From 41171af60f7ceb002c0f189d41c32c0d1675bbcb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?=
Date: Tue, 2 Jun 2026 15:24:18 +0200
Subject: [PATCH] Gating fix for SAN URI test

---
 tests/api/test_certman.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/tests/api/test_certman.c b/tests/api/test_certman.c
index cf404524f5d..95bb491bfe7 100644
--- a/tests/api/test_certman.c
+++ b/tests/api/test_certman.c
@@ -2115,13 +2115,21 @@ int test_wolfSSL_X509_check_host_URI_SAN_not_DNS_match(void)
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA) && \
 defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
 defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
- !defined(NO_SHA256)
+ !defined(NO_SHA256) && \
+ (defined(WOLFSSL_FPKI) || defined(WOLFSSL_NO_ASN_STRICT))
 /* RFC 6125 Sec. 6.4 / RFC 9525 Sec. 6.3: DNS-ID reference identifiers
 * must be matched only against dNSName SANs, not uniformResourceIdentifier.
 * wolfSSL_X509_add_altname() is used to attach a bare-hostname URI SAN
 * (the misissue shape that can reach altNames when certificate parsing is
 * built without strict URI checks). URI SAN presence still suppresses CN
- * fallback per RFC 6125 Sec. 6.4.4. */
+ * fallback per RFC 6125 Sec. 6.4.4.
+ *
+ * This test requires WOLFSSL_FPKI or WOLFSSL_NO_ASN_STRICT: the URI SAN
+ * value used here is a bare hostname, which is not a valid absolute URI
+ * (no scheme). Under strict parsing (RFC 5280 Sec. 4.2.1.6) such a URI is
+ * rejected with ASN_ALT_NAME_E, so the constructed certificate would fail
+ * to re-parse in wolfSSL_X509_check_host and never reach CheckForAltNames'
+ * URI-skipping logic that this test exercises. */
 WOLFSSL_EVP_PKEY *priv = NULL;
 WOLFSSL_X509_NAME* name = NULL;
 const char* server_cert = "./certs/test/server-goodcn.pem";
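Review bot: The added gate `(defined(WOLFSSL_FPKI) || defined(WOLFSSL_NO_ASN_STRICT))` removes this test from the default strict-parsing configuration, so the DNS-ID-versus-URI-SAN matching rule it exercises (RFC 6125 Sec. 6.4 / RFC 9525 Sec. 6.3) is now only checked in builds that also disable the RFC 5280 absolute-URI check; that coverage loss is worth stating in the commit message or tracking in a follow-up. The CN-fallback-suppression half of the test (URI SAN presence suppresses CN fallback) does not appear to depend on a relative URI and could presumably be retained under strict builds by attaching a scheme-qualified URI SAN, which would keep at least that rule covered by default. As a point of style, the gating rationale paragraph sits inside the `#if` body, so a reader of the preprocessor condition does not see it; a one-line pointer on the condition, e.g. `/* FPKI / NO_ASN_STRICT only: the relative-URI SAN used below is rejected at parse time in strict builds, see comment below */`, would help. The enclosing test function and its `#else`/skip branch continue outside the hunk, so I could not confirm that the newly excluded configurations report the test as skipped rather than passed.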