Support for extracting and validating X.509 Name Constraints extensions #9705
Pull request overview
This pull request adds comprehensive support for extracting and validating X.509 Name Constraints extensions (OID 2.5.29.30) per RFC 5280. The implementation enables parsing name constraint extensions from CA certificates and validating names against permitted/excluded subtrees.
Changes:
- Adds new data structures (WOLFSSL_GENERAL_SUBTREE, WOLFSSL_NAME_CONSTRAINTS) and API functions for name constraint handling
- Implements validation for DNS, Email, IP Address, URI, and Directory Name constraint types
- Extends ASN.1 parsing to support IP address and URI name constraint types
- Adds comprehensive test coverage with 7 new test functions and 4 test certificates
Reviewed changes
Copilot reviewed 19 out of 22 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfssl/ssl.h | Defines new structures for GENERAL_SUBTREE and NAME_CONSTRAINTS, adds API function declarations |
| wolfssl/openssl/x509v3.h | Adds OpenSSL compatibility layer macros and typedefs |
| wolfssl/wolfcrypt/asn.h | Declares IP subnet matching function for name constraint validation |
| wolfssl/internal.h | Adds name constraint storage fields to WOLFSSL_X509 structure and GENERAL_SUBTREE stack type |
| wolfcrypt/src/asn.c | Implements IP subnet matching, integrates IP and URI type support into constraint validation |
| src/x509.c | Implements NAME_CONSTRAINTS extraction from certificates, name validation API, and helper functions |
| src/ssl_sk.c | Extends stack operations to handle GENERAL_SUBTREE type |
| src/internal.c | Adds memory management for name constraint fields in X509 structure |
| tests/api/test_ossl_x509_ext.c | Adds 7 comprehensive test functions covering all constraint types and edge cases |
| tests/api/test_ossl_x509_ext.h | Declares new test functions |
| certs/test/ | Adds 4 new test certificates and configs for DNS, URI, IP, and mixed constraints |
| certs/test/gen-ext-certs.sh | Updates certificate generation script for new test certificates |
…) and wolfSSL_NAME_CONSTRAINTS_check_name()
Retest this please Jenkins:
Description
This PR adds support for extracting and validating X.509 Name Constraints extensions (OID 2.5.29.30). It enables parsing name constraint extensions from CA certificates and validating names against permitted/excluded subtrees per RFC 5280.
New Structures (wolfssl/ssl.h)
- WOLFSSL_GENERAL_SUBTREE - represents a GeneralSubtree containing a base GeneralName
- WOLFSSL_NAME_CONSTRAINTS - contains permitted and excluded subtree stacks
New Functions
- wolfSSL_NAME_CONSTRAINTS_free() - free NAME_CONSTRAINTS and all contents
- wolfSSL_NAME_CONSTRAINTS_check_name() - validate a name against constraints
- wolfSSL_sk_GENERAL_SUBTREE_num() - get count of subtrees in stack
- wolfSSL_sk_GENERAL_SUBTREE_value() - get subtree at index from stack
- wolfssl_local_MatchIpSubnet() - IP address subnet matching for constraints
OpenSSL Compatibility Macros (wolfssl/openssl/x509v3.h)
- NAME_CONSTRAINTS, GENERAL_SUBTREE typedefs
- NAME_CONSTRAINTS_free, sk_GENERAL_SUBTREE_num, sk_GENERAL_SUBTREE_value macros
Supported Name Constraint Types
- DNS (GEN_DNS) - domain name matching with leading dot subdomain support
- Email (GEN_EMAIL) - RFC822 name matching with domain constraints
- IP Address (GEN_IPADD) - IPv4 and IPv6 subnet matching (IP + mask)
- URI (GEN_URI) - host extraction with IPv6 literal support
- Directory Name (GEN_DIRNAME) - X.500 distinguished name matching
New Test Certificates
- cert-ext-nc-combined.pem/der/cfg - Combined DNS and URI constraints (.wolfssl.com)
- cert-ext-ncip.pem/der/cfg - IP address constraint (192.168.1.0/255.255.255.0)
- cert-ext-ncdns.pem - DNS-only constraint
- cert-ext-ncmulti.pem/der/cfg - mixed permitted/excluded constraints
Associated wolfssljni PR here, which wraps this functionality: wolfSSL/wolfssljni#316
Testing
Added new unit tests to test functionality. Also tested underneath wolfSSL JNI/JSSE (PR to open soon).
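A stand-alone illustration of the matching rules the description lists (DNS names with leading-dot subdomain semantics, IP address + mask subnet matching, URI host extraction including bracketed IPv6 literals, and the RFC 5280 permitted/excluded decision), added here as example code. It is not wolfSSL's implementation and does not use the PR's API: the `nc_*` and `uri_host` functions, the `nc_subtree`/`nc` records and the constructed `kMixed` constraint set are this example's own assumptions, modelled on the mixed permitted/excluded test case. Email and directory-name matching are omitted for brevity.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive equality: host names in name constraints compare case-insensitively. */
static int ci_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* DNS: a base of ".example.com" matches only proper subdomains; "example.com"
 * matches the host itself or any subdomain, and only at a label boundary. */
int nc_match_dns(const char *base, const char *name)
{
    size_t bl = strlen(base), nl = strlen(name);
    if (base[0] == '.') return nl > bl && ci_eq(base, name + nl - bl);
    if (nl == bl) return ci_eq(base, name);
    return nl > bl && name[nl - bl - 1] == '.' && ci_eq(base, name + nl - bl);
}

/* IP: the constraint value is address||mask (8 bytes IPv4, 32 bytes IPv6); match when (name & mask) == (address & mask). */
int nc_match_ip(const unsigned char *base, size_t baseLen,
                const unsigned char *ip, size_t ipLen)
{
    if (!((ipLen == 4 && baseLen == 8) || (ipLen == 16 && baseLen == 32))) return 0;
    for (size_t i = 0; i < ipLen; i++)
        if ((ip[i] & base[ipLen + i]) != (base[i] & base[ipLen + i])) return 0;
    return 1;
}

/* URI: copy the host of scheme://[userinfo@]host[:port][/path] into out. A
 * bracketed IPv6 literal is returned without its brackets; 0 means no authority. */
int uri_host(const char *uri, char *out, size_t outLen)
{
    const char *p = strstr(uri, "://"), *end, *q;
    size_t n;
    if (p == NULL) return 0;
    p += 3;
    end = strchr(p, '/');
    if (end == NULL) end = p + strlen(p);
    for (q = p; q < end; q++)           /* userinfo ends at '@' before any '/' */
        if (*q == '@') { p = q + 1; break; }
    if (*p == '[') {                     /* IPv6 literal: host runs to ']' */
        if ((q = (const char *)memchr(p, ']', (size_t)(end - p))) == NULL) return 0;
        p++; end = q;
    } else if ((q = (const char *)memchr(p, ':', (size_t)(end - p))) != NULL) {
        end = q;                         /* drop the :port suffix */
    }
    n = (size_t)(end - p);
    if (n == 0 || n >= outLen) return 0;
    memcpy(out, p, n); out[n] = '\0';
    return 1;
}

/* URI constraints apply to the host part only. Assumption: a DNS-form base never
 * matches an IP-literal host (a ':' cannot occur in a DNS name). */
int nc_match_uri(const char *base, const char *uri)
{
    char host[256];
    if (!uri_host(uri, host, sizeof host) || strchr(host, ':') != NULL) return 0;
    return nc_match_dns(base, host);
}

/* Hypothetical minimal subtree/constraint records (not wolfSSL's structures). */
enum nc_type { NC_DNS, NC_URI };
struct nc_subtree { enum nc_type type; const char *base; };
struct nc { const struct nc_subtree *permitted; size_t nPermitted;
            const struct nc_subtree *excluded;  size_t nExcluded; };

static int nc_match(const struct nc_subtree *st, const char *name)
{
    return st->type == NC_DNS ? nc_match_dns(st->base, name) : nc_match_uri(st->base, name);
}

/* RFC 5280 4.2.1.10: a name of type T passes only if it matches no excluded subtree
 * of type T and, when any permitted subtrees of type T exist, matches one of them. */
int nc_check_name(const struct nc *nc, enum nc_type type, const char *name)
{
    size_t i; int havePermitted = 0, matched = 0;
    for (i = 0; i < nc->nExcluded; i++)
        if (nc->excluded[i].type == type && nc_match(&nc->excluded[i], name)) return 0;
    for (i = 0; i < nc->nPermitted; i++) {
        if (nc->permitted[i].type != type) continue;
        havePermitted = 1;
        if (nc_match(&nc->permitted[i], name)) matched = 1;
    }
    return havePermitted ? matched : 1;
}

/* Constructed mixed constraint set, modelled on the PR's mixed permitted/excluded case. */
static const struct nc_subtree kPermitted[] = { { NC_DNS, ".wolfssl.com" }, { NC_URI, ".wolfssl.com" } };
static const struct nc_subtree kExcluded[]  = { { NC_DNS, "internal.wolfssl.com" } };
const struct nc kMixed = { kPermitted, 2, kExcluded, 1 };

int main(void)
{
    printf("www.wolfssl.com -> %d\n", nc_check_name(&kMixed, NC_DNS, "www.wolfssl.com"));
    printf("db.internal.wolfssl.com -> %d\n", nc_check_name(&kMixed, NC_DNS, "db.internal.wolfssl.com"));
    return 0;
}
```

Two points the example makes explicit: a name type with no permitted subtrees is unconstrained (so a URI-only constraint set says nothing about DNS names), and the excluded check runs first because an excluded match rejects regardless of any permitted match.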