[compat] implement nameConstraints verification

OpenSSL checks nameConstraints (RFC 5280 Section 4.2.1.10) during
chain verification, rejecting certs whose subject DN or SANs violate
permitted/excluded subtrees. JRuby was treating nameConstraints as an
unhandled critical extension, rejecting ALL certs from constrained CAs.

Implementation uses BouncyCastle's PKIXNameConstraintValidator which
supports DNS, email, IP, URI, directoryName, and otherName matching.
Walks the chain from trust anchor to leaf, accumulating constraints
from each CA and checking each non-self-issued cert against them.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: kares

src/main/java/org/jruby/ext/openssl/x509store/StoreContext.java

@@ -45,11 +45,20 @@
 
 import org.bouncycastle.asn1.ASN1InputStream;
 import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.GeneralSubtree;
+import org.bouncycastle.asn1.x509.NameConstraints;
+import org.bouncycastle.asn1.x509.PKIXNameConstraintValidator;
+import org.bouncycastle.asn1.x509.NameConstraintValidatorException;
 import org.jruby.ext.openssl.OpenSSL;
 import org.jruby.ext.openssl.SecurityHelper;
 import org.jruby.util.SafePropertyAccessor;
 
+import static org.jruby.ext.openssl.OpenSSL.debugStackTrace;
 import static org.jruby.ext.openssl.x509store.X509Error.addError;
 import static org.jruby.ext.openssl.x509store.X509Utils.*;
 
@@ -972,7 +981,8 @@ int verify_chain_legacy() throws Exception {
         int ok = checkChainExtensions();
         if ( ok == 0 ) return ok;
 
-        /* TODO: Check name constraints (from 1.0.0) */
+        ok = checkNameConstraints();
+        if ( ok == 0 ) return ok;
 
         // The chain extensions are OK: check trust
         if ( verifyParameter.trust > 0 ) ok = checkTrust();
@@ -1031,8 +1041,8 @@ int verify_chain() throws Exception {
         ok = verify != null ? verify.call(this) : internal_verify();
         if (ok == 0) return ok;
 
-        //if ((ok = check_name_constraints(ctx)) == 0)
-        //    return ok;
+        if ((ok = checkNameConstraints()) == 0)
+            return ok;
 
         /* If we get this far evaluate policies */
         if ((getParam().flags & V_FLAG_POLICY_CHECK) != 0) {
@@ -1359,12 +1369,98 @@ private X509AuxCertificate find_issuer(List<X509AuxCertificate> sk, X509AuxCerti
         return rv;
     }
 
+    private static final String OID_NAME_CONSTRAINTS = "2.5.29.30";
+    private static final String OID_SUBJECT_ALT_NAME = "2.5.29.17";
+
+    /**
+     * c: check_name_constraints
+     *
+     * Checks that each certificate's subject DN and SANs are within the
+     * name constraints (permitted/excluded subtrees) of all CA certificates
+     * higher in the chain. Uses BouncyCastle's PKIXNameConstraintValidator
+     * which implements RFC 5280 Section 4.2.1.10.
+     */
+    private int checkNameConstraints() throws Exception {
+        final int num = chain.size();
+
+        for (int i = num - 1; i >= 0; i--) {
+            final X509AuxCertificate x = chain.get(i);
+
+            // Skip self-issued intermediates (not the leaf)
+            if (i != 0 && (x.getExFlags() & EXFLAG_SI) != 0) continue;
+
+            // Check x against nameConstraints from every cert higher in the chain
+            for (int j = i + 1; j < num; j++) {
+                final X509AuxCertificate issuer = chain.get(j);
+                final byte[] ncBytes = issuer.getExtensionValue(OID_NAME_CONSTRAINTS);
+                if (ncBytes == null) continue;
+
+                final NameConstraints nc;
+                try {
+                    // Extension value is OCTET STRING wrapping the actual ASN.1
+                    ASN1OctetString oct = ASN1OctetString.getInstance(ncBytes);
+                    nc = NameConstraints.getInstance(ASN1Sequence.getInstance(oct.getOctets()));
+                } catch (Exception e) {
+                    if (verify_cb_cert(x, i, V_ERR_UNSPECIFIED) == 0) return 0;
+                    continue;
+                }
+
+                final PKIXNameConstraintValidator validator = new PKIXNameConstraintValidator();
+                GeneralSubtree[] permitted = nc.getPermittedSubtrees();
+                if (permitted != null) {
+                    validator.intersectPermittedSubtree(permitted);
+                }
+                GeneralSubtree[] excluded = nc.getExcludedSubtrees();
+                if (excluded != null) {
+                    for (GeneralSubtree sub : excluded) {
+                        validator.addExcludedSubtree(sub);
+                    }
+                }
+
+                // Check subject DN as directoryName
+                try {
+                    javax.security.auth.x500.X500Principal subj = x.getSubjectX500Principal();
+                    if (subj != null && subj.getEncoded().length > 2) {
+                        X500Name dn = X500Name.getInstance(subj.getEncoded());
+                        GeneralName dnName = new GeneralName(GeneralName.directoryName, dn);
+                        validator.checkPermitted(dnName);
+                        validator.checkExcluded(dnName);
+                    }
+                } catch (NameConstraintValidatorException e) {
+                    int err = e.getMessage() != null && e.getMessage().contains("excluded")
+                            ? V_ERR_EXCLUDED_VIOLATION : V_ERR_PERMITTED_VIOLATION;
+                    if (verify_cb_cert(x, i, err) == 0) return 0;
+                }
+
+                // Check all Subject Alternative Names
+                try {
+                    byte[] sanBytes = x.getExtensionValue(OID_SUBJECT_ALT_NAME);
+                    if (sanBytes != null) {
+                        ASN1OctetString sanOct = ASN1OctetString.getInstance(sanBytes);
+                        GeneralNames sans = GeneralNames.getInstance(sanOct.getOctets());
+                        for (GeneralName san : sans.getNames()) {
+                            validator.checkPermitted(san);
+                            validator.checkExcluded(san);
+                        }
+                    }
+                } catch (NameConstraintValidatorException e) {
+                    debugStackTrace(e);
+                    int err = e.getMessage() != null && e.getMessage().contains("excluded")
+                            ? V_ERR_EXCLUDED_VIOLATION : V_ERR_PERMITTED_VIOLATION;
+                    if (verify_cb_cert(x, i, err) == 0) return 0;
+                }
+            }
+        }
+        return 1;
+    }
+
     private final static Set<String> CRITICAL_EXTENSIONS = new HashSet<String>(8);
     static {
         CRITICAL_EXTENSIONS.add("2.16.840.1.113730.1.1"); // netscape cert type, NID 71
         CRITICAL_EXTENSIONS.add("2.5.29.15"); // key usage, NID 83
-        CRITICAL_EXTENSIONS.add("2.5.29.17"); // subject alt name, NID 85
+        CRITICAL_EXTENSIONS.add(OID_SUBJECT_ALT_NAME); // subject alt name, NID 85
         CRITICAL_EXTENSIONS.add("2.5.29.19"); // basic constraints, NID 87
+        CRITICAL_EXTENSIONS.add(OID_NAME_CONSTRAINTS); // name constraints, NID 666
         CRITICAL_EXTENSIONS.add("2.5.29.37"); // ext key usage, NID 126
         CRITICAL_EXTENSIONS.add("1.3.6.1.5.5.7.1.14"); // proxy cert info, NID 661
     }

src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java

@@ -191,6 +191,12 @@ public static String verifyCertificateErrorString(final int error) {
                 return("invalid or inconsistent certificate policy extension");
             case V_ERR_NO_EXPLICIT_POLICY:
                 return("no explicit policy");
+            case V_ERR_PERMITTED_VIOLATION:
+                return("permitted subtree violation");
+            case V_ERR_EXCLUDED_VIOLATION:
+                return("excluded subtree violation");
+            case V_ERR_SUBTREE_MINMAX:
+                return("name constraints minimum and maximum not supported");
             case V_ERR_APPLICATION_VERIFICATION:
                 return("application verification failure");
             case V_ERR_PATH_LOOP:
@@ -421,6 +427,10 @@ else if (maybeCertFile != null && new File(maybeCertFile).exists()) {
     public static final int	V_ERR_INVALID_POLICY_EXTENSION = 42;
     public static final int	V_ERR_NO_EXPLICIT_POLICY = 43;
 
+    public static final int	V_ERR_PERMITTED_VIOLATION = 47;
+    public static final int	V_ERR_EXCLUDED_VIOLATION = 48;
+    public static final int	V_ERR_SUBTREE_MINMAX = 49;
+
     public static final int	V_ERR_APPLICATION_VERIFICATION = 50;
 
     /* Another issuer check debug option */

src/test/ruby/x509/test_x509store.rb

@@ -592,4 +592,119 @@ def test_v_flag_partial_chain
     assert_equal OpenSSL::X509::V_OK, store2.error
   end
 
+  # Helper: build a proper ASN.1 nameConstraints extension since
+  # JRuby's create_extension doesn't encode nameConstraints correctly yet.
+  private
+
+  def build_name_constraints_ext(permitted_dns: nil, excluded_dns: nil)
+    subtrees = []
+    if permitted_dns
+      dns_names = Array(permitted_dns).map do |name|
+        dns = OpenSSL::ASN1::IA5String.new(name, 2, :IMPLICIT, :CONTEXT_SPECIFIC)
+        OpenSSL::ASN1::Sequence.new([dns])
+      end
+      subtrees << OpenSSL::ASN1::Sequence.new(dns_names, 0, :IMPLICIT, :CONTEXT_SPECIFIC)
+    end
+    if excluded_dns
+      dns_names = Array(excluded_dns).map do |name|
+        dns = OpenSSL::ASN1::IA5String.new(name, 2, :IMPLICIT, :CONTEXT_SPECIFIC)
+        OpenSSL::ASN1::Sequence.new([dns])
+      end
+      subtrees << OpenSSL::ASN1::Sequence.new(dns_names, 1, :IMPLICIT, :CONTEXT_SPECIFIC)
+    end
+    nc = OpenSSL::ASN1::Sequence.new(subtrees)
+    OpenSSL::X509::Extension.new("nameConstraints", nc.to_der, true)
+  end
+
+  def build_cert_with_san(name, serial, san_dns, issuer_cert, issuer_key)
+    key = OpenSSL::PKey::RSA.new(2048)
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2; cert.serial = serial
+    cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
+    cert.issuer = issuer_cert.subject
+    cert.not_before = Time.now - 3600; cert.not_after = Time.now + 3600
+    cert.public_key = key.public_key
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = cert; ef.issuer_certificate = issuer_cert
+    cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san_dns}"))
+    cert.sign(issuer_key, "SHA256")
+    cert
+  end
+
+  public
+
+  # jruby/jruby#3502: nameConstraints verification
+  def test_name_constraints_permitted_dns
+    now = Time.now
+    ca_key = OpenSSL::PKey::RSA.new(2048)
+    ca_cert = issue_cert(OpenSSL::X509::Name.parse("/CN=CA"), ca_key, 1,
+      [["basicConstraints","CA:TRUE",true],["keyUsage","cRLSign,keyCertSign",true]],
+      nil, nil, not_before: now, not_after: now + 3600)
+    ca_cert.add_extension(build_name_constraints_ext(permitted_dns: [".example.com"]))
+    ca_cert.sign(ca_key, "SHA256")  # re-sign after adding extension
+
+    good = build_cert_with_san("good", 10, "good.example.com", ca_cert, ca_key)
+    bad = build_cert_with_san("bad", 11, "evil.attacker.com", ca_cert, ca_key)
+
+    store = OpenSSL::X509::Store.new; store.add_cert(ca_cert)
+    assert_equal true, store.verify(good), "cert within permitted DNS subtree should verify"
+    assert_equal OpenSSL::X509::V_OK, store.error
+
+    assert_equal false, store.verify(bad), "cert outside permitted DNS subtree should fail"
+    assert_equal OpenSSL::X509::V_ERR_PERMITTED_VIOLATION, store.error
+  end
+
+  def test_name_constraints_excluded_dns
+    now = Time.now
+    ca_key = OpenSSL::PKey::RSA.new(2048)
+    ca_cert = issue_cert(OpenSSL::X509::Name.parse("/CN=CA"), ca_key, 1,
+      [["basicConstraints","CA:TRUE",true],["keyUsage","cRLSign,keyCertSign",true]],
+      nil, nil, not_before: now, not_after: now + 3600)
+    ca_cert.add_extension(build_name_constraints_ext(excluded_dns: [".evil.com"]))
+    ca_cert.sign(ca_key, "SHA256")
+
+    good = build_cert_with_san("good", 10, "good.example.com", ca_cert, ca_key)
+    bad = build_cert_with_san("bad", 11, "bad.evil.com", ca_cert, ca_key)
+
+    store = OpenSSL::X509::Store.new; store.add_cert(ca_cert)
+    assert_equal true, store.verify(good), "cert not in excluded subtree should verify"
+
+    assert_equal false, store.verify(bad), "cert in excluded DNS subtree should fail"
+    assert_equal OpenSSL::X509::V_ERR_EXCLUDED_VIOLATION, store.error
+  end
+
+  def test_name_constraints_no_constraints_passes
+    now = Time.now
+    ca_key = OpenSSL::PKey::RSA.new(2048)
+    ca_cert = issue_cert(OpenSSL::X509::Name.parse("/CN=CA"), ca_key, 1,
+      [["basicConstraints","CA:TRUE",true],["keyUsage","cRLSign,keyCertSign",true]],
+      nil, nil, not_before: now, not_after: now + 3600)
+    # No nameConstraints at all
+    leaf = build_cert_with_san("leaf", 10, "anything.example.com", ca_cert, ca_key)
+
+    store = OpenSSL::X509::Store.new; store.add_cert(ca_cert)
+    assert_equal true, store.verify(leaf), "cert without name constraints should verify"
+  end
+
+  def test_name_constraints_permitted_and_excluded_combined
+    now = Time.now
+    ca_key = OpenSSL::PKey::RSA.new(2048)
+    ca_cert = issue_cert(OpenSSL::X509::Name.parse("/CN=CA"), ca_key, 1,
+      [["basicConstraints","CA:TRUE",true],["keyUsage","cRLSign,keyCertSign",true]],
+      nil, nil, not_before: now, not_after: now + 3600)
+    # Permit .example.com but exclude .bad.example.com
+    ca_cert.add_extension(build_name_constraints_ext(
+      permitted_dns: [".example.com"], excluded_dns: [".bad.example.com"]))
+    ca_cert.sign(ca_key, "SHA256")
+
+    good = build_cert_with_san("good", 10, "good.example.com", ca_cert, ca_key)
+    bad = build_cert_with_san("bad", 11, "test.bad.example.com", ca_cert, ca_key)
+    outside = build_cert_with_san("outside", 12, "other.org", ca_cert, ca_key)
+
+    store = OpenSSL::X509::Store.new; store.add_cert(ca_cert)
+    assert_equal true, store.verify(good)
+    assert_equal false, store.verify(bad)
+    assert_equal false, store.verify(outside)
+  end
+
 end