wip: name constraint fixes #10638
Draft
rizlik wants to merge 2 commits into
wolfssl_local_MatchUriNameConstraint() compared the URI host against a no-leading-dot constraint with a raw length/byte check, so the absolute form "host.com." failed to match the constraint "host.com". Strip one trailing dot from both the extracted host and the base before the exact comparison, matching the existing DNS handling in wolfssl_local_MatchBaseName. Add regression cases to test_wolfssl_local_MatchUriNameConstraint.
Pull request overview
This PR tightens X.509 nameConstraints handling for URI GeneralNames so that when URI constraints are present, URIs whose host is not a DNS reg-name (e.g., IP-literals in brackets or IPv4address hosts) are rejected (“fail closed”), aligning with RFC 5280’s URI host requirements.
Changes:
- Add URI host extraction/type detection in `wolfcrypt/src/asn.c` and expose an internal helper to detect whether a URI has a DNS reg-name host.
- Enforce “fail closed” behavior when URI constraints exist but the presented URI host is not DNS (both in core verification and the OpenSSL-compat `wolfSSL_NAME_CONSTRAINTS_check_name` path).
- Update/extend unit tests to cover trailing-dot FQDN normalization and the new rejection behavior for IP-literal/IPv4 hosts under URI constraints.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `wolfssl/wolfcrypt/asn.h` | Declares internal helper for determining whether a URI has a DNS reg-name host. |
| `wolfcrypt/src/asn.c` | Implements URI host parsing/type classification, applies DNS-host requirement when URI constraints are present, and normalizes trailing-dot behavior for exact-host URI constraints. |
| `src/x509.c` | Removes local URI host extraction and routes URI name constraint matching through wolfssl_local_MatchUriNameConstraint; adds fail-closed check for non-DNS URI hosts when URI constraints exist. |
| `tests/api/test_asn.c` | Expands URI name-constraint tests for trailing-dot equivalence and rejection of IP-literal/IPv4 hosts. |
| `tests/api.c` | Adds integration-style verification cases to ensure non-DNS URI hosts are rejected when URI constraints are applied (including excluded-only constraints). |
| `tests/api/test_ossl_x509_ext.c` | Updates test commentary to reflect DNS-host requirement for URI constraints. |
Description
- fails closed if URI constraints are present but a presented URI's host is not a DNS name
- normalize trailing dot so that host.com. and host.com denote the same host
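
The two behaviours discussed in this PR (trailing-dot normalization and rejecting non-DNS hosts when a URI constraint applies), sketched as an added stand-alone example; this is not wolfSSL's code. The function names are hypothetical, the IPv4 check is a simplification (digits and dots only), and the case-insensitive comparison is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Locate the host in "scheme://[userinfo@]host[:port][/...]". Returns 0 if absent. */
static int uri_host(const char *uri, const char **host, size_t *len)
{
    const char *p = strstr(uri, "://"), *end, *at, *colon;
    if (p == NULL) return 0;
    p += 3;
    end = p + strcspn(p, "/?#");                 /* end of authority */
    at = memchr(p, '@', (size_t)(end - p));      /* skip userinfo */
    if (at != NULL) p = at + 1;
    colon = memchr(p, ':', (size_t)(end - p));
    if (*p != '[' && colon != NULL) end = colon; /* drop port; IP-literal kept whole */
    *host = p; *len = (size_t)(end - p);
    return *len > 0;
}

/* Simplified: a bracketed host or one made only of digits and dots is not a reg-name. */
static int host_is_dns(const char *h, size_t n)
{
    size_t i, nondigit = 0;
    if (n == 0 || h[0] == '[') return 0;
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)h[i]) && h[i] != '.') nondigit = 1;
    return (int)nondigit;
}

static int eq_nocase(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* 1 = host satisfies base, 0 = no match, -1 = unparseable or non-DNS host (reject). */
int uri_matches_constraint(const char *uri, const char *base)
{
    const char *h; size_t hl, bl = strlen(base);
    if (!uri_host(uri, &h, &hl) || !host_is_dns(h, hl)) return -1;
    if (hl > 1 && h[hl - 1] == '.') hl--;        /* "host.com." == "host.com" */
    if (bl > 1 && base[bl - 1] == '.') bl--;
    if (base[0] == '.')                          /* leading dot: subdomains only */
        return hl > bl && eq_nocase(h + hl - bl, base, bl);
    return hl == bl && eq_nocase(h, base, bl);
}
```

A caller enforcing constraints treats -1 as a rejection for both permitted and excluded subtrees, so an IP-literal host cannot slip past an excluded-only constraint.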