NameConstraints: support wildcard SAN #10549
Pull request overview
Adds correct RFC 5280 nameConstraints handling for wildcard DNS SANs and fixes URI host constraint semantics so constraints without a leading . are treated as exact-host matches (not subtrees), strengthening certificate verification behavior.
Changes:
- Normalize trailing-dot DNS names for nameConstraints comparisons and add label-wise wildcard DNS SAN vs subtree matching.
- Update URI nameConstraint matching to apply DNS-subtree behavior only for constraints that begin with `.`; otherwise require exact host match.
- Add unit tests for the new matchers plus an end-to-end chain-verification regression test covering DNS/URI wildcard scenarios.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| wolfssl/wolfcrypt/asn.h | Exposes new local test-visible helpers for URI constraints and wildcard DNS constraint matching. |
| wolfcrypt/src/asn.c | Implements trailing-dot normalization for DNS constraints, exports URI constraint matcher, and adds wildcard-aware DNS subtree matching logic. |
| tests/api/test_asn.h | Registers new ASN matcher unit tests. |
| tests/api/test_asn.c | Adds targeted unit tests for DNS wildcard constraint matching and URI host constraint semantics. |
| tests/api.c | Adds an end-to-end regression test verifying DNS/URI nameConstraints enforcement via real chain verification. |
retest this please
wolfSSL-Fenrir-bot left a comment
Fenrir Automated Review — PR #10549
Scan targets checked: wolfcrypt-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
```c
    }
    else {
        int i;
        if (hostSz != baseSz) {
```
🟠 [Medium] URI exact-host constraints skip trailing-dot normalization · X.509 and ASN.1 parsing vulnerabilities
wolfssl_local_MatchUriNameConstraint() performs exact URI-host matching before stripping the DNS absolute-name trailing dot, so https://host.com./ does not match an excluded host.com constraint and the chain is accepted.
Fix: Normalize one trailing dot from both hostStart/hostSz and base/baseSz before the exact-host length and byte comparison.
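The constraint semantics summarized in the Copilot overview (label-wise wildcard DNS SAN matching, leading-dot URI bases as subtrees, everything else exact) and the trailing-dot normalization the Fenrir finding asks for, carried through in one added reference implementation. This is an illustration written for this page, not wolfSSL's asn.c code; the function names and the conservative wildcard rule (the labels after `*.` must themselves lie inside the base) are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* Drop one trailing dot (absolute-name form, "host.com.") before comparing. */
static size_t strip_trailing_dot(const char *s, size_t n)
{
    return (n > 0 && s[n - 1] == '.') ? n - 1 : n;
}
/* Case-insensitive equality of two n-byte fragments (DNS names ignore case). */
static int eq_ci(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}
/* 1 if name is strictly longer than suf and ends with it. */
static int ends_with_ci(const char *name, size_t nameSz, const char *suf, size_t sufSz)
{
    return nameSz > sufSz && eq_ci(name + nameSz - sufSz, suf, sufSz);
}
/* RFC 5280 DNS subtree: name equals base or sits below it on a label boundary;
 * a base with a leading '.' matches only names below it. Both sides normalized. */
static int dns_in_subtree(const char *name, size_t nameSz, const char *base, size_t baseSz)
{
    nameSz = strip_trailing_dot(name, nameSz);
    baseSz = strip_trailing_dot(base, baseSz);
    if (baseSz == 0) return 1;                   /* empty base covers every name */
    if (base[0] == '.') return ends_with_ci(name, nameSz, base, baseSz);
    if (nameSz == baseSz) return eq_ci(name, base, baseSz);
    return ends_with_ci(name, nameSz, base, baseSz) && name[nameSz - baseSz - 1] == '.';
}
/* DNS SAN vs constraint. A wildcard SAN ("*.example.com") stands for one leftmost
 * label, so it is inside the subtree only if the labels after "*." are (assumed rule). */
int dns_san_in_subtree(const char *san, const char *base)
{
    size_t sanSz = strlen(san), baseSz = strlen(base);
    if (sanSz >= 2 && san[0] == '*' && san[1] == '.') {
        if (baseSz > 0 && base[0] == '.') { base++; baseSz--; } /* '*' supplies the sub-label */
        return dns_in_subtree(san + 2, sanSz - 2, base, baseSz);
    }
    return dns_in_subtree(san, sanSz, base, baseSz);
}
/* URI constraint: a base beginning with '.' is a DNS subtree (host must be below it);
 * any other base must equal the host exactly, after both lose a trailing dot. */
int uri_host_matches_constraint(const char *host, const char *base)
{
    size_t hostSz = strip_trailing_dot(host, strlen(host));
    size_t baseSz = strip_trailing_dot(base, strlen(base));
    if (baseSz > 0 && base[0] == '.') return ends_with_ci(host, hostSz, base, baseSz);
    return hostSz == baseSz && eq_ci(host, base, baseSz);
}
```

With the normalization in `uri_host_matches_constraint`, a host of `host.com.` matches an exact-host constraint of `host.com`, which is exactly the case the finding says an excluded constraint must not miss.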
Description
Proper NameConstraint checking in case of wildcard in the SAN DNS types