizeof(WOLFSSL_STACK); + XMEMCPY(url, x->authInfoCaIssuer, x->authInfoCaIssuerSz); + url[x->authInfoCaIssuerSz] = '\0'; + + list->data.string = url; + list->next = NULL; + list->num = 1; + + return list; +} +#endif /* WOLFSSL_ASN_CA_ISSUER */ + int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject) { WOLFSSL_X509_NAME *issuerName = wolfSSL_X509_get_issuer_name(subject); diff --git a/tests/api.c b/tests/api.c index 95b5f377139..49478e41089 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -19199,6 +19199,31 @@ static int test_wolfSSL_OCSP_REQ_CTX(void) return EXPECT_RESULT(); } +static int test_wolfSSL_X509_get1_ca_issuers(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \ + defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \ + defined(WOLFSSL_ASN_CA_ISSUER) && !defined(NO_FILESYSTEM) + X509* cert = NULL; + STACK_OF(WOLFSSL_STRING) *skStr = NULL; + WOLFSSL_STRING url = NULL; + const char* expected = "http://example.com/ca.pem"; + + ExpectNull(wolfSSL_X509_get1_ca_issuers(NULL)); + ExpectNotNull(cert = wolfSSL_X509_load_certificate_file( + "certs/aia/ca-issuers-cert.pem", WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(skStr = wolfSSL_X509_get1_ca_issuers(cert)); + ExpectIntEQ(wolfSSL_sk_WOLFSSL_STRING_num(skStr), 1); + ExpectNotNull(url = wolfSSL_sk_WOLFSSL_STRING_value(skStr, 0)); + ExpectIntEQ(XSTRCMP(url, expected), 0); + + wolfSSL_X509_email_free(skStr); + wolfSSL_X509_free(cert); +#endif + return EXPECT_RESULT(); +} + static int test_no_op_functions(void) { EXPECT_DECLS; @@ -31666,6 +31691,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_OCSP_resp_get0), TEST_DECL(test_wolfSSL_OCSP_parse_url), TEST_DECL(test_wolfSSL_OCSP_REQ_CTX), + TEST_DECL(test_wolfSSL_X509_get1_ca_issuers), TEST_DECL(test_wolfSSL_PEM_read), diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 5b8175564e0..093be3a47cb 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -565,6 +565,9 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define X509_get_ex_data wolfSSL_X509_get_ex_data #define X509_set_ex_data wolfSSL_X509_set_ex_data #define X509_get1_ocsp wolfSSL_X509_get1_ocsp +#ifdef WOLFSSL_ASN_CA_ISSUER +#define X509_get1_ca_issuers wolfSSL_X509_get1_ca_issuers +#endif /* WOLFSSL_ASN_CA_ISSUER */ #define X509_get_version wolfSSL_X509_get_version #define X509_get_signature_nid wolfSSL_X509_get_signature_nid #define X509_set_subject_name wolfSSL_X509_set_subject_name 
diff --git a/wolfssl/openssl/x509v3.h b/wolfssl/openssl/x509v3.h index c6a05172fca..857a9be41dd 100644 --- a/wolfssl/openssl/x509v3.h +++ b/wolfssl/openssl/x509v3.h @@ -224,6 +224,10 @@ typedef struct WOLFSSL_NAME_CONSTRAINTS NAME_CONSTRAINTS; #define X509V3_EXT_print wolfSSL_X509V3_EXT_print #define X509V3_EXT_conf_nid wolfSSL_X509V3_EXT_conf_nid #define X509V3_set_ctx wolfSSL_X509V3_set_ctx +#define X509_get1_ocsp wolfSSL_X509_get1_ocsp +#ifdef WOLFSSL_ASN_CA_ISSUER +#define X509_get1_ca_issuers wolfSSL_X509_get1_ca_issuers +#endif /* WOLFSSL_ASN_CA_ISSUER */ #ifndef NO_WOLFSSL_STUB #define X509V3_set_nconf(ctx, conf) WC_DO_NOTHING #define X509V3_EXT_cleanup() WC_DO_NOTHING diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 08989907c32..5e80404d323 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -5796,6 +5796,10 @@ WOLFSSL_API int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer, WOLFSSL_API void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk); WOLFSSL_API WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x); +#ifdef WOLFSSL_ASN_CA_ISSUER +WOLFSSL_API WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers( + WOLFSSL_X509 *x); +#endif /* WOLFSSL_ASN_CA_ISSUER */ WOLFSSL_API int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject); From 396866998ce70fcf570a33342523b7f2d6ac21e7 Mon Sep 17 00:00:00 2001 
From: Paul Adelsbach Date: Mon, 26 Jan 2026 17:59:33 -0800 Subject: [PATCH 2/2] Enable 8 combined OCSP and URLs instead of 1 of each --- .gitignore | 3 + certs/aia/multi-aia-cert.pem | 23 +++++++ certs/aia/overflow-aia-cert.pem | 26 ++++++++ certs/crl/include.am | 4 +- certs/include.am | 6 +- certs/renewcerts.sh | 57 ++++++++++++++++ certs/renewcerts/wolfssl.cnf | 40 ++++++++++- src/internal.c | 28 ++++++++ src/x509.c | 115 +++++++++++++++++++++++--------- tests/api.c | 80 +++++++++++++++++++++- wolfcrypt/src/asn.c | 75 +++++++++++++++------ wolfssl/internal.h | 16 +++++ wolfssl/openssl/ssl.h | 3 - wolfssl/openssl/x509v3.h | 4 -- wolfssl/ssl.h | 1 + wolfssl/wolfcrypt/asn.h | 17 +++++ 16 files changed, 433 insertions(+), 65 deletions(-) create mode 100644 certs/aia/multi-aia-cert.pem create mode 100644 certs/aia/overflow-aia-cert.pem diff --git a/.gitignore b/.gitignore index 0ef96441751..52d8cb69f15 100644 --- a/.gitignore +++ b/.gitignore @@ -470,3 +470,6 @@ wolfssl/debug-trace-error-codes.h wolfssl/debug-untrace-error-codes.h AGENTS.md + +# Code navigation files +compile_commands.json diff --git a/certs/aia/multi-aia-cert.pem b/certs/aia/multi-aia-cert.pem new file mode 100644 index 00000000000..d0722788f10 --- /dev/null +++ b/certs/aia/multi-aia-cert.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIUEcNoHSMtIkVhW/MmkmUEsVoJVQEwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWd29sZnNzbC1haWEtbXVsdGktdGVzdDAeFw0yNjAxMjcw +MTUwNDRaFw0yNzAxMjcwMTUwNDRaMCExHzAdBgNVBAMMFndvbGZzc2wtYWlhLW11 +bHRpLXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpVdogPQ2I +/nErbxSaNGoYhkwoj1qt+Be1/qWnvZzJ0EBOG4EdioMRIkJzP6W3HoAhkGBrueXf +riN07M3XLocRfE+9C1+jZQxBGRxysns9z7K+i0pBtPN/AXV2RCSz13FFyVyLhLks +2YAL9By36X9R0wsL+Nd4EAQ4ouf0GglmTmtb5rHf2GIno4xFg9tpWosiUTytwgDC +K9lQEQnTnPG6E43N2bszqBc4roOPrYDnd7raNTqcv9yTHM8zwffGJuCogE/Fbr2R +yVubLW28n5/O1Pb47hHuPJv6oHMZgct2SV5OB/mwVgI0eoFMSQZ35o6BpHD0C497 +L2IcoMi8A9rFAgMBAAGjgfAwge0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAoQw +gbAGCCsGAQUFBwEBBIGjMIGgMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4x +OjIyMjIxMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIyMCkGCCsG +AQUFBzAChh1odHRwOi8vd3d3LndvbGZzc2wuY29tL2NhLnBlbTArBggrBgEFBQcw +AoYfaHR0cHM6Ly93d3cud29sZnNzbC5jb20vY2EyLnBlbTAdBgNVHQ4EFgQU1GNm +eP/LXQk0tFaTeWoNHyLhLZkwDQYJKoZIhvcNAQELBQADggEBACwuXdKYI2Q/Vhd7 +TJFvKdp7BuUopQGEQ+4vR+FoesYXc9MHjZJfMqEffv1MArTeY46At/zvcTeszagi +io+jjGBLOutsAf9WK3PnKMIkGGfro6btZ8QFyKiZ6unMMlqe6cGqrCrNKp8jLP3k +CKZltR5c+MIPhpjoOhNDMOcPMwZBGQJWubwOb4uOu3wv7UWJk/ovKP9WJCUn6wLH +soDs+MHMICkxOvDfPf+F4URVqTbzE8IvSMv38z4cAqsyEfWxr32Dg34S/NmeePFV +7sSDpksvyITGsxjnQulSuUFSmldumQ6GnA4ZUXvCNdJ0zbD/Iib9ud6K05VdWYZP +uyCRkjY= +-----END CERTIFICATE----- diff --git a/certs/aia/overflow-aia-cert.pem b/certs/aia/overflow-aia-cert.pem new file mode 100644 index 00000000000..1054df14ea1 --- /dev/null +++ b/certs/aia/overflow-aia-cert.pem 
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEcDCCA1igAwIBAgIUN5kIU1GLRP5bRKctP271p7IGFVowDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZd29sZnNzbC1haWEtb3ZlcmZsb3ctdGVzdDAeFw0yNjAx +MjcwMTU1NTBaFw0yNzAxMjcwMTU1NTBaMCQxIjAgBgNVBAMMGXdvbGZzc2wtYWlh +LW92ZXJmbG93LXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS +eHeAzVuCe44SU8bcyIWLwkA2AABw/ctSBWKAFEd7DYHduRr3diblHERU1Fv5JzYx +JnZquj1IO/qsnSFJYDc9sQmYea89iW8KNPVXKDzdbzhpiQLZL7Yq71ICxxqVLfRr +91lyAj0+Syncrp96olSpMJochVnQ6PqLcc/Gq7CMtrKn5KAN7Mn3+LdAQYU8JjRa +zqEJ8fmkBKbS5watzgnkP2o5jWSpWzpDOxTdw85hju4H9m5Gmun3XVO9dEAN/dqK +vklkzgQGvAMMQMIcgOzw0HxAuvsSNtjgEpIlOir0M7YiC0pYqtMO+thSCmVCvsDR +/nG/iqe6YBSXh6oszGwTAgMBAAGjggGYMIIBlDAMBgNVHRMEBTADAQH/MAsGA1Ud +DwQEAwIChDCCAVYGCCsGAQUFBwEBBIIBSDCCAUQwIgYIKwYBBQUHMAGGFmh0dHA6 +Ly8xMjcuMC4wLjE6MjIyMjAwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6 +MjIyMjEwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjIwIgYIKwYB +BQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjMwIgYIKwYBBQUHMAGGFmh0dHA6 +Ly8xMjcuMC4wLjE6MjIyMjQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6 +MjIyMjUwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjYwIgYIKwYB +BQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjcwIgYIKwYBBQUHMAGGFmh0dHA6 +Ly8xMjcuMC4wLjE6MjIyMjgwHQYDVR0OBBYEFJt6TNgqMFBebotXaauIYPpUJi1S +MA0GCSqGSIb3DQEBCwUAA4IBAQA5noHB343sKQqVmmLds0gC/k1UhVA5iftAGmes +uRdNOOCdo2i739DmRAXggetgtatcjDfjxkrvq0Qi+geozZra6uX9FT/hgfw6kDpU +HKzJFy4E0G0HTM8mtJi+aGDZL3Lts+h272eahkT1jVKGAPFugqfz7fKRsMce6eCE +UD5cvtQXX16fGhBxxmUCZPnxMKcj2oNl7RliHphK6ofXuNbKjqjVQfxsTUXSQDyS +ApH5w6iUnAvC5l19qYrBcCVOB6CNJ2CdmvFI//Ox8Jc56HRYYDIdVp2Q3FFA5Z4s +gTLvlumVgihAekD+0zVF9q+AJ4TSbE3cqsQgHF/+p84KxWid +-----END CERTIFICATE----- diff --git a/certs/crl/include.am b/certs/crl/include.am index 6f7f6f26bfa..f3ca111ecf2 100644 --- a/certs/crl/include.am +++ b/certs/crl/include.am 
@@ -22,7 +22,9 @@ EXTRA_DIST += \ EXTRA_DIST += \ certs/crl/crl.revoked \ certs/crl/extra-crls/ca-int-cert-revoked.pem \ - certs/crl/extra-crls/general-server-crl.pem + certs/crl/extra-crls/general-server-crl.pem \ + certs/crl/extra-crls/large_crlnum.pem \ + certs/crl/extra-crls/large_crlnum2.pem # Intermediate cert CRL's EXTRA_DIST += \ diff --git a/certs/include.am b/certs/include.am index 68fcd1e2ea1..26c5f959d26 100644 --- a/certs/include.am +++ b/certs/include.am @@ -85,6 +85,11 @@ EXTRA_DIST += \ certs/dh-pub-2048.pem \ certs/dsa2048.pem +EXTRA_DIST += \ + certs/aia/ca-issuers-cert.pem \ + certs/aia/multi-aia-cert.pem \ + certs/aia/overflow-aia-cert.pem + EXTRA_DIST += \ certs/ca-key.der \ certs/ca-cert.der \ @@ -154,4 +159,3 @@ include certs/sphincs/include.am include certs/rpk/include.am include certs/acert/include.am include certs/mldsa/include.am - diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index 5aed648817a..535ae8ff738 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -31,6 +31,9 @@ # fpki-cert.der # fpki-certpol-cert.der # rid-cert.der +# aia/ca-issuers-cert.pem +# aia/multi-aia-cert.pem +# aia/overflow-aia-cert.pem # updates the following crls: # crl/cliCrl.pem # crl/crl.pem 
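Review bot: The two `certs/crl/extra-crls/large_crlnum*.pem` entries added to `EXTRA_DIST` are unrelated to the AIA work this commit describes, and neither file appears in the diffstat as created, so `make dist` would fail if they are not already present in the tree. Confirm that both files exist at this point in history, and consider moving this hunk to the commit that introduced them so the distribution list and the files travel together.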
@@ -292,6 +295,60 @@ run_renewcerts(){ echo "End of section" echo "---------------------------------------------------------------------" ############################################################ + ########## update AIA test certs ########################### + ############################################################ + echo "Updating AIA test certs" + echo "" + mkdir -p aia + + echo "Updating aia/ca-issuers-cert.pem" + echo "" + openssl req -new -newkey rsa:2048 -nodes -keyout aia/ca-issuers-key.pem -subj "/CN=wolfssl-aia-test" -out aia/ca-issuers-cert.csr + check_result $? "Step AIA-1" + + openssl x509 -req -in aia/ca-issuers-cert.csr -days 365 -extfile wolfssl.cnf -extensions aia_ca_issuers -signkey aia/ca-issuers-key.pem -out aia/ca-issuers-cert.pem + check_result $? "Step AIA-2" + rm aia/ca-issuers-cert.csr + + openssl x509 -in aia/ca-issuers-cert.pem -text > tmp.pem + check_result $? "Step AIA-3" + mv tmp.pem aia/ca-issuers-cert.pem + rm aia/ca-issuers-key.pem + echo "End of section" + echo "---------------------------------------------------------------------" + + echo "Updating aia/multi-aia-cert.pem" + echo "" + openssl req -new -newkey rsa:2048 -nodes -keyout aia/multi-aia-key.pem -subj "/CN=wolfssl-aia-multi-test" -out aia/multi-aia-cert.csr + check_result $? "Step AIA-4" + + openssl x509 -req -in aia/multi-aia-cert.csr -days 365 -extfile wolfssl.cnf -extensions aia_multi -signkey aia/multi-aia-key.pem -out aia/multi-aia-cert.pem + check_result $? "Step AIA-5" + rm aia/multi-aia-cert.csr + + openssl x509 -in aia/multi-aia-cert.pem -text > tmp.pem + check_result $? 
"Step AIA-6" + mv tmp.pem aia/multi-aia-cert.pem + rm aia/multi-aia-key.pem + echo "End of section" + echo "---------------------------------------------------------------------" + + echo "Updating aia/overflow-aia-cert.pem" + echo "" + openssl req -new -newkey rsa:2048 -nodes -keyout aia/overflow-aia-key.pem -subj "/CN=wolfssl-aia-overflow-test" -out aia/overflow-aia-cert.csr + check_result $? "Step AIA-7" + + openssl x509 -req -in aia/overflow-aia-cert.csr -days 365 -extfile wolfssl.cnf -extensions aia_overflow -signkey aia/overflow-aia-key.pem -out aia/overflow-aia-cert.pem + check_result $? "Step AIA-8" + rm aia/overflow-aia-cert.csr + + openssl x509 -in aia/overflow-aia-cert.pem -text > tmp.pem + check_result $? "Step AIA-9" + mv tmp.pem aia/overflow-aia-cert.pem + rm aia/overflow-aia-key.pem + echo "End of section" + echo "---------------------------------------------------------------------" + ############################################################ ########## update the self-signed ca-cert-chain.der ######## ############################################################ echo "Updating ca-cert-chain.der" diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf index a4d5b274264..f02081d1433 100644 --- a/certs/renewcerts/wolfssl.cnf +++ b/certs/renewcerts/wolfssl.cnf 
@@ -321,6 +321,45 @@ keyUsage=critical, digitalSignature, keyCertSign, cRLSign [ crl_dist_points ] crlDistributionPoints=URI:http://www.wolfssl.com/crl.pem +# AIA test certs +[ aia_ca_issuers ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints=critical,CA:true +authorityInfoAccess=@aia_ca_issuers_info + +[ aia_ca_issuers_info ] +caIssuers;URI.0=http://example.com/ca.pem + +[ aia_multi ] +subjectKeyIdentifier=hash +basicConstraints=CA:true +keyUsage=digitalSignature, keyCertSign +authorityInfoAccess=@aia_multi_info + +[ aia_multi_info ] +OCSP;URI.0=http://127.0.0.1:22221 +OCSP;URI.1=http://127.0.0.1:22222 +caIssuers;URI.0=http://www.wolfssl.com/ca.pem +caIssuers;URI.1=https://www.wolfssl.com/ca2.pem + +[ aia_overflow ] +subjectKeyIdentifier=hash +basicConstraints=CA:true +keyUsage=digitalSignature, keyCertSign +authorityInfoAccess=@aia_overflow_info + +[ aia_overflow_info ] +OCSP;URI.0=http://127.0.0.1:22220 +OCSP;URI.1=http://127.0.0.1:22221 +OCSP;URI.2=http://127.0.0.1:22222 +OCSP;URI.3=http://127.0.0.1:22223 +OCSP;URI.4=http://127.0.0.1:22224 +OCSP;URI.5=http://127.0.0.1:22225 +OCSP;URI.6=http://127.0.0.1:22226 +OCSP;URI.7=http://127.0.0.1:22227 +OCSP;URI.8=http://127.0.0.1:22228 + #tsa default [ tsa ] default_tsa = tsa_config1 @@ -404,4 +443,3 @@ DNS.1 = www.example.org URI.1 = https://www.wolfssl.com/ otherName.2 = 2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D1:38:10:D8:28:AF:2C:10:84:35:15:A1:68:58:28:AF:02:10:86:A2:84:E7:39:C3:EB - diff --git a/src/internal.c b/src/internal.c index 74f59faff90..818f6e0d5df 100644 --- a/src/internal.c +++ b/src/internal.c 
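Review bot: The `aia_overflow_info` section lists nine OCSP URIs without saying why nine, so someone renewing these certificates cannot tell the count is deliberate rather than arbitrary. Suggest a comment above the section: `# nine entries: one more than the WOLFSSL_MAX_AIA_ENTRIES default (8), so decoding sets the overflow flag`. Likewise `aia_multi_info` could carry `# two OCSP + two caIssuers entries, to exercise per-method filtering` so the pairing with tests/api.c is visible from the config.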
@@ -13848,6 +13848,34 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) } x509->authInfoSet = dCert->extAuthInfoSet; x509->authInfoCrit = dCert->extAuthInfoCrit; + x509->authInfoListSz = dCert->extAuthInfoListSz; + x509->authInfoListOverflow = dCert->extAuthInfoListOverflow; + if (x509->authInfoListSz > WOLFSSL_MAX_AIA_ENTRIES) { + x509->authInfoListSz = WOLFSSL_MAX_AIA_ENTRIES; + x509->authInfoListOverflow = 1; + } + if (x509->authInfoListSz > 0) { + int i; + for (i = 0; i < x509->authInfoListSz; i++) { + x509->authInfoList[i].method = dCert->extAuthInfoList[i].method; + x509->authInfoList[i].uriSz = dCert->extAuthInfoList[i].uriSz; + x509->authInfoList[i].uri = NULL; + + if (dCert->extAuthInfoList[i].uri != NULL && + dCert->source != NULL && dCert->maxIdx > 0 && + x509->derCert != NULL && x509->derCert->buffer != NULL) { + word32 offset = (word32) + (dCert->extAuthInfoList[i].uri - dCert->source); + if (offset < (word32)dCert->maxIdx) { + x509->authInfoList[i].uri = + x509->derCert->buffer + offset; + } + else { + x509->authInfoList[i].uriSz = 0; + } + } + } + } if (dCert->extAuthInfo != NULL && dCert->extAuthInfoSz > 0) { x509->authInfo = (byte*)XMALLOC(dCert->extAuthInfoSz, x509->heap, DYNAMIC_TYPE_X509_EXT); diff --git a/src/x509.c b/src/x509.c index 78e91338cb2..5fb44703070 100644 --- a/src/x509.c +++ b/src/x509.c 
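Review bot: The bounds check on the rebased `uri` pointer validates only where the URI starts, not where it ends: `offset < (word32)dCert->maxIdx` admits an entry whose `uriSz` runs past the buffer, and it is measured against the source length although the pointer is rebased onto `x509->derCert->buffer`, so correctness rests on asn.c having validated `uriSz` and on derCert being the same length as `dCert->source`. Checking against the destination directly removes both assumptions: `if (offset < x509->derCert->length && x509->authInfoList[i].uriSz <= x509->derCert->length - offset)`. A comment on the loop would also help the next maintainer, since these entries alias the DER unlike `authInfo` just below, which is copied: `/* AIA list entries point into x509->derCert and are valid only while it lives. */`. CopyDecodedToX509 starts and ends outside the hunk.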
@@ -14996,56 +14996,107 @@ void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk) } } -WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x) +static WOLFSSL_STACK* x509_aia_append_string(WOLFSSL_STACK** head, + const byte* uri, word32 uriSz) { - WOLFSSL_STACK* list = NULL; + WOLFSSL_STACK* node; char* url; - if (x == NULL || x->authInfoSz == 0) - return NULL; - - list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + x->authInfoSz + 1, - NULL, DYNAMIC_TYPE_OPENSSL); - if (list == NULL) + node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + uriSz + 1, NULL, + DYNAMIC_TYPE_OPENSSL); + if (node == NULL) return NULL; - url = (char*)list; + url = (char*)node; url += sizeof(WOLFSSL_STACK); - XMEMCPY(url, x->authInfo, x->authInfoSz); - url[x->authInfoSz] = '\0'; + XMEMCPY(url, uri, uriSz); + url[uriSz] = '\0'; - list->data.string = url; - list->next = NULL; - list->num = 1; + node->data.string = url; + node->next = NULL; + node->num = 1; - return list; + if (*head == NULL) { + *head = node; + } + else { + WOLFSSL_STACK* cur = *head; + while (cur->next != NULL) { + cur->num++; + cur = cur->next; + } + cur->num++; + cur->next = node; + } + + return node; } -#ifdef WOLFSSL_ASN_CA_ISSUER -WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers(WOLFSSL_X509 *x) +static WOLFSSL_STACK* x509_get1_aia_by_method(WOLFSSL_X509* x, word32 method, + const byte* fallback, int fallbackSz) { - WOLFSSL_STACK* list = NULL; - char* url; + WOLFSSL_STACK* head = NULL; + int i; - if (x == NULL || x->authInfoCaIssuerSz == 0) + if (x == NULL) return NULL; - list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + - x->authInfoCaIssuerSz + 1, - NULL, DYNAMIC_TYPE_OPENSSL); - if (list == NULL) + /* Build from multi-entry list when available; otherwise fall back to the + * legacy single-entry fields to preserve previous behavior. 
*/ + if (x->authInfoListSz > 0) { + for (i = 0; i < x->authInfoListSz; i++) { + if (x->authInfoList[i].method != method || + x->authInfoList[i].uri == NULL || + x->authInfoList[i].uriSz == 0) { + continue; + } + + if (x509_aia_append_string(&head, x->authInfoList[i].uri, + x->authInfoList[i].uriSz) == NULL) { + wolfSSL_X509_email_free(head); + return NULL; + } + } + } + if (head == NULL && fallback != NULL && fallbackSz > 0) { + if (x509_aia_append_string(&head, fallback, (word32)fallbackSz) == NULL) { + wolfSSL_X509_email_free(head); + return NULL; + } + } + + return head; +} + +WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x) +{ + if (x == NULL) return NULL; + return x509_get1_aia_by_method(x, AIA_OCSP_OID, x->authInfo, x->authInfoSz); +} - url = (char*)list; - url += sizeof(WOLFSSL_STACK); - XMEMCPY(url, x->authInfoCaIssuer, x->authInfoCaIssuerSz); - url[x->authInfoCaIssuerSz] = '\0'; +int wolfSSL_X509_get_aia_overflow(WOLFSSL_X509 *x) +{ + int overflow = 0; - list->data.string = url; - list->next = NULL; - list->num = 1; + WOLFSSL_ENTER("wolfSSL_X509_get_aia_overflow"); - return list; + if (x != NULL) { + overflow = x->authInfoListOverflow; + } + + WOLFSSL_LEAVE("wolfSSL_X509_get_aia_overflow", overflow); + + return overflow; +} + +#ifdef WOLFSSL_ASN_CA_ISSUER +WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers(WOLFSSL_X509 *x) +{ + if (x == NULL) + return NULL; + return x509_get1_aia_by_method(x, AIA_CA_ISSUER_OID, x->authInfoCaIssuer, + x->authInfoCaIssuerSz); } #endif /* WOLFSSL_ASN_CA_ISSUER */ diff --git a/tests/api.c b/tests/api.c index 49478e41089..889b20c7833 100644 --- a/tests/api.c +++ b/tests/api.c 
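Review bot: `x509_aia_append_string`, `x509_get1_aia_by_method` and the public `wolfSSL_X509_get_aia_overflow` carry no header comments, and nothing tells a caller of `wolfSSL_X509_get1_ocsp`/`wolfSSL_X509_get1_ca_issuers` that the returned list is silently capped at `WOLFSSL_MAX_AIA_ENTRIES` and that the flag is how to detect it. Suggest above the getter: `/* Returns 1 if the certificate carried more AIA URI entries than WOLFSSL_MAX_AIA_ENTRIES, in which case the lists returned by wolfSSL_X509_get1_ocsp/get1_ca_issuers are truncated; 0 otherwise or when x is NULL. */`, and on `x509_get1_aia_by_method` a line stating that `fallback` is consulted only when the list yields no entry for `method`. As a point of style, `x509_aia_append_string` re-walks the list on every append and bumps `num` on each interior node; if only the head's `num` is read by `wolfSSL_sk_WOLFSSL_STRING_num` (I have not verified this), a tail pointer held by the caller with `head->num++` would be simpler to reason about.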
@@ -19204,7 +19204,8 @@ static int test_wolfSSL_X509_get1_ca_issuers(void) EXPECT_DECLS; #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \ defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \ - defined(WOLFSSL_ASN_CA_ISSUER) && !defined(NO_FILESYSTEM) + defined(WOLFSSL_ASN_CA_ISSUER) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) X509* cert = NULL; STACK_OF(WOLFSSL_STRING) *skStr = NULL; WOLFSSL_STRING url = NULL; 
@@ -19224,6 +19225,81 @@ static int test_wolfSSL_X509_get1_ca_issuers(void) return EXPECT_RESULT(); } +static int test_wolfSSL_X509_get1_aia_multi(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \ + defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \ + defined(WOLFSSL_ASN_CA_ISSUER) && !defined(NO_FILESYSTEM) && \ + !defined(NO_RSA) + X509* cert = NULL; + STACK_OF(WOLFSSL_STRING) *ocsp = NULL; + STACK_OF(WOLFSSL_STRING) *ca = NULL; + const char* ocspExp1 = "http://127.0.0.1:22221"; + const char* ocspExp2 = "http://127.0.0.1:22222"; + const char* caExp1 = "http://www.wolfssl.com/ca.pem"; + const char* caExp2 = "https://www.wolfssl.com/ca2.pem"; + int i; + int ocspFound1 = 0, ocspFound2 = 0; + int caFound1 = 0, caFound2 = 0; + + ExpectNotNull(cert = wolfSSL_X509_load_certificate_file( + "certs/aia/multi-aia-cert.pem", WOLFSSL_FILETYPE_PEM)); + + ExpectNotNull(ocsp = wolfSSL_X509_get1_ocsp(cert)); + ExpectIntEQ(wolfSSL_sk_WOLFSSL_STRING_num(ocsp), 2); + for (i = 0; i < wolfSSL_sk_WOLFSSL_STRING_num(ocsp); i++) { + WOLFSSL_STRING url = wolfSSL_sk_WOLFSSL_STRING_value(ocsp, i); + if (url == NULL) + continue; + if (XSTRCMP(url, ocspExp1) == 0) ocspFound1 = 1; + if (XSTRCMP(url, ocspExp2) == 0) ocspFound2 = 1; + } + ExpectIntEQ(ocspFound1, 1); + ExpectIntEQ(ocspFound2, 1); + + ExpectNotNull(ca = wolfSSL_X509_get1_ca_issuers(cert)); + ExpectIntEQ(wolfSSL_sk_WOLFSSL_STRING_num(ca), 2); + for (i = 0; i < wolfSSL_sk_WOLFSSL_STRING_num(ca); i++) { + WOLFSSL_STRING url = wolfSSL_sk_WOLFSSL_STRING_value(ca, i); + if (url == NULL) + continue; + if (XSTRCMP(url, caExp1) == 0) caFound1 = 1; + if (XSTRCMP(url, caExp2) == 0) caFound2 = 1; + } + ExpectIntEQ(caFound1, 1); + ExpectIntEQ(caFound2, 1); + + wolfSSL_X509_email_free(ocsp); + wolfSSL_X509_email_free(ca); + wolfSSL_X509_free(cert); +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_get1_aia_overflow(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_EXTRA) || 
defined(OPENSSL_ALL) || \ + defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + X509* cert = NULL; + STACK_OF(WOLFSSL_STRING) *ocsp = NULL; + int count; + + ExpectNotNull(cert = wolfSSL_X509_load_certificate_file( + "certs/aia/overflow-aia-cert.pem", WOLFSSL_FILETYPE_PEM)); + + ExpectNotNull(ocsp = wolfSSL_X509_get1_ocsp(cert)); + count = wolfSSL_sk_WOLFSSL_STRING_num(ocsp); + ExpectIntEQ(count, 8); + + wolfSSL_X509_email_free(ocsp); + wolfSSL_X509_free(cert); +#endif + return EXPECT_RESULT(); +} + static int test_no_op_functions(void) { EXPECT_DECLS; @@ -31692,6 +31768,8 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_OCSP_parse_url), TEST_DECL(test_wolfSSL_OCSP_REQ_CTX), TEST_DECL(test_wolfSSL_X509_get1_ca_issuers), + TEST_DECL(test_wolfSSL_X509_get1_aia_multi), + TEST_DECL(test_wolfSSL_X509_get1_aia_overflow), TEST_DECL(test_wolfSSL_PEM_read), diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 4ea0743ce6e..8a2d103abca 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -21195,6 +21195,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert) int length = 0; byte b = 0; word32 oid; + int aiaIdx; WOLFSSL_ENTER("DecodeAuthInfo"); 
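Review bot: `test_wolfSSL_X509_get1_aia_overflow` never calls the new `wolfSSL_X509_get_aia_overflow()` API, so the flag that the nine-URI certificate is meant to set goes unverified and a regression that stops setting it would still pass. Add `ExpectIntEQ(wolfSSL_X509_get_aia_overflow(cert), 1);` after the count check, and the complementary `ExpectIntEQ(wolfSSL_X509_get_aia_overflow(cert), 0);` in `test_wolfSSL_X509_get1_aia_multi`. The multi test also only checks membership of the four URLs; asserting `ocspExp1` at index 0 would additionally pin that decode order is preserved, which the "first entry" fallback in asn.c relies on.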
@@ -21219,14 +21220,29 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert) if (GetLength(input, &idx, &length, sz) < 0) return ASN_PARSE_E; - /* Set ocsp entry */ + if (b == GENERALNAME_URI) { + /* Add to AIA list if space. */ + aiaIdx = cert->extAuthInfoListSz; + if (aiaIdx < WOLFSSL_MAX_AIA_ENTRIES) { + cert->extAuthInfoList[aiaIdx].method = oid; + cert->extAuthInfoList[aiaIdx].uri = input + idx; + cert->extAuthInfoList[aiaIdx].uriSz = (word32)length; + cert->extAuthInfoListSz++; + } + else { + cert->extAuthInfoListOverflow = 1; + WOLFSSL_MSG("AIA list overflow"); + } + } + + /* Set first ocsp entry */ if (b == GENERALNAME_URI && oid == AIA_OCSP_OID && cert->extAuthInfo == NULL) { cert->extAuthInfoSz = length; cert->extAuthInfo = input + idx; } #ifdef WOLFSSL_ASN_CA_ISSUER - /* Set CaIssuers entry */ + /* Set first CaIssuers entry */ else if ((b == GENERALNAME_URI) && oid == AIA_CA_ISSUER_OID && cert->extAuthInfoCaIssuer == NULL) { @@ -21242,6 +21258,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert) word32 idx = 0; int length = 0; int ret = 0; + int aiaIdx; WOLFSSL_ENTER("DecodeAuthInfo"); 
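Review bot: The append-to-list block (the `WOLFSSL_MAX_AIA_ENTRIES` bound, the three field stores, the overflow flag and message) is written out in full here and again in the template-path hunk `@@ -21263,27 +21280,41 @@`, so the two decoders can drift apart; a small static helper taking `(cert, method, uri, uriSz)` keeps one copy and gives the "what goes in the list" rule a single home. The helper header is also the place to record that the entry aliases the certificate DER rather than copying it. DecodeAuthInfo starts before this hunk in both variants.
```c
/* Record one AIA accessLocation URI in cert->extAuthInfoList, setting the
 * overflow flag when the fixed-size list is already full.  uri points into
 * the certificate DER and is not copied. */
static void AddAuthInfoListEntry(DecodedCert* cert, word32 method,
                                 const byte* uri, word32 uriSz)
{
    int aiaIdx = cert->extAuthInfoListSz;

    if (aiaIdx < WOLFSSL_MAX_AIA_ENTRIES) {
        cert->extAuthInfoList[aiaIdx].method = method;
        cert->extAuthInfoList[aiaIdx].uri = uri;
        cert->extAuthInfoList[aiaIdx].uriSz = uriSz;
        cert->extAuthInfoListSz++;
    }
    else {
        cert->extAuthInfoListOverflow = 1;
        WOLFSSL_MSG("AIA list overflow");
    }
}

/* … unchanged: DecodeAuthInfo up to the GetLength() check … */
        if (b == GENERALNAME_URI) {
            AddAuthInfoListEntry(cert, oid, input + idx, (word32)length);
        }
/* … unchanged: first-OCSP / first-CaIssuers assignments … */
```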
@@ -21263,27 +21280,41 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert) if (ret == 0) { word32 sz32; - /* Check we have OCSP and URI. */ - if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum == AIA_OCSP_OID) && - (dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI) && - (cert->extAuthInfo == NULL)) { - /* Store URI for OCSP lookup. */ - GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC], - &cert->extAuthInfo, &sz32); - cert->extAuthInfoSz = (int)sz32; - } - #ifdef WOLFSSL_ASN_CA_ISSUER - /* Check we have CA Issuer and URI. */ - else if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum == - AIA_CA_ISSUER_OID) && - (dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI) && - (cert->extAuthInfoCaIssuer == NULL)) { - /* Set CaIssuers entry */ - GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC], - &cert->extAuthInfoCaIssuer, &sz32); - cert->extAuthInfoCaIssuerSz = (int)sz32; + if (dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI) { + const byte* uri = NULL; + + GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC], &uri, &sz32); + + /* Add to AIA list if space. */ + aiaIdx = cert->extAuthInfoListSz; + if (aiaIdx < WOLFSSL_MAX_AIA_ENTRIES) { + cert->extAuthInfoList[aiaIdx].method = + dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum; + cert->extAuthInfoList[aiaIdx].uri = uri; + cert->extAuthInfoList[aiaIdx].uriSz = sz32; + cert->extAuthInfoListSz++; + } + else { + cert->extAuthInfoListOverflow = 1; + WOLFSSL_MSG("AIA list overflow"); + } + + /* Set first OCSP entry. */ + if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum == + AIA_OCSP_OID) && (cert->extAuthInfo == NULL)) { + cert->extAuthInfo = uri; + cert->extAuthInfoSz = (int)sz32; + } + #ifdef WOLFSSL_ASN_CA_ISSUER + /* Set first CA Issuer entry. */ + else if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum == + AIA_CA_ISSUER_OID) && + (cert->extAuthInfoCaIssuer == NULL)) { + cert->extAuthInfoCaIssuer = uri; + cert->extAuthInfoCaIssuerSz = (int)sz32; + } + #endif } - #endif /* Otherwise skip. 
*/ } } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 59fb268aefd..5eca832149a 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -5335,6 +5335,19 @@ struct WOLFSSL_X509_NAME { #endif #endif +#ifndef WOLFSSL_AIA_ENTRY_DEFINED +#ifndef WOLFSSL_MAX_AIA_ENTRIES + #define WOLFSSL_MAX_AIA_ENTRIES 8 +#endif + +#define WOLFSSL_AIA_ENTRY_DEFINED +typedef struct WOLFSSL_AIA_ENTRY { + word32 method; /* AIA method OID sum (e.g., AIA_OCSP_OID). */ + const byte* uri; /* Pointer into cert DER for the URI. */ + word32 uriSz; /* Length of URI data. */ +} WOLFSSL_AIA_ENTRY; +#endif /* WOLFSSL_AIA_ENTRY_DEFINED */ + struct WOLFSSL_X509 { int version; int serialSz; @@ -5405,6 +5418,9 @@ struct WOLFSSL_X509 { byte* authInfoCaIssuer; int authInfoCaIssuerSz; #endif + WOLFSSL_AIA_ENTRY authInfoList[WOLFSSL_MAX_AIA_ENTRIES]; + byte authInfoListSz:7; + byte authInfoListOverflow:1; word32 pathLength; word16 keyUsage; int rawCRLInfoSz; diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 093be3a47cb..5b8175564e0 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -565,9 +565,6 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define X509_get_ex_data wolfSSL_X509_get_ex_data #define X509_set_ex_data wolfSSL_X509_set_ex_data #define X509_get1_ocsp wolfSSL_X509_get1_ocsp -#ifdef WOLFSSL_ASN_CA_ISSUER -#define X509_get1_ca_issuers wolfSSL_X509_get1_ca_issuers -#endif /* WOLFSSL_ASN_CA_ISSUER */ #define X509_get_version wolfSSL_X509_get_version #define X509_get_signature_nid wolfSSL_X509_get_signature_nid #define X509_set_subject_name wolfSSL_X509_set_subject_name diff --git a/wolfssl/openssl/x509v3.h b/wolfssl/openssl/x509v3.h index 857a9be41dd..c6a05172fca 100644 --- a/wolfssl/openssl/x509v3.h +++ b/wolfssl/openssl/x509v3.h 
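Review bot: The `WOLFSSL_AIA_ENTRY` typedef and the `WOLFSSL_MAX_AIA_ENTRIES` default are duplicated verbatim between this hunk and `wolfssl/wolfcrypt/asn.h @@ -1702,6 +1702,19 @@`, guarded by `WOLFSSL_AIA_ENTRY_DEFINED`; if internal.h already includes wolfcrypt/asn.h (it uses DecodedCert, so it appears to), this copy is never compiled and the two definitions can drift without any warning. Define the type once in asn.h and drop this one. Whichever copy remains should also reject an override the 7-bit counters cannot hold, e.g. `#if WOLFSSL_MAX_AIA_ENTRIES > 127` / `#error "WOLFSSL_MAX_AIA_ENTRIES must fit in 7 bits"` / `#endif`.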
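Review bot: `byte authInfoListSz:7;` and `byte authInfoListOverflow:1;` declare bit-fields on `byte`, which C11 guarantees only for `int`, `unsigned int` and `_Bool`; the neighbouring DecodedCert members shown in `wolfssl/wolfcrypt/asn.h @@ -2060,6 +2073,10 @@` use the project's `WC_BITFIELD` macro for exactly this case, yet that hunk adds `extAuthInfoListSz`/`extAuthInfoListOverflow` with `byte` as well. Suggest `WC_BITFIELD authInfoListSz:7;` and `WC_BITFIELD authInfoListOverflow:1;` here and the matching change in DecodedCert. `WOLFSSL_AIA_ENTRY authInfoList[WOLFSSL_MAX_AIA_ENTRIES]` also grows every WOLFSSL_X509 and DecodedCert by a fixed array of pointers regardless of build options; a comment on the field such as `/* WOLFSSL_MAX_AIA_ENTRIES bounds per-cert memory; lower it on constrained targets */` would point embedded users at the knob.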
@@ -224,10 +224,6 @@ typedef struct WOLFSSL_NAME_CONSTRAINTS NAME_CONSTRAINTS; #define X509V3_EXT_print wolfSSL_X509V3_EXT_print #define X509V3_EXT_conf_nid wolfSSL_X509V3_EXT_conf_nid #define X509V3_set_ctx wolfSSL_X509V3_set_ctx -#define X509_get1_ocsp wolfSSL_X509_get1_ocsp -#ifdef WOLFSSL_ASN_CA_ISSUER -#define X509_get1_ca_issuers wolfSSL_X509_get1_ca_issuers -#endif /* WOLFSSL_ASN_CA_ISSUER */ #ifndef NO_WOLFSSL_STUB #define X509V3_set_nconf(ctx, conf) WC_DO_NOTHING #define X509V3_EXT_cleanup() WC_DO_NOTHING diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 5e80404d323..e5fa2c188c0 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -5796,6 +5796,7 @@ WOLFSSL_API int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer, WOLFSSL_API void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk); WOLFSSL_API WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x); +WOLFSSL_API int wolfSSL_X509_get_aia_overflow(WOLFSSL_X509 *x); #ifdef WOLFSSL_ASN_CA_ISSUER WOLFSSL_API WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ca_issuers( WOLFSSL_X509 *x); diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 992c715e7cd..3953e323ee9 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -1702,6 +1702,19 @@ typedef struct TrustedPeerCert TrustedPeerCert; #endif /* WOLFSSL_TRUST_PEER_CERT */ typedef struct SignatureCtx SignatureCtx; +#ifndef WOLFSSL_AIA_ENTRY_DEFINED +#ifndef WOLFSSL_MAX_AIA_ENTRIES + #define WOLFSSL_MAX_AIA_ENTRIES 8 +#endif + +#define WOLFSSL_AIA_ENTRY_DEFINED +typedef struct WOLFSSL_AIA_ENTRY { + word32 method; /* AIA method OID sum (e.g., AIA_OCSP_OID). */ + const byte* uri; /* Pointer into cert DER for the URI. */ + word32 uriSz; /* Length of URI data. */ +} WOLFSSL_AIA_ENTRY; +#endif /* WOLFSSL_AIA_ENTRY_DEFINED */ + #ifdef WC_ASN_UNKNOWN_EXT_CB typedef int (*wc_UnknownExtCallback)(const word16* oid, word32 oidSz, int crit, const unsigned char* der, word32 derSz); 
@@ -2060,6 +2073,10 @@ struct DecodedCert { WC_BITFIELD extAltSigAlgCrit:1; WC_BITFIELD extAltSigValCrit:1; #endif /* WOLFSSL_DUAL_ALG_CERTS */ + + WOLFSSL_AIA_ENTRY extAuthInfoList[WOLFSSL_MAX_AIA_ENTRIES]; + byte extAuthInfoListSz:7; + byte extAuthInfoListOverflow:1; }; #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)