x509 attribute cert support

certs/acert/acert.pem

@@ -0,0 +1,23 @@
+-----BEGIN ATTRIBUTE CERTIFICATE-----
+MIID4zCCAssCAQEwOaA3MB+kHTAbMRkwFwYDVQQDDBBUUE0gTWFudWZhY3R1cmVy
+AhRADHoGLYO7i9GfV2Yz2rrlRFDPSqA6MDikNjA0MQswCQYDVQQGEwJVUzEUMBIG
+A1UECgwLZXhhbXBsZS5jb20xDzANBgNVBAsMBlBDVGVzdDANBgkqhkiG9w0BAQsF
+AAIBATAiGA8yMDE4MDEwMTA1MDAwMFoYDzIwMjgwMTAxMDUwMDAwWjCB7TALBgVn
+gQUCEzECMAAwHAYFZ4EFAhExEzARMAkCAQECAQMCARYEBAAAAAEwEgYFZ4EFAhkx
+CTAHBgVngQUIAjCBlQYHZ4EFBQEHAjGBiTCBhqBkMC8wDgYGZ4EFEgMBBAQAAgAB
+DBJYWVogQ29tcHV0aW5nIEluYy4MATGABkFCQzEyMzAxMA4GBmeBBRIDAQQEAAcA
+AgwNTm90IFNwZWNpZmllZAwDSEQxgAgxMjM0QUJDRIMB/6IeMBwMCHVuYW1lIC1y
+DBA2LjUuMC0xNS1nZW5lcmljMBQGBWeBBQIXMQswCQIBAQIBAQIBETCCAScwbwYD
+VR0jBGgwZoAUl46DRCrPD3GZndkBbbNDngf6ZHChOKQ2MDQxCzAJBgNVBAYTAlVT
+MRQwEgYDVQQKDAtleGFtcGxlLmNvbTEPMA0GA1UECwwGUENUZXN0ghRmuv6Ey2Ja
+dCAOFysMNOn9CiH45zBBBgNVHSAEOjA4MDYGAioDMDAwLgYIKwYBBQUHAgIwIgwg
+VENHIFRydXN0ZWQgUGxhdGZvcm0gRW5kb3JzZW1lbnQwcQYDVR0RBGowaKRmMGQx
+EzARBgZngQUFAQQMB01vZGVsIEExHjAcBgZngQUFAQEMElhZWiBDb21wdXRpbmcg
+SW5jLjEZMBcGBmeBBQUBBQwNTm90IFNwZWNpZmllZDESMBAGBmeBBQUBBgwGQUJD
+MTIzMA0GCSqGSIb3DQEBCwUAA4IBAQB2SdELM7Dqaq2mvT+IV3pCBN7qPzRL+sO4
+MZG6jpTbbblr124KM84g936zLVZxOJeAa+Ie7r0ET7GYI+zKtpLmIZrlqhZl4YkP
+3g65JsIVc5PvOogxv67IxVigHu/NFKHIbFPz85drTatEVCfA8ac8BwJXXwuESLNr
+cH+K/vdLWDgMhsijhco82RI8x11wBvzMXLPnM5OnkiG/0zaEW7mk1gH2tBS6oCc+
+0v8y9jQ5NqyPo0mNhLJhUMonmvaGdZ3iDEFyF+iNuDc3pP5PA1YDKk/BYGXt1NUE
+89mkuGoF8bwkU9uqLKQ3jpCKx/SZZ08IK5MPQyzsnwjyhrsrP3Qm
+-----END ATTRIBUTE CERTIFICATE-----

certs/acert/acert_ietf.pem

@@ -0,0 +1,15 @@
+-----BEGIN ATTRIBUTE CERTIFICATE-----
+MIICPTCCASUCAQEwN6AWMBGkDzANMQswCQYDVQQDDAJDQQIBAqEdpBswGTEXMBUG
+A1UEAwwOc2VydmVyLmV4YW1wbGWgLTArpCkwJzElMCMGA1UEAwwcQXR0cmlidXRl
+IENlcnRpZmljYXRlIElzc3VlcjANBgkqhkiG9w0BAQsFAAIUA7WQWQKiqrVAIUS4
+LE/ZgBtfV8IwIhgPMjAyMTA2MTUxMjM1MDBaGA8yMDMxMDYxMzEyMzUwMFowQTAj
+BggrBgEFBQcKBDEXMBWgCYYHVGVzdHZhbDAIDAZncm91cDEwGgYDVQRIMRMwEaEP
+gw1hZG1pbmlzdHJhdG9yMCwwHwYDVR0jBBgwFoAUYm7JaGdsZLtTgt0tqoCK2MrI
+i10wCQYDVR04BAIFADANBgkqhkiG9w0BAQsFAAOCAQEAlIOJ2Dj3TEUj6BIv6vUs
+GqFWms05i+d10XSzWrunlUTQPoJcUjYkifOWp/7RpZ2XnRl+6hH+nIbmwSmXWwBn
+ERw2bQMmw//nWuN4Qv9t7ltuovWC0pJX6VMT1IRTuTV4SxuZpFL37vkmnFlPBlb+
+mn3ESSxLTjThWFIq1tip4IaxE/i5Uh32GlJglatFHM1PCGoJtyLtYb6KHDlvknw6
+coDyjIcj0FZwtQw41jLwxI8jWNmrpt978wdpprB/URrRs+m02HmeQoiHFi/qvdv8
+d+5vHf3Pi/ulhz/+dvr0p1vEQSoFnYxLXuty2p5m3PJPZCFmT3gURgmgR3BN9d7A
+Bw==
+-----END ATTRIBUTE CERTIFICATE-----

certs/acert/acert_ietf_pubkey.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqvpigJZE2asRTFe63b3f
+xvh0swQuX+L4hW08E7mlm0NSQvBVs8yebELNnZLL738fvocvQMwAjf+8+Lyjb1fr
+FYMYvJpb6LmGA2Ysyt6Ny700dpiUValtd4mwtjSCH0/k4rCiaiCYWaN79Le9ZGwD
+pZ341kVX74JkNdaXs1EJ1tkUUoq6aIu5CWYncxjA4IufduHV1Eh/dpNq1tuLHjgY
+Y3NwYDJcotmN9mmIO+MAuZ1TzifhIy14tNGIspYpSZbn8j2RQpQOclhMVWeM5t0i
+TWgOO+jhJngptIJMXEaQQzKPiazv6pBhk8oamAZ0Nipr+DI8iDxvzHtyFDRVToOg
+1QIDAQAB
+-----END PUBLIC KEY-----

certs/acert/acert_pubkey.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArjl1VnpENuEfQCVm2E4q
+h28D62c0pX5IgN5F2RoS7siU2Oc9hsSz6Hj+9o0SRhUTEAxxrML2d7TM2SVoIJ/x
+CFrchA1fIZQm7FWJa7MDFpxkRc7cNUGrZ5oyVCHtK6IbKiU4y8B/vova6+dyy6bi
+j97ea0UDL8ztKNyDUH9ZntyFrHTltA/ZlEjmxGHQJQd4RBO6RdfM70R7l+YTGa2N
+PflyiRY2SKNXXx8cVUURJvkOXVfLCuRUzG+NnSS62WRuWOOD0ZjiJCnwkTJZQNw0
+qI+hLhWN+//05JeKOw6rNVVUHR/R0GgjPL6FIQ/+yF2Z8nCd8lVIIY+hQsM/1l/h
+2QIDAQAB
+-----END PUBLIC KEY-----

certs/acert/include.am

@@ -0,0 +1,13 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+#
+
+EXTRA_DIST += \
+		certs/acert/acert.pem \
+		certs/acert/acert_ietf.pem \
+		certs/acert/acert_pubkey.pem \
+		certs/acert/acert_ietf_pubkey.pem \
+		certs/acert/rsa_pss/acert.pem \
+		certs/acert/rsa_pss/acert_ietf.pem \
+		certs/acert/rsa_pss/acert_pubkey.pem \
+		certs/acert/rsa_pss/acert_ietf_pubkey.pem

certs/acert/rsa_pss/acert.pem

@@ -0,0 +1,25 @@
+-----BEGIN ATTRIBUTE CERTIFICATE-----
+MIIESzCCAv8CAQEwOaA3MB+kHTAbMRkwFwYDVQQDDBBUUE0gTWFudWZhY3R1cmVy
+AhRADHoGLYO7i9GfV2Yz2rrlRFDPSqA6MDikNjA0MQswCQYDVQQGEwJVUzEUMBIG
+A1UECgwLZXhhbXBsZS5jb20xDzANBgNVBAsMBlBDVGVzdDBBBgkqhkiG9w0BAQow
+NKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUA
+ogMCASACAQEwIhgPMjAxODAxMDEwNTAwMDBaGA8yMDI4MDEwMTA1MDAwMFowge0w
+CwYFZ4EFAhMxAjAAMBwGBWeBBQIRMRMwETAJAgEBAgEDAgEWBAQAAAABMBIGBWeB
+BQIZMQkwBwYFZ4EFCAIwgZUGB2eBBQUBBwIxgYkwgYagZDAvMA4GBmeBBRIDAQQE
+AAIAAQwSWFlaIENvbXB1dGluZyBJbmMuDAExgAZBQkMxMjMwMTAOBgZngQUSAwEE
+BAAHAAIMDU5vdCBTcGVjaWZpZWQMA0hEMYAIMTIzNEFCQ0SDAf+iHjAcDAh1bmFt
+ZSAtcgwQNi41LjAtMTUtZ2VuZXJpYzAUBgVngQUCFzELMAkCAQECAQECAREwggEn
+MG8GA1UdIwRoMGaAFJeOg0Qqzw9xmZ3ZAW2zQ54H+mRwoTikNjA0MQswCQYDVQQG
+EwJVUzEUMBIGA1UECgwLZXhhbXBsZS5jb20xDzANBgNVBAsMBlBDVGVzdIIUZrr+
+hMtiWnQgDhcrDDTp/Qoh+OcwQQYDVR0gBDowODA2BgIqAzAwMC4GCCsGAQUFBwIC
+MCIMIFRDRyBUcnVzdGVkIFBsYXRmb3JtIEVuZG9yc2VtZW50MHEGA1UdEQRqMGik
+ZjBkMRMwEQYGZ4EFBQEEDAdNb2RlbCBBMR4wHAYGZ4EFBQEBDBJYWVogQ29tcHV0
+aW5nIEluYy4xGTAXBgZngQUFAQUMDU5vdCBTcGVjaWZpZWQxEjAQBgZngQUFAQYM
+BkFCQzEyMzBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZI
+hvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASADggEBAH4FGu9CJJ/NraWxXoB+EuHu
+Ec95MPJDHnsDLea45z5TXkdxCd8Tb5EBuWYFCI6nkpWtkiF5UaLncQD/1ag0ECjZ
+duhmoaM01t8TERP1x2xOotpiS0nDGiAqn3twBS3NZlxgEDRMvW92tM49Vvlk7JwD
+Kxv9+qXidCXt62dcDNJoe1Uj9HXxuOO2NaO9OQHlPkY5GctKbcDBwaDUlEz40J9k
+PoXDNurLmI/nNgMDgicKdzdmhMT/BSXSt7Z228p7QcgROgJ5xTEVIMm+lGcBg1Sc
+RnWTVNjrIG+/nzYZENr+F40nrIKbkIIZTLCqwAN6fFFt/jNc44SdoJMNsKe1bTM=
+-----END ATTRIBUTE CERTIFICATE-----

certs/acert/rsa_pss/acert_ietf.pem

@@ -0,0 +1,17 @@
+-----BEGIN ATTRIBUTE CERTIFICATE-----
+MIICpTCCAVkCAQEwN6AWMBGkDzANMQswCQYDVQQDDAJDQQIBAqEdpBswGTEXMBUG
+A1UEAwwOc2VydmVyLmV4YW1wbGWgLTArpCkwJzElMCMGA1UEAwwcQXR0cmlidXRl
+IENlcnRpZmljYXRlIElzc3VlcjBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQC
+AQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASACFAO1kFkCoqq1
+QCFEuCxP2YAbX1fCMCIYDzIwMjEwNjE1MTIzNTAwWhgPMjAzMTA2MTMxMjM1MDBa
+MEEwIwYIKwYBBQUHCgQxFzAVoAmGB1Rlc3R2YWwwCAwGZ3JvdXAxMBoGA1UESDET
+MBGhD4MNYWRtaW5pc3RyYXRvcjAsMB8GA1UdIwQYMBaAFGJuyWhnbGS7U4LdLaqA
+itjKyItdMAkGA1UdOAQCBQAwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF
+AKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IBAQCX18Lyj2CR
+AJL9JAwxYgWbk7fWif2mG5IiQ264Rd0W6ugqw1hYseKHnRI5LpxsRVF5kEaFs2ta
+FhwxxOtAo8YvbxMC4emuatbqwOlWQYwk9wPLbZb1nd1FItPtO98FK7/vF0263eJu
+A+UFxmDvLlao3SzP19mtCOcUjGsVxcJ2PN05wDUzITu2vGXuJAdjHcYX+s1UMLwk
+WMwHsz7EK2Al/FavI1MfZp0lVFi++CMOAdLIRbTjlACATDq6Q6kPc+bTqvMYoca2
+bGLw1jSig6T3DvGa3O/BwRMOhyqCtJNQYY7MYxcZhPR4Y0RLmyFnFiSzwypL6oMk
+QMaW0z/K5YO2
+-----END ATTRIBUTE CERTIFICATE-----

certs/acert/rsa_pss/acert_ietf_pubkey.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIDALBgkqhkiG9w0BAQoDggEPADCCAQoCggEBALg9nrRhxCl5zxFdE7Le9GXL
+9M8Rzx5xU3meu6yp9lFIc3+FxNoc5E8nk7HXUK82iuEChcSlqt0j0/y03YqM+O45
+N6A9OkEkjdyL8BaeQEgNxZY16/nvhhnH0Bzg4n7DMvy3sUPQvsAu9tpbfSd+WNDT
+vtO9Fe84HIBkYhRuaIv7ca1UYn7R2VQk1RXK0lfY4orCOrexmlfPciJaTJcR5Lyi
+pjUj7X5lruRHVibrMY+Z+8DtvPaDZ7HFiuXzpGPQ0W907Wt7zEJfmTMUyQoOMDMM
+4iSlq0ib3rdZt9y2obCggRTFAtMAFIJ29FOT9FYDagMYFSqhnrR3ohiTNzfpYNMC
+AwEAAQ==
+-----END PUBLIC KEY-----

certs/acert/rsa_pss/acert_pubkey.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIDALBgkqhkiG9w0BAQoDggEPADCCAQoCggEBAL0P9mcosJbMQavKMo6FvjK/
+vC5PZAFYxsbQnDiG3kb3gCsshI8HQzHNIuw4wN3waJrqnFmsmsUqMENtsC0J2Fty
+DOI5791Ma7JUKT31RW6f5eU2Gjx1+evNWtWs2WzupsZdPS3DlgEQJsTSw3Fs1q5w
+JVLVHhtOjCwdj2QO9Xr17Nt0ZOfKoJdqth3LAVujMnOw9gbyTbCrCB+z1Mkq+dK4
+K0v6IPZqY76LVhR42y/lyG+MZ8jswg4I4qAE+iIwPi/9Tz9UdNwMfSr3gdD13pa3
+VqnGZG83prqPLEHwsSNpWGdDx7pQxgBkAPztO+7LPrMd1ck8Uugsq36pusLjdQ0C
+AwEAAQ==
+-----END PUBLIC KEY-----

certs/include.am

@@ -148,4 +148,5 @@ include certs/rsapss/include.am
 include certs/dilithium/include.am
 include certs/sphincs/include.am
 include certs/rpk/include.am
+include certs/acert/include.am
 

configure.ac

@@ -3840,6 +3840,12 @@ then
     ENABLED_KEYGEN=yes
 fi
 
+# ATTRIBUTE CERTIFICATES
+AC_ARG_ENABLE([acert],
+    [AS_HELP_STRING([--enable-acert],[Enable attribute certificate support (default: disabled)])],
+    [ ENABLED_ACERT=$enableval ],
+    [ ENABLED_ACERT=no ]
+    )
 
 # CERT GENERATION
 AC_ARG_ENABLE([certgen],
@@ -9237,6 +9243,9 @@ AS_IF([test "x$ENABLED_ALTNAMES" = "xyes"],
 AS_IF([test "x$ENABLED_KEYGEN" = "xyes"],
       [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
 
+AS_IF([test "x$ENABLED_ACERT" = "xyes"],
+      [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ACERT"])
+
 AS_IF([test "x$ENABLED_CERTREQ" = "xyes"],
       [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"])
 
@@ -10227,6 +10236,7 @@ echo "   * BLAKE2S:                    $ENABLED_BLAKE2S"
 echo "   * SipHash:                    $ENABLED_SIPHASH"
 echo "   * CMAC:                       $ENABLED_CMAC"
 echo "   * keygen:                     $ENABLED_KEYGEN"
+echo "   * acert:                      $ENABLED_ACERT"
 echo "   * certgen:                    $ENABLED_CERTGEN"
 echo "   * certreq:                    $ENABLED_CERTREQ"
 echo "   * certext:                    $ENABLED_CERTEXT"

src/internal.c

@@ -12640,6 +12640,45 @@ static void AddSessionCertToChain(WOLFSSL_X509_CHAIN* chain,
 }
 #endif
 
+#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \
+    defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+    defined(WOLFSSL_ACERT)
+    static int CopyAltNames(DNS_entry** to, DNS_entry* from, int type, void* heap)
+{
+    /* Copy from to the beginning of to */
+    DNS_entry** prev_next = to;
+    DNS_entry* next;
+
+    if (to == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    next = *to;
+
+    for (; from != NULL; from = from->next) {
+        DNS_entry* dnsEntry;
+
+        if (type != -1 && from->type != type)
+            continue;
+
+        dnsEntry = AltNameDup(from, heap);
+        if (dnsEntry == NULL) {
+            WOLFSSL_MSG("\tOut of Memory");
+            return MEMORY_E;
+        }
+
+        dnsEntry->next = next;
+        *prev_next = dnsEntry;
+        prev_next = &dnsEntry->next;
+    }
+
+    return 0;
+}
+#endif /* KEEP_PEER_CERT || SESSION_CERTS ||
+        * OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL ||
+        * WOLFSSL_ACERT */
+
+
 #if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \
     defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 void CopyDecodedName(WOLFSSL_X509_NAME* name, DecodedCert* dCert, int nameType)
@@ -12674,38 +12713,6 @@ void CopyDecodedName(WOLFSSL_X509_NAME* name, DecodedCert* dCert, int nameType)
     }
 }
 
-static int CopyAltNames(DNS_entry** to, DNS_entry* from, int type, void* heap)
-{
-    /* Copy from to the beginning of to */
-    DNS_entry** prev_next = to;
-    DNS_entry* next;
-
-    if (to == NULL) {
-        return BAD_FUNC_ARG;
-    }
-
-    next = *to;
-
-    for (; from != NULL; from = from->next) {
-        DNS_entry* dnsEntry;
-
-        if (type != -1 && from->type != type)
-            continue;
-
-        dnsEntry = AltNameDup(from, heap);
-        if (dnsEntry == NULL) {
-            WOLFSSL_MSG("\tOut of Memory");
-            return MEMORY_E;
-        }
-
-        dnsEntry->next = next;
-        *prev_next = dnsEntry;
-        prev_next = &dnsEntry->next;
-    }
-
-    return 0;
-}
-
 #ifdef WOLFSSL_CERT_REQ
 static int CopyREQAttributes(WOLFSSL_X509* x509, DecodedCert* dCert)
 {
@@ -13212,6 +13219,122 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 
 #endif /* KEEP_PEER_CERT || SESSION_CERTS */
 
+#if defined(WOLFSSL_ACERT)
+/* Copy a DecodedAcert structure to an X509_ACERT.
+ *
+ * @param [out]     x509        the dst X509 acert structure
+ * @param [in]      dAcert      the src decoded acert structure
+ *
+ * @return  0   on success
+ * @return  < 0 on error
+ * */
+int CopyDecodedAcertToX509(WOLFSSL_X509_ACERT* x509, DecodedAcert* dAcert)
+{
+    int ret = 0;
+
+    if (x509 == NULL || dAcert == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* Copy version and serial number. */
+    x509->version = dAcert->version + 1;
+
+    XMEMCPY(x509->serial, dAcert->serial, EXTERNAL_SERIAL_SIZE);
+    x509->serialSz = dAcert->serialSz;
+
+    if (dAcert->holderSerialSz > 0) {
+        /* This ACERT Holder field had a serial number. Copy it. */
+        XMEMCPY(x509->holderSerial, dAcert->holderSerial,
+                dAcert->holderSerialSz);
+        x509->holderSerialSz = dAcert->holderSerialSz;
+    }
+
+    /* Copy before and after dates. */
+    {
+        int minSz = 0;
+
+        if (dAcert->beforeDateLen > 0) {
+            minSz = (int)min(dAcert->beforeDate[1], MAX_DATE_SZ);
+            x509->notBefore.type = dAcert->beforeDate[0];
+            x509->notBefore.length = minSz;
+            XMEMCPY(x509->notBefore.data, &dAcert->beforeDate[2], minSz);
+        }
+        else {
+            x509->notBefore.length = 0;
+        }
+
+        if (dAcert->afterDateLen > 0) {
+            minSz = (int)min(dAcert->afterDate[1], MAX_DATE_SZ);
+            x509->notAfter.type = dAcert->afterDate[0];
+            x509->notAfter.length = minSz;
+            XMEMCPY(x509->notAfter.data, &dAcert->afterDate[2], minSz);
+        }
+        else {
+            x509->notAfter.length = 0;
+        }
+    }
+
+    /* Copy the signature. */
+    if (dAcert->signature != NULL && dAcert->sigLength != 0 &&
+            dAcert->sigLength <= MAX_ENCODED_SIG_SZ) {
+        x509->sig.buffer = (byte*)XMALLOC(
+                          dAcert->sigLength, x509->heap, DYNAMIC_TYPE_SIGNATURE);
+        if (x509->sig.buffer == NULL) {
+            ret = MEMORY_E;
+        }
+        else {
+            XMEMCPY(x509->sig.buffer, dAcert->signature, dAcert->sigLength);
+            x509->sig.length = dAcert->sigLength;
+            x509->sigOID = (int)dAcert->signatureOID;
+        }
+    }
+
+    /* if der contains original source buffer then store for potential
+     * retrieval */
+    if (dAcert->source != NULL && dAcert->maxIdx > 0) {
+        if (AllocDer(&x509->derCert, dAcert->maxIdx, CERT_TYPE, x509->heap)
+                                                                         == 0) {
+            XMEMCPY(x509->derCert->buffer, dAcert->source, dAcert->maxIdx);
+        }
+        else {
+            ret = MEMORY_E;
+        }
+    }
+
+    /* Copy holder and att cert issuer names if present. */
+    if (CopyAltNames(&x509->holderIssuerName, dAcert->holderIssuerName,
+                ASN_DIR_TYPE, x509->heap) != 0) {
+        return MEMORY_E;
+    }
+
+    if (CopyAltNames(&x509->holderEntityName, dAcert->holderEntityName,
+                ASN_DIR_TYPE, x509->heap) != 0) {
+        return MEMORY_E;
+    }
+
+    if (CopyAltNames(&x509->AttCertIssuerName, dAcert->AttCertIssuerName,
+                ASN_DIR_TYPE, x509->heap) != 0) {
+        return MEMORY_E;
+    }
+
+    if (dAcert->rawAttr && dAcert->rawAttrLen > 0) {
+        /* Allocate space for the raw Attributes field, then copy it in. */
+        x509->rawAttr = (byte*)XMALLOC(dAcert->rawAttrLen, x509->heap,
+                                       DYNAMIC_TYPE_X509_EXT);
+        if (x509->rawAttr != NULL) {
+            XMEMCPY(x509->rawAttr, dAcert->rawAttr, dAcert->rawAttrLen);
+            x509->rawAttrLen = dAcert->rawAttrLen;
+        }
+        else {
+            ret = MEMORY_E;
+        }
+    }
+
+    return ret;
+}
+#endif /* WOLFSSL_ACERT */
+
+
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
      (defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && !defined(WOLFSSL_NO_TLS12))
 static int ProcessCSR(WOLFSSL* ssl, byte* input, word32* inOutIdx,