NameConstraints fixes #10638
Open
rizlik wants to merge 6 commits into
Conversation
Pull request overview
This PR tightens X.509 nameConstraints handling for URI GeneralNames so that when URI constraints are present, URIs whose host is not a DNS reg-name (e.g., IP-literals in brackets or IPv4address hosts) are rejected (“fail closed”), aligning with RFC 5280’s URI host requirements.
Changes:
- Add URI host extraction/type detection in wolfcrypt/src/asn.c and expose an internal helper to detect whether a URI has a DNS reg-name host.
- Enforce "fail closed" behavior when URI constraints exist but the presented URI host is not DNS (both in core verification and the OpenSSL-compat wolfSSL_NAME_CONSTRAINTS_check_name path).
- Update/extend unit tests to cover trailing-dot FQDN normalization and the new rejection behavior for IP-literal/IPv4 hosts under URI constraints.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| wolfssl/wolfcrypt/asn.h | Declares internal helper for determining whether a URI has a DNS reg-name host. |
| wolfcrypt/src/asn.c | Implements URI host parsing/type classification, applies DNS-host requirement when URI constraints are present, and normalizes trailing-dot behavior for exact-host URI constraints. |
| src/x509.c | Removes local URI host extraction and routes URI name constraint matching through wolfssl_local_MatchUriNameConstraint; adds fail-closed check for non-DNS URI hosts when URI constraints exist. |
| tests/api/test_asn.c | Expands URI name-constraint tests for trailing-dot equivalence and rejection of IP-literal/IPv4 hosts. |
| tests/api.c | Adds integration-style verification cases to ensure non-DNS URI hosts are rejected when URI constraints are applied (including excluded-only constraints). |
| tests/api/test_ossl_x509_ext.c | Updates test commentary to reflect DNS-host requirement for URI constraints. |
Pull the URI host extraction (scheme skip, userinfo skip, IP-literal brackets, port/path delimiters) into a GetUriHost helper so it can be reused by other URI name-constraint checks. No functional change.
RFC 5280 4.2.1.10 defines URI name constraints in terms of a host that is a fully qualified domain name; RFC 3986 IP-literal ([...]) and IPv4address hosts are not DNS reg-names and cannot be meaningfully matched against a DNS-style constraint base.
- Classify the host extracted by GetUriHost (IP-literal, IPv4address, reg-name) and validate that a reg-name has no empty labels.
- wolfssl_local_MatchUriNameConstraint() no longer matches URIs whose host is an IP address.
- ConfirmNameConstraints() fails closed: when URI constraints are present, a URI SAN without a DNS host is rejected. A plain non-match would otherwise let such names pass excluded-only constraints.
One trailing dot marks an absolute FQDN and is not part of the host: "host.com." and "host.com" denote the same host. Strip it from the URI host before classification (so "12.31.2.3." is still recognized as an IPv4 address) and from the constraint base before the exact-match comparison, mirroring what wolfssl_local_MatchBaseName() already does for DNS name constraints. Only a single dot is the marker: an empty last label ("host.com..") is rejected.
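The three commits above describe the GetUriHost extraction, the IP-literal/IPv4address/reg-name classification, the single-trailing-dot rule and the fail-closed check in ConfirmNameConstraints(). The C program below is an added example written for this page, not wolfSSL's code: it reimplements those rules stand-alone with hypothetical names (uri_host, classify_host, uri_matches_base, check_uri_san) on constructed sample constraints. Treating a URI with no authority component (e.g. mailto:) as having no DNS host, and treating a leading-dot URI base as a subtree, are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Added example, not wolfSSL code: extract a URI SAN's host, classify it
 * (RFC 3986 IP-literal / IPv4address / reg-name), and apply URI name
 * constraints with fail-closed semantics. All names are hypothetical. */
typedef enum { HOST_REG_NAME, HOST_IPV4, HOST_IP_LITERAL, HOST_INVALID } host_type_t;

static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (; n > 0; n--, a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return 1;
}

/* Skip "scheme://" and userinfo, keep "[...]" whole, stop at ":port" or the
 * path. Returns host length; 0 means no authority/host (e.g. "mailto:a@b"). */
static size_t uri_host(const char *uri, const char **host)
{
    const char *p = strchr(uri, ':'), *end, *q, *at = NULL;
    if (p == NULL || p[1] != '/' || p[2] != '/') return 0;
    p += 3;
    end = p + strcspn(p, "/?#");                    /* end of authority */
    for (q = p; q < end; q++) if (*q == '@') at = q;  /* last '@' ends userinfo */
    if (at) p = at + 1;
    *host = p;
    if (p < end && *p == '[') {                     /* IP-literal */
        const char *rb = memchr(p, ']', (size_t)(end - p));
        return rb ? (size_t)(rb - p + 1) : 0;
    }
    for (q = p; q < end && *q != ':'; q++) {}
    return (size_t)(q - p);
}

/* IPv4address: exactly four dec-octets (0-255) separated by single dots. */
static int is_ipv4(const char *h, size_t len)
{
    size_t i = 0; int octets = 0;
    while (i < len) {
        int val = 0, digits = 0;
        for (; i < len && isdigit((unsigned char)h[i]) && digits < 3; i++, digits++)
            val = val * 10 + (h[i] - '0');
        if (digits == 0 || val > 255) return 0;
        octets++;
        if (i == len) break;
        if (h[i] != '.' || ++i == len) return 0;
    }
    return octets == 4;
}

/* One trailing dot is the absolute-FQDN marker, not part of the host; any
 * empty label left after stripping it ("host.com..") is invalid. */
static host_type_t classify_host(const char *h, size_t len)
{
    size_t i;
    if (len == 0) return HOST_INVALID;
    if (h[0] == '[') return HOST_IP_LITERAL;
    if (h[len - 1] == '.') len--;
    if (len == 0 || h[0] == '.' || h[len - 1] == '.') return HOST_INVALID;
    for (i = 1; i < len; i++) if (h[i] == '.' && h[i - 1] == '.') return HOST_INVALID;
    return is_ipv4(h, len) ? HOST_IPV4 : HOST_REG_NAME;
}

/* A base with a leading '.' is a subtree (assumption); otherwise the host
 * must match exactly. A single trailing dot on either side is stripped first. */
static int uri_matches_base(const char *host, size_t hlen, const char *base)
{
    size_t blen = strlen(base);
    if (hlen && host[hlen - 1] == '.') hlen--;
    if (blen && base[blen - 1] == '.') blen--;
    if (blen && base[0] == '.')
        return hlen > blen && eq_nocase(host + hlen - blen, base, blen);
    return hlen == blen && eq_nocase(host, base, blen);
}

/* 1 = accepted, 0 = rejected. Once any URI constraint exists, a URI whose
 * host is not a DNS reg-name is rejected outright (fail closed) instead of
 * passing excluded-only constraints as a plain non-match. */
int check_uri_san(const char *uri, const char *const *permitted, size_t np,
                  const char *const *excluded, size_t ne)
{
    const char *host = NULL; size_t hlen, i;
    if (np == 0 && ne == 0) return 1;
    hlen = uri_host(uri, &host);
    if (hlen == 0 || classify_host(host, hlen) != HOST_REG_NAME) return 0;
    for (i = 0; i < ne; i++) if (uri_matches_base(host, hlen, excluded[i])) return 0;
    if (np == 0) return 1;
    for (i = 0; i < np; i++) if (uri_matches_base(host, hlen, permitted[i])) return 1;
    return 0;
}

/* Constructed sample constraints (hypothetical). */
static const char *const kPermitExact[] = { "example.com." };   /* absolute base */
static const char *const kPermitSub[]   = { ".example.com" };
static const char *const kExcludeFoo[]  = { "foo.example.com" };

int main(void)
{
    const char *u = "https://u@[2001:db8::1]:8443/x";      /* IP-literal host */
    printf("%s: permit-only=%d exclude-only=%d\n", u,
           check_uri_san(u, kPermitExact, 1, NULL, 0),
           check_uri_san(u, NULL, 0, kExcludeFoo, 1));     /* both 0: fail closed */
    return 0;
}
```

The excluded-only case is the one worth keeping in a regression suite: without the classify_host gate, "https://12.31.2.3./x" is simply a non-match against foo.example.com and would be accepted.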
Add wolfssl_local_MatchDnsNameConstraint() dispatching wildcard names to the subtree matcher and literal names to plain base-name matching, and use it for the ASN_DNS_TYPE branches of PermittedListOk() and IsInExcludedList(). This also drops the outer name->len >= base len byte-length guard for literal DNS names. That guard ran before MatchBaseName() could strip the absolute-FQDN trailing dot, so a constraint base like DNS:example.com. never matched the SAN example.com it denotes.
Replace ExtractHostFromUri() plus DNS-style base matching in MatchNameConstraint() with wolfssl_local_MatchUriNameConstraint(), and make wolfSSL_NAME_CONSTRAINTS_check_name() fail closed like ConfirmNameConstraints(): when URI subtrees are present, a URI name without a DNS host is rejected instead of passing excluded-only constraints as a plain non-match. This aligns the compat layer with RFC 5280 URI constraint semantics: a base without a leading dot now matches the host exactly instead of as a DNS subtree, and IP hosts no longer match at all.
MatchNameConstraint() compared wildcard DNS SANs literally, so *.example.com was not rejected by an excluded subtree covering foo.example.com. Route WOLFSSL_GEN_DNS through wolfssl_local_MatchDnsNameConstraint(), passing the subtree direction: permitted subtrees require every wildcard expansion to stay inside the subtree, excluded subtrees reject when any expansion can fall inside. This matches what ConfirmNameConstraints() already does.
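The last three commits route DNS SANs through one matcher that dispatches wildcard names to a direction-aware subtree check and literal names to plain base matching, with the trailing-dot base ("DNS:example.com.") handled before any length guard. The C program below is an added example for this page, not wolfSSL's code: it implements exactly the rule stated in the commit messages (permitted subtrees need every expansion of *.rest inside, excluded subtrees reject when any expansion can fall inside) with hypothetical names (in_subtree, dns_name_matches, check_dns_san) on constructed sample constraints. Treating a leading-dot DNS base like its dotless form is an assumption of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Added example, not wolfSSL code: one DNS matcher that dispatches wildcard
 * names to a subtree check aware of the constraint direction and literal
 * names to plain base matching. All names are hypothetical. */
typedef enum { SUBTREE_PERMITTED, SUBTREE_EXCLUDED } subtree_dir_t;

static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (; n > 0; n--, a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return 1;
}

/* Normalize a base: drop the absolute-FQDN trailing dot and a leading dot
 * (".example.com" and "example.com" are treated alike here: assumption). */
static void norm_base(const char **base, size_t *blen)
{
    if (*blen && (*base)[*blen - 1] == '.') (*blen)--;
    if (*blen && (*base)[0] == '.') { (*base)++; (*blen)--; }
}

/* name is the base itself or has labels added on its left. Normalization
 * runs before the length check, so "DNS:example.com." matches example.com. */
static int in_subtree(const char *name, size_t nlen, const char *base, size_t blen)
{
    if (nlen && name[nlen - 1] == '.') nlen--;
    norm_base(&base, &blen);
    if (blen == 0 || nlen < blen || !eq_nocase(name + nlen - blen, base, blen)) return 0;
    return nlen == blen || name[nlen - blen - 1] == '.';
}

/* Wildcard "*.rest": in a permitted subtree every expansion <label>.rest must
 * stay inside, which holds exactly when rest itself is inside. For an excluded
 * subtree it is enough that some expansion can fall inside: rest inside, or
 * the base being <one label>.rest. Literal names use plain base matching. */
static int dns_name_matches(const char *name, const char *base, subtree_dir_t dir)
{
    size_t nlen = strlen(name), blen = strlen(base), rlen;
    const char *rest;
    if (nlen < 2 || name[0] != '*' || name[1] != '.')
        return in_subtree(name, nlen, base, blen);
    rest = name + 2; rlen = nlen - 2;
    if (rlen && rest[rlen - 1] == '.') rlen--;
    if (in_subtree(rest, rlen, base, blen)) return 1;
    if (dir == SUBTREE_PERMITTED) return 0;
    norm_base(&base, &blen);
    if (blen <= rlen + 1 || base[blen - rlen - 1] != '.' ||
        !eq_nocase(base + blen - rlen, rest, rlen)) return 0;
    return memchr(base, '.', blen - rlen - 1) == NULL;   /* prefix is one label */
}

static int permitted_list_ok(const char *name, const char *const *b, size_t n)
{
    size_t i;
    if (n == 0) return 1;
    for (i = 0; i < n; i++) if (dns_name_matches(name, b[i], SUBTREE_PERMITTED)) return 1;
    return 0;
}

static int is_in_excluded_list(const char *name, const char *const *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) if (dns_name_matches(name, b[i], SUBTREE_EXCLUDED)) return 1;
    return 0;
}

/* 1 = DNS SAN accepted, 0 = rejected. */
int check_dns_san(const char *name, const char *const *perm, size_t np,
                  const char *const *excl, size_t ne)
{
    if (is_in_excluded_list(name, excl, ne)) return 0;
    return permitted_list_ok(name, perm, np);
}

/* Constructed sample constraints (hypothetical). */
static const char *const kPermExample[] = { "example.com." };   /* absolute base */
static const char *const kPermFoo[]     = { "foo.example.com" };
static const char *const kExclFoo[]     = { "foo.example.com" };
static const char *const kExclDeep[]    = { "bar.foo.example.com" };

int main(void)
{
    printf("*.example.com vs excluded foo.example.com: %d\n",
           check_dns_san("*.example.com", NULL, 0, kExclFoo, 1));       /* 0 */
    printf("*.example.com vs permitted example.com.: %d\n",
           check_dns_san("*.example.com", kPermExample, 1, NULL, 0));   /* 1 */
    return 0;
}
```

The asymmetry is the point: *.example.com is rejected by an excluded subtree at foo.example.com (the expansion foo.example.com lands inside it) but not by one at bar.foo.example.com (no single-label expansion can), while as a permitted subtree foo.example.com rejects the same wildcard because other expansions escape it.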
retest this please
dgarske
approved these changes
Jun 18, 2026