tests: update SAN NUL fixtures and add parse-time rejection coverage

The dNSName NUL-rejection fix changes two test fixtures whose intent was to
verify runtime hostname matching against a NUL-containing SAN. Those certs
now fail to parse. Swap the NUL byte in the fixture for a printable byte to
keep the underflow and wildcard-matching tests meaningful, add an explicit
parse-time-rejection assertion, and retire the test-fails.conf entries that
used server-badaltnull.pem (cert load is now catastrophic for the server
so the cipher-suite harness path is no longer reachable).

Author: julek-wolfssl

tests/api/test_asn.c

@@ -969,7 +969,7 @@ int test_DecodeAltNames_length_underflow(void)
         0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00,
         /* SAN extension: correct SEQUENCE length 0x06 */
         0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x08, 0x30, 0x06, 0x82,
-        0x04, 0x61, 0x2a, 0x00, 0x2a, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
+        0x04, 0x61, 0x2a, 0x62, 0x2a, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
         0x04, 0x16, 0x04, 0x14, 0x92, 0x6a, 0x1e, 0x52, 0x3a, 0x1a, 0x57, 0x9f,
         0xc9, 0x82, 0x9a, 0xce, 0xc8, 0xc0, 0xa9, 0x51, 0x9d, 0x2f, 0xc7, 0x72,
         0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,
@@ -1025,6 +1025,16 @@ int test_DecodeAltNames_length_underflow(void)
         WC_NO_ERR_TRACE(ASN_PARSE_E));
     wc_FreeDecodedCert(&cert);
 
+    /* NUL in dNSName SAN must be rejected per RFC 5280 4.2.1.6. */
+    XMEMCPY(bad_san_cert, good_san_cert, sizeof(good_san_cert));
+    bad_san_cert[SAN_SEQ_LEN_OFFSET + 5] = 0x00;
+
+    wc_InitDecodedCert(&cert, bad_san_cert, (word32)sizeof(bad_san_cert),
+        NULL);
+    ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL),
+        WC_NO_ERR_TRACE(ASN_PARSE_E));
+    wc_FreeDecodedCert(&cert);
+
 #endif /* !NO_CERTS && !NO_RSA && !NO_ASN */
     return EXPECT_RESULT();
 }

tests/api/test_ossl_x509.c

@@ -1136,7 +1136,7 @@ int test_wolfSSL_X509_bad_altname(void)
         0xf5, 0xe5, 0x09, 0x02, 0x01, 0x03, 0xa3, 0x61, 0x30, 0x5f, 0x30, 0x0c,
         0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00,
         0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x08, 0x30, 0x06, 0x82,
-        0x04, 0x61, 0x2a, 0x00, 0x2a, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
+        0x04, 0x61, 0x2a, 0x62, 0x2a, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
         0x04, 0x16, 0x04, 0x14, 0x92, 0x6a, 0x1e, 0x52, 0x3a, 0x1a, 0x57, 0x9f,
         0xc9, 0x82, 0x9a, 0xce, 0xc8, 0xc0, 0xa9, 0x51, 0x9d, 0x2f, 0xc7, 0x72,
         0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,
@@ -1175,8 +1175,7 @@ int test_wolfSSL_X509_bad_altname(void)
     ExpectNotNull(x509 = wolfSSL_X509_load_certificate_buffer(
         malformed_alt_name_cert, certSize, SSL_FILETYPE_ASN1));
 
-    /* malformed_alt_name_cert has a malformed alternative
-     * name of "a*\0*". Ensure that it does not match "aaaaa" */
+    /* SAN "a*b*" must not match "aaaaa" under any wildcard flag. */
     ExpectIntNE(wolfSSL_X509_check_host(x509, name, nameLen,
         WOLFSSL_ALWAYS_CHECK_SUBJECT, NULL), 1);
 

tests/test-fails.conf

@@ -14,21 +14,6 @@
 -m
 -x
 
-# server bad certificate alternate name has null
--v 3
--l ECDHE-RSA-AES128-GCM-SHA256
--k ./certs/server-key.pem
--c ./certs/test/server-badaltnull.pem
--d
-
-# client bad certificate alternate name has null
--v 3
--l ECDHE-RSA-AES128-GCM-SHA256
--h localhost
--A ./certs/test/server-badaltnull.pem
--m
--x
-
 # server nomatch common name
 -v 3
 -l ECDHE-RSA-AES128-GCM-SHA256