Merge pull request #10169 from embhorn/zd21565

Fix for peer cert verify with IP address

Author: SparkiDev

certs/test/cn-ip-literal.der

@@ -229,6 +229,30 @@ generate_expired_certs expired/expired-cert ../server-key.pem
 
 generate_test_trusted_cert ossl-trusted-cert localhost "" 1
 
+# Generate CN-IP test certs (no SAN, CN contains IP literal or wildcard)
+# These are simple self-signed V1 certs with only a CN field, no extensions.
+# Used to test peer cert verification with IP address matching in CN.
+generate_cn_ip_cert() {
+    rm -f "$1".der "$1".pem
+
+    echo "step 1 create self-signed cert with CN=$2"
+    openssl req -new -x509 -days 3652 -sha256 \
+                -key ../server-key.pem \
+                -out "$1".pem \
+                -subj "/CN=$2"
+    check_result $?
+
+    echo "step 2 make binary der version"
+    openssl x509 -inform pem -in "$1".pem -outform der -out "$1".der
+    check_result $?
+
+    rm -f "$1".pem
+}
+
+generate_cn_ip_cert cn-ip-literal 127.0.0.1
+generate_cn_ip_cert cn-ip-wildcard "*.0.0.1"
+
+
 # Note on certs/empty-issuer-cert.pem:
 # OpenSSL did not like to generate this certificate with an empty CN in the
 # conf file.

certs/test/cn-ip-wildcard.der

@@ -164,6 +164,13 @@
         ["certs/sphincs/bench_sphincs_small_level5_key.der", "bench_sphincs_small_level5_key" ],
         );
 
+# CN-IP test certs (no SAN, CN contains IP literal or wildcard)
+# Used with OPENSSL_EXTRA && !NO_RSA
+my @fileList_cn_ip = (
+        [ "./certs/test/cn-ip-literal.der",  "cn_ip_literal_der" ],
+        [ "./certs/test/cn-ip-wildcard.der",  "cn_ip_wildcard_der" ],
+        );
+
 
 # ----------------------------------------------------------------------------
 
@@ -178,6 +185,7 @@
 my $num_sm2_der  = @fileList_sm2_der;
 my $num_falcon   = @fileList_falcon;
 my $num_sphincs  = @fileList_sphincs;
+my $num_cn_ip    = @fileList_cn_ip;
 
 # open our output file, "+>" creates and/or truncates
 open OUT_FILE, "+>", $outputFile  or die $!;
@@ -2236,6 +2244,23 @@
 print OUT_FILE "#endif /* USE_CERT_BUFFERS_25519 */\n\n";
 
 
+# convert and print CN-IP test certs
+print OUT_FILE "#if defined(OPENSSL_EXTRA) && !defined(NO_RSA)\n\n";
+for (my $i = 0; $i < $num_cn_ip; $i++) {
+
+    my $fname = $fileList_cn_ip[$i][0];
+    my $sname = $fileList_cn_ip[$i][1];
+
+    print OUT_FILE "/* $fname */\n";
+    print OUT_FILE "static const unsigned char $sname\[] =\n";
+    print OUT_FILE "{\n";
+    file_to_hex($fname);
+    print OUT_FILE "};\n";
+    print OUT_FILE "#define sizeof_$sname (sizeof($sname))\n\n"
+}
+print OUT_FILE "#endif /* OPENSSL_EXTRA && !NO_RSA */\n\n";
+
+
 print OUT_FILE "#endif /* WOLFSSL_CERTS_TEST_H */\n\n";
 
 # close certs_test.h file

certs/test/gen-testcerts.sh

@@ -13488,7 +13488,10 @@ int CheckHostName(DecodedCert* dCert, const char *domainName,
     }
 
 #ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
-    if (checkCN == 1) {
+    /* RFC 6125: IP address identities must appear in an iPAddress SAN and
+     * must never be matched against the Subject Common Name. Skip the CN
+     * fallback when verifying an IP address. */
+    if (checkCN == 1 && !isIP) {
         if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
                             domainName, (word32)domainNameLen, flags) == 1) {
             ret = 0;

gencertbuf.pl

@@ -1060,6 +1060,36 @@ int test_wolfSSL_X509_check_ip_asc(void)
     ExpectIntEQ(wolfSSL_X509_check_ip_asc(NULL, "0.0.0.0", 0), 0);
     ExpectIntEQ(wolfSSL_X509_check_ip_asc(empty, "127.128.0.255", 0), 0);
 
+    /* Regression test: a certificate with CN=<ip> and no SAN extension
+     * must NOT be accepted for IP verification. RFC 6125 requires that IP
+     * identities appear in an iPAddress SAN; the Subject CN must never be
+     * matched against an IP address. Likewise a CN of "*.0.0.1" must not
+     * wildcard-match "127.0.0.1" -- RFC 6125 Section 7.2 prohibits wildcard
+     * matching for IP addresses. */
+    {
+        WOLFSSL_X509 *cn_lit = NULL;
+        WOLFSSL_X509 *cn_wild = NULL;
+
+        ExpectNotNull(cn_lit = wolfSSL_X509_load_certificate_buffer(
+            cn_ip_literal_der, (int)sizeof(cn_ip_literal_der),
+            WOLFSSL_FILETYPE_ASN1));
+        ExpectNotNull(cn_wild = wolfSSL_X509_load_certificate_buffer(
+            cn_ip_wildcard_der, (int)sizeof(cn_ip_wildcard_der),
+            WOLFSSL_FILETYPE_ASN1));
+
+        /* CN=127.0.0.1 with no SAN must NOT match the IP "127.0.0.1". */
+        ExpectIntEQ(wolfSSL_X509_check_ip_asc(cn_lit, "127.0.0.1", 0), 0);
+        /* CN=*.0.0.1 with no SAN must NOT wildcard-match "127.0.0.1". */
+        ExpectIntEQ(wolfSSL_X509_check_ip_asc(cn_wild, "127.0.0.1", 0), 0);
+        /* CN-based hostname matching must still work for hostname checks
+         * (sanity check that the fix didn't over-correct). */
+        ExpectIntEQ(wolfSSL_X509_check_host(cn_wild, "1.0.0.1",
+            XSTRLEN("1.0.0.1"), 0, NULL), 1);
+
+        wolfSSL_X509_free(cn_wild);
+        wolfSSL_X509_free(cn_lit);
+    }
+
     wolfSSL_X509_free(empty);
     wolfSSL_X509_free(x509);
 #endif

src/internal.c

@@ -7069,5 +7069,160 @@ static const unsigned char x25519_pub_statickey_der[] =
 
 #endif /* USE_CERT_BUFFERS_25519 */
 
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA)
+
+/* ./certs/test/cn-ip-literal.der */
+static const unsigned char cn_ip_literal_der[] =
+{
+        0x30, 0x82, 0x02, 0xAF, 0x30, 0x82, 0x01, 0x97, 0x02, 0x14,
+        0x03, 0xE8, 0x5C, 0xB5, 0x56, 0x65, 0x58, 0xD4, 0xD9, 0x86,
+        0x9C, 0xE7, 0x5B, 0x71, 0xE9, 0xD3, 0x33, 0xE1, 0xA2, 0xDC,
+        0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30,
+        0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x09, 0x31, 0x32,
+        0x37, 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31, 0x30, 0x1E, 0x17,
+        0x0D, 0x32, 0x36, 0x30, 0x34, 0x30, 0x38, 0x32, 0x30, 0x32,
+        0x35, 0x33, 0x33, 0x5A, 0x17, 0x0D, 0x33, 0x36, 0x30, 0x34,
+        0x30, 0x35, 0x32, 0x30, 0x32, 0x35, 0x33, 0x33, 0x5A, 0x30,
+        0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03,
+        0x0C, 0x09, 0x31, 0x32, 0x37, 0x2E, 0x30, 0x2E, 0x30, 0x2E,
+        0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00,
+        0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02,
+        0x82, 0x01, 0x01, 0x00, 0xB9, 0xCC, 0x99, 0xF7, 0xBF, 0x7C,
+        0x4F, 0xEC, 0x7F, 0xE6, 0x17, 0x4E, 0xE3, 0xD9, 0xE5, 0x25,
+        0x7D, 0xAB, 0xA8, 0x66, 0xB0, 0x4D, 0x41, 0x5C, 0x20, 0xD8,
+        0x67, 0xF5, 0xA3, 0xCD, 0x9E, 0x12, 0x7F, 0x09, 0x00, 0xEB,
+        0x6B, 0xFC, 0x7E, 0x14, 0x10, 0xA0, 0x10, 0x2E, 0x1F, 0xE8,
+        0xAD, 0xEC, 0xE8, 0x86, 0x54, 0xA2, 0xC4, 0x58, 0x65, 0x26,
+        0x95, 0x76, 0xA1, 0xE1, 0x02, 0x52, 0x81, 0xCB, 0x7E, 0x8E,
+        0xB2, 0x31, 0xC9, 0x58, 0x9A, 0xDC, 0x69, 0xAB, 0x8D, 0x23,
+        0xCD, 0x96, 0x19, 0x1C, 0x68, 0x69, 0xB5, 0x7D, 0x23, 0xE3,
+        0x58, 0xE6, 0x26, 0xCC, 0x05, 0x40, 0xD2, 0xA9, 0xB1, 0x09,
+        0x9C, 0xC8, 0x4A, 0xFC, 0x0A, 0x20, 0xBA, 0xC0, 0x12, 0x3B,
+        0x97, 0x44, 0x2B, 0x30, 0x50, 0x86, 0x0B, 0x27, 0x13, 0x76,
+        0xB5, 0xF7, 0x80, 0xF0, 0xF2, 0xF0, 0x93, 0x3B, 0x8D, 0xA8,
+        0x4F, 0xA3, 0xA9, 0xD2, 0xEA, 0xD3, 0xC3, 0xCB, 0xCC, 0x70,
+        0xA0, 0x0B, 0xC7, 0xC6, 0x3E, 0xC9, 0x27, 0x4C, 0xB5, 0x23,
+        0x35, 0x6C, 0xB0, 0x30, 0xA2, 0xC1, 0x6D, 0x07, 0xD0, 0x9B,
+        0x55, 0x6A, 0xF9, 0x18, 0xF0, 0x30, 0x74, 0x3F, 0xF6, 0x17,
+        0x85, 0xB7, 0xCF, 0xA5, 0xD4, 0x91, 0xAA, 0x54, 0x85, 0xEC,
+        0xAE, 0xC5, 0x32, 0xF2, 0xB0, 0x21, 0x5A, 0x90, 0x22, 0x66,
+        0x8B, 0x4B, 0x0D, 0xC3, 0x57, 0x81, 0x86, 0xF2, 0xBB, 0xD2,
+        0x3B, 0x8C, 0xFC, 0xEE, 0xBD, 0xED, 0xF0, 0xFB, 0xA5, 0xE1,
+        0x91, 0x5A, 0x68, 0x07, 0x60, 0x38, 0x38, 0xE7, 0x48, 0xE3,
+        0x83, 0xD6, 0xAF, 0xF0, 0x03, 0x7E, 0x2E, 0x95, 0x0C, 0x33,
+        0xCF, 0x13, 0xE9, 0xEC, 0xE7, 0xA4, 0x5E, 0xED, 0x02, 0xAE,
+        0xF2, 0x30, 0x6F, 0x3F, 0xC4, 0x1B, 0x3A, 0x0A, 0xE8, 0xD3,
+        0x66, 0x32, 0xD6, 0xFD, 0x58, 0x3A, 0x65, 0x93, 0x99, 0xC7,
+        0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+        0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
+        0x03, 0x82, 0x01, 0x01, 0x00, 0x3C, 0xA7, 0xDF, 0xD1, 0x44,
+        0xC5, 0x4D, 0x29, 0x38, 0x51, 0x9D, 0xF6, 0xEE, 0x2F, 0x0C,
+        0xA3, 0x8A, 0x2A, 0x7C, 0xA1, 0xB1, 0x26, 0x6D, 0xFB, 0x8B,
+        0x5D, 0xED, 0xDC, 0x1F, 0xF2, 0xF1, 0x99, 0x3C, 0xD8, 0x36,
+        0xCD, 0x48, 0xF5, 0x91, 0x5B, 0x42, 0x98, 0x89, 0x29, 0xBA,
+        0x46, 0xAD, 0x93, 0xEA, 0xEA, 0x53, 0x17, 0xE4, 0x6D, 0xB7,
+        0xDC, 0xB5, 0x4A, 0xD8, 0xED, 0x5C, 0x39, 0x0C, 0xF6, 0x1D,
+        0x19, 0xFB, 0x22, 0x5D, 0xE4, 0x3F, 0x07, 0x20, 0x6D, 0x2E,
+        0xDC, 0x92, 0xA5, 0x56, 0xB3, 0x92, 0x74, 0x05, 0xB2, 0x7C,
+        0xED, 0x73, 0x83, 0x70, 0x5F, 0x0E, 0x75, 0xE1, 0x71, 0x4C,
+        0xC5, 0xF0, 0x26, 0xC5, 0xA6, 0xD4, 0xB6, 0xB4, 0x79, 0x99,
+        0x54, 0xD9, 0x21, 0x48, 0x2F, 0x52, 0x6E, 0x47, 0x1D, 0x1C,
+        0x3A, 0x3B, 0x2A, 0x36, 0xA8, 0x88, 0x95, 0x47, 0x67, 0x59,
+        0xD5, 0xEE, 0xB6, 0xE9, 0x5B, 0x86, 0x1B, 0x8B, 0x6C, 0xA6,
+        0xB2, 0x91, 0x81, 0x0C, 0xCA, 0x91, 0x33, 0x32, 0xE5, 0x0D,
+        0x8F, 0xDA, 0xC7, 0x5B, 0xA6, 0x80, 0x3F, 0x71, 0x50, 0x56,
+        0xD2, 0x88, 0xFC, 0x53, 0xC5, 0x11, 0x45, 0x1E, 0x8A, 0xB7,
+        0x0A, 0x83, 0x9E, 0x89, 0x63, 0x24, 0x3E, 0x8C, 0xBD, 0xED,
+        0xEC, 0xF4, 0x19, 0x32, 0x13, 0xCF, 0xE7, 0xDD, 0xE6, 0x84,
+        0xED, 0xE7, 0xF7, 0xF9, 0x50, 0x2F, 0x7B, 0xAC, 0x7D, 0xF9,
+        0x0F, 0x61, 0xD1, 0xF7, 0x59, 0xF0, 0x91, 0x73, 0x26, 0x5A,
+        0xBA, 0x24, 0xC8, 0x49, 0x86, 0xC1, 0x1A, 0x42, 0x68, 0x70,
+        0xBF, 0x94, 0x69, 0xD0, 0xD5, 0x26, 0x7E, 0x3C, 0xA9, 0x69,
+        0x6F, 0xB1, 0xCC, 0xDF, 0x4D, 0xED, 0x91, 0x6D, 0xDF, 0x45,
+        0x71, 0xF0, 0x88, 0x69, 0x74, 0x49, 0x2C, 0x5E, 0x77, 0xED,
+        0x92, 0x36, 0x7F, 0x1A, 0x83, 0x36, 0x42, 0x17, 0x5A, 0xDA,
+        0x91
+};
+#define sizeof_cn_ip_literal_der (sizeof(cn_ip_literal_der))
+
+/* ./certs/test/cn-ip-wildcard.der */
+static const unsigned char cn_ip_wildcard_der[] =
+{
+        0x30, 0x82, 0x02, 0xAB, 0x30, 0x82, 0x01, 0x93, 0x02, 0x14,
+        0x3A, 0x4E, 0xFC, 0xF1, 0x5F, 0xCB, 0xE3, 0x6A, 0xAE, 0x7F,
+        0xD6, 0x79, 0xBD, 0x40, 0xC9, 0x64, 0x41, 0xC6, 0xF0, 0x56,
+        0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x12, 0x31, 0x10, 0x30,
+        0x0E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x07, 0x2A, 0x2E,
+        0x30, 0x2E, 0x30, 0x2E, 0x31, 0x30, 0x1E, 0x17, 0x0D, 0x32,
+        0x36, 0x30, 0x34, 0x30, 0x38, 0x32, 0x30, 0x32, 0x35, 0x33,
+        0x33, 0x5A, 0x17, 0x0D, 0x33, 0x36, 0x30, 0x34, 0x30, 0x35,
+        0x32, 0x30, 0x32, 0x35, 0x33, 0x33, 0x5A, 0x30, 0x12, 0x31,
+        0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x07,
+        0x2A, 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31, 0x30, 0x82, 0x01,
+        0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+        0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F,
+        0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00,
+        0xB9, 0xCC, 0x99, 0xF7, 0xBF, 0x7C, 0x4F, 0xEC, 0x7F, 0xE6,
+        0x17, 0x4E, 0xE3, 0xD9, 0xE5, 0x25, 0x7D, 0xAB, 0xA8, 0x66,
+        0xB0, 0x4D, 0x41, 0x5C, 0x20, 0xD8, 0x67, 0xF5, 0xA3, 0xCD,
+        0x9E, 0x12, 0x7F, 0x09, 0x00, 0xEB, 0x6B, 0xFC, 0x7E, 0x14,
+        0x10, 0xA0, 0x10, 0x2E, 0x1F, 0xE8, 0xAD, 0xEC, 0xE8, 0x86,
+        0x54, 0xA2, 0xC4, 0x58, 0x65, 0x26, 0x95, 0x76, 0xA1, 0xE1,
+        0x02, 0x52, 0x81, 0xCB, 0x7E, 0x8E, 0xB2, 0x31, 0xC9, 0x58,
+        0x9A, 0xDC, 0x69, 0xAB, 0x8D, 0x23, 0xCD, 0x96, 0x19, 0x1C,
+        0x68, 0x69, 0xB5, 0x7D, 0x23, 0xE3, 0x58, 0xE6, 0x26, 0xCC,
+        0x05, 0x40, 0xD2, 0xA9, 0xB1, 0x09, 0x9C, 0xC8, 0x4A, 0xFC,
+        0x0A, 0x20, 0xBA, 0xC0, 0x12, 0x3B, 0x97, 0x44, 0x2B, 0x30,
+        0x50, 0x86, 0x0B, 0x27, 0x13, 0x76, 0xB5, 0xF7, 0x80, 0xF0,
+        0xF2, 0xF0, 0x93, 0x3B, 0x8D, 0xA8, 0x4F, 0xA3, 0xA9, 0xD2,
+        0xEA, 0xD3, 0xC3, 0xCB, 0xCC, 0x70, 0xA0, 0x0B, 0xC7, 0xC6,
+        0x3E, 0xC9, 0x27, 0x4C, 0xB5, 0x23, 0x35, 0x6C, 0xB0, 0x30,
+        0xA2, 0xC1, 0x6D, 0x07, 0xD0, 0x9B, 0x55, 0x6A, 0xF9, 0x18,
+        0xF0, 0x30, 0x74, 0x3F, 0xF6, 0x17, 0x85, 0xB7, 0xCF, 0xA5,
+        0xD4, 0x91, 0xAA, 0x54, 0x85, 0xEC, 0xAE, 0xC5, 0x32, 0xF2,
+        0xB0, 0x21, 0x5A, 0x90, 0x22, 0x66, 0x8B, 0x4B, 0x0D, 0xC3,
+        0x57, 0x81, 0x86, 0xF2, 0xBB, 0xD2, 0x3B, 0x8C, 0xFC, 0xEE,
+        0xBD, 0xED, 0xF0, 0xFB, 0xA5, 0xE1, 0x91, 0x5A, 0x68, 0x07,
+        0x60, 0x38, 0x38, 0xE7, 0x48, 0xE3, 0x83, 0xD6, 0xAF, 0xF0,
+        0x03, 0x7E, 0x2E, 0x95, 0x0C, 0x33, 0xCF, 0x13, 0xE9, 0xEC,
+        0xE7, 0xA4, 0x5E, 0xED, 0x02, 0xAE, 0xF2, 0x30, 0x6F, 0x3F,
+        0xC4, 0x1B, 0x3A, 0x0A, 0xE8, 0xD3, 0x66, 0x32, 0xD6, 0xFD,
+        0x58, 0x3A, 0x65, 0x93, 0x99, 0xC7, 0x02, 0x03, 0x01, 0x00,
+        0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+        0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01,
+        0x00, 0x7F, 0x3A, 0xF8, 0x93, 0x41, 0x6F, 0xAA, 0xB7, 0xCA,
+        0x17, 0x81, 0xA7, 0x3E, 0x9F, 0x0C, 0x6D, 0x14, 0x7B, 0x6F,
+        0x13, 0xF8, 0xBF, 0x63, 0x6E, 0x28, 0x57, 0x0B, 0x9A, 0xC2,
+        0x2A, 0x88, 0xC0, 0x35, 0x4B, 0xE3, 0x77, 0x31, 0x61, 0xFF,
+        0xB4, 0x03, 0xE6, 0x11, 0x80, 0x1F, 0x35, 0x65, 0xF6, 0x47,
+        0x94, 0xE6, 0xB9, 0x60, 0x1E, 0xAE, 0x9C, 0x90, 0xE8, 0x53,
+        0x8A, 0x46, 0x61, 0x28, 0xFA, 0x4B, 0xE0, 0x71, 0x98, 0xF4,
+        0x9E, 0xC8, 0x31, 0x98, 0x27, 0x71, 0x6E, 0x3C, 0x85, 0x15,
+        0x6D, 0x56, 0x20, 0x3B, 0x16, 0xE7, 0x64, 0xB8, 0x51, 0x9A,
+        0x72, 0x75, 0xA1, 0xD2, 0x2F, 0xCF, 0x2B, 0x61, 0xA2, 0xA8,
+        0x8B, 0x59, 0x27, 0x4C, 0x18, 0x59, 0x33, 0xBF, 0x9E, 0x5C,
+        0xEF, 0xBE, 0x71, 0x62, 0x62, 0x20, 0xC8, 0xDC, 0xAF, 0x74,
+        0xAA, 0x7B, 0xAA, 0xAF, 0x37, 0x81, 0x65, 0xCA, 0xF1, 0x7D,
+        0xD4, 0x58, 0x11, 0xD7, 0x18, 0xF7, 0x50, 0xA2, 0xA8, 0x89,
+        0x90, 0x7C, 0x30, 0xDE, 0x2E, 0xF6, 0xBD, 0x3E, 0xBF, 0x14,
+        0x1E, 0xD4, 0x85, 0x8C, 0x38, 0x1C, 0xA4, 0x26, 0xB7, 0x86,
+        0xE5, 0x17, 0xFC, 0x67, 0x93, 0x86, 0x1C, 0x1F, 0x91, 0x6F,
+        0x8C, 0x99, 0xA6, 0x7F, 0x93, 0x92, 0xDB, 0x45, 0x75, 0xBB,
+        0xB0, 0x78, 0xA3, 0x8B, 0x67, 0xF7, 0x94, 0x26, 0xAC, 0xB9,
+        0x4A, 0xCA, 0x1F, 0x73, 0xFC, 0x52, 0x78, 0xB8, 0x14, 0x02,
+        0xBF, 0x69, 0x6F, 0x70, 0x21, 0xAE, 0xD4, 0x12, 0x4F, 0xD1,
+        0x9F, 0xE6, 0x56, 0x11, 0x80, 0x39, 0x66, 0xE0, 0xD4, 0x56,
+        0x5B, 0x32, 0xC6, 0x6C, 0xB8, 0xD2, 0xF4, 0x23, 0x7F, 0xBB,
+        0x62, 0x2F, 0x5D, 0x67, 0x37, 0x38, 0x74, 0xCA, 0xB3, 0x3F,
+        0x17, 0x53, 0x97, 0xA4, 0xBD, 0xDA, 0x26, 0x6A, 0xB3, 0xD9,
+        0x9F, 0xAC, 0xD2, 0x58, 0x4F, 0x24, 0x8C
+};
+#define sizeof_cn_ip_wildcard_der (sizeof(cn_ip_wildcard_der))
+
+#endif /* OPENSSL_EXTRA && !NO_RSA */
+
 #endif /* WOLFSSL_CERTS_TEST_H */