Skip to content

Add X.509 Name Constraints extension support for certificate validation #316

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cconlon wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add X.509 Name Constraints extension support for certificate validation #316

cconlon wants to merge 1 commit into from

Conversation

@cconlon
Copy link
Member

@cconlon cconlon commented Jan 23, 2026
edited
Loading

This PR adds WolfSSLNameConstraints and WolfSSLGeneralName classes to extract and validate X.509 Name Constraints extension (OID 2.5.29.30) from certificates. Includes JNI implementation wrapping native wolfSSL NAME_CONSTRAINTS structure.

  • WolfSSLNameConstraints class wrapping native WOLFSSL_NAME_CONSTRAINTS
  • WolfSSLGeneralName class for GeneralName type/value pairs
  • WolfSSLCertificate.getNameConstraints() to extract NC extension
  • WolfSSL.NameConstraintsEnabled() for feature detection
  • RFC 5280 compliant name checking for DNS, email, IP, and URI constraints
  • Unit tests covering permitted/excluded subtrees
  • Test certificates with various name constraint configurations
  • Update IDE project files (Android CMakeLists.txt, Windows vcxproj)
  • Update update-certs.sh to include name constraint test certs

Wraps new wolfSSL functionality introduced in wolfSSL/wolfssl#9705.

This new functionality relies on WOLFSSL_VERSION_HEX to detect if native wolfSSL support will be available. Since native wolfSSL version hex is still matching last stable version (5.8.4), if building wolfssljni against master wolfssl, you will need to define WOLFSSL_PR9705_PATCH_APPLIED when running ./java.sh:

CFLAGS="-DWOLFSSL_PR9705_PATCH_APPLIED" ./java.sh

@cconlon cconlon self-assigned this Jan 23, 2026
@cconlon cconlon requested a review from Copilot January 23, 2026 00:54
@cconlon cconlon mentioned this pull request Jan 23, 2026
Open
4 tasks
Copilot AI reviewed Jan 23, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@cconlon cconlon requested a review from Copilot January 23, 2026 17:44
Copilot AI reviewed Jan 23, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated 6 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cconlon cconlon force-pushed the nameConstraints branch 2 times, most recently from 18a8a4d to 4572d4e Compare January 23, 2026 18:37
@cconlon cconlon requested a review from Copilot January 23, 2026 18:38
Copilot AI reviewed Jan 23, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@cconlon cconlon

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cconlon