Browse Source

Move ASN.1 APIs out to separate file: ssl_asn1.c

Implementations of ASN.1 APIs reworked.

Added tests.

Added wolfssl_bn_set_neg for ASN.1 code.
Added wolfssl_sk_new_type() and wolfssl_sk_pop_type() to generically
handle creating and popping a stack of elements of a type.

No longer freeing pathlen field of ASN1 OBJECT in
wolfSSL_X509_EXTENSION_free(). This is happening in
wolfSSL_ASN1_OBJECT_free().
Stop wolfSSL_i2d_X509_NAME_canon from double freeing ASN.1 STRING's data
field.

Fixed up GetFormattedTime() to be better code.
Added ASN_CLASS_MASK to mask off the class part of an ASN.1 tag.
NO_ASN_TIME means no implementation to get the current time. Disable
features that won'r work without time.
Sean Parkinson 1 year ago
parent
commit
8489095057
12 changed files with 6501 additions and 1271 deletions
  1. 1 0
      src/include.am
  2. 14 1199
      src/ssl.c
  3. 4026 0
      src/ssl_asn1.c
  4. 29 0
      src/ssl_bn.c
  5. 0 5
      src/x509.c
  6. 2343 0
      tests/api.c
  7. 67 58
      wolfcrypt/src/asn.c
  8. 5 0
      wolfssl/internal.h
  9. 6 7
      wolfssl/ssl.h
  10. 1 0
      wolfssl/wolfcrypt/asn.h
  11. 2 2
      wolfssl/wolfcrypt/asn_public.h
  12. 7 0
      wolfssl/wolfcrypt/settings.h

+ 1 - 0
src/include.am

@@ -19,6 +19,7 @@ MAINTAINERCLEANFILES+= $(FIPS_FILES)
 EXTRA_DIST += src/bio.c
 EXTRA_DIST += src/conf.c
 EXTRA_DIST += src/pk.c
+EXTRA_DIST += src/ssl_asn1.c
 EXTRA_DIST += src/ssl_bn.c
 EXTRA_DIST += src/ssl_misc.c
 EXTRA_DIST += src/x509.c

File diff suppressed because it is too large
+ 14 - 1199
src/ssl.c


+ 4026 - 0
src/ssl_asn1.c

@@ -0,0 +1,4026 @@
+/* ssl_asn1.c
+ *
+ * Copyright (C) 2006-2023 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+ #include <wolfssl/internal.h>
+#ifndef WC_NO_RNG
+    #include <wolfssl/wolfcrypt/random.h>
+#endif
+
+#if !defined(WOLFSSL_SSL_ASN1_INCLUDED)
+    #ifndef WOLFSSL_IGNORE_FILE_WARN
+        #warning ssl_asn1.c does not need to be compiled separately from ssl.c
+    #endif
+#else
+
+/*******************************************************************************
+ * ASN1_item APIs
+ ******************************************************************************/
+
+#ifdef OPENSSL_EXTRA
+
+#ifdef OPENSSL_ALL
+
+/* Create an ASN1 item of the specified type.
+ *
+ * @param [out] item  Pointer to location to place new ASN1 item.
+ * @param [in]  type  Type of ASN1 item to create.
+ * @return  0 on success.
+ * @return  1 when item type not supported.
+ * @return  1 when item type allocation fails.
+ */
+static int wolfssl_asn1_item_new(void** item, int type)
+{
+    int err = 0;
+
+    switch (type) {
+        case WOLFSSL_X509_ALGOR_ASN1:
+            *(WOLFSSL_X509_ALGOR**)item = wolfSSL_X509_ALGOR_new();
+            break;
+        case WOLFSSL_ASN1_BIT_STRING_ASN1:
+            *(WOLFSSL_ASN1_BIT_STRING**)item = wolfSSL_ASN1_BIT_STRING_new();
+            break;
+        default:
+            WOLFSSL_MSG("Type not supported in wolfSSL_ASN1_item_new");
+            *(void**)item = NULL;
+    }
+    /* Check whether an item was put in. */
+    if (*(void**)item == NULL) {
+        err = 1;
+    }
+
+    return err;
+}
+
+/* Create a new ASN1 item based on a template.
+ *
+ * @param [in] tpl  Template of ASN1 items.
+ * @return  A new ASN1 item on success.
+ * @return  NULL when tpl is NULL, dynamic memory allocation fails or ASN1
+ *          item type not supported.
+ */
+void* wolfSSL_ASN1_item_new(const WOLFSSL_ASN1_ITEM* tpl)
+{
+    int err = 0;
+    void* ret = NULL;
+    const WOLFSSL_ASN1_TEMPLATE *mem = NULL;
+    size_t i;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_item_new");
+
+    if (tpl != NULL) {
+        ret = (void *)XMALLOC(tpl->size, NULL, DYNAMIC_TYPE_OPENSSL);
+    }
+
+    if (ret != NULL) {
+        XMEMSET(ret, 0, tpl->size);
+        for (mem = tpl->members, i = 0; i < tpl->mcount; mem++, i++) {
+            if ((err = wolfssl_asn1_item_new(
+                    (void**)(((byte*)ret) + mem->offset), mem->type))) {
+                break;
+            }
+        }
+    }
+
+    if (err) {
+        wolfSSL_ASN1_item_free(ret, tpl);
+        ret = NULL;
+    }
+    return ret;
+}
+
+/* Dispose of an ASN1 item of the specified type.
+ *
+ * @param [in, out] item  Pointer to an anonymized ASN1 item to free.
+ * @param [in]      type  Type of ASN1 item to free.
+ */
+static void wolfssl_asn1_item_free(void** item, int type)
+{
+    switch (type) {
+        case WOLFSSL_X509_ALGOR_ASN1:
+            wolfSSL_X509_ALGOR_free(*(WOLFSSL_X509_ALGOR**)item);
+            break;
+        case WOLFSSL_ASN1_BIT_STRING_ASN1:
+            wolfSSL_ASN1_BIT_STRING_free(*(WOLFSSL_ASN1_BIT_STRING**)item);
+            break;
+        default:
+            WOLFSSL_MSG("Type not supported in wolfSSL_ASN1_item_free");
+    }
+}
+
+/* Dispose of ASN1 item based on a template.
+ *
+ * @param [in, out] val  ASN item to free.
+ * @param [in,      tpl  Template of ASN1 items.
+ */
+void wolfSSL_ASN1_item_free(void *items, const WOLFSSL_ASN1_ITEM *tpl)
+{
+    const WOLFSSL_ASN1_TEMPLATE *mem = NULL;
+    size_t i;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_item_free");
+
+    if (items != NULL) {
+        for (mem = tpl->members, i = 0; i < tpl->mcount; mem++, i++) {
+            wolfssl_asn1_item_free((void**)(((byte*)items) + mem->offset),
+                mem->type);
+        }
+    }
+    XFREE(items, NULL, DYNAMIC_TYPE_OPENSSL);
+}
+
+/* Offset buf if not NULL or NULL. */
+#define bufLenOrNull(buf, len) ((buf != NULL) ? ((buf) + (len)) : NULL)
+
+/* Encode X509 algorithm as DER.
+ *
+ * @param [in]      algor  X509 algorithm object.
+ * @param [in, out] buf    Buffer to encode into. May be NULL.
+ * @return  Length of DER encoding on success.
+ * @return  0 on failure.
+ */
+static int wolfSSL_i2d_X509_ALGOR(const WOLFSSL_X509_ALGOR* algor, byte* buf)
+{
+    int ret;
+    word32 oid = 0;
+    word32 idx = 0;
+
+    if (algor->algorithm == 0) {
+        WOLFSSL_MSG("X509_ALGOR algorithm not set");
+        ret = 0;
+    }
+    else if (GetObjectId(algor->algorithm->obj, &idx, &oid,
+            algor->algorithm->grp, algor->algorithm->objSz) < 0) {
+        WOLFSSL_MSG("Issue getting OID of object");
+        ret = 0;
+    }
+    else {
+        ret = SetAlgoID(oid, buf, algor->algorithm->grp, 0);
+    }
+
+    return ret;
+}
+
+/* Encode ASN.1 BIT_STRING as DER.
+ *
+ * @param [in]      bit_str  BIT_STRING object.
+ * @param [in, out] buf      Buffer to encode into. May be NULL.
+ * @return  Length of DER encoding on success.
+ */
+static int wolfSSL_i2d_ASN1_BIT_STRING(const WOLFSSL_ASN1_BIT_STRING* bit_str,
+    byte* buf)
+{
+    int len;
+
+    len = SetBitString(bit_str->length, 0, buf);
+    if ((buf != NULL) && (bit_str->data != NULL)) {
+        XMEMCPY(buf + len, bit_str->data, bit_str->length);
+    }
+
+    return len + bit_str->length;
+}
+
+/* Encode ASN item as DER.
+ *
+ * @param [in]      item  Pointer to anonymized ASN item.
+ * @param [in, out] buf   Buffer to encode into. May be NULL.
+ * @return  Length of DER encoding on success.
+ * @return  0 on failure.
+ */
+static int wolfssl_i2d_asn1_item(void** item, int type, byte* buf)
+{
+    int len;
+
+    switch (type) {
+        case WOLFSSL_X509_ALGOR_ASN1:
+            len = wolfSSL_i2d_X509_ALGOR(*(const WOLFSSL_X509_ALGOR**)item,
+                buf);
+            break;
+        case WOLFSSL_ASN1_BIT_STRING_ASN1:
+            len = wolfSSL_i2d_ASN1_BIT_STRING(
+                *(const WOLFSSL_ASN1_BIT_STRING**)item, buf);
+            break;
+        default:
+            WOLFSSL_MSG("Type not support in processMembers");
+            len = 0;
+    }
+
+    return len;
+}
+
+/* Encode members of an ASN.1 SEQUENCE as DER.
+ *
+ * @param [in]      src      ASN1 items to encode.
+ * @param [in, out] buf      Buffer to encode into. May be NULL.
+ * @param [in]      members  ASN1 template members.
+ * @param [in]      mcount   Count of template members.
+ * @return  Length of DER encoding on success.
+ * @return  0 on failure.
+ */
+static int wolfssl_i2d_asn1_items(const void* src, byte*buf,
+    const WOLFSSL_ASN1_TEMPLATE* members, size_t mcount)
+{
+    const WOLFSSL_ASN1_TEMPLATE* mem = NULL;
+    int len = 0;
+    int ret;
+    size_t i;
+
+    WOLFSSL_ENTER("wolfssl_i2d_asn1_items");
+
+    for (mem = members, i = 0; i < mcount; mem++, i++) {
+        ret = wolfssl_i2d_asn1_item((void**)(((byte*)src) + mem->offset),
+            mem->type, bufLenOrNull(buf, len));
+        if (ret == 0) {
+            len = 0;
+            break;
+        }
+        len += ret;
+    }
+
+    WOLFSSL_LEAVE("wolfssl_i2d_asn1_items", len);
+
+    return len;
+}
+
+/* Encode sequence and items under it.
+ *
+ * @param [in]      src  ASN1 items to encode.
+ * @param [in, out] buf  Buffer to encode into. May be NULL.
+ * @param [in]      tpl  Template of ASN1 items.
+ * @return  Length of DER encoding on success.
+ * @return  0 on failure.
+ */
+static int i2d_ASN_SEQUENCE(const void* src, byte* buf,
+    const WOLFSSL_ASN1_ITEM* tpl)
+{
+    int seq_len;
+    int len = 0;
+
+    seq_len = wolfssl_i2d_asn1_items(src, NULL, tpl->members, tpl->mcount);
+    if (seq_len != 0) {
+        len = SetSequence(seq_len, buf);
+        if (buf != NULL) {
+            wolfssl_i2d_asn1_items(src, buf + len, tpl->members, tpl->mcount);
+        }
+        len += seq_len;
+    }
+
+    return len;
+}
+
+/* Encode ASN1 template item.
+ *
+ * @param [in]      src  ASN1 items to encode.
+ * @param [in, out] buf  Buffer to encode into. May be NULL.
+ * @param [in]      tpl  Template of ASN1 items.
+ * @return  Length of DER encoding on success.
+ * @return  0 on failure.
+ */
+static int wolfssl_asn1_item_encode(const void* src, byte* buf,
+    const WOLFSSL_ASN1_ITEM* tpl)
+{
+    int len;
+
+    switch (tpl->type) {
+        case ASN_SEQUENCE:
+            len = i2d_ASN_SEQUENCE(src, buf, tpl);
+            break;
+        default:
+            WOLFSSL_MSG("Type not supported in wolfSSL_ASN1_item_i2d");
+            len = 0;
+    }
+
+    return len;
+}
+
+/* Encode ASN1 template.
+ *
+ * @param [in]      src   ASN1 items to encode.
+ * @param [in, out] dest  Pointer to buffer to encode into. May be NULL.
+ * @param [in]      tpl   Template of ASN1 items.
+ * @return  Length of DER encoding on success.
+ * @return  0 on failure.
+ */
+int wolfSSL_ASN1_item_i2d(const void* src, byte** dest,
+    const WOLFSSL_ASN1_ITEM* tpl)
+{
+    int ret = 1;
+    int len = 0;
+    byte* buf = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_item_i2d");
+
+    /* Validate parameters. */
+    if ((src == NULL) || (tpl == NULL)) {
+        ret = 0;
+    }
+
+    if ((ret == 1) && ((len = wolfssl_asn1_item_encode(src, NULL, tpl)) == 0)) {
+        ret = 0;
+    }
+
+    if ((ret == 1) && (dest != NULL)) {
+        if (*dest == NULL) {
+            buf = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_ASN1);
+            if (buf == NULL)
+                ret = 0;
+            *dest = buf;
+        }
+
+        if (ret == 1) {
+            len = wolfssl_asn1_item_encode(src, *dest, tpl);
+        }
+    }
+
+    if (ret == 0) {
+        XFREE(buf, NULL, DYNAMIC_TYPE_ASN1);
+        len = 0;
+    }
+    WOLFSSL_LEAVE("wolfSSL_ASN1_item_i2d", len);
+    return len;
+}
+
+#endif /* OPENSSL_ALL */
+
+#endif /* OPENSSL_EXTRA */
+
+/*******************************************************************************
+ * ASN1_BIT_STRING APIs
+ ******************************************************************************/
+
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
+/* Create a new ASN.1 BIT_STRING object.
+ *
+ * @return  ASN.1 BIT_STRING object on success.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_BIT_STRING* wolfSSL_ASN1_BIT_STRING_new(void)
+{
+    WOLFSSL_ASN1_BIT_STRING* bitStr;
+
+    bitStr = (WOLFSSL_ASN1_BIT_STRING*)XMALLOC(sizeof(WOLFSSL_ASN1_BIT_STRING),
+        NULL, DYNAMIC_TYPE_OPENSSL);
+    if (bitStr) {
+        XMEMSET(bitStr, 0, sizeof(WOLFSSL_ASN1_BIT_STRING));
+    }
+
+    return bitStr;
+}
+
+/* Dispose of ASN.1 BIT_STRING object.
+ *
+ * Do not use bitStr after calling this function.
+ *
+ * @param [in, out] bitStr  ASN.1 BIT_STRING to free. May be NULL.
+ */
+void wolfSSL_ASN1_BIT_STRING_free(WOLFSSL_ASN1_BIT_STRING* bitStr)
+{
+    if (bitStr != NULL) {
+        /* Dispose of any data allocated in BIT_STRING. */
+        XFREE(bitStr->data, NULL, DYNAMIC_TYPE_OPENSSL);
+    }
+    /* Dispose of the ASN.1 BIT_STRING object. */
+    XFREE(bitStr, NULL, DYNAMIC_TYPE_OPENSSL);
+}
+
+/* Get the value of the bit from the ASN.1 BIT_STRING at specified index.
+ *
+ * A NULL object a value of 0 for the bit at all indices.
+ * A negative index has a value of 0 for the bit.
+ *
+ * @param [in] bitStr  ASN.1 BIT_STRING object.
+ * @param [in] i       Index of bit.
+ * @return  Value of bit.
+ */
+int wolfSSL_ASN1_BIT_STRING_get_bit(const WOLFSSL_ASN1_BIT_STRING* bitStr,
+    int i)
+{
+    int bit = 0;
+
+    /* Check for data and whether index is in range. */
+    if ((bitStr != NULL) && (bitStr->data != NULL) && (i >= 0) &&
+            (bitStr->length > (i / 8))) {
+        bit = (bitStr->data[i / 8] & (1 << (7 - (i % 8)))) ? 1 : 0;
+    }
+
+    return bit;
+}
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
+
+#if defined(OPENSSL_ALL) && !defined(NO_CERTS)
+
+/* Grow data to require length.
+ *
+ * @param [in] bitStr  ASN.1 BIT_STRING object.
+ * @param [in] len     Length, in bytes, of data required.
+ * @return  1 on success.
+ * @return  0 when dynamic memory allocation fails.
+ */
+static int wolfssl_asn1_bit_string_grow(WOLFSSL_ASN1_BIT_STRING* bitStr,
+    int len)
+{
+    int ret = 1;
+    byte* tmp;
+
+    /* Realloc to length required. */
+    tmp = (byte*)XREALLOC(bitStr->data, len, NULL, DYNAMIC_TYPE_OPENSSL);
+    if (tmp == NULL) {
+        ret = 0;
+    }
+    else {
+        /* Clear out new, top bytes. */
+        XMEMSET(tmp + bitStr->length, 0, len - bitStr->length);
+        bitStr->data = tmp;
+        bitStr->length = len;
+    }
+
+    return ret;
+}
+
+/* Set the value of a bit in the ASN.1 BIT_STRING at specified index.
+ *
+ * @param [in] bitStr  ASN.1 BIT_STRING object.
+ * @param [in] idx     Index of bit to set.
+ * @param [in] val     Value of bit to set. Valid values: 0 or 1.
+ * @return  1 on success.
+ * @return  0 when bitStr is NULL, idx is negative, val is not 0 or 1, or
+ *          dynamic memory allocation fails.
+ */
+int wolfSSL_ASN1_BIT_STRING_set_bit(WOLFSSL_ASN1_BIT_STRING* bitStr, int idx,
+    int val)
+{
+    int ret = 1;
+    int i = 0;
+
+    /* Validate parameters. */
+    if ((bitStr == NULL) || (idx < 0) || ((val != 0) && (val != 1))) {
+        ret = 0;
+    }
+
+    if (ret == 1) {
+        i = idx / 8;
+
+        /* Check if we need to extend data range. */
+        if ((i >= bitStr->length) && (val != 0)) {
+            /* Realloc data to handle having bit set at index. */
+            ret = wolfssl_asn1_bit_string_grow(bitStr, i + 1);
+        }
+    }
+    if ((ret == 1) && (i < bitStr->length)) {
+        /* Bit on at index. */
+        byte bit = 1 << (7 - (idx % 8));
+
+        /* Clear bit and set to value. */
+        bitStr->data[i] &= ~bit;
+        bitStr->data[i] |= bit & (byte)(0 - val);
+    }
+
+    return ret;
+}
+
+#endif /* OPENSSL_ALL && !NO_CERTS */
+
+/*******************************************************************************
+ * ASN1_INTEGER APIs
+ ******************************************************************************/
+
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
+/* Create a new empty ASN.1 INTEGER object.
+ *
+ * @return  ASN.1 INTEGER object on success.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_INTEGER* wolfSSL_ASN1_INTEGER_new(void)
+{
+    WOLFSSL_ASN1_INTEGER* a;
+
+    /* Allocate a new ASN.1 INTEGER object. */
+    a = (WOLFSSL_ASN1_INTEGER*)XMALLOC(sizeof(WOLFSSL_ASN1_INTEGER), NULL,
+        DYNAMIC_TYPE_OPENSSL);
+    if (a != NULL) {
+        XMEMSET(a, 0, sizeof(WOLFSSL_ASN1_INTEGER));
+        /* Use fixed buffer field for data. */
+        a->data      = a->intData;
+        a->isDynamic = 0;
+        /* Maximum supported by fixed buffer. */
+        a->dataMax   = WOLFSSL_ASN1_INTEGER_MAX;
+        /* No value set - no data. */
+        a->length    = 0;
+    }
+
+    return a;
+}
+
+/* Free the ASN.1 INTEGER object and any dynamically allocated data.
+ *
+ * @param [in, out] in  ASN.1 INTEGER object.
+ */
+void wolfSSL_ASN1_INTEGER_free(WOLFSSL_ASN1_INTEGER* in)
+{
+    if ((in != NULL) && (in->isDynamic)) {
+        /* Dispose of any data allocated in BIT_STRING. */
+        XFREE(in->data, NULL, DYNAMIC_TYPE_OPENSSL);
+    }
+    /* Dispose of the ASN.1 INTEGER object. */
+    XFREE(in, NULL, DYNAMIC_TYPE_OPENSSL);
+}
+
+/* Reset the data of ASN.1 INTEGER object back to empty fixed array.
+ *
+ * @param [in] a  ASN.1 INTEGER object.
+ */
+static void wolfssl_asn1_integer_reset_data(WOLFSSL_ASN1_INTEGER* a)
+{
+    /* Don't use dynamic buffer anymore. */
+    if (a->isDynamic) {
+        /* Cache pointer to allocated data. */
+        unsigned char* data = a->data;
+        /* No longer dynamic. */
+        a->isDynamic = 0;
+        /* Point data at fixed array. */
+        a->data = a->intData;
+        /* Set maximum length to fixed array size. */
+        a->dataMax = (unsigned int)sizeof(a->intData);
+        /* Dispose of dynamically allocated data. */
+        XFREE(data, NULL, DYNAMIC_TYPE_OPENSSL);
+    }
+    /* Clear out data from fixed array. */
+    XMEMSET(a->intData, 0, sizeof(a->intData));
+    /* No data, no length. */
+    a->length = 0;
+    /* No data, not negative. */
+    a->negative = 0;
+    /* Set type to positive INTEGER. */
+    a->type = V_ASN1_INTEGER;
+}
+
+/* Setup ASN.1 INTEGER object to handle data of required length.
+ *
+ * @param [in, out] a    ASN.1 INTEGER object.
+ * @param [in]      len  Required length in bytes.
+ * @return  1 on success.
+ * @return  0 on dynamic memory allocation failure.
+ */
+static int wolfssl_asn1_integer_require_len(WOLFSSL_ASN1_INTEGER* a, int len,
+    int keepOldData)
+{
+    int ret = 1;
+    byte* data;
+    byte* oldData = a->intData;
+    int oldLen = a->length;
+
+    if (a->isDynamic && (len > (int)a->dataMax)) {
+        oldData = a->data;
+        a->isDynamic = 0;
+        a->data = a->intData;
+        a->dataMax = (unsigned int)sizeof(a->intData);
+    }
+    a->length = 0;
+    if ((!a->isDynamic) && (len > (int)a->dataMax)) {
+        /* Create a new buffer to hold large integer value. */
+        data = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_OPENSSL);
+        if (a->data == NULL) {
+            ret = 0;
+        }
+        else {
+            /* Indicate data is dynamic and copy data over. */
+            a->isDynamic = 1;
+            a->data = data;
+            a->dataMax = len;
+        }
+    }
+    if (keepOldData) {
+         if (oldData != a->data) {
+             /* Copy old data into new buffer. */
+             XMEMCPY(a->data, oldData, oldLen);
+         }
+         /* Restore old length. */
+         a->length = oldLen;
+    }
+    if (oldData != a->intData) {
+         /* Dispose of the old dynamic data. */
+         XFREE(oldData, NULL, DYNAMIC_TYPE_OPENSSL);
+    }
+
+    return ret;
+}
+
+/* Duplicate the ASN.1 INTEGER object into a newly allocated one.
+ *
+ * @param [in] src  ASN.1 INTEGER object to copy.
+ * @return  ASN.1 INTEGER object on success.
+ * @return  NULL when src is NULL or dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_INTEGER* wolfSSL_ASN1_INTEGER_dup(const WOLFSSL_ASN1_INTEGER* src)
+{
+    WOLFSSL_ASN1_INTEGER* dup = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_INTEGER_dup");
+
+    /* Check for object to duplicate. */
+    if (src != NULL) {
+        /* Create a new ASN.1 INTEGER object to be copied into. */
+        dup = wolfSSL_ASN1_INTEGER_new();
+    }
+    /* Check for object to copy into. */
+    if (dup != NULL) {
+        /* Copy simple fields. */
+        dup->length   = src->length;
+        dup->negative = src->negative;
+        dup->type     = src->type;
+
+        if (!src->isDynamic) {
+            /* Copy over data from/to fixed buffer. */
+            XMEMCPY(dup->intData, src->intData, WOLFSSL_ASN1_INTEGER_MAX);
+        }
+        else if (wolfssl_asn1_integer_require_len(dup, src->length, 0) == 0) {
+            wolfSSL_ASN1_INTEGER_free(dup);
+            dup = NULL;
+        }
+        else {
+            XMEMCPY(dup->data, src->data, src->length);
+        }
+    }
+
+    return dup;
+}
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
+
+#if defined(OPENSSL_EXTRA)
+
+/* Compare values in two ASN.1 INTEGER objects.
+ *
+ * @param [in] a  First ASN.1 INTEGER object.
+ * @param [in] b  Second ASN.1 INTEGER object.
+ * @return Negative value when a is less than b.
+ * @return 0 when a equals b.
+ * @return Positive value when a is greater than b.
+ * @return -1 when a or b is NULL.
+ */
+int wolfSSL_ASN1_INTEGER_cmp(const WOLFSSL_ASN1_INTEGER* a,
+    const WOLFSSL_ASN1_INTEGER* b)
+{
+    int ret = 0;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_INTEGER_cmp");
+
+    /* Validate parameters. */
+    if ((a == NULL) || (b == NULL)) {
+        WOLFSSL_MSG("Bad parameter.");
+        ret = -1;
+    }
+    /* Negative value < Positive value */
+    else if (a->negative && !b->negative) {
+        ret = -1;
+    }
+    /* Positive value > Negative value */
+    else if (!a->negative && b->negative) {
+        ret = 1;
+    }
+    else {
+        /* Check for difference in length. */
+        if (a->length != b->length) {
+            ret = a->length - b->length;
+        }
+        else {
+            /* Compare data given they are the same length. */
+            ret = XMEMCMP(a->data, b->data, a->length);
+        }
+        /* Reverse comparison result when both negative. */
+        if (a->negative) {
+            ret = -ret;
+        }
+    }
+
+    WOLFSSL_LEAVE("wolfSSL_ASN1_INTEGER_cmp", ret);
+
+    return ret;
+}
+
+
+/* Calculate 2's complement of DER encoding.
+ *
+ * @param [in]  data    Array that is number.
+ * @param [in]  length  Number of bytes in array.
+ * @return  0 on success.
+ * @return  -1 when get length from DER header failed.
+ */
+static void wolfssl_twos_compl(byte* data, int length)
+{
+    int i;
+
+    /* Invert bits - 1's complement. */
+    for (i = 0; i < length; ++i) {
+        data[i] = ~data[i];
+    }
+    /* 2's complement - add 1. */
+    for (i = length - 1; (++data[i]) == 0; --i) {
+        /* Do nothing. */
+    }
+}
+
+/* Calculate 2's complement of DER encoding.
+ *
+ * @param [in]  data    Array that is number.
+ * @param [in]  length  Number of bytes in array.
+ * @param [out] neg     When NULL, 2's complement data.
+ *                      When not NULL, check for negative first and return.
+ * @return  0 on success.
+ * @return  -1 when get length from DER header failed.
+ */
+static int wolfssl_asn1_int_twos_compl(byte* data, int length, byte* neg)
+{
+    int ret = 0;
+    word32 idx = 1;     /* Skip tag. */
+    int len;
+
+    /* Get length from DER header. */
+    if (GetLength(data, &idx, &len, length) < 0) {
+        ret = -1;
+    }
+    else {
+        if (neg != NULL) {
+            *neg = data[idx] & 0x80;
+        }
+        if ((neg == NULL) || (*neg != 0)) {
+            wolfssl_twos_compl(data + idx, length - idx);
+        }
+    }
+
+    return ret;
+}
+
+/* Encode ASN.1 INTEGER as DER without tag.
+ *
+ * When out points to NULL, a new buffer is allocated and returned.
+ *
+ * @param [in]      a    ASN.1 INTEGER object.
+ * @param [in, out] out  Pointer to buffer to hold encoding. May point to NULL.
+ * @return  Length of encoding on success.
+ * @return  -1 when a is NULL or no data, out is NULL, dynamic memory allocation
+ *          fails or encoding length fails.
+ */
+int wolfSSL_i2d_ASN1_INTEGER(WOLFSSL_ASN1_INTEGER* a, unsigned char** out)
+{
+    int ret = 0;
+    byte* buf = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_i2d_ASN1_INTEGER");
+
+    /* Validate parameters. */
+    if ((a == NULL) || (a->data == NULL) || (a->length <= 0) || (out == NULL)) {
+        WOLFSSL_MSG("Bad parameter.");
+        ret = -1;
+    }
+
+    if ((ret == 0) && (*out == NULL)) {
+        /* Allocate buffer to hold encoding. */
+        buf = (unsigned char*)XMALLOC(a->length, NULL, DYNAMIC_TYPE_ASN1);
+        if (buf == NULL) {
+            WOLFSSL_MSG("Failed to allocate output buffer.");
+            ret = -1;
+        }
+        /* Return any allocated buffer. */
+        *out = buf;
+    }
+    if (ret == 0) {
+        /* Copy the data (including tag and length) into output buffer. */
+        XMEMCPY(*out, a->data, a->length);
+        /* Only magnitude of the number stored (i.e. the sign isn't encoded).
+         * The "negative" field is 1 if the value must be interpreted as
+         * negative and we need to output the 2's complement of the value in
+         * the DER output.
+         */
+        if (a->negative) {
+            ret = wolfssl_asn1_int_twos_compl(*out, a->length, NULL);
+        }
+    }
+    if (ret == 0) {
+        ret = a->length;
+        /* Move pointer on passed encoding when buffer passed in. */
+        if (buf == NULL) {
+            *out += a->length;
+        }
+    }
+    /* Dispose of any dynamically allocated data on error. */
+    else if (buf != NULL) {
+        /* Dispose of buffer allocated locally on error. */
+        XFREE(buf, NULL, DYNAMIC_TYPE_ASN1);
+        /* Don't return freed buffer. */
+        *out = NULL;
+    }
+
+    WOLFSSL_LEAVE("wolfSSL_i2d_ASN1_INTEGER", ret);
+
+    return ret;
+}
+
+/* Decode DER encoding of ASN.1 INTEGER.
+ *
+ * @param [out]     a     ASN.1 INTEGER object. May be NULL.
+ * @param [in, out] in    Pointer to buffer containing DER encoding.
+ * @param [in]      inSz  Length of data in buffer.
+ * @return  ASN.1 INTEGER object on success.
+ * @return  NULL when in or *in is NULL, inSz is less than or equal to 2 or
+ *          parsing DER failed.
+ */
+WOLFSSL_ASN1_INTEGER* wolfSSL_d2i_ASN1_INTEGER(WOLFSSL_ASN1_INTEGER** a,
+    const unsigned char** in, long inSz)
+{
+    WOLFSSL_ASN1_INTEGER* ret = NULL;
+    int err = 0;
+    word32 idx = 1;
+    int len = 0;
+
+    WOLFSSL_ENTER("wolfSSL_d2i_ASN1_INTEGER");
+
+    /* Validate parameters. */
+    if ((in == NULL) || (*in == NULL) || (inSz <= 2)) {
+        WOLFSSL_MSG("Bad parameter");
+        err = 1;
+    }
+
+    /* Check that the tag is correct. */
+    if ((!err) && (*in)[0] != ASN_INTEGER) {
+        WOLFSSL_MSG("Tag doesn't indicate integer type.");
+        err = 1;
+    }
+    /* Check that length and use this instead of inSz. */
+    if ((!err) && (GetLength(*in, &idx, &len, (word32)inSz) <= 0)) {
+        WOLFSSL_MSG("ASN.1 length not valid.");
+        err = 1;
+    }
+    /* Allocate a new ASN.1 INTEGER object. */
+    if ((!err) && ((ret = wolfSSL_ASN1_INTEGER_new()) == NULL)) {
+        err = 1;
+    }
+    if ((!err) && (wolfssl_asn1_integer_require_len(ret, idx + len, 0) != 1)) {
+        err = 1;
+    }
+    if (!err) {
+        /* Set type. */
+        ret->type = V_ASN1_INTEGER;
+
+        /* Copy DER encoding and length. */
+        XMEMCPY(ret->data, *in, idx + len);
+        ret->length = idx + len;
+        /* Do 2's complement if number is negative. */
+        if (wolfssl_asn1_int_twos_compl(ret->data, ret->length, &ret->negative)
+                != 0) {
+            err = 1;
+        }
+    }
+    if ((!err) && ret->negative) {
+        /* Update type if number was negative. */
+        ret->type |= V_ASN1_NEG_INTEGER;
+    }
+
+    if (err) {
+        /* Dispose of dynamically allocated data on error. */
+        wolfSSL_ASN1_INTEGER_free(ret);
+        ret = NULL;
+    }
+    else {
+        if (a != NULL) {
+            /* Return ASN.1 INTEGER through a. */
+            *a = ret;
+        }
+        *in += ret->length;
+    }
+
+    return ret;
+}
+
+#ifndef NO_BIO
+
+/* Get length of leading hexadecimal characters.
+ *
+ * Looks for continuation character before carriage returns and line feeds.
+ *
+ * @param [in]  str   String with input.
+ * @param [in]  len   Length of string.
+ * @param [out] cont  Line continuation character at end of line before
+ *                    carriage returns and line feeds.
+ * @return  Number of leading hexadecimal characters in string.
+ */
+static int wolfssl_a2i_asn1_integer_clear_to_eol(char* str, int len, int* cont)
+{
+    byte num;
+    word32 nLen;
+    int i;
+
+    /* Strip off trailing carriage returns and line feeds. */
+    while ((len > 0) && ((str[len - 1] == '\n') || (str[len - 1] == '\r'))) {
+        len--;
+    }
+    /* Check for line continuation character. */
+    if ((len > 0) && (str[len - 1] == '\\')) {
+        *cont = 1;
+        len--;
+    }
+    else {
+        *cont = 0;
+    }
+
+    /* Find end of hexadecimal characters. */
+    nLen = 1;
+    for (i = 0; i < len; i++) {
+        /* Check if character is a hexadecimal character. */
+        if (Base16_Decode((const byte*)str + i, 1, &num, &nLen) == ASN_INPUT_E)
+        {
+            /* Found end of hexadecimal characters, return count. */
+            len = i;
+            break;
+        }
+    }
+
+    return len;
+}
+
+/* Read number from BIO as a string.
+ *
+ * Line continuation character at end of line means next line must be read.
+ *
+ * @param [in]      bio   BIO to read from.
+ * @param [in]      asn1  ASN.1 INTEGER object to put number into.
+ * @param [in, out] buf   Buffer to use when reading.
+ * @param [in]      size  Length of buffer in bytes.
+ * @return  1 on success.
+ * @return  0 on failure.
+ */
+int wolfSSL_a2i_ASN1_INTEGER(WOLFSSL_BIO *bio, WOLFSSL_ASN1_INTEGER *asn1,
+    char *buf, int size)
+{
+    int ret = 1;
+    int readNextLine = 1;
+    int lineLen;
+    int len;
+    word32 outLen = 0;
+    const int hdrSz = 1 + MAX_LENGTH_SZ;
+
+    WOLFSSL_ENTER("wolfSSL_a2i_ASN1_INTEGER");
+
+    if ((bio == NULL) || (asn1 == NULL) || (buf == NULL) || (size <= 0)) {
+        WOLFSSL_MSG("Bad parameter");
+        ret = 0;
+    }
+
+    while ((ret == 1) && readNextLine) {
+        /* Assume we won't be reading any more. */
+        readNextLine = 0;
+
+        /* Read a line. */
+        lineLen = wolfSSL_BIO_gets(bio, buf, size);
+        if (lineLen <= 0) {
+            WOLFSSL_MSG("wolfSSL_BIO_gets error");
+            ret = 0;
+        }
+
+        if (ret == 1) {
+            /* Find length of hexadecimal digits in string. */
+            lineLen = wolfssl_a2i_asn1_integer_clear_to_eol(buf, lineLen,
+                &readNextLine);
+            /* Check we have a valid hexadecimal string to process. */
+            if ((lineLen == 0) || ((lineLen % 2) != 0)) {
+                WOLFSSL_MSG("Invalid line length");
+                ret = 0;
+            }
+        }
+        if (ret == 1) {
+            /* Calculate length of complete number so far. */
+            len = asn1->length + (lineLen / 2);
+            /* Make sure enough space for number and maximum header. */
+            if (wolfssl_asn1_integer_require_len(asn1, len + hdrSz, outLen != 0)
+                    != 1) {
+                ret = 0;
+            }
+        }
+        if (ret == 1) {
+            /* Decode string and append to data. */
+            outLen = (word32)(lineLen / 2);
+            (void)Base16_Decode((byte*)buf, lineLen, asn1->data + asn1->length,
+                &outLen);
+        }
+        if (ret == 1) {
+            /* Update length of data. */
+            asn1->length += outLen;
+        }
+    }
+
+    if (ret == 1) {
+        int idx;
+
+        /* Get ASN.1 header length. */
+        idx = SetASNInt(asn1->length, asn1->data[0], NULL);
+        /* Move data to be after ASN.1 header. */
+        XMEMMOVE(asn1->data + idx, asn1->data, asn1->length);
+        /* Encode ASN.1 header. */
+        SetASNInt(asn1->length, asn1->data[idx], asn1->data);
+        /* Update length of data. */
+        asn1->length += idx;
+    }
+
+    return ret;
+}
+
+/* Write out number in ASN.1 INTEGER object to BIO as string.
+ *
+ * @param [in] bp  BIO to write to.
+ * @param [in] a   ASN.1 INTEGER object.
+ * @return  Number of characters written on success.
+ * @return  0 when bp or a is NULL.
+ * @return  0 DER header in data is invalid.
+ */
+int wolfSSL_i2a_ASN1_INTEGER(BIO *bp, const WOLFSSL_ASN1_INTEGER *a)
+{
+    int err = 0;
+    word32 idx = 1;     /* Skip ASN.1 INTEGER tag byte. */
+    int len = 0;
+    byte buf[WOLFSSL_ASN1_INTEGER_MAX * 2 + 1];
+    word32 bufLen;
+
+    WOLFSSL_ENTER("wolfSSL_i2a_ASN1_INTEGER");
+
+    /* Validate parameters. */
+    if ((bp == NULL) || (a == NULL)) {
+         err = 1;
+    }
+
+    if (!err) {
+        /* Read DER length - must be at least 1 byte. */
+        if (GetLength(a->data, &idx, &len, a->length) <= 0) {
+            err = 1;
+        }
+    }
+
+    /* Keep encoding and writing while no error and bytes in data. */
+    while ((!err) && (idx < (word32)a->length)) {
+        /* Number of bytes left to encode. */
+        int encLen = a->length - idx;
+        /* Reduce to maximum buffer size if necessary. */
+        if (encLen > (int)sizeof(buf) / 2) {
+            encLen = (int)sizeof(buf) / 2;
+        }
+
+        /* Encode bytes from data into buffer. */
+        bufLen = (int)sizeof(buf);
+        (void)Base16_Encode(a->data + idx, encLen, buf, &bufLen);
+        /* Update index to next bytes to encoded. */
+        idx += encLen;
+
+        /* Write out characters but not NUL char. */
+        if (wolfSSL_BIO_write(bp, buf, bufLen - 1) != (int)(bufLen - 1)) {
+            err = 1;
+        }
+    }
+
+    if (err) {
+        /* Return 0 on error. */
+        len = 0;
+    }
+    /* Return total number of characters written. */
+    return len * 2;
+}
+#endif /* !NO_BIO */
+
+#ifndef NO_ASN
+/* Determine if a pad byte is required and its value for a number.
+ *
+ * Assumes values pointed to by pad and padVal are both 0.
+ *
+ * @param [in]       data    Number encoded as big-endian bytes.
+ * @param [in]       len     Length of number in bytes.
+ * @param [in, out]  neg     Indicates number is negative.
+ * @param [out]      pad     Number of padding bytes required.
+ * @param [out]      padVal  Padding byte to preprend.
+ */
+static void wolfssl_asn1_integer_pad(unsigned char* data, int len,
+    unsigned char* neg, char* pad, unsigned char* padVal)
+{
+    /* Check for empty data. */
+    if (len == 0) {
+        *pad = 1;
+        *padVal = 0x00;
+        *neg = 0;
+    }
+    else {
+        /* Get first, most significant, byte of encoded number. */
+        unsigned char firstByte = data[0];
+
+        /* 0 can't be negative. */
+        if ((len == 1) && (firstByte == 0x00)) {
+            *neg = 0;
+        }
+        /* Positive value must not have top bit of first byte set. */
+        if ((!*neg) && (firstByte >= 0x80)) {
+            *pad = 1;
+            *padVal = 0x00;
+        }
+        /* Negative numbers are two's complemented.
+         * Two's complement value must have top bit set.
+         */
+        else if (*neg && (firstByte > 0x80)) {
+            *pad = 1;
+            *padVal = 0xff;
+        }
+        /* Checking for: 0x80[00]*
+         * when negative that when two's complemented will be: 0x80[00]*
+         * and therefore doesn't require pad byte.
+         */
+        else if (*neg && (firstByte == 0x80)) {
+            int i;
+            /* Check rest of bytes. */
+            for (i = 1; i < len; i++) {
+                if (data[i] != 0x00) {
+                    /* Not 0x80[00]* */
+                    *pad = 1;
+                    *padVal = 0xff;
+                    break;
+                }
+            }
+        }
+    }
+}
+
+/* Convert ASN.1 INTEGER object into content octets.
+ *
+ * TODO: compatibility with OpenSSL? OpenSSL assumes data not DER encoded.
+ *
+ * When pp points to a buffer, on success pp will point to after the encoded
+ * data.
+ *
+ * @param [in]      a   ASN.1 INTEGER object.
+ * @param [in, out] pp  Pointer to buffer. May be NULL. Cannot point to NULL.
+ * @return  Length of encoding on success.
+ * @return  0 when a is NULL, pp points to NULL or DER length encoding invalid.
+ */
+int wolfSSL_i2c_ASN1_INTEGER(WOLFSSL_ASN1_INTEGER *a, unsigned char **pp)
+{
+    int err = 0;
+    int len = 0;
+    char pad = 0;
+    unsigned char padVal = 0;
+    word32 idx = 1;
+
+    WOLFSSL_ENTER("wolfSSL_i2c_ASN1_INTEGER");
+
+    /* Validate parameters. */
+    if ((a == NULL) || ((pp != NULL) && (*pp == NULL))) {
+        err = 1;
+    }
+
+    /* Get length from DER encoding. */
+    if ((!err) && (GetLength_ex(a->data, &idx, &len, a->dataMax, 0) < 0)) {
+        err = 1;
+    }
+
+    if (!err) {
+        /* Determine pad length and value. */
+        wolfssl_asn1_integer_pad(a->data + idx, len, &a->negative, &pad,
+            &padVal);
+        /* Total encoded length is number length plus one when padding. */
+        len += (int)pad;
+    }
+
+    /* Check buffer supplied to write into. */
+    if ((!err) && (pp != NULL)) {
+        /* Put in any pad byte. */
+        if (pad) {
+            (*pp)[0] = padVal;
+        }
+        /* Copy remaining bytes into output buffer. */
+        XMEMCPY(*pp + pad, a->data + idx, len - pad);
+        /* Two's complement copied bytes when negative. */
+        if (a->negative) {
+            wolfssl_twos_compl(*pp + pad, len - pad);
+        }
+        /* Move pointer past encoded data. */
+        *pp += len;
+    }
+
+    return len;
+}
+
+/* Make a big number with the value in the ASN.1 INTEGER object.
+ *
+ * A new big number object is allocated when bn is NULL.
+ *
+ * @param [in] ai  ASN.1 INTEGER object.
+ * @param [in] bn  Big number object. May be NULL.
+ * @return  Big number object on success.
+ * @return  NULL when ai is NULL or converting from binary fails.
+ */
+WOLFSSL_BIGNUM *wolfSSL_ASN1_INTEGER_to_BN(const WOLFSSL_ASN1_INTEGER *ai,
+    WOLFSSL_BIGNUM *bn)
+{
+    int err = 0;
+    word32 idx = 1;
+    int len = 0;
+    WOLFSSL_BIGNUM* ret = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_INTEGER_to_BN");
+
+    /* Validate parameters. */
+    if (ai == NULL) {
+        err = 1;
+    }
+
+    if (!err) {
+        /* Get the length of ASN.1 INTEGER number. */
+        if ((ai->data[0] != ASN_INTEGER) || (GetLength(ai->data, &idx, &len,
+                ai->length) <= 0)) {
+        #if defined(WOLFSSL_QT) || defined(WOLFSSL_HAPROXY)
+            idx = 0;
+            len = ai->length;
+        #else
+            WOLFSSL_MSG("Data in WOLFSSL_ASN1_INTEGER not DER encoded");
+            err = 1;
+        #endif
+        }
+    }
+    if (!err) {
+        /* Convert binary to big number. */
+        ret = wolfSSL_BN_bin2bn(ai->data + idx, len, bn);
+        if (ret != NULL) {
+            /* Handle negative. */
+            (void)wolfssl_bn_set_neg(ret, ai->negative);
+        }
+    }
+
+    return ret;
+}
+#endif /* !NO_ASN */
+
+/* Create an ASN.1 INTEGER object from big number.
+ *
+ * Allocates a new ASN.1 INTEGER object when ai is NULL.
+ *
+ * @param [in] bn  Big number to encode.
+ * @param [in] ai  ASN.1 INTEGER object. May be NULL.
+ * @return  ASN.1 INTEGER object on success.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_INTEGER* wolfSSL_BN_to_ASN1_INTEGER(const WOLFSSL_BIGNUM *bn,
+    WOLFSSL_ASN1_INTEGER *ai)
+{
+    int err = 0;
+    WOLFSSL_ASN1_INTEGER* a = NULL;
+    int len = 0;
+    int numBits = 0;
+    byte firstByte = 0;
+
+    WOLFSSL_ENTER("wolfSSL_BN_to_ASN1_INTEGER");
+
+    /* Validate parameters. */
+    if (bn == NULL) {
+        err = 1;
+    }
+    /* Use ASN.1 INTEGER object if provided. */
+    else if (ai != NULL) {
+        a = ai;
+    }
+    /* Create an ASN.1 INTEGER object to return. */
+    else {
+        a = wolfSSL_ASN1_INTEGER_new();
+        if (a == NULL) {
+            err = 1;
+        }
+    }
+
+    /* Check we have an ASN.1 INTEGER object to set. */
+    if (!err) {
+        int length;
+
+        /* Set type and negative. */
+        a->type = V_ASN1_INTEGER;
+        if (wolfSSL_BN_is_negative(bn) && !wolfSSL_BN_is_zero(bn)) {
+            a->negative = 1;
+            a->type |= V_ASN1_NEG_INTEGER;
+        }
+
+        /* Get length in bytes of encoded number. */
+        len = wolfSSL_BN_num_bytes(bn);
+        if (len == 0) {
+            len = 1;
+        }
+        /* Get length in bits of encoded number. */
+        numBits = wolfSSL_BN_num_bits(bn);
+        /* Leading zero required if most-significant byte has top bit set. */
+        if ((numBits % 8) == 7) {
+            firstByte = 0x80;
+        }
+        /* Get length of header based on length of number. */
+        length = SetASNInt(len, firstByte, NULL);
+        if (firstByte != 0) {
+            /* Add one for leading zero. */
+            length++;
+        }
+        /* Add number of bytes to encode number. */
+        length += len;
+
+        /* Update data field to handle length. */
+        if (wolfssl_asn1_integer_require_len(a, length, 0) != 1) {
+            err = 1;
+        }
+    }
+    if (!err) {
+        /* Write ASN.1 header. */
+        int idx = SetASNInt(len, firstByte, a->data);
+
+        /* Populate data. */
+        if (numBits == 0) {
+            a->data[idx] = 0;
+        }
+        else {
+            if (firstByte != 0) {
+                a->data[idx++] = 0;
+            }
+            /* Add encoded number. */
+            len = wolfSSL_BN_bn2bin(bn, a->data + idx);
+            if (len < 0) {
+                err = 1;
+            }
+        }
+
+        /* Set length to encoded length. */
+        a->length = idx + len;
+    }
+
+    if (err) {
+        /* Can't use ASN.1 INTEGER object. */
+        if (a != ai) {
+            wolfSSL_ASN1_INTEGER_free(a);
+        }
+        a = NULL;
+    }
+    return a;
+}
+
+/* Get the value of the ASN.1 INTEGER as a long.
+ *
+ * Returning 0 on NULL and -1 on error is consistent with OpenSSL.
+ *
+ * @param [in] a  ASN.1 INTEGER object.
+ * @return  Value as a long.
+ * @return  0 when a is NULL.
+ * @return  -1 when a big number operation fails.
+ */
+long wolfSSL_ASN1_INTEGER_get(const WOLFSSL_ASN1_INTEGER* a)
+{
+    long ret = 1;
+    WOLFSSL_BIGNUM* bn = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_INTEGER_get");
+
+    /* Validate parameter. */
+    if (a == NULL) {
+        ret = 0;
+    }
+
+    if (ret > 0) {
+        /* Create a big number from the DER encoding. */
+        bn = wolfSSL_ASN1_INTEGER_to_BN(a, NULL);
+        if (bn == NULL) {
+            ret = -1;
+        }
+    }
+    if (ret > 0) {
+        /* Get the big number as a word. */
+        ret = wolfSSL_BN_get_word(bn);
+        /* Negate number of ASN.1 INTEGER was negative. */
+        if (a->negative == 1) {
+            ret = -ret;
+        }
+    }
+
+    /* Dispose of big number as no longer needed. */
+    if (bn != NULL) {
+        wolfSSL_BN_free(bn);
+    }
+
+    WOLFSSL_LEAVE("wolfSSL_ASN1_INTEGER_get", (int)ret);
+
+    return ret;
+}
+
+
+/* Sets the value of the ASN.1 INTEGER object to the long value.
+ *
+ * @param [in, out] a  ASN.1 INTEGER object.
+ * @param [in]      v  Value to set.
+ * @return  1 on success.
+ * @return  0 when a is NULL.
+ */
+int wolfSSL_ASN1_INTEGER_set(WOLFSSL_ASN1_INTEGER *a, long v)
+{
+    int ret = 1;
+    byte j;
+    unsigned int i = 0;
+    byte tmp[sizeof(long)];
+    byte pad = 0;
+
+    /* Validate parameters. */
+    if (a == NULL) {
+        ret = 0;
+    }
+    if (ret == 1) {
+        wolfssl_asn1_integer_reset_data(a);
+
+        /* Check for negative. */
+        if (v < 0) {
+            /* Set negative and 2's complement the value. */
+            a->negative = 1;
+            a->type |= V_ASN1_NEG;
+            v = -v;
+        }
+
+        /* Put value into temporary buffer - at least one byte encoded. */
+        tmp[0] = (byte)(v & 0xff);
+        v >>= 8;
+        for (j = 1; j < (byte)sizeof(long); j++) {
+            if (v == 0) {
+                break;
+            }
+            tmp[j] = (byte)(v & 0xff);
+            v >>= 8;
+        }
+        /* Pad with 0x00 to indicate positive number when top bit set. */
+        if ((!a->negative) && (tmp[j-1] & 0x80)) {
+            pad = 1;
+        }
+
+        /* Set tag. */
+        a->data[i++] = ASN_INTEGER;
+        /* Set length of encoded value. */
+        a->data[i++] = pad + j;
+        /* Set length of DER encoding. +2 for tag and length */
+        a->length = 2 + pad + j;
+
+        /* Add pad byte if required. */
+        if (pad == 1) {
+            a->data[i++] = 0;
+        }
+        /* Copy in data. */
+        for (; j > 0; j--) {
+            a->data[i++] = tmp[j-1];
+        }
+    }
+
+    return ret;
+}
+
+#endif /* OPENSSL_EXTRA */
+
+/*******************************************************************************
+ * ASN1_OBJECT APIs
+ ******************************************************************************/
+
+#if !defined(NO_ASN)
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+/* Create a new ASN.1 OBJECT_ID object.
+ *
+ * @return  ASN.1 OBJECT_ID object on success.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_OBJECT* wolfSSL_ASN1_OBJECT_new(void)
+{
+    WOLFSSL_ASN1_OBJECT* obj;
+
+    /* Allocate memory for new ASN.1 OBJECT. */
+    obj = (WOLFSSL_ASN1_OBJECT*)XMALLOC(sizeof(WOLFSSL_ASN1_OBJECT), NULL,
+        DYNAMIC_TYPE_ASN1);
+    if (obj != NULL) {
+        XMEMSET(obj, 0, sizeof(WOLFSSL_ASN1_OBJECT));
+        /* Setup pointers. */
+        obj->d.ia5 = &(obj->d.ia5_internal);
+    #if defined(OPENSSL_ALL)
+        obj->d.iPAddress = &(obj->d.iPAddress_internal);
+    #endif
+        /* Object was allocated. */
+        obj->dynamic |= WOLFSSL_ASN1_DYNAMIC;
+    }
+
+    return obj;
+}
+
+/* Dispose of any ASN.1 OBJECT_ID dynamically allocated data.
+ *
+ * Do not use obj after calling this function.
+ *
+ * @param [in, out] obj  ASN.1 OBJECT_ID object.
+ */
+void wolfSSL_ASN1_OBJECT_free(WOLFSSL_ASN1_OBJECT* obj)
+{
+    if (obj != NULL) {
+        /* Check for dynamically allocated copy of encoded data. */
+        if ((obj->dynamic & WOLFSSL_ASN1_DYNAMIC_DATA) != 0) {
+        #ifdef WOLFSSL_DEBUG_OPENSSL
+            WOLFSSL_MSG("Freeing ASN1 data");
+        #endif
+            XFREE((void*)obj->obj, obj->heap, DYNAMIC_TYPE_ASN1);
+            obj->obj = NULL;
+        }
+    #if defined(OPENSSL_EXTRA)
+        /* Check for path length ASN.1 INTEGER - X.509 extension. */
+        if (obj->pathlen != NULL) {
+            wolfSSL_ASN1_INTEGER_free(obj->pathlen);
+            obj->pathlen = NULL;
+        }
+    #endif
+        /* Check whether object was dynamically allocated. */
+        if ((obj->dynamic & WOLFSSL_ASN1_DYNAMIC) != 0) {
+    #ifdef WOLFSSL_DEBUG_OPENSSL
+            WOLFSSL_MSG("Freeing ASN1 OBJECT");
+    #endif
+            XFREE(obj, NULL, DYNAMIC_TYPE_ASN1);
+        }
+    }
+}
+
+/* Duplicate the ASN.1 OBJECT_ID object.
+ *
+ * @param [in] obj  ASN.1 OBJECT_ID object to copy.
+ * @return  New ASN.1 OBJECT_ID object on success.
+ * @return  NULL when obj is NULL or dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_OBJECT* wolfSSL_ASN1_OBJECT_dup(WOLFSSL_ASN1_OBJECT* obj)
+{
+    WOLFSSL_ASN1_OBJECT* dupl = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_OBJECT_dup");
+
+    /* Validate parameter. */
+    if (obj == NULL) {
+        WOLFSSL_MSG("Bad parameter");
+    }
+    /* Create a new ASN.1 OBJECT_ID object to return. */
+    else if ((dupl = wolfSSL_ASN1_OBJECT_new()) == NULL) {
+        WOLFSSL_MSG("wolfSSL_ASN1_OBJECT_new error");
+    }
+    if (dupl != NULL) {
+        /* Copy short name. */
+        XMEMCPY(dupl->sName, obj->sName, WOLFSSL_MAX_SNAME);
+        /* Copy simple fields. */
+        dupl->type  = obj->type;
+        dupl->grp   = obj->grp;
+        dupl->nid   = obj->nid;
+        dupl->objSz = obj->objSz;
+        /* Check for encoding. */
+        if (obj->obj) {
+            /* Allocate memory for ASN.1 OBJECT_ID DER encoding. */
+            dupl->obj = (const unsigned char*)XMALLOC(obj->objSz, NULL,
+                DYNAMIC_TYPE_ASN1);
+            if (dupl->obj == NULL) {
+                WOLFSSL_MSG("ASN1 obj malloc error");
+                wolfSSL_ASN1_OBJECT_free(dupl);
+                dupl = NULL;
+            }
+            else {
+                /* Encoding buffer was dynamically allocated. */
+                dupl->dynamic |= WOLFSSL_ASN1_DYNAMIC_DATA;
+                /* Copy DER encoding. */
+                XMEMCPY((byte*)dupl->obj, obj->obj, obj->objSz);
+            }
+        }
+    }
+
+    return dupl;
+}
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+#endif /* !NO_ASN */
+
+#ifdef OPENSSL_EXTRA
+
+/**
+ * Parse DER encoding and return header information.
+ *
+ * *in is moved to the value of the ASN1 object
+ *
+ * @param [in, out] in     Pointer to BER encoded data.
+ * @param [out]     len    Length of parsed ASN1 object
+ * @param [out]     tag    Tag value of parsed ASN1 object
+ * @param [out]     cls    Class of parsed ASN1 object
+ * @param [in]      inLen  Length of *in buffer
+ * @return int  Depends on which bits are set in the returned int:
+ *              0x80 an error occurred during parsing.
+ *              0x20 parsed object is constructed.
+ *              0x01 the parsed object length is indefinite.
+ */
+int wolfSSL_ASN1_get_object(const unsigned char **in, long *len, int *tag,
+    int *cls, long inLen)
+{
+    int err = 0;
+    word32 inOutIdx = 0;
+    int l = 0;
+    byte t = 0;
+    int ret = 0x80;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_get_object");
+
+    if ((in == NULL) || (*in == NULL) || (len == NULL) || (tag == NULL) ||
+            (cls == NULL) || (inLen <= 0)) {
+        WOLFSSL_MSG("Bad parameter");
+        err = 1;
+    }
+    if (!err) {
+        /* Length at least 1, parameters valid - cannot fail to get tag. */
+        GetASNTag(*in, &inOutIdx, &t, (word32)inLen);
+        /* Get length in DER encoding. */
+        if (GetLength_ex(*in, &inOutIdx, &l, (word32)inLen, 0) < 0) {
+            WOLFSSL_MSG("GetLength error");
+            err = 1;
+        }
+    }
+    if (!err) {
+        /* Return header information. */
+        *tag = t & ASN_TYPE_MASK;  /* Tag number is 5 lsb */
+        *cls = t & ASN_CLASS_MASK; /* Class is 2 msb */
+        *len = l;
+        ret = t & ASN_CONSTRUCTED;
+
+        if (l > (int)(inLen - inOutIdx)) {
+            /* Still return other values but indicate error in msb */
+            ret |= 0x80;
+        }
+
+        /* Move pointer to after DER header. */
+        *in += inOutIdx;
+    }
+
+    return ret;
+}
+
+/* Creates and ASN.1 OBJECT_ID object from DER encoding.
+ *
+ * @param [out]     a       Pointer to return new ASN.1 OBJECT_ID through.
+ * @param [in, out] der     Pointer to buffer holding DER encoding.
+ * @param [in]      length  Length of DER encoding in bytes.
+ * @return  New ASN.1 OBJECT_ID object on success.
+ * @return  NULL when der or *der is NULL or length is less than or equal zero.
+ * @return  NULL when not an OBJECT_ID or decoding fails.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_OBJECT *wolfSSL_d2i_ASN1_OBJECT(WOLFSSL_ASN1_OBJECT **a,
+    const unsigned char **der, long length)
+{
+    WOLFSSL_ASN1_OBJECT* ret = NULL;
+    int err = 0;
+    const unsigned char *d;
+    long len = 0;
+    int tag = 0;
+    int cls;
+
+    WOLFSSL_ENTER("wolfSSL_d2i_ASN1_OBJECT");
+
+    /* Validate parameters. */
+    if ((der == NULL) || (*der == NULL) || (length <= 0)) {
+        WOLFSSL_MSG("Bad parameter");
+        err = 1;
+    }
+    if (!err) {
+        /* Get pointer to be modified along the way. */
+        d = *der;
+
+        /* Move d to value and get length and tag. */
+        if (wolfSSL_ASN1_get_object(&d, &len, &tag, &cls, length) & 0x80) {
+            WOLFSSL_MSG("wolfSSL_ASN1_get_object error");
+            err = 1;
+        }
+    }
+    /* Check it DER encoding is of an OBJECT_ID. */
+    if ((!err) && (tag != ASN_OBJECT_ID)) {
+        WOLFSSL_MSG("Not an ASN object");
+        err = 1;
+    }
+    /* Create an ASN.1 OBJECT_ID_object from value. TODO: not DER encoding? */
+    if ((!err) && ((ret = wolfSSL_c2i_ASN1_OBJECT(a, &d, len)) != NULL)) {
+        /* Update pointer to after decoded bytes. */
+        *der = d;
+    }
+
+    return ret;
+}
+
+/* Write out DER encoding of ASN.1 OBJECT_ID.
+ *
+ * When pp is NULL, length is returned.
+ * When pp points to NULL, a new buffer is allocated and returned through pp.
+ * When pp points to a buffer, it is moved on past encoded data on success.
+ *
+ * @param [in]      a   ASN.1 OBJECT_ID object.
+ * @param [in, out] pp  Pointer to buffer to write to. May be NULL.
+ * @return  Length of encoding on success.
+ * @return  0 when a or encoding buffer is NULL.
+ * @return  0 when dynamic memory allocation fails.
+ */
+int wolfSSL_i2d_ASN1_OBJECT(WOLFSSL_ASN1_OBJECT *a, unsigned char **pp)
+{
+    int len = 0;
+
+    WOLFSSL_ENTER("wolfSSL_i2d_ASN1_OBJECT");
+
+    /* Validate parameters */
+    if ((a == NULL) || (a->obj == NULL)) {
+        WOLFSSL_MSG("Bad parameters");
+    }
+    /* Only return length when no pointer supplied. */
+    else if (pp == NULL) {
+        len = (int)a->objSz;
+    }
+    else {
+        byte *p = NULL;
+
+        /* Check if we have a buffer to encode into. */
+        if (*pp == NULL) {
+            /* Allocate a new buffer to return. */
+            p = (byte*)XMALLOC(a->objSz, NULL, DYNAMIC_TYPE_OPENSSL);
+            if (p == NULL) {
+                WOLFSSL_MSG("Bad malloc");
+            }
+            else {
+                /* Return allocated buffer. */
+                *pp = p;
+            }
+        }
+
+        /* Check we have a buffer to encode into. */
+        if (*pp != NULL) {
+            /* Copy in DER encoding. */
+            XMEMCPY(*pp, a->obj, a->objSz);
+            /* Move on pointer if user supplied. */
+            if (p == NULL) {
+                *pp += a->objSz;
+            }
+            /* Return length of DER encoding. */
+            len = a->objSz;
+        }
+    }
+
+    return len;
+}
+
+/* Create an ASN.1 OBJECT_ID object from the content octets.
+ *
+ * @param [out]     a    Pointer to return ASN.1 OBJECT_ID object.
+ * @param [in, out] pp   Pointer to buffer holding content octets.
+ * @param [in]      len  Length of content octets in bytes.
+ * @return  New ASN.1 OBJECT_ID object on success.
+ * @return  NULL when pp or *pp is NULL or length is less than or equal zero.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_OBJECT *wolfSSL_c2i_ASN1_OBJECT(WOLFSSL_ASN1_OBJECT **a,
+        const unsigned char **pp, long len)
+{
+    int err = 0;
+    WOLFSSL_ASN1_OBJECT* ret = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_c2i_ASN1_OBJECT");
+
+    /* Validate parameters. */
+    if ((pp == NULL) || (*pp == NULL) || (len <= 0)) {
+        WOLFSSL_MSG("Bad parameter");
+        err = 1;
+    }
+
+    /* Create a new ASN.1 OBJECT_ID object. */
+    if ((!err) && ((ret = wolfSSL_ASN1_OBJECT_new()) == NULL)) {
+        WOLFSSL_MSG("wolfSSL_ASN1_OBJECT_new error");
+        err = 1;
+    }
+
+    if (!err) {
+        /* Allocate memory for content octets. */
+        ret->obj = (const unsigned char*)XMALLOC(len, NULL, DYNAMIC_TYPE_ASN1);
+        if (ret->obj == NULL) {
+            WOLFSSL_MSG("error allocating asn data memory");
+            wolfSSL_ASN1_OBJECT_free(ret);
+            ret = NULL;
+            err = 1;
+        }
+    }
+
+    if (!err) {
+        /* Content octets buffer was dynamically allocated. */
+        ret->dynamic |= WOLFSSL_ASN1_DYNAMIC_DATA;
+        /* Copy in content octets and set size. */
+        XMEMCPY((byte*)ret->obj, *pp, len);
+        ret->objSz = (unsigned int)len;
+
+        /* Move pointer to after data copied out. */
+        *pp += len;
+        /* Return ASN.1 OBJECT_ID object through a if required. */
+        if (a != NULL) {
+            *a = ret;
+        }
+    }
+
+    return ret;
+}
+
+/* Write at most buf_len bytes of textual representation of ASN.1 OBJECT_ID.
+ *
+ * @param [in, out] buf      Buffer to write to.
+ * @param [in]      buf_len  Length of buffer in bytes.
+ * @param [in]      a        ASN.1 OBJECT_ID object.
+ * @return  Number of bytes written on success.
+ * @return  0 on failure.
+ */
+int wolfSSL_i2t_ASN1_OBJECT(char *buf, int buf_len, WOLFSSL_ASN1_OBJECT *a)
+{
+    WOLFSSL_ENTER("wolfSSL_i2t_ASN1_OBJECT");
+
+    return wolfSSL_OBJ_obj2txt(buf, buf_len, a, 0);
+}
+
+#ifndef NO_BIO
+/* Write out the text encoding of the ASN.1 OBJECT_ID.
+ *
+ * @param [in] bp  BIO to write to.
+ * @param [in] a   ASN.1 OBJECT_ID object.
+ * @return  Number of bytes written on success.
+ * @return  0 on failure.
+ */
+int wolfSSL_i2a_ASN1_OBJECT(WOLFSSL_BIO *bp, WOLFSSL_ASN1_OBJECT *a)
+{
+    int done = 0;
+    int length = 0;
+    int cLen = 0;
+    word32 idx = 0;
+    const char null_str[] = "NULL";
+    const char invalid_str[] = "<INVALID>";
+    char buf[80];
+
+    WOLFSSL_ENTER("wolfSSL_i2a_ASN1_OBJECT");
+
+    /* Validate parameters. */
+    if (bp == NULL) {
+        done = 1;
+    }
+
+    /* NULL object is written as "NULL". */
+    if ((!done) && (a == NULL)) {
+        /* Write "NULL" - as done in OpenSSL. */
+        length = wolfSSL_BIO_write(bp, null_str, (int)XSTRLEN(null_str));
+        done = 1;
+    }
+
+    /* Try getting text version and write it out. */
+    if ((!done) && ((length = i2t_ASN1_OBJECT(buf, sizeof(buf), a)) > 0)) {
+        length = wolfSSL_BIO_write(bp, buf, length);
+        done = 1;
+    }
+
+    /* Look for DER header. */
+    if ((!done) && ((a->obj == NULL) || (a->obj[idx++] != ASN_OBJECT_ID))) {
+        WOLFSSL_MSG("Bad ASN1 Object");
+        done = 1;
+    }
+
+    /* Get length from DER header. */
+    if ((!done) && (GetLength((const byte*)a->obj, &idx, &cLen, a->objSz) < 0))
+    {
+        length = 0;
+        done = 1;
+    }
+
+    if (!done) {
+        /* Write out "<INVALID>" and dump content. */
+        length = wolfSSL_BIO_write(bp, invalid_str, (int)XSTRLEN(invalid_str));
+        length += wolfSSL_BIO_dump(bp, (const char*)(a->obj + idx), cLen);
+    }
+
+    return length;
+}
+#endif /* !NO_BIO */
+
+#endif /* OPENSSL_EXTRA */
+
+/*******************************************************************************
+ * ASN1_SK_OBJECT APIs
+ ******************************************************************************/
+
+#if defined(OPENSSL_EXTRA) && !defined(NO_ASN)
+/* Create a new WOLFSSL_ASN1_OBJECT stack.
+ *
+ * @return  New WOLFSSL_ASN1_OBJECT stack on success.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_STACK* wolfSSL_sk_new_asn1_obj(void)
+{
+    WOLFSSL_ENTER("wolfSSL_sk_new_asn1_obj");
+
+    return wolfssl_sk_new_type(STACK_TYPE_OBJ);
+}
+
+/* Dispose of WOLFSL_ASN1_OBJECT stack.
+ *
+ * @param [in, out] sk  Stack to free nodes in.
+ */
+void wolfSSL_sk_ASN1_OBJECT_free(WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)* sk)
+{
+    /* Dispose of stack. */
+    wolfSSL_sk_free(sk);
+}
+
+/* Dispose of all ASN.1 OBJECT_ID objects in ASN1_OBJECT stack.
+ *
+ * This is different then wolfSSL_ASN1_OBJECT_free in that it allows for
+ * choosing the function to use when freeing an ASN1_OBJECT stack.
+ *
+ * @param [in, out] sk  ASN.1 OBJECT_ID stack to free.
+ * @param [in]      f   Free function to apply to each ASN.1 OBJECT_ID object.
+ */
+void wolfSSL_sk_ASN1_OBJECT_pop_free(WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)* sk,
+    void (*f) (WOLFSSL_ASN1_OBJECT*))
+{
+    WOLFSSL_ENTER("wolfSSL_sk_ASN1_OBJECT_pop_free");
+    wolfSSL_sk_pop_free(sk, (wolfSSL_sk_freefunc)f);
+}
+
+/* Push a WOLFSSL_ASN1_OBJECT onto stack.
+ *
+ * @param [in, out] sk   ASN.1 OBJECT_ID stack.
+ * @param [in]      obj  ASN.1 OBJECT_ID object to push on. Cannot be NULL.
+ * @return  1 on success.
+ * @return  0 when sk or obj is NULL.
+ * @return  0 when dynamic memory allocation fails.
+ */
+int wolfSSL_sk_ASN1_OBJECT_push(WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)* sk,
+    WOLFSSL_ASN1_OBJECT* obj)
+{
+    int ret = 0;
+
+    WOLFSSL_ENTER("wolfSSL_sk_ASN1_OBJECT_push");
+
+    /* Push on when we have a stack and object to work with. */
+    if ((sk != NULL) && (obj != NULL)) {
+        ret = wolfSSL_sk_push(sk, obj);
+    }
+
+    return ret;
+}
+
+/* Pop off a WOLFSSL_ASN1_OBJECT from the stack.
+ *
+ * @param [in, out] sk  ASN.1 OBJECT_ID stack.
+ * @return  ASN.1 OBJECT_ID object on success.
+ * @return  NULL when stack is NULL or no nodes left in stack.
+ */
+WOLFSSL_ASN1_OBJECT* wolfSSL_sk_ASN1_OBJECT_pop(
+    WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)* sk)
+{
+    return (WOLFSSL_ASN1_OBJECT*)wolfssl_sk_pop_type(sk, STACK_TYPE_OBJ);
+}
+
+#endif /* OPENSSL_EXTRA && !NO_ASN */
+
+/*******************************************************************************
+ * ASN1_STRING APIs
+ ******************************************************************************/
+
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+
+/* Create a new ASN.1 STRING object.
+ *
+ * @return  New ASN.1 STRING object on success.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_new(void)
+{
+    WOLFSSL_ASN1_STRING* asn1;
+
+#ifdef WOLFSSL_DEBUG_OPENSSL
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_new");
+#endif
+
+    asn1 = (WOLFSSL_ASN1_STRING*)XMALLOC(sizeof(WOLFSSL_ASN1_STRING), NULL,
+        DYNAMIC_TYPE_OPENSSL);
+    if (asn1 != NULL) {
+        XMEMSET(asn1, 0, sizeof(WOLFSSL_ASN1_STRING));
+    }
+
+    return asn1;
+}
+
+/* Create a new ASN.1 STRING object.
+ *
+ * @param [in] type  Encoding type.
+ * @return  New ASN.1 STRING object on success.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_type_new(int type)
+{
+    WOLFSSL_ASN1_STRING* asn1;
+
+#ifdef WOLFSSL_DEBUG_OPENSSL
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_type_new");
+#endif
+
+    asn1 = wolfSSL_ASN1_STRING_new();
+    if (asn1 != NULL) {
+        asn1->type = type;
+    }
+
+    return asn1;
+}
+
+/* Dispose of ASN.1 STRING object.
+ *
+ * @param [in, out] asn1  ASN.1 STRING object.
+ */
+void wolfSSL_ASN1_STRING_free(WOLFSSL_ASN1_STRING* asn1)
+{
+#ifdef WOLFSSL_DEBUG_OPENSSL
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_free");
+#endif
+
+    /* Check we have an object to free. */
+    if (asn1 != NULL) {
+        /* Dispose of dynamic data. */
+        if ((asn1->length > 0) && asn1->isDynamic) {
+            XFREE(asn1->data, NULL, DYNAMIC_TYPE_OPENSSL);
+        }
+    }
+    /* Dispose of ASN.1 STRING object. */
+    XFREE(asn1, NULL, DYNAMIC_TYPE_OPENSSL);
+}
+
+/* Copy an ASN.1 STRING object from src into dest.
+ *
+ * @param [in, out] dest  ASN.1 STRING object to copy into.
+ * @param [in]      src   ASN.1 STRING object to copy from.
+ */
+int wolfSSL_ASN1_STRING_copy(WOLFSSL_ASN1_STRING* dest,
+    const WOLFSSL_ASN1_STRING* src)
+{
+    int ret = 1;
+
+    /* Validate parameters. */
+    if ((src == NULL) || (dest == NULL)) {
+        ret = 0;
+    }
+    /* Set the DER encoding. */
+    if ((ret == 1) && (wolfSSL_ASN1_STRING_set(dest, src->data, src->length) !=
+            1)) {
+        ret = 0;
+    }
+    if (ret == 1) {
+        /* Copy simple fields. */
+        dest->type  = src->type;
+        dest->flags = src->flags;
+    }
+
+    return ret;
+}
+
+/* Duplicate an ASN.1 STRING object.
+ *
+ * @param [in] asn1  ASN.1 STRING object to duplicate.
+ * @return  New ASN.1 STRING object on success.
+ * @return  NULL when asn1 is NULL or dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_dup(WOLFSSL_ASN1_STRING* asn1)
+{
+    WOLFSSL_ASN1_STRING* dupl = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_dup");
+
+    /* Check we have an object to duplicate. */
+    if (asn1 == NULL) {
+        WOLFSSL_MSG("Bad parameter");
+    }
+    else {
+        /* Create a new ASN.1 STRING object. */
+        dupl = wolfSSL_ASN1_STRING_new();
+        if (dupl == NULL) {
+            WOLFSSL_MSG("wolfSSL_ASN1_STRING_new error");
+        }
+    }
+
+    if (dupl != NULL) {
+        /* Copy the contents. */
+        if (wolfSSL_ASN1_STRING_copy(dupl, asn1) != 1) {
+            WOLFSSL_MSG("wolfSSL_ASN1_STRING_copy error");
+            /* Dispose of duplicate and return NULL. */
+            wolfSSL_ASN1_STRING_free(dupl);
+            dupl = NULL;
+        }
+    }
+
+    return dupl;
+}
+
+/* Compare two ASN.1 STRING objects.
+ *
+ * Compares type when data the same.
+ *
+ * @param [in] a  First ASN.1 STRING object.
+ * @param [in] b  Second ASN.1 STRING object.
+ * @return Negative value when a is less than b.
+ * @return 0 when a equals b.
+ * @return Positive value when a is greater than b.
+ * @return -1 when a or b is NULL.
+ */
+int wolfSSL_ASN1_STRING_cmp(const WOLFSSL_ASN1_STRING *a,
+    const WOLFSSL_ASN1_STRING *b)
+{
+    int ret;
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_cmp");
+
+    /* Validate parameters. */
+    if ((a == NULL) || (b == NULL)) {
+        ret = -1;
+    }
+    /* Compare length of data. */
+    else if (a->length != b->length) {
+        ret = a->length - b->length;
+    }
+    /* Compare data. */
+    else if ((ret = XMEMCMP(a->data, b->data, a->length)) == 0) {
+        /* Compare ASN.1 types - wolfSSL_ASN1_STRING_type_new(). */
+        ret = a->type - b->type;
+    }
+
+    return ret;
+}
+
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+
+#if defined(OPENSSL_EXTRA)
+#if !defined(NO_CERTS)
+#ifndef NO_WOLFSSL_STUB
+WOLFSSL_ASN1_STRING* wolfSSL_d2i_DISPLAYTEXT(WOLFSSL_ASN1_STRING **asn,
+    const unsigned char **in, long len)
+{
+    WOLFSSL_STUB("d2i_DISPLAYTEXT");
+    (void)asn;
+    (void)in;
+    (void)len;
+    return NULL;
+}
+#endif
+#endif /* !NO_CERTS */
+#endif /* OPENSSL_EXTRA */
+
+#ifndef NO_ASN
+#if defined(OPENSSL_EXTRA)
+/* Convert ASN.1 STRING that is UniversalString type to PrintableString type.
+ *
+ * @param [in, out] s  ASN.1 STRING object to convert.
+ * @return  1 on success.
+ * @return  0 when s is NULL.
+ * @return  0 when type is not UniversalString or string is not of that format.
+ */
+int wolfSSL_ASN1_UNIVERSALSTRING_to_string(WOLFSSL_ASN1_STRING *s)
+{
+    int ret = 1;
+    char* p;
+    char* copy;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_UNIVERSALSTRING_to_string");
+
+    /* Validate parameter. */
+    if (s == NULL) {
+        WOLFSSL_MSG("Bad parameter");
+        ret = 0;
+    }
+
+    /* Check type of ASN.1 STRING. */
+    if ((ret == 1) && (s->type != V_ASN1_UNIVERSALSTRING)) {
+        WOLFSSL_MSG("Input is not a universal string");
+        ret = 0;
+    }
+
+    /* Check length is indicative of UNIVERSAL_STRING. */
+    if ((ret == 1) && ((s->length % 4) != 0)) {
+        WOLFSSL_MSG("Input string must be divisible by 4");
+        ret = 0;
+    }
+
+    if (ret == 1) {
+        /* Ensure each UniversalString character looks right. */
+        for (p = s->data; p < s->data + s->length; p += 4)
+            if ((p[0] != '\0') || (p[1] != '\0') || (p[2] != '\0'))
+                break;
+        /* Check whether we failed loop early. */
+        if (p != s->data + s->length) {
+            WOLFSSL_MSG("Wrong string format");
+            ret = 0;
+        }
+    }
+
+    if (ret == 1) {
+        /* Strip first three bytes of each four byte character. */
+        for (copy = p = s->data; p < s->data + s->length; p += 4) {
+            *copy++ = p[3];
+        }
+        /* Place NUL on end. */
+        *copy = '\0';
+        /* Update length and type. */
+        s->length /= 4;
+        s->type = V_ASN1_PRINTABLESTRING;
+    }
+
+    return ret;
+}
+#endif /* OPENSSL_EXTRA */
+
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+/* Convert ASN.1 STRING to UTF8 encoding.
+ *
+ * Assumes stored encoding is UTF8.
+ * Returned buffer should be freed using OPENSSL_free().
+ *
+ * @param [out] out   Pointer to return allocated string.
+ * @param [in]  asn1  ASN.1 STRING object.
+ * @return  Length of string, excluding NUL, on success.
+ * @return  -1 when out or asn1 is NULL.
+ * @return  -1 when no data to return.
+ * @return  -1 dynamic memory allocation fails.
+ */
+int wolfSSL_ASN1_STRING_to_UTF8(unsigned char **out, WOLFSSL_ASN1_STRING *asn1)
+{
+    unsigned char* buf = NULL;
+    unsigned char* data = NULL;
+    int len = -1;
+
+    /* Validate parameters. */
+    if ((out != NULL) && (asn1 != NULL)) {
+        /* Get data and length. */
+        data = wolfSSL_ASN1_STRING_data(asn1);
+        len = wolfSSL_ASN1_STRING_length(asn1);
+        /* Check data and length are usable. */
+        if ((data == NULL) || (len < 0)) {
+            len = -1;
+        }
+    }
+    if (len != -1) {
+        /* Allocate buffer to hold string and NUL. */
+        buf = (unsigned char*)XMALLOC(len + 1, NULL, DYNAMIC_TYPE_OPENSSL);
+        if (buf == NULL) {
+            len = -1;
+        }
+    }
+    if (len != -1) {
+        /* Copy in string - NUL always put on end of stored string. */
+        XMEMCPY(buf, data, len + 1);
+        /* Return buffer. */
+        *out = buf;
+    }
+
+    return len;
+}
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+
+#if defined(OPENSSL_EXTRA)
+
+/* Encode ASN.1 STRING data as hex digits separated by colon.
+ *
+ * Assumes length is greater than 0.
+ *
+ * @param [in] s  ASN.1 STRING object.
+ * @return  Buffer cotaining string representation on success.
+ * @return  NULL when dynamic memory allocation fails.
+ * @return  NULL when encoding a character as hex fails.
+ */
+static char* wolfssl_asn1_string_to_hex_chars(const WOLFSSL_ASN1_STRING *s)
+{
+    char* tmp;
+    int tmpSz = s->length * 3;
+
+    tmp = (char*)XMALLOC(tmpSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL) {
+        WOLFSSL_MSG("Memory Error");
+    }
+    else {
+        int i;
+        unsigned char* str = (unsigned char*)s->data;
+
+        /* Put out all but last character as a hex digit with ':'. */
+        for (i = 0; i < s->length; i++) {
+            /* Put in hex digit string at end of tmp. */
+            ByteToHexStr(str[i], tmp + i * 3);
+            /* Check not last character. */
+            if (i < s->length - 1) {
+                /* Put in separator: ':'. */
+                tmp[i * 3 + 2] = ':';
+            }
+            /* Last character. */
+            else {
+                /* Put in NUL to terminate string. */
+                tmp[i * 3 + 2] = '\0';
+            }
+        }
+    }
+
+    return tmp;
+}
+
+/* Create a string encoding of ASN.1 STRING object.
+ *
+ * @param [in] method  Method table. Unused.
+ * @param [in] s       ASN.1 STRING object.
+ * @return  Buffer containing string representation on success.
+ * @return  NULL when s or data is NULL.
+ * @return  NULL when dynamic memory allocation fails.
+ * @return  NULL when encoding a character as hex fails.
+ */
+char* wolfSSL_i2s_ASN1_STRING(WOLFSSL_v3_ext_method *method,
+    const WOLFSSL_ASN1_STRING *s)
+{
+    char* ret = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_i2s_ASN1_STRING");
+    (void)method;
+
+    /* Validate parameters. */
+    if ((s == NULL) || (s->data == NULL)) {
+        WOLFSSL_MSG("Bad Function Argument");
+    }
+    /* Handle 0 length data separately. */
+    else if (s->length == 0) {
+        ret = XMALLOC(1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (ret != NULL) {
+            ret[0] = '\0';
+        }
+    }
+    else {
+        /* Convert unreadable strings to hexdecimal. */
+        ret = wolfssl_asn1_string_to_hex_chars(s);
+    }
+
+    return ret;
+}
+#endif /* OPENSSL_EXTRA */
+#endif /* NO_ASN */
+
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+/* Get the type of encoding.
+ *
+ * @param [in] asn1  ASN.1 STRING object.
+ * @return  Encoding type on success.
+ * @return  0 when asn1 is NULL or no encoding set.
+ */
+int wolfSSL_ASN1_STRING_type(const WOLFSSL_ASN1_STRING* asn1)
+{
+    int type = 0;
+
+#ifdef WOLFSSL_DEBUG_OPENSSL
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_type");
+#endif
+
+    if (asn1 != NULL) {
+        type = asn1->type;
+    }
+
+    return type;
+}
+
+#ifndef NO_CERTS
+/* Get the pointer that is the data.
+ *
+ * @param [in] asn  ASN.1 STRING object.
+ * @return  Buffer with string on success.
+ * @return  NULL when asn is NULL or no data set.
+ */
+const unsigned char* wolfSSL_ASN1_STRING_get0_data(
+    const WOLFSSL_ASN1_STRING* asn)
+{
+    char* data = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_get0_data");
+
+    if (asn != NULL) {
+        data = asn->data;
+    }
+
+    return (const unsigned char*)data;
+}
+
+/* Get the pointer that is the data.
+ *
+ * @param [in] asn  ASN.1 STRING object.
+ * @return  Buffer with string on success.
+ * @return  NULL when asn is NULL or no data set.
+ */
+unsigned char* wolfSSL_ASN1_STRING_data(WOLFSSL_ASN1_STRING* asn)
+{
+    char* data = NULL;
+
+#ifdef WOLFSSL_DEBUG_OPENSSL
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_data");
+#endif
+
+    if (asn != NULL) {
+        data = asn->data;
+    }
+
+    return (unsigned char*)data;
+}
+
+/* Get the length of the data.
+ *
+ * @param [in] asn  ASN.1 STRING object.
+ * @return  String length on success.
+ * @return  0 when asn is NULL or no data set.
+ */
+int wolfSSL_ASN1_STRING_length(WOLFSSL_ASN1_STRING* asn)
+{
+    int len = 0;
+
+#ifdef WOLFSSL_DEBUG_OPENSSL
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_length");
+#endif
+
+    if (asn) {
+        len = asn->length;
+    }
+
+    return len;
+}
+#endif /* !NO_CERTS */
+
+/* Set the string data.
+ *
+ * When sz is less than 0, the string length will be calculated using XSTRLEN.
+ *
+ * @param [in, out] asn1    ASN.1 STRING object.
+ * @param [in]      data    String data to set.
+ * @param [in]      sz      Length of data to set in bytes.
+ * @return  1 on success.
+ * @return  0 when asn1 is NULL or data is NULL and sz is not zero.
+ * @return  0 when dynamic memory allocation fails.
+ */
+int wolfSSL_ASN1_STRING_set(WOLFSSL_ASN1_STRING* asn1, const void* data, int sz)
+{
+    int ret = 1;
+
+#ifdef WOLFSSL_DEBUG_OPENSSL
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_set");
+#endif
+
+    /* Validate parameters. */
+    if ((asn1 == NULL) || ((data == NULL) && (sz != 0))) {
+        ret = 0;
+    }
+
+    /* Calculate size from data if not passed in. */
+    if ((ret == 1) && (sz < 0)) {
+        sz = (int)XSTRLEN((const char*)data);
+        if (sz < 0) {
+            ret = 0;
+        }
+    }
+
+    if (ret == 1) {
+        /* Dispose of any existing dynamic data. */
+        if (asn1->isDynamic) {
+            XFREE(asn1->data, NULL, DYNAMIC_TYPE_OPENSSL);
+            asn1->data = NULL;
+        }
+
+        /* Check string will fit - including NUL. */
+        if (sz + 1 > CTC_NAME_SIZE) {
+            /* Allocate new buffer. */
+            asn1->data = (char*)XMALLOC(sz + 1, NULL, DYNAMIC_TYPE_OPENSSL);
+            if (asn1->data == NULL) {
+                ret = 0;
+            }
+            else {
+                /* Ensure buffer will be freed. */
+                asn1->isDynamic = 1;
+            }
+        }
+        else {
+            /* Clear out fixed array and use it for data. */
+            XMEMSET(asn1->strData, 0, CTC_NAME_SIZE);
+            asn1->data = asn1->strData;
+            asn1->isDynamic = 0;
+        }
+    }
+    if (ret == 1) {
+        /* Check if there is a string to copy. */
+        if (data != NULL) {
+            /* Copy string and append NUL. */
+            XMEMCPY(asn1->data, data, sz);
+            asn1->data[sz] = '\0';
+        }
+        /* Set size of string. */
+        asn1->length = sz;
+    }
+
+    return ret;
+}
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+
+#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
+    !defined(WOLFCRYPT_ONLY)
+#ifndef NO_CERTS
+
+/* Make a UTF8 canonical version of ASN.1 STRING object's data.
+ *
+ * @param [in, out] asn  ASN.1 STRING to set.
+ */
+static void wolfssl_asn1_string_canonicalize(WOLFSSL_ASN1_STRING* asn)
+{
+    char* src = asn->data;
+    char* p = asn->data + asn->length - 1;
+    int len = asn->length;
+    int i;
+
+    /* Trim whitespace from the tail. */
+    for (; (len > 0) && (XISSPACE((unsigned char)*p)); len--) {
+        p--;
+    }
+    if (len > 0) {
+        /* Trim whitespace from the head. */
+        for (; XISSPACE((unsigned char)*src); len--) {
+            src++;
+        }
+    }
+
+    /* Output at the start. */
+    p = asn->data;
+    /* Process each character in string after trim. */
+    for (i = 0; i < len; p++, i++) {
+        /* Check for non-ascii character. */
+        if (!XISASCII(*src)) {
+            /* Keep non-ascii character as-is. */
+            *p = *src++;
+        }
+        /* Check for whitespace. */
+        else if (XISSPACE((unsigned char)*src)) {
+            /* Only use space character for whitespace. */
+            *p = 0x20;
+            /* Skip any succeeding whitespace characters. */
+            while (XISSPACE((unsigned char)*++src)) {
+                i++;
+            }
+        }
+        else {
+            /* Convert to lower case. */
+            *p = (char)XTOLOWER((unsigned char)*src++);
+        }
+    }
+    /* Set actual length after canonicalization. */
+    asn->length = (int)(p - asn->data);
+}
+
+/* Make a canonical version of ASN.1 STRING object in ASN.1 STRING object.
+ *
+ * @param [in, out] asn_out  ASN.1 STRING object to set.
+ * @param [in]      asn_in   ASN.1 STRING object to get data from.
+ * @return  1 on success.
+ * @return  BAD_FUNC_ARG when asn_out or asn_in is NULL.
+ * @return  0 when no data.
+ * @return  0 when dynamic memory allocation fails.
+ */
+int wolfSSL_ASN1_STRING_canon(WOLFSSL_ASN1_STRING* asn_out,
+    const WOLFSSL_ASN1_STRING* asn_in)
+{
+    int ret = 1;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_canon");
+
+    /* Validate parameters. */
+    if ((asn_out == NULL) || (asn_in == NULL)) {
+        WOLFSSL_MSG("invalid function arguments");
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 1) {
+        switch (asn_in->type) {
+            case MBSTRING_UTF8:
+            case V_ASN1_PRINTABLESTRING:
+                /* Set type to UTF8. */
+                asn_out->type = MBSTRING_UTF8;
+                /* Dispose of any dynamic data already in asn_out. */
+                if (asn_out->isDynamic) {
+                    XFREE(asn_out->data, NULL, DYNAMIC_TYPE_OPENSSL);
+                    asn_out->data = NULL;
+                }
+                /* Make ASN.1 STRING into UTF8 buffer. */
+                asn_out->length = wolfSSL_ASN1_STRING_to_UTF8(
+                    (unsigned char**)&asn_out->data,
+                    (WOLFSSL_ASN1_STRING*)asn_in);
+                /* Check for error from creating UTF8 string. */
+                if (asn_out->length < 0) {
+                    ret = 0;
+                }
+                else {
+                    /* Data now dynamic after converting to UTF8. */
+                    asn_out->isDynamic = 1;
+                    /* Canonicalize the data. */
+                    wolfssl_asn1_string_canonicalize(asn_out);
+                    if (asn_out->length == 0) {
+                        /* Dispose of data if canonicalization removes all
+                         * characters. */
+                        XFREE(asn_out->data, NULL, DYNAMIC_TYPE_OPENSSL);
+                        asn_out->data = NULL;
+                        asn_out->isDynamic = 0;
+                    }
+                }
+                break;
+            default:
+                /* Unrecognized format - just copy. */
+                WOLFSSL_MSG("just copy string");
+                ret = wolfSSL_ASN1_STRING_copy(asn_out, asn_in);
+        }
+    }
+
+    return ret;
+}
+
+#endif /* !NO_CERTS */
+#endif /* (OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL) && !WOLFCRYPT_ONLY */
+
+#if defined(OPENSSL_EXTRA)
+
+#if !defined(NO_ASN)
+#ifndef NO_BIO
+/* Returns boolean indicating character is unprintable.
+ *
+ * @param [in] c  ASCII character.
+ * @return  1 when character is unprintable.
+ * @return  0 when character is printable.
+ */
+static int wolfssl_unprintable_char(char c)
+{
+    const unsigned char last_unprintable = 31;
+    const unsigned char LF = 10;               /* Line Feed */
+    const unsigned char CR = 13;               /* Carriage Return */
+
+    return (c <= last_unprintable) && (c != LF) && (c != CR);
+}
+
+/* Print ASN.1 STRING to BIO.
+ *
+ * TODO: Unprintable characters conversion is destructive.
+ *
+ * @param [in] bio  BIO to print to.
+ * @param [in] str  ASN.1 STRING to print.
+ * @return  Length of string written on success.
+ * @return  0 when bio or str is NULL.
+ * @return  0 when writing to BIO fails.
+ */
+int wolfSSL_ASN1_STRING_print(WOLFSSL_BIO *bio, WOLFSSL_ASN1_STRING *str)
+{
+    int len = 0;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_print");
+
+    /* Validate parameters. */
+    if ((bio != NULL) && (str != NULL)) {
+        int i;
+
+        len = str->length;
+        /* Convert all unprintable characters to '.'. */
+        for (i = 0; i < len; i++) {
+            if (wolfssl_unprintable_char(str->data[i])) {
+                str->data[i] = '.';
+            }
+        }
+        /* Write string to BIO. */
+        if (wolfSSL_BIO_write(bio, str->data, len) != len) {
+            len = 0;
+        }
+    }
+
+    return len;
+}
+#endif /* !NO_BIO */
+#endif /* !NO_ASN */
+
+/* Get a string for the ASN.1 tag.
+ *
+ * @param [in] tag  ASN.1 tag.
+ * @return  A string.
+ */
+const char* wolfSSL_ASN1_tag2str(int tag)
+{
+    static const char *const tag_label[31] = {
+        "EOC", "BOOLEAN", "INTEGER", "BIT STRING", "OCTET STRING", "NULL",
+        "OBJECT", "OBJECT DESCRIPTOR", "EXTERNAL", "REAL", "ENUMERATED",
+        "<ASN1 11>", "UTF8STRING", "<ASN1 13>", "<ASN1 14>", "<ASN1 15>",
+        "SEQUENCE", "SET", "NUMERICSTRING", "PRINTABLESTRING", "T61STRING",
+        "VIDEOTEXTSTRING", "IA5STRING", "UTCTIME", "GENERALIZEDTIME",
+        "GRAPHICSTRING", "VISIBLESTRING", "GENERALSTRING", "UNIVERSALSTRING",
+        "<ASN1 29>", "BMPSTRING"
+    };
+    const char* str = "(unknown)";
+
+    /* Clear negative flag. */
+    if ((tag == V_ASN1_NEG_INTEGER) || (tag == V_ASN1_NEG_ENUMERATED)) {
+        tag &= ~V_ASN1_NEG;
+    }
+    /* Check for known basic types. */
+    if ((tag >= 0) && (tag <= 30)) {
+        str = tag_label[tag];
+    }
+
+    return str;
+}
+
+#ifndef NO_BIO
+
+/* Print out ASN.1 tag for the ASN.1 STRING to the BIO.
+ *
+ * @param [in] bio  BIO to write to.
+ * @param [in] str  ASN.1 STRING object.
+ * @return  Number of characters written on success.
+ * @return  0 when BIO write fails.
+ */
+static int wolfssl_string_print_type(WOLFSSL_BIO *bio, WOLFSSL_ASN1_STRING *str)
+{
+    int type_len;
+    const char *tag;
+
+    /* Get tag and string length. */
+    tag = wolfSSL_ASN1_tag2str(str->type);
+    type_len = (int)XSTRLEN(tag);
+    /* Write tag to BIO. */
+    if (wolfSSL_BIO_write(bio, tag, type_len) != type_len){
+        type_len = 0;
+    }
+    /* Write colon after tag string. */
+    else if (wolfSSL_BIO_write(bio, ":", 1) != 1) {
+        type_len = 0;
+    }
+    else {
+        /* Written colon - update count. */
+        type_len++;
+    }
+
+    return type_len;
+}
+
+/* Dump hex digit representation of each string character to BIO.
+ *
+ * TODO: Assumes length is only one byte ie less than 128 characters long.
+ *
+ * @param [in] bio    BIO to write to.
+ * @param [in] str    ASN.1 STRING object.
+ * @param [in] asDer  Whether to write out as a DER encoding.
+ * @return  Number of characters written to BIO on success.
+ * @return  -1 when writing to BIO fails.
+ */
+static int wolfssl_asn1_string_dump_hex(WOLFSSL_BIO *bio,
+    WOLFSSL_ASN1_STRING *str, int asDer)
+{
+    const char* hash="#";
+    char hex_tmp[4];
+    char* p;
+    char* end;
+    int str_len = 1;
+
+    /* Write out hash character to indicate hex string. */
+    if (wolfSSL_BIO_write(bio, hash, 1) != 1) {
+        str_len = -1;
+    }
+    else {
+        /* Check if we are to write out DER header. */
+        if (asDer) {
+            /* Encode tag and length as hex into temporary. */
+            ByteToHexStr((byte)str->type, &hex_tmp[0]);
+            ByteToHexStr((byte)str->length, &hex_tmp[2]);
+            /* Update count of written characters: tag and length. */
+            str_len += 4;
+            /* Write out tag and length as hex digits. */
+            if (wolfSSL_BIO_write(bio, hex_tmp, 4) != 4) {
+                str_len = -1;
+            }
+        }
+    }
+
+    if (str_len != -1) {
+        /* Calculate end of string. */
+        end = str->data + str->length - 1;
+        for (p = str->data; p <= end; p++) {
+            /* Encode string characther as hex into temporary. */
+            ByteToHexStr((byte)*p, hex_tmp);
+            /* Update count of written characters. */
+            str_len += 2;
+            /* Write out character as hex digites. */
+            if (wolfSSL_BIO_write(bio, hex_tmp, 2) != 2) {
+                str_len = -1;
+                break;
+            }
+        }
+    }
+
+    return str_len;
+}
+
+/* Check whether character needs to be escaped.
+ *
+ * @param [in] c    Character to check for.
+ * @param [in] str  String to check.
+ * @return  1 when character found.
+ * @return  0 when characther not found.
+ */
+static int wolfssl_check_esc_char(char c)
+{
+    int ret = 0;
+    const char esc_ch[] = "+;<>\\";
+    const char* p = esc_ch;
+
+    /* Check if character matches any of those needing escaping. */
+    for (; (*p) != '\0'; p++) {
+        /* Check if character matches escape character. */
+        if (c == (*p)) {
+            ret = 1;
+            break;
+        }
+    }
+
+    return ret;
+}
+
+/* Print out string, with escaping for special characters, to BIO.
+ *
+ * @param [in] bio  BIO to write to.
+ * @param [in] str  ASN.1 STRING object.
+ * @return  Number of characters written to BIO on success.
+ * @return  -1 when writing to BIO fails.
+ */
+static int wolfssl_asn1_string_print_esc_2253(WOLFSSL_BIO *bio,
+    WOLFSSL_ASN1_STRING *str)
+{
+    char* p;
+    int str_len = 0;
+
+    /* Write all of string character by character. */
+    for (p = str->data; (*p) != '\0'; p++) {
+        /* Check if character needs escaping. */
+        if (wolfssl_check_esc_char(*p)){
+            /* Update count of written characters. */
+            str_len++;
+            /* Write out escaping character. */
+            if (wolfSSL_BIO_write(bio,"\\", 1) != 1) {
+                str_len = -1;
+                break;
+            }
+        }
+        /* Update count of written characters. */
+        str_len++;
+        /* Write out character. */
+        if (wolfSSL_BIO_write(bio, p, 1) != 1) {
+            str_len = -1;
+            break;
+        }
+    }
+
+    return str_len;
+}
+
+/* Extended print ASN.1 STRING to BIO.
+ *
+ * @param [in] bio    BIO to print to.
+ * @param [in] str    ASN.1 STRING to print.
+ * @param [in] flags  Flags describing output format.
+ * @return  Length of string written on success.
+ * @return  0 when bio or str is NULL.
+ * @return  0 when writing to BIO fails.
+ */
+int wolfSSL_ASN1_STRING_print_ex(WOLFSSL_BIO *bio, WOLFSSL_ASN1_STRING *str,
+    unsigned long flags)
+{
+    int err = 0;
+    int str_len = -1;
+    int type_len = 0;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_STRING_PRINT_ex");
+
+    /* Validate parameters. */
+    if ((bio == NULL) || (str == NULL)) {
+        err = 1;
+    }
+    /* Check if ASN.1 type is to be printed. */
+    if ((!err) && (flags & ASN1_STRFLGS_SHOW_TYPE)) {
+        /* Print type and colon to BIO. */
+        type_len = wolfssl_string_print_type(bio, str);
+        if (type_len == 0) {
+            err = 1;
+        }
+    }
+
+    if (!err) {
+        if (flags & ASN1_STRFLGS_DUMP_ALL) {
+            /* Dump hex. */
+            str_len = wolfssl_asn1_string_dump_hex(bio, str,
+                flags & ASN1_STRFLGS_DUMP_DER);
+        }
+        else if (flags & ASN1_STRFLGS_ESC_2253) {
+            /* Print out string with escaping. */
+            str_len = wolfssl_asn1_string_print_esc_2253(bio, str);
+        }
+        else {
+            /* Get number of characters to write. */
+            str_len = str->length;
+            /* Print out string as is. */
+            if (wolfSSL_BIO_write(bio, str->data, str_len) != str_len) {
+                err = 1;
+            }
+        }
+    }
+
+    if ((!err) && (str_len != -1)) {
+        /* Include any characters written for type. */
+        str_len += type_len;
+    }
+    else {
+        str_len = 0;
+    }
+
+    return str_len;
+}
+
+#endif /* !NO_BIO */
+
+#endif /* OPENSSL_EXTRA */
+
+/*******************************************************************************
+ * ASN1_GENERALIZEDTIME APIs
+ ******************************************************************************/
+
+#ifdef OPENSSL_EXTRA
+
+/* Free the static ASN.1 GENERALIZED TIME object.
+ *
+ * Not an OpenSSL compatibility API.
+ *
+ * @param [in] asn1Time  ASN.1 GENERALIZED TIME object.
+ */
+void wolfSSL_ASN1_GENERALIZEDTIME_free(WOLFSSL_ASN1_TIME* asn1Time)
+{
+    WOLFSSL_ENTER("wolfSSL_ASN1_GENERALIZEDTIME_free");
+    if (asn1Time != NULL) {
+        XMEMSET(asn1Time->data, 0, sizeof(asn1Time->data));
+    }
+}
+
+#ifndef NO_BIO
+/* Return the month as a string.
+ *
+ * Assumes n is '01'-'12'.
+ *
+ * @param [in] n  The number of the month as a two characters (1 based).
+ * @return  Month as a string.
+ */
+static WC_INLINE const char* MonthStr(const char* n)
+{
+    static const char monthStr[12][4] = {
+            "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+            "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
+    const char* month = "BAD";
+    int i;
+
+    i = (n[0] - '0') * 10 + (n[1] - '0') - 1;
+    /* Convert string to number and index table. */
+    if ((i >= 0) && (i <= 12)) {
+        month = monthStr[i];
+    }
+
+    return month;
+}
+
+/* Print an ASN.1 GENERALIZED TIME to a BIO.
+ *
+ * @param [in] bio      BIO to write to.
+ * @param [in] asnTime  ASN.1 GENERALIZED TIME object.
+ * @return  1 on success.
+ * @return  0 when ASN.1 GENERALIZED TIME type is invalid.
+ * @return  0 when writing to BIO fails.
+ * @return  BAD_FUNC_ARG when bio or asnTime is NULL.
+ */
+int wolfSSL_ASN1_GENERALIZEDTIME_print(WOLFSSL_BIO* bio,
+    const WOLFSSL_ASN1_GENERALIZEDTIME* asnTime)
+{
+    int ret = 1;
+    const char* p = NULL;
+    WOLFSSL_ENTER("wolfSSL_ASN1_GENERALIZEDTIME_print");
+
+    /* Validate parameters. */
+    if ((bio == NULL) || (asnTime == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+    /* Check type is GENERALIZED TIME. */
+    if ((ret == 1) && (asnTime->type != V_ASN1_GENERALIZEDTIME)) {
+        WOLFSSL_MSG("Error, not GENERALIZED_TIME");
+        ret = 0;
+    }
+    if (ret == 1) {
+        /* Get the string. */
+        p = (const char *)(asnTime->data);
+
+        /* Print month as a 3 letter string. */
+        if (wolfSSL_BIO_write(bio, MonthStr(p + 4), 3) != 3) {
+            ret = 0;
+        }
+    }
+    /* Print space separator. */
+    if ((ret == 1) && (wolfSSL_BIO_write(bio, " ", 1) != 1)) {
+        ret = 0;
+    }
+
+    /* Print day. */
+    if ((ret == 1) && (wolfSSL_BIO_write(bio, p + 6, 2) != 2)) {
+        ret = 0;
+    }
+    /* Print space separator. */
+    if ((ret == 1) && (wolfSSL_BIO_write(bio, " ", 1) != 1)) {
+        ret = 0;
+    }
+
+    /* Print hour. */
+    if ((ret == 1) && (wolfSSL_BIO_write(bio, p + 8, 2) != 2)) {
+        ret = 0;
+    }
+    /* Print time separator - colon. */
+    if ((ret == 1) && (wolfSSL_BIO_write(bio, ":", 1) != 1)) {
+        ret = 0;
+    }
+
+    /* Print minutes. */
+    if ((ret == 1) && (wolfSSL_BIO_write(bio, p + 10, 2) != 2)) {
+        ret = 0;
+    }
+    /* Print time separator - colon. */
+    if ((ret == 1) && (wolfSSL_BIO_write(bio, ":", 1) != 1)) {
+        ret = 0;
+    }
+
+    /* Print seconds. */
+    if ((ret == 1) && (wolfSSL_BIO_write(bio, p + 12, 2) != 2)) {
+        ret = 0;
+    }
+    /* Print space separator. */
+    if ((ret == 1) && (wolfSSL_BIO_write(bio, " ", 1) != 1)) {
+        ret = 0;
+    }
+    /* Print year. */
+    if ((ret == 1) && (wolfSSL_BIO_write(bio, p, 4) != 4)) {
+        ret = 0;
+    }
+
+    return ret;
+}
+#endif /* !NO_BIO */
+
+#endif /* OPENSSL_EXTRA */
+
+/*******************************************************************************
+ * ASN1_TIME APIs
+ ******************************************************************************/
+
+#ifndef NO_ASN_TIME
+
+#ifdef OPENSSL_EXTRA
+/* Allocate a new ASN.1 TIME object.
+ *
+ * @return  New empty ASN.1 TIME object on success.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_new(void)
+{
+    WOLFSSL_ASN1_TIME* ret;
+
+    /* Allocate a new ASN.1 TYPE object. */
+    ret = (WOLFSSL_ASN1_TIME*)XMALLOC(sizeof(WOLFSSL_ASN1_TIME), NULL,
+        DYNAMIC_TYPE_OPENSSL);
+    if (ret != NULL) {
+        /* Clear out fields. */
+        XMEMSET(ret, 0, sizeof(WOLFSSL_ASN1_TIME));
+    }
+
+    return ret;
+}
+
+/* Dispose of ASN.1 TIME object.
+ *
+ * @param [in, out] t  ASN.1 TIME object.
+ */
+void wolfSSL_ASN1_TIME_free(WOLFSSL_ASN1_TIME* t)
+{
+    /* Dispose of ASN.1 TIME object. */
+    XFREE(t, NULL, DYNAMIC_TYPE_OPENSSL);
+}
+
+#ifndef NO_WOLFSSL_STUB
+/* Set the Unix time GMT into ASN.1 TIME object.
+ *
+ * Not implemented.
+ *
+ * @param [in, out] a   ASN.1 TIME object.
+ * @param [in]      t   Unix time GMT.
+ * @return  An ASN.1 TIME object.
+ */
+WOLFSSL_ASN1_TIME *wolfSSL_ASN1_TIME_set(WOLFSSL_ASN1_TIME *a, time_t t)
+{
+    WOLFSSL_STUB("wolfSSL_ASN1_TIME_set");
+    (void)a;
+    (void)t;
+    return a;
+}
+#endif /* !NO_WOLFSSL_STUB */
+
+/* Convert time to Unix time (GMT).
+ *
+ * @param [in] sec     Second in minute. 0-59.
+ * @param [in] minute  Minute in hour. 0-59.
+ * @param [in] hour    Hour in day. 0-23.
+ * @param [in] mday    Day of month. 1-31.
+ * @param [in] mon     Month of year. 0-11
+ * @param [in] year    Year including century. ie: 1991, 2023, 2048.
+ * @return  Seconds since 00:00:00 01/01/1970 for the time passed in.
+ */
+static long long wolfssl_time_to_unix_time(int sec, int minute, int hour,
+    int mday, int mon, int year)
+{
+    /* Number of cumulative days from the previous months, starting from
+     * beginning of January. */
+    static const int monthDaysCumulative [12] = {
+        0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
+    };
+    int leapDays = year;
+
+    /* Leap day at end of February. */
+    if (mon <= 1) {
+        --leapDays;
+    }
+    /* Calculate leap days. */
+    leapDays = leapDays / 4 - leapDays / 100 + leapDays / 400 - 1969 / 4 +
+               1969 / 100 - 1969 / 400;
+
+    /* Calculate number of seconds. */
+    return ((((long long) (year - 1970) * 365 + leapDays +
+           monthDaysCumulative[mon] + mday - 1) * 24 + hour) * 60 + minute) *
+           60 + sec;
+}
+
+/* Convert ASN.1 TIME object to Unix time (GMT).
+ *
+ * @param [in]  t     ASN.1 TIME object.
+ * @param [out] secs  Number of seconds since 00:00:00 01/01/1970.
+ * @return  1 on success.
+ * @return  0 when conversion of time fails.
+ */
+static int wolfssl_asn1_time_to_secs(const WOLFSSL_ASN1_TIME* t,
+    long long* secs)
+{
+    int ret = 1;
+    struct tm tm_s;
+    struct tm *tmGmt = &tm_s;
+
+    /* Convert ASN.1 TIME to broken-down time. NULL treated as current time. */
+    ret = wolfSSL_ASN1_TIME_to_tm(t, tmGmt);
+    if (ret != 1) {
+        WOLFSSL_MSG("Failed to convert from time to struct tm.");
+    }
+    else {
+        /* We use wolfssl_time_to_unix_time here instead of XMKTIME to avoid the
+         * Year 2038 problem on platforms where time_t is 32 bits. struct tm
+         * stores the year as years since 1900, so we add 1900 to the year. */
+        *secs = wolfssl_time_to_unix_time(tmGmt->tm_sec, tmGmt->tm_min,
+            tmGmt->tm_hour, tmGmt->tm_mday, tmGmt->tm_mon,
+            tmGmt->tm_year + 1900);
+    }
+
+    return ret;
+}
+
+/* Calculate difference in time of two ASN.1 TIME objects.
+ *
+ * @param [out] days  Number of whole days between from and to.
+ * @param [out] secs  Number of serconds less than a day between from and to.
+ * @param [in]  from  ASN.1 TIME object as start time.
+ * @param [in]  to    ASN.1 TIME object as end time.
+ * @return  1 on success.
+ * @return  0 when days or secs is NULL.
+ * @return  0 when conversion of time fails.
+ */
+int wolfSSL_ASN1_TIME_diff(int *days, int *secs, const WOLFSSL_ASN1_TIME *from,
+    const WOLFSSL_ASN1_TIME *to)
+{
+    int ret = 1;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_TIME_diff");
+
+    /* Validate parameters. */
+    if (days == NULL) {
+        WOLFSSL_MSG("days is NULL");
+        ret = 0;
+    }
+    if ((ret == 1) && (secs == NULL)) {
+        WOLFSSL_MSG("secs is NULL");
+        ret = 0;
+    }
+
+    if ((ret == 1) && ((from == NULL) && (to == NULL))) {
+        *days = 0;
+        *secs = 0;
+    }
+    else if (ret == 1) {
+        const int SECS_PER_DAY = 24 * 60 * 60;
+        long long fromSecs;
+        long long toSecs = 0;
+
+        ret = wolfssl_asn1_time_to_secs(from, &fromSecs);
+        if (ret == 1) {
+            ret = wolfssl_asn1_time_to_secs(to, &toSecs);
+        }
+        if (ret == 1) {
+            double diffSecs = (double)(toSecs - fromSecs);
+            *days = (int) (diffSecs / SECS_PER_DAY);
+            *secs = (int) (diffSecs - (((double)*days) * SECS_PER_DAY));
+        }
+    }
+
+    return ret;
+}
+
+/* Compare two ASN.1 TIME objects by comparing time value.
+ *
+ * @param [in] a  First ASN.1 TIME object.
+ * @param [in] b  Second ASN.1 TIME object.
+ * @return Negative value when a is less than b.
+ * @return 0 when a equals b.
+ * @return Positive value when a is greater than b.
+ * @return -2 when a or b is invalid.
+ */
+int wolfSSL_ASN1_TIME_compare(const WOLFSSL_ASN1_TIME *a,
+    const WOLFSSL_ASN1_TIME *b)
+{
+    int ret;
+    int days;
+    int secs;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_TIME_compare");
+
+    /* Calculate difference in time between a and b. */
+    if (wolfSSL_ASN1_TIME_diff(&days, &secs, a, b) != 1) {
+        WOLFSSL_MSG("Failed to get time difference.");
+        ret = -2;
+    }
+    else if (days == 0 && secs == 0) {
+        /* a and b are the same time. */
+        ret = 0;
+    }
+    else if (days >= 0 && secs >= 0) {
+        /* a is before b. */
+        ret = -1;
+    }
+    /* Assume wolfSSL_ASN1_TIME_diff creates coherent values. */
+    else {
+        ret = 1;
+    }
+
+    WOLFSSL_LEAVE("wolfSSL_ASN1_TIME_compare", ret);
+
+    return ret;
+}
+
+#if !defined(USER_TIME) && !defined(TIME_OVERRIDES)
+/* Adjust the time into an ASN.1 TIME object.
+ *
+ * @param [in] a           ASN.1 TIME object. May be NULL.
+ * @param [in] t           Time to offset.
+ * @param [in] offset_day  Number of days to offset. May be negative.
+ * @param [in] offset_sec  Number of seconds to offset. May be negative.
+ * @return  ASN.1 TIME object on success.
+ * @return  NULL when formatting time fails.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_adj(WOLFSSL_ASN1_TIME* a, time_t t,
+    int offset_day, long offset_sec)
+{
+    WOLFSSL_ASN1_TIME* ret = NULL;
+    const time_t sec_per_day = 24*60*60;
+    int time_get;
+    char time_str[MAX_TIME_STRING_SZ];
+    time_t offset_day_sec = offset_day * sec_per_day;
+    time_t t_adj          = t + offset_day_sec + offset_sec;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_TIME_adj");
+
+    /* Get time string as either UTC or GeneralizedTime. */
+    time_get = GetFormattedTime(&t_adj, (byte*)time_str, MAX_TIME_STRING_SZ);
+    if (time_get > 0) {
+        ret = a;
+        if (ret == NULL) {
+            ret = wolfSSL_ASN1_TIME_new();
+        }
+        /* Set the string into the ASN.1 TIME object. */
+        if ((wolfSSL_ASN1_TIME_set_string(ret, time_str) != 1) && (ret != a)) {
+            wolfSSL_ASN1_TIME_free(ret);
+            ret = NULL;
+        }
+    }
+
+    return ret;
+}
+#endif /* !USER_TIME && !TIME_OVERRIDES */
+
+/* Get the length of the ASN.1 TIME data.
+ *
+ * Not an OpenSSL function - ASN1_TIME is not opaque.
+ *
+ * @param [in] t  ASN.1 TIME object.
+ * @return  Length of data on success.
+ * @return  0 when t is NULL or no time set.
+ */
+int wolfSSL_ASN1_TIME_get_length(const WOLFSSL_ASN1_TIME *t)
+{
+    int len = 0;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_TIME_get_length");
+
+    if (t != NULL) {
+        len = t->length;
+    }
+
+    return len;
+}
+
+/* Get the data from the ASN.1 TIME object.
+ *
+ * Not an OpenSSL function - ASN1_TIME is not opaque.
+ *
+ * @param [in] t  ASN.1 TIME object.
+ * @return  Data buffer on success.
+ * @return  NULL when t is NULL.
+ */
+unsigned char* wolfSSL_ASN1_TIME_get_data(const WOLFSSL_ASN1_TIME *t)
+{
+    unsigned char* data = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_TIME_get_data");
+
+    if (t != NULL) {
+        data = (unsigned char*)t->data;
+    }
+
+    return data;
+}
+
+/* Check format of string in ASN.1 TIME object.
+ *
+ * @param [in] a  ASN.1 TIME object.
+ * @return  1 on success.
+ * @return  0 when format invalid.
+ */
+int wolfSSL_ASN1_TIME_check(const WOLFSSL_ASN1_TIME* a)
+{
+    int ret = 1;
+    char buf[MAX_TIME_STRING_SZ];
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_TIME_check");
+
+    /* If can convert to human readable then format good. */
+    if (wolfSSL_ASN1_TIME_to_string((WOLFSSL_ASN1_TIME*)a, buf,
+            MAX_TIME_STRING_SZ) == NULL) {
+        ret = 0;
+    }
+
+    return ret;
+}
+
+/* Set the time as a string into ASN.1 TIME object.
+ *
+ * When t is NULL, str is checked only.
+ *
+ * @param [in, out] t    ASN.1 TIME object.
+ * @param [in]      str  Time as a string.
+ * @return  1 on success.
+ * @return  0 when str is NULL.
+ * @return  0 when str is not formatted correctly.
+ */
+int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *t, const char *str)
+{
+    int ret = 1;
+    int slen = 0;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_TIME_set_string");
+
+    if (str == NULL) {
+        WOLFSSL_MSG("Bad parameter");
+        ret = 0;
+    }
+    if (ret == 1) {
+        /* Get length of string including NUL terminator. */
+        slen = (int)XSTRLEN(str) + 1;
+        if (slen > CTC_DATE_SIZE) {
+            WOLFSSL_MSG("Date string too long");
+            ret = 0;
+        }
+    }
+    if ((ret == 1) && (t != NULL)) {
+        /* Copy in string including NUL terminator. */
+        XMEMCPY(t->data, str, slen);
+        /* Do not include NUL terminator in length. */
+        t->length = slen - 1;
+        /* Set ASN.1 type based on string length. */
+        t->type = ((slen == ASN_UTC_TIME_SIZE) ? V_ASN1_UTCTIME :
+            V_ASN1_GENERALIZEDTIME);
+    }
+
+    return ret;
+}
+
+/* Convert ASN.1 TIME object to ASN.1 GENERALIZED TIME object.
+ *
+ * @param [in]      t    ASN.1 TIME object.
+ * @param [in, out] out  ASN.1 GENERALIZED TIME object.
+ * @return  ASN.1 GENERALIZED TIME object on success.
+ * @return  NULL when t is NULL or t has wrong ASN.1 type.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_to_generalizedtime(WOLFSSL_ASN1_TIME *t,
+    WOLFSSL_ASN1_TIME **out)
+{
+    WOLFSSL_ASN1_TIME *ret = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_TIME_to_generalizedtime");
+
+    /* Validate parameters. */
+    if (t == NULL) {
+        WOLFSSL_MSG("Invalid ASN_TIME value");
+    }
+    /* Ensure ASN.1 type is one that is supported. */
+    else if ((t->type != V_ASN1_UTCTIME) &&
+             (t->type != V_ASN1_GENERALIZEDTIME)) {
+        WOLFSSL_MSG("Invalid ASN_TIME type.");
+    }
+    /* Check for ASN.1 GENERALIZED TIME object being passed in. */
+    else if ((out != NULL) && (*out != NULL)) {
+        /* Copy into the passed in object. */
+        ret = *out;
+    }
+    else {
+        /* Create a new ASN.1 GENERALIZED TIME object. */
+        ret = wolfSSL_ASN1_TIME_new();
+        if (ret == NULL) {
+            WOLFSSL_MSG("memory alloc failed.");
+        }
+    }
+
+    if (ret != NULL) {
+        /* Set the ASN.1 type and length of string. */
+        ret->type = V_ASN1_GENERALIZEDTIME;
+        ret->length = ASN_GENERALIZED_TIME_SIZE;
+
+        if (t->type == V_ASN1_GENERALIZEDTIME) {
+            /* Just copy as data already appropriately formatted. */
+            XMEMCPY(ret->data, t->data, ASN_GENERALIZED_TIME_SIZE);
+        }
+        else {
+            /* Convert UTC TIME to GENERALIZED TIME. */
+            if (t->data[0] >= '5') {
+                /* >= 50 is 1900s.  */
+                ret->data[0] = '1'; ret->data[1] = '9';
+            }
+            else {
+                /* < 50 is 2000s.  */
+                ret->data[0] = '2'; ret->data[1] = '0';
+            }
+            /* Append rest of the data as it is the same. */
+            XMEMCPY(&ret->data[2], t->data, ASN_UTC_TIME_SIZE);
+        }
+
+        /* Check for pointer to return result through. */
+        if (out != NULL) {
+            *out = ret;
+        }
+    }
+
+    return ret;
+}
+
+#endif /* OPENSSL_EXTRA */
+
+#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA)
+/* Get string from ASN.1 TIME object.
+ *
+ * Not an OpenSSL compatibility API.
+ *
+ * @param [in]      t    ASN.1 TIME object.
+ * @param [in, out] buf  Buffer to put string in.
+ * @param [in]      len  Length of buffer in bytes.
+ * @return  buf on success.
+ * @return  NULL when t or buf is NULL, or len is less than 5.
+ * @return  NULL when ASN.1 TIME length is larger than len.
+ * @return  NULL when internal time format not valid.
+ */
+char* wolfSSL_ASN1_TIME_to_string(WOLFSSL_ASN1_TIME* t, char* buf, int len)
+{
+    WOLFSSL_ENTER("wolfSSL_ASN1_TIME_to_string");
+
+    /* Validate parameters. */
+    if ((t == NULL) || (buf == NULL) || (len < 5)) {
+        WOLFSSL_MSG("Bad argument");
+        buf = NULL;
+    }
+
+    /* Check internal length against passed in length. */
+    if ((buf != NULL) && (t->length > len)) {
+        WOLFSSL_MSG("Length of date is longer then buffer");
+        buf = NULL;
+    }
+
+    /* Get time as human readable string. */
+    if ((buf != NULL) && !GetTimeString(t->data, t->type, buf, len)) {
+        buf = NULL;
+    }
+
+    return buf;
+}
+
+/* Number of characters in a UTC TIME string. */
+#define UTCTIME_LEN     13
+
+/* Get year from UTC TIME string.
+ *
+ * @param [in]  str   UTC TIME string.
+ * @param [in]  len   Length of string in bytes.
+ * @param [out] year  Year as extracted from string.
+ * @return  1 on success.
+ * @return  0 when length is too short for a UTC TIME.
+ * @return  0 when not ZULU time.
+ */
+static int wolfssl_utctime_year(const unsigned char* str, int len, int* year)
+{
+    int ret = 1;
+
+    /* Check minimal length for UTC TIME. */
+    if (len < UTCTIME_LEN) {
+        WOLFSSL_MSG("WOLFSSL_ASN1_TIME buffer length is invalid.");
+        ret = 0;
+    }
+    /* Only support ZULU time. */
+    if ((ret == 1) && (str[UTCTIME_LEN - 1] != 'Z')) {
+        WOLFSSL_MSG("Expecting UTC time.");
+        ret = 0;
+    }
+
+    if (ret == 1) {
+        int tm_year;
+        /* 2-digit year. */
+        tm_year =  (str[0] - '0') * 10;
+        tm_year +=  str[1] - '0';
+        /* Check for year being in the 2000s. */
+        if (tm_year < 50) {
+            tm_year += 100;
+        }
+        *year = tm_year;
+    }
+
+    return ret;
+}
+
+/* Number of characters in a GENERALIZED TIME string. */
+#define GENTIME_LEN     15
+
+/* Get year from GENERALIZED TIME string.
+ *
+ * @param [in]  str   GENERALIZED TIME string.
+ * @param [in]  len   Length of string in bytes.
+ * @param [out] year  Year as extracted from string.
+ * @return  1 on success.
+ * @return  0 when length is too short for a GENERALIZED TIME.
+ * @return  0 when not ZULU time.
+ */
+static int wolfssl_gentime_year(const unsigned char* str, int len, int* year)
+{
+    int ret = 1;
+
+    /* Check minimal length for GENERALIZED TIME. */
+    if (len < GENTIME_LEN) {
+        WOLFSSL_MSG("WOLFSSL_ASN1_TIME buffer length is invalid.");
+        ret = 0;
+    }
+    if ((ret == 1) && (str[GENTIME_LEN - 1] != 'Z')) {
+        WOLFSSL_MSG("Expecting Generalized time.");
+        ret = 0;
+    }
+
+    if (ret == 1) {
+        int tm_year;
+        /* 4-digit year. */
+        tm_year =  (str[0] - '0') * 1000;
+        tm_year += (str[1] - '0') * 100;
+        tm_year += (str[2] - '0') * 10;
+        tm_year +=  str[3] - '0';
+        /* Only need value to be years since 1900. */
+        tm_year -= 1900;
+        *year = tm_year;
+    }
+
+    return ret;
+}
+
+/* Convert an ASN.1 TIME to a struct tm.
+ *
+ * @param [in] asnTime  ASN.1 TIME object.
+ * @param [in] tm       Broken-down time. Must be non-NULL.
+ * @return  1 on success.
+ * @return  0 when string format is invalid.
+ */
+static int wolfssl_asn1_time_to_tm(const WOLFSSL_ASN1_TIME* asnTime,
+    struct tm* tm)
+{
+    int ret = 1;
+    const unsigned char* asn1TimeBuf;
+    int asn1TimeBufLen;
+    int i = 0;
+
+    /* Get the string buffer - fixed array, can't fail. */
+    asn1TimeBuf = wolfSSL_ASN1_TIME_get_data(asnTime);
+    /* Get the length of the string. */
+    asn1TimeBufLen = wolfSSL_ASN1_TIME_get_length(asnTime);
+    if (asn1TimeBufLen <= 0) {
+        WOLFSSL_MSG("Failed to get WOLFSSL_ASN1_TIME buffer length.");
+        ret = 0;
+    }
+    if (ret == 1) {
+        /* Zero out values in broken-down time. */
+        XMEMSET(tm, 0, sizeof(struct tm));
+
+        if (asnTime->type == V_ASN1_UTCTIME) {
+            /* Get year from UTC TIME string. */
+            if ((ret = wolfssl_utctime_year(asn1TimeBuf, asn1TimeBufLen,
+                    &tm->tm_year)) == 1) {
+                /* Month starts after year - 2 characters. */
+                i = 2;
+            }
+        }
+        else if (asnTime->type == V_ASN1_GENERALIZEDTIME) {
+            /* Get year from GENERALIZED TIME string. */
+            if ((ret = wolfssl_gentime_year(asn1TimeBuf, asn1TimeBufLen,
+                    &tm->tm_year)) == 1) {
+                /* Month starts after year - 4 characters. */
+                i = 4;
+            }
+        }
+        else {
+            /* No other time formats known. */
+            WOLFSSL_MSG("asnTime->type is invalid.");
+            ret = 0;
+        }
+     }
+     if (ret == 1) {
+        /* Fill in rest of broken-down time from string. */
+        /* January is 0 not 1 */
+        tm->tm_mon   = (asn1TimeBuf[i] - '0') * 10; i++;
+        tm->tm_mon  += (asn1TimeBuf[i] - '0') - 1;  i++;
+        tm->tm_mday  = (asn1TimeBuf[i] - '0') * 10; i++;
+        tm->tm_mday += (asn1TimeBuf[i] - '0');      i++;
+        tm->tm_hour  = (asn1TimeBuf[i] - '0') * 10; i++;
+        tm->tm_hour += (asn1TimeBuf[i] - '0');      i++;
+        tm->tm_min   = (asn1TimeBuf[i] - '0') * 10; i++;
+        tm->tm_min  += (asn1TimeBuf[i] - '0');      i++;
+        tm->tm_sec   = (asn1TimeBuf[i] - '0') * 10; i++;
+        tm->tm_sec  += (asn1TimeBuf[i] - '0');
+
+    #ifdef XMKTIME
+        /* Call XMKTIME on tm to get tm_wday and tm_yday fields populated. */
+        XMKTIME(tm);
+    #endif
+    }
+
+    return ret;
+}
+
+/* Get the current time into a broken-down time.
+ *
+ * @param [out] tm  Broken-time time.
+ * @return  1 on success.
+ * @return  0 when tm is NULL.
+ * @return  0 when get current time fails.
+ * @return  0 when converting Unix time to broken-down time fails.
+ */
+static int wolfssl_get_current_time_tm(struct tm* tm)
+{
+    int ret = 1;
+    time_t currentTime;
+    struct tm *tmpTs;
+#if defined(NEED_TMP_TIME)
+    /* for use with gmtime_r */
+    struct tm tmpTimeStorage;
+    tmpTs = &tmpTimeStorage;
+#else
+    tmpTs = NULL;
+#endif
+    (void)tmpTs;
+
+    /* Must have a pointer to return result into. */
+    if (tm == NULL) {
+        WOLFSSL_MSG("asnTime and tm are both NULL");
+        ret = 0;
+    }
+    if (ret == 1) {
+        /* Get current Unix Time GMT. */
+        currentTime = wc_Time(0);
+        if (currentTime <= 0) {
+            WOLFSSL_MSG("Failed to get current time.");
+            ret = 0;
+        }
+    }
+    if (ret == 1) {
+        /* Convert Unix Time GMT into broken-down time. */
+        tmpTs = XGMTIME(&currentTime, tmpTs);
+        if (tmpTs == NULL) {
+            WOLFSSL_MSG("Failed to convert current time to UTC.");
+            ret = 0;
+        }
+    }
+    if (ret == 1) {
+        /* Copy from the structure returned into parameter. */
+        XMEMCPY(tm, tmpTs, sizeof(*tm));
+    }
+
+    return ret;
+}
+
+/* Convert ASN.1 TIME object's time into broken-down representation.
+ *
+ * Internal time string is checked when tm is NULL.
+ *
+ * @param [in]  asnTime  ASN.1 TIME object.
+ * @param [out] tm       Broken-down time.
+ * @return  1 on success.
+ * @return  0 when asnTime is NULL and tm is NULL.
+ * @return  0 getting current time fails.
+ * @return  0 when internal time string is invalid.
+ */
+int wolfSSL_ASN1_TIME_to_tm(const WOLFSSL_ASN1_TIME* asnTime, struct tm* tm)
+{
+    int ret = 1;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_TIME_to_tm");
+
+    /* If asnTime is NULL, then the current time is converted. */
+    if (asnTime == NULL) {
+        ret = wolfssl_get_current_time_tm(tm);
+    }
+    /* If tm is NULL this function performs a format check on asnTime only. */
+    else if (tm == NULL) {
+        ret = wolfSSL_ASN1_TIME_check(asnTime);
+    }
+    else {
+        /* Convert ASN.1 TIME to broken-down time. */
+        ret = wolfssl_asn1_time_to_tm(asnTime, tm);
+    }
+
+    return ret;
+}
+
+#ifndef NO_BIO
+/* Print the ASN.1 TIME object as a string to BIO.
+ *
+ * @param [in] bio      BIO to write to.
+ * @param [in] asnTime  ASN.1 TIME object.
+ * @return  1 on success.
+ * @return  0 when bio or asnTime is NULL.
+ * @return  0 when creating human readable string fails.
+ * @return  0 when writing to BIO fails.
+ */
+int wolfSSL_ASN1_TIME_print(WOLFSSL_BIO* bio, const WOLFSSL_ASN1_TIME* asnTime)
+{
+    char buf[MAX_TIME_STRING_SZ];
+    int  ret = 1;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_TIME_print");
+
+    /* Validate parameters. */
+    if ((bio == NULL) || (asnTime == NULL)) {
+        WOLFSSL_MSG("NULL function argument");
+        ret = 0;
+    }
+
+    if (ret == 1) {
+        int len;
+
+        /* Create human readable string. */
+        if (wolfSSL_ASN1_TIME_to_string((WOLFSSL_ASN1_TIME*)asnTime, buf,
+                sizeof(buf)) == NULL) {
+            /* Write out something anyway but return error. */
+            XMEMSET(buf, 0, MAX_TIME_STRING_SZ);
+            XSTRNCPY(buf, "Bad time value", sizeof(buf)-1);
+            ret = 0;
+        }
+
+        /* Write out string. */
+        len = (int)XSTRLEN(buf);
+        if (wolfSSL_BIO_write(bio, buf, len) != len) {
+            WOLFSSL_MSG("Unable to write to bio");
+            ret = 0;
+        }
+    }
+
+    return ret;
+}
+#endif /* !NO_BIO */
+
+#endif /* WOLFSSL_MYSQL_COMPATIBLE || OPENSSL_EXTRA */
+
+#ifdef OPENSSL_EXTRA
+
+#ifndef NO_BIO
+/* Print the ASN.1 UTC TIME object as a string to BIO.
+ *
+ * @param [in] bio      BIO to write to.
+ * @param [in] asnTime  ASN.1 UTC TIME object.
+ * @return  1 on success.
+ * @return  0 when bio or asnTime is NULL.
+ * @return  0 when ASN.1 type is not UTC TIME.
+ * @return  0 when creating human readable string fails.
+ * @return  0 when writing to BIO fails.
+ */
+int wolfSSL_ASN1_UTCTIME_print(WOLFSSL_BIO* bio, const WOLFSSL_ASN1_UTCTIME* a)
+{
+    int ret = 1;
+
+    WOLFSSL_ENTER("wolfSSL_ASN1_UTCTIME_print");
+
+    /* Validate parameters. */
+    if ((bio == NULL) || (a == NULL)) {
+        ret = 0;
+    }
+    /* Validate ASN.1 UTC TIME object is of type UTC_TIME. */
+    if ((ret == 1) && (a->type != V_ASN1_UTCTIME)) {
+        WOLFSSL_MSG("Error, not UTC_TIME");
+        ret = 0;
+    }
+
+    if (ret == 1) {
+        /* Use generic time printing function to do work. */
+        ret = wolfSSL_ASN1_TIME_print(bio, a);
+    }
+
+    return ret;
+}
+#endif /* !NO_BIO */
+
+#endif /* OPENSSL_EXTRA */
+
+#endif /* !NO_ASN_TIME */
+
+/*******************************************************************************
+ * ASN1_TYPE APIs
+ ******************************************************************************/
+
+#ifdef OPENSSL_EXTRA
+
+/**
+ * Allocate a new ASN.1 TYPE object.
+ *
+ * @return  New empty ASN.1 TYPE object on success.
+ * @return  NULL when dynamic memory allocation fails.
+ */
+WOLFSSL_ASN1_TYPE* wolfSSL_ASN1_TYPE_new(void)
+{
+    WOLFSSL_ASN1_TYPE* ret;
+
+    /* Allocate a new ASN.1 TYPE object. */
+    ret = (WOLFSSL_ASN1_TYPE*)XMALLOC(sizeof(WOLFSSL_ASN1_TYPE), NULL,
+        DYNAMIC_TYPE_OPENSSL);
+    if (ret != NULL) {
+        /* Clear out fields. */
+        XMEMSET(ret, 0, sizeof(WOLFSSL_ASN1_TYPE));
+    }
+
+    return ret;
+}
+
+/* Free the ASN.1 TYPE object's value field.
+ *
+ * @param [in, out] at  ASN.1 TYPE object.
+ */
+static void wolfssl_asn1_type_free_value(WOLFSSL_ASN1_TYPE* at)
+{
+    switch (at->type) {
+        case V_ASN1_NULL:
+            break;
+        case V_ASN1_OBJECT:
+            wolfSSL_ASN1_OBJECT_free(at->value.object);
+            break;
+        case V_ASN1_UTCTIME:
+        #ifndef NO_ASN_TIME
+            wolfSSL_ASN1_TIME_free(at->value.utctime);
+        #endif
+            break;
+        case V_ASN1_GENERALIZEDTIME:
+        #ifndef NO_ASN_TIME
+            wolfSSL_ASN1_TIME_free(at->value.generalizedtime);
+        #endif
+            break;
+        case V_ASN1_UTF8STRING:
+        case V_ASN1_PRINTABLESTRING:
+        case V_ASN1_T61STRING:
+        case V_ASN1_IA5STRING:
+        case V_ASN1_UNIVERSALSTRING:
+        case V_ASN1_SEQUENCE:
+            wolfSSL_ASN1_STRING_free(at->value.asn1_string);
+            break;
+        default:
+            break;
+    }
+}
+
+/**
+ * Free ASN.1 TYPE object and its value.
+ *
+ * @param [in, out] at  ASN.1 TYPE object.
+ */
+void wolfSSL_ASN1_TYPE_free(WOLFSSL_ASN1_TYPE* at)
+{
+    if (at != NULL) {
+        /* Dispose of value in ASN.1 TYPE object. */
+        wolfssl_asn1_type_free_value(at);
+    }
+    /* Dispose of ASN.1 TYPE object. */
+    XFREE(at, NULL, DYNAMIC_TYPE_OPENSSL);
+}
+
+#endif /* OPENSSL_EXTRA */
+
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS)
+/**
+ * Set ASN.1 TYPE object with a type and value.
+ *
+ * Type of value for different types:
+ *   V_ASN1_NULL            : Value should be NULL.
+ *   V_ASN1_OBJECT          : WOLFSSL_ASN1_OBJECT.
+ *   V_ASN1_UTCTIME         : WOLFSSL_ASN1_TIME.
+ *   V_ASN1_GENERALIZEDTIME : WOLFSSL_ASN1_TIME.
+ *   V_ASN1_UTF8STRING      : WOLFSSL_ASN1_STRING.
+ *   V_ASN1_PRINTABLESTRING : WOLFSSL_ASN1_STRING.
+ *   V_ASN1_T61STRING       : WOLFSSL_ASN1_STRING.
+ *   V_ASN1_IA5STRING       : WOLFSSL_ASN1_STRING.
+ *   V_ASN1_UNINVERSALSTRING: WOLFSSL_ASN1_STRING.
+ *   V_ASN1_SEQUENCE        : WOLFSSL_ASN1_STRING.
+ *
+ * @param [in, out] a      ASN.1 TYPE object to set.
+ * @param [in]      type   ASN.1 type of value.
+ * @param [in]      value  Value to store.
+ */
+void wolfSSL_ASN1_TYPE_set(WOLFSSL_ASN1_TYPE *a, int type, void *value)
+{
+    if (a != NULL) {
+        switch (type) {
+            case V_ASN1_NULL:
+                if (value != NULL) {
+                    WOLFSSL_MSG("NULL tag meant to be always empty!");
+                    /* No way to return error - value will not be used. */
+                }
+                /* fall-through */
+            case V_ASN1_OBJECT:
+            case V_ASN1_UTCTIME:
+            case V_ASN1_GENERALIZEDTIME:
+            case V_ASN1_UTF8STRING:
+            case V_ASN1_PRINTABLESTRING:
+            case V_ASN1_T61STRING:
+            case V_ASN1_IA5STRING:
+            case V_ASN1_UNIVERSALSTRING:
+            case V_ASN1_SEQUENCE:
+                /* Dispose of any value currently set. */
+                wolfssl_asn1_type_free_value(a);
+                /* Assign anonymously typed input to anonymously typed field. */
+                a->value.ptr = (char *)value;
+                /* Set the type required. */
+                a->type = type;
+                break;
+            default:
+                WOLFSSL_MSG("Unknown or unsupported ASN1_TYPE");
+                /* No way to return error. */
+        }
+    }
+}
+
+#endif /* OPENSSL_ALL || WOLFSSL_WPAS */
+
+#endif /* !WOLFSSL_SSL_ASN1_INCLUDED */
+

+ 29 - 0
src/ssl_bn.c

@@ -50,6 +50,35 @@
  * Constructor/Destructor/Initializer APIs
  ******************************************************************************/
 
+#if defined(OPENSSL_EXTRA) && !defined(NO_ASN)
+/* Set big number to be negative.
+ *
+ * @param [in, out] bn   Big number to make negative.
+ * @param [in]      neg  Whether number is negative.
+ * @return  1 on success.
+ * @return  -1 when bn or internal representation of bn is NULL.
+ */
+static int wolfssl_bn_set_neg(WOLFSSL_BIGNUM* bn, int neg)
+{
+    int ret = 1;
+
+    if (BN_IS_NULL(bn)) {
+        WOLFSSL_MSG("bn NULL error");
+        ret = -1;
+    }
+#if !defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_INT_NEGATIVE)
+    else if (neg) {
+        mp_setneg((mp_int*)bn->internal);
+    }
+    else {
+        ((mp_int*)bn->internal)->sign = MP_ZPOS;
+    }
+#endif
+
+    return ret;
+}
+#endif /* OPENSSL_EXTRA && !NO_ASN */
+
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 /* Get the internal representation value into an MP integer.
  *

+ 0 - 5
src/x509.c

@@ -231,10 +231,6 @@ void wolfSSL_X509_EXTENSION_free(WOLFSSL_X509_EXTENSION* x)
         return;
 
     if (x->obj != NULL) {
-        if (x->obj->pathlen != NULL) {
-            wolfSSL_ASN1_INTEGER_free(x->obj->pathlen);
-            x->obj->pathlen = NULL;
-        }
         wolfSSL_ASN1_OBJECT_free(x->obj);
     }
 
@@ -10078,7 +10074,6 @@ int wolfSSL_i2d_X509_NAME_canon(WOLFSSL_X509_NAME* name, unsigned char** out)
                 return WOLFSSL_FATAL_ERROR;
             }
             totalBytes += ret;
-            wolfSSL_OPENSSL_free(cano_data->data);
             wolfSSL_ASN1_STRING_free(cano_data);
         }
     }

File diff suppressed because it is too large
+ 2343 - 0
tests/api.c


+ 67 - 58
wolfcrypt/src/asn.c

@@ -13657,31 +13657,27 @@ int GetFormattedTime(void* currTime, byte* buf, word32 len)
         if (ts->tm_year >= 50 && ts->tm_year < 100) {
             year = ts->tm_year;
         }
-        else if (ts->tm_year >= 100 && ts->tm_year < 150) {
-            year = ts->tm_year - 100;
-        }
         else {
-            WOLFSSL_MSG("unsupported year range");
-            return BAD_FUNC_ARG;
+            year = ts->tm_year - 100;
         }
         mon  = ts->tm_mon + 1;
         day  = ts->tm_mday;
         hour = ts->tm_hour;
         mini = ts->tm_min;
         sec  = ts->tm_sec;
-        #if defined(WOLF_C89)
-            if (len < 14) {
-                WOLFSSL_MSG("buffer for GetFormattedTime is too short.");
-                return BUFFER_E;
-            }
-            ret = XSPRINTF((char*)buf,
+    #if defined(WOLF_C89)
+        if (len < ASN_UTC_TIME_SIZE) {
+            WOLFSSL_MSG("buffer for GetFormattedTime is too short.");
+            return BUFFER_E;
+        }
+        ret = XSPRINTF((char*)buf,
                         "%02d%02d%02d%02d%02d%02dZ", year, mon, day,
                         hour, mini, sec);
-        #else
-            ret = XSNPRINTF((char*)buf, len,
+    #else
+        ret = XSNPRINTF((char*)buf, len,
                         "%02d%02d%02d%02d%02d%02dZ", year, mon, day,
                         hour, mini, sec);
-        #endif
+    #endif
     }
     else {
         /* GeneralizedTime */
@@ -13691,19 +13687,19 @@ int GetFormattedTime(void* currTime, byte* buf, word32 len)
         hour = ts->tm_hour;
         mini = ts->tm_min;
         sec  = ts->tm_sec;
-        #if defined(WOLF_C89)
-            if (len < 16) {
-                WOLFSSL_MSG("buffer for GetFormattedTime is too short.");
-                return BUFFER_E;
-            }
-            ret = XSPRINTF((char*)buf,
+    #if defined(WOLF_C89)
+        if (len < ASN_GENERALIZED_TIME_SIZE) {
+            WOLFSSL_MSG("buffer for GetFormattedTime is too short.");
+            return BUFFER_E;
+        }
+        ret = XSPRINTF((char*)buf,
                         "%4d%02d%02d%02d%02d%02dZ", year, mon, day,
                         hour, mini, sec);
-        #else
-            ret = XSNPRINTF((char*)buf, len,
+    #else
+        ret = XSNPRINTF((char*)buf, len,
                         "%4d%02d%02d%02d%02d%02dZ", year, mon, day,
                         hour, mini, sec);
-        #endif
+    #endif
     }
 
     return ret;
@@ -14630,48 +14626,58 @@ word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
     int sz;
     int ret = 0;
     int o = 0;
+    const byte* algoName = 0;
+    word32 algoSz = 0;
 
     CALLOC_ASNSETDATA(dataASN, algoIdASN_Length, ret, NULL);
 
-    /* Set the OID and OID type to encode. */
-    SetASN_OID(&dataASN[ALGOIDASN_IDX_OID], algoOID, type);
-    /* Hashes, signatures not ECC and keys not RSA put put NULL tag. */
-    if (!(type == oidHashType ||
-             (type == oidSigType && !IsSigAlgoECC(algoOID)) ||
-             (type == oidKeyType && algoOID == RSAk))) {
-        /* Don't put out NULL DER item. */
-        dataASN[ALGOIDASN_IDX_NULL].noOut = 1;
-    }
-    if (algoOID == DSAk) {
-        /* Don't include SEQUENCE for DSA keys. */
-        o = 1;
-    }
-    else if (curveSz > 0) {
-        /* Don't put out NULL DER item. */
-        dataASN[ALGOIDASN_IDX_NULL].noOut = 0;
-        /* Include space for extra data of length curveSz.
-         * Subtract 1 for sequence and 1 for length encoding. */
-        SetASN_Buffer(&dataASN[ALGOIDASN_IDX_NULL], NULL, curveSz - 2);
+    algoName = OidFromId(algoOID, type, &algoSz);
+    if (algoName == NULL) {
+        WOLFSSL_MSG("Unknown Algorithm");
     }
+    else {
+        /* Set the OID and OID type to encode. */
+        SetASN_OID(&dataASN[ALGOIDASN_IDX_OID], algoOID, type);
+        /* Hashes, signatures not ECC and keys not RSA output NULL tag. */
+        if (!(type == oidHashType ||
+                 (type == oidSigType && !IsSigAlgoECC(algoOID)) ||
+                 (type == oidKeyType && algoOID == RSAk))) {
+            /* Don't put out NULL DER item. */
+            dataASN[ALGOIDASN_IDX_NULL].noOut = 1;
+        }
+        if (algoOID == DSAk) {
+            /* Don't include SEQUENCE for DSA keys. */
+            o = 1;
+        }
+        else if (curveSz > 0) {
+            /* Don't put out NULL DER item. */
+            dataASN[ALGOIDASN_IDX_NULL].noOut = 0;
+            /* Include space for extra data of length curveSz.
+             * Subtract 1 for sequence and 1 for length encoding. */
+            SetASN_Buffer(&dataASN[ALGOIDASN_IDX_NULL], NULL, curveSz - 2);
+        }
 
-    /* Calculate size of encoding. */
-    ret = SizeASN_Items(algoIdASN + o, dataASN + o, algoIdASN_Length - o, &sz);
-    if (ret == 0 && output != NULL) {
-        /* Encode into buffer. */
-        SetASN_Items(algoIdASN + o, dataASN + o, algoIdASN_Length - o, output);
-        if (curveSz > 0) {
-            /* Return size excluding curve data. */
-            sz = dataASN[o].offset - dataASN[ALGOIDASN_IDX_NULL].offset;
+        /* Calculate size of encoding. */
+        ret = SizeASN_Items(algoIdASN + o, dataASN + o, algoIdASN_Length - o,
+            &sz);
+        if (ret == 0 && output != NULL) {
+            /* Encode into buffer. */
+            SetASN_Items(algoIdASN + o, dataASN + o, algoIdASN_Length - o,
+                output);
+            if (curveSz > 0) {
+                /* Return size excluding curve data. */
+                sz = dataASN[o].offset - dataASN[ALGOIDASN_IDX_NULL].offset;
+            }
         }
-    }
 
-    if (ret == 0) {
-        /* Return encoded size. */
-        ret = sz;
-    }
-    else {
-        /* Unsigned return type so 0 indicates error. */
-        ret = 0;
+        if (ret == 0) {
+            /* Return encoded size. */
+            ret = sz;
+        }
+        else {
+            /* Unsigned return type so 0 indicates error. */
+            ret = 0;
+        }
     }
 
     FREE_ASNSETDATA(dataASN, NULL);
@@ -35913,6 +35919,9 @@ end:
     word32 lastDateSz = MAX_DATE_SIZE;
     word32 nextDateSz = MAX_DATE_SIZE;
 
+    /* When NO_ASN_TIME is defined, verify not used. */
+    (void)verify;
+
     WOLFSSL_MSG("ParseCRL");
 
     CALLOC_ASNGETDATA(dataASN, crlASN_Length, ret, dcrl->heap);

+ 5 - 0
wolfssl/internal.h

@@ -6249,6 +6249,11 @@ WOLFSSL_LOCAL int CreateCookieExt(const WOLFSSL* ssl, byte* hash,
 
 WOLFSSL_LOCAL int TranslateErrorToAlert(int err);
 
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
+void* wolfssl_sk_pop_type(WOLFSSL_STACK* sk, WOLF_STACK_TYPE type);
+WOLFSSL_STACK* wolfssl_sk_new_type(WOLF_STACK_TYPE type);
+#endif
+
 #ifdef __cplusplus
     }  /* extern "C" */
 #endif

+ 6 - 7
wolfssl/ssl.h

@@ -228,7 +228,7 @@ typedef struct WOLFSSL_DIST_POINT WOLFSSL_DIST_POINT;
 
 typedef struct WOLFSSL_CONF_CTX     WOLFSSL_CONF_CTX;
 
-#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
+#if defined(OPENSSL_EXTRA)
 
 struct WOLFSSL_OBJ_NAME {
     int type;
@@ -245,7 +245,7 @@ struct WOLFSSL_BASIC_CONSTRAINTS {
     WOLFSSL_ASN1_INTEGER *pathlen;
 };
 
-#endif /* OPENSSL_ALL || OPENSSL_EXTRA*/
+#endif /* OPENSSL_EXTRA*/
 
 #define WOLFSSL_ASN1_UTCTIME          WOLFSSL_ASN1_TIME
 #define WOLFSSL_ASN1_GENERALIZEDTIME  WOLFSSL_ASN1_TIME
@@ -326,8 +326,7 @@ struct WOLFSSL_ASN1_OBJECT {
     int    grp;  /* type of OID, i.e. oidCertPolicyType */
     int    nid;
     unsigned int  objSz;
-#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || \
-    defined(WOLFSSL_APACHE_HTTPD)
+#if defined(OPENSSL_EXTRA)
     int ca;
     WOLFSSL_ASN1_INTEGER *pathlen;
 #endif
@@ -342,7 +341,7 @@ struct WOLFSSL_ASN1_OBJECT {
         WOLFSSL_ASN1_STRING* dNSName;
         WOLFSSL_ASN1_STRING  ia5_internal;
         WOLFSSL_ASN1_STRING* ia5; /* points to ia5_internal */
-#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
+#if defined(OPENSSL_ALL)
         WOLFSSL_ASN1_STRING* uniformResourceIdentifier;
         WOLFSSL_ASN1_STRING  iPAddress_internal;
         WOLFSSL_ASN1_OTHERNAME* otherName; /* added for Apache httpd */
@@ -5032,8 +5031,8 @@ WOLFSSL_API void wolfSSL_EC_POINT_dump(const char *msg, const WOLFSSL_EC_POINT *
 WOLFSSL_API const char *wolfSSL_ASN1_tag2str(int tag);
 WOLFSSL_API int wolfSSL_ASN1_STRING_print_ex(WOLFSSL_BIO *out, WOLFSSL_ASN1_STRING *str, unsigned long flags);
 WOLFSSL_API int wolfSSL_ASN1_STRING_print(WOLFSSL_BIO *out, WOLFSSL_ASN1_STRING *str);
-WOLFSSL_API int wolfSSL_ASN1_TIME_get_length(WOLFSSL_ASN1_TIME *t);
-WOLFSSL_API unsigned char* wolfSSL_ASN1_TIME_get_data(WOLFSSL_ASN1_TIME *t);
+WOLFSSL_API int wolfSSL_ASN1_TIME_get_length(const WOLFSSL_ASN1_TIME *t);
+WOLFSSL_API unsigned char* wolfSSL_ASN1_TIME_get_data(const WOLFSSL_ASN1_TIME *t);
 WOLFSSL_API WOLFSSL_ASN1_TIME *wolfSSL_ASN1_TIME_to_generalizedtime(WOLFSSL_ASN1_TIME *t,
                                                                 WOLFSSL_ASN1_TIME **out);
 WOLFSSL_API int wolfSSL_i2c_ASN1_INTEGER(WOLFSSL_ASN1_INTEGER *a, unsigned char **pp);

+ 1 - 0
wolfssl/wolfcrypt/asn.h

@@ -116,6 +116,7 @@ enum ASN_Tags {
     ASN_APPLICATION       = 0x40,
     ASN_CONTEXT_SPECIFIC  = 0x80,
     ASN_PRIVATE           = 0xC0,
+    ASN_CLASS_MASK        = 0xC0,
 
     CRL_EXTENSIONS        = 0xa0,
     ASN_EXTENSIONS        = 0xa3,

+ 2 - 2
wolfssl/wolfcrypt/asn_public.h

@@ -315,8 +315,8 @@ typedef struct WOLFSSL_ASN1_INTEGER {
     unsigned int   dataMax;   /* max size of data buffer */
     unsigned int   isDynamic:1; /* flag for if data pointer dynamic (1 is yes 0 is no) */
 
-    int length;
-    int type;
+    int length;   /* Length of DER encoding. */
+    int type;     /* ASN.1 type. Includes negative flag. */
 } WOLFSSL_ASN1_INTEGER;
 
 

+ 7 - 0
wolfssl/wolfcrypt/settings.h

@@ -2700,6 +2700,13 @@ extern void uITRON4_free(void *p) ;
     #define NO_SESSION_CACHE
 #endif
 
+#if defined(NO_ASN_TIME) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
+    #define WOLFSSL_NO_DEF_TICKET_ENC_CB
+#endif
+#if defined(NO_ASN_TIME) && defined(HAVE_SESSION_TICKET)
+    #undef HAVE_SESSION_TICKET
+#endif
+
 /* Use static ECC structs for Position Independent Code (PIC) */
 #if defined(__IAR_SYSTEMS_ICC__) && defined(__ROPI__)
     #define WOLFSSL_ECC_CURVE_STATIC

Some files were not shown because too many files changed in this diff