Fix DecodeObjectId unknown ext parse

[embhorn]

Description

Fixes in DecodeObjectID:

• Moved the bounds check inside the y == 0 branch so that it checks *outSz < 2 before writing out[0] and out[1]. Previously the check y >= *outSz only validated one slot but the first-arc code writes two.
• Changed sizeof(decOid) to MAX_OID_SZ in both DumpOID() and the WC_ASN_UNKNOWN_EXT_CB code path, so DecodeObjectId receives the correct element count (32) rather than the byte count (64).

Fixes zd21392

Testing

Added test_wc_DecodeObjectId

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[Copilot]

Pull request overview

Fixes incorrect sizing and bounds-checking in OID decoding to prevent out-of-bounds writes and ensure correct arc decoding, and adds a regression test for DecodeObjectId.

Changes:

• Fix DecodeObjectId bounds check to require 2 output slots before writing the first two arcs.
• Pass element counts (not byte sizes) to DecodeObjectId from DumpOID() and unknown-extension callback path.
• Add API test coverage for DecodeObjectId, including the regression for the first-arc two-write case.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

File	Description
wolfssl/wolfcrypt/asn.h	Exposes DecodeObjectId to tests and adds an OpenSSL-compat macro alias.
wolfcrypt/src/asn.c	Fixes bounds-checking in DecodeObjectId and corrects decOidSz units at call sites.
tests/api/test_asn.h	Registers new test_wc_DecodeObjectId test case.
tests/api/test_asn.c	Adds DecodeObjectId unit/regression tests.

Comments suppressed due to low confidence (1)

wolfcrypt/src/asn.c:1

• The regression fix here is specifically about call sites passing the correct unit (element count vs byte size) into DecodeObjectId. The newly added test exercises DecodeObjectId directly, but doesn’t verify the corrected sizing behavior in DumpOID() (and similarly in the unknown-extension callback path). Consider adding a test that drives DumpOID()/ASN print (or a known unknown-extension callback invocation) far enough to ensure these call sites decode the full OID rather than failing/truncating due to an incorrect outSz.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The test’s compile guard doesn’t include OPENSSL_ALL, but the header enables the DecodeObjectId mapping/prototype under (HAVE_OID_DECODING || WOLFSSL_ASN_PRINT || OPENSSL_ALL). To avoid leaving this behavior untested in configurations where OPENSSL_ALL is set without the other two flags, align the test guard with the header condition.

[Copilot]

This test relies on truncation of the 113549 arc into word16, which makes the expected value less intuitive and ties the test to the current (potentially undesirable) width limitation rather than the decode logic you’re targeting. Consider switching to an OID where all arcs fit in word16 (while still exercising multi-byte base-128 decoding), so assertions remain exact and clearer (e.g., an OID with arcs like 840 and 10045 rather than 113549).