Skip to content

NameConstraints: support wildcard SAN#10549

Open
rizlik wants to merge 1 commit into
wolfSSL:masterfrom
rizlik:nc_dns_wildcards
Open

NameConstraints: support wildcard SAN#10549
rizlik wants to merge 1 commit into
wolfSSL:masterfrom
rizlik:nc_dns_wildcards

Conversation

@rizlik
Copy link
Copy Markdown
Contributor

@rizlik rizlik commented May 28, 2026

Description

Proper NameConstraint checking in case of wildcard in the SAN DNS types

Copilot AI review requested due to automatic review settings May 28, 2026 09:30
@rizlik rizlik self-assigned this May 28, 2026
Copilot AI reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds correct RFC 5280 nameConstraints handling for wildcard DNS SANs and fixes URI host constraint semantics so constraints without a leading . are treated as exact-host matches (not subtrees), strengthening certificate verification behavior.

Changes:

  • Normalize trailing-dot DNS names for nameConstraints comparisons and add label-wise wildcard DNS SAN vs subtree matching.
  • Update URI nameConstraint matching to apply DNS-subtree behavior only for constraints that begin with .; otherwise require exact host match.
  • Add unit tests for the new matchers plus an end-to-end chain-verification regression test covering DNS/URI wildcard scenarios.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
wolfssl/wolfcrypt/asn.h Exposes new local test-visible helpers for URI constraints and wildcard DNS constraint matching.
wolfcrypt/src/asn.c Implements trailing-dot normalization for DNS constraints, exports URI constraint matcher, and adds wildcard-aware DNS subtree matching logic.
tests/api/test_asn.h Registers new ASN matcher unit tests.
tests/api/test_asn.c Adds targeted unit tests for DNS wildcard constraint matching and URI host constraint semantics.
tests/api.c Adds an end-to-end regression test verifying DNS/URI nameConstraints enforcement via real chain verification.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread wolfcrypt/src/asn.c
Comment thread tests/api/test_asn.c Outdated
@rizlik rizlik force-pushed the nc_dns_wildcards branch from 8274aa1 to c4b4e6c Compare May 28, 2026 13:19
@rizlik rizlik marked this pull request as ready for review May 28, 2026 13:44
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 28, 2026

retest this please

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@rizlik rizlik

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rizlik