Skip to content

DNS name constraint fix#10837

Open
rlm2002 wants to merge 2 commits into
wolfSSL:masterfrom
rlm2002:zd-NameConstraints
Open

DNS name constraint fix#10837
rlm2002 wants to merge 2 commits into
wolfSSL:masterfrom
rlm2002:zd-NameConstraints

Conversation

@rlm2002

@rlm2002 rlm2002 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Description

A certificate with no dNSName SAN but another SAN type present (e.g. registeredID or iPAddress) bypassed the Subject CN dNSName name-constraint check. The CN-as-DNS fallback was gated on cert->subjectCN != NULL && cert->altNames == NULL && !cert->isCA instead of "no dNSName SAN", so an out-of-scope CN was accepted. The fallback now fires whenever no dNSName SAN is present, (RFC 6125 6.4.4 ). A non-dNSName SAN no longer suppresses the check.

Fixes zd#22078

Testing

Adds additional cases to test_wolfSSL_CertManagerNameConstraint_DNS_CN()

./configure --enable-all && make check

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

…s present. A non-dNSName SAN will not skip the CN dNSName name-constraint check now
@rlm2002 rlm2002 self-assigned this Jul 2, 2026
@rlm2002 rlm2002 force-pushed the zd-NameConstraints branch from 12be769 to a49f8b5 Compare July 2, 2026 18:42
@rlm2002 rlm2002 force-pushed the zd-NameConstraints branch from a49f8b5 to bd4c11a Compare July 2, 2026 18:43
@rlm2002 rlm2002 marked this pull request as ready for review July 2, 2026 18:51
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

retest this please

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

MemBrowse Memory Report

gcc-arm-cortex-m0plus

  • FLASH: .text +8 B (+0.0%, 64,099 B / 262,144 B, total: 24% used)

gcc-arm-cortex-m3

  • FLASH: .text +12 B (+0.0%, 122,121 B / 262,144 B, total: 47% used)

gcc-arm-cortex-m4

  • FLASH: .text +64 B (+0.0%, 199,820 B / 262,144 B, total: 76% used)

gcc-arm-cortex-m4-baremetal

  • FLASH: .text +64 B (+0.1%, 66,763 B / 262,144 B, total: 25% used)

gcc-arm-cortex-m7-tls13

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10837

Scan targets checked: wolfcrypt-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src

No new issues found in the changed files. ✅

@rlm2002 rlm2002 assigned wolfSSL-Bot and unassigned rlm2002 Jul 2, 2026
@Pig-Tail

Pig-Tail commented Jul 3, 2026

Copy link
Copy Markdown

Thanks for putting this together, @rlm2002 — I verified the branch against my reproducer and the out-of-scope CN is now correctly rejected when only a non-dNSName SAN (registeredID/iPAddress) is present. The dnsSan == NULL gate is exactly right. 🙌

Since this restores the protection from CVE-2026-6731 for the RID/iPAddress SAN path, would it be worth tracking it with its own CVE/advisory once the fix lands in a release? It'd help downstream integrators that rely on DNS name constraints for sub-CA containment pick it up. No urgency — happy to review advisory text or provide anything else that's useful.

Thanks again for the quick fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants