DNS name constraint fix#10837
Conversation
…s present. A non-dNSName SAN will not skip the CN dNSName name-constraint check now
12be769 to
a49f8b5
Compare
… SAN cases update comments
a49f8b5 to
bd4c11a
Compare
|
retest this please |
|
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10837
Scan targets checked: wolfcrypt-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
No new issues found in the changed files. ✅
|
Thanks for putting this together, @rlm2002 — I verified the branch against my reproducer and the out-of-scope CN is now correctly rejected when only a non-dNSName SAN (registeredID/iPAddress) is present. The dnsSan == NULL gate is exactly right. 🙌 Since this restores the protection from CVE-2026-6731 for the RID/iPAddress SAN path, would it be worth tracking it with its own CVE/advisory once the fix lands in a release? It'd help downstream integrators that rely on DNS name constraints for sub-CA containment pick it up. No urgency — happy to review advisory text or provide anything else that's useful. Thanks again for the quick fix. |
Description
A certificate with no dNSName SAN but another SAN type present (e.g. registeredID or iPAddress) bypassed the Subject CN dNSName name-constraint check. The CN-as-DNS fallback was gated on
cert->subjectCN != NULL && cert->altNames == NULL && !cert->isCAinstead of "no dNSName SAN", so an out-of-scope CN was accepted. The fallback now fires whenever no dNSName SAN is present, (RFC 6125 6.4.4 ). A non-dNSName SAN no longer suppresses the check.Fixes zd#22078
Testing
Adds additional cases to
test_wolfSSL_CertManagerNameConstraint_DNS_CN()./configure --enable-all && make checkChecklist