Skip to content

Commit 3e7efe8

Browse files
JacobBarthelmehJacobBarthelmeh
authored
Merge pull request #9705 from cconlon/nameConstraints
Support for extracting and validating X.509 Name Constraints extensions
2 parents eeaa3a7 + 610d530 commit 3e7efe8

19 files changed

Lines changed: 1721 additions & 27 deletions

certs/test/cert-ext-nc-combined.der

1.09 KB
Binary file not shown.

certs/test/cert-ext-nc-combined.pem

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIIEWjCCA0KgAwIBAgIUVxNILYrtvic5fahe1thKz5+9MBkwDQYJKoZIhvcNAQEL
3+
BQAwezELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv
4+
emVtYW4xFDASBgNVBAoMC3dvbGZTU0wgSW5jMRgwFgYDVQQLDA9EZXYgYW5kIFRl
5+
c3RpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTAeFw0yNjAxMjIyMTE4MjJa
6+
Fw0yODEwMTgyMTE4MjJaMHsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5h
7+
MRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEYMBYGA1UE
8+
CwwPRGV2IGFuZCBUZXN0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20wggEi
9+
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu
10+
8rwkMLiVzi9O1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu6
11+
4CHlci5vLobYlXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZ
12+
aHhzpowYqQJtr8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1U
13+
s+FtXxy8I3PRCQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT
14+
0pdz4l0lyWoNwzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMB
15+
AAGjgdUwgdIwHQYDVR0OBBYEFLMRMsmSmITiyfjQO24DQsofDo48MB8GA1UdIwQY
16+
MBaAFLMRMsmSmITiyfjQO24DQsofDo48MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYD
17+
VR0PAQH/BAQDAgGGMC4GA1UdHgEB/wQkMCKgIDAOhgwud29sZnNzbC5jb20wDoIM
18+
LndvbGZzc2wuY29tMDwGCWCGSAGG+EIBDQQvFi1UZXN0aW5nIGNvbWJpbmVkIFVS
19+
SSBhbmQgRE5TIG5hbWUgY29uc3RyYWludHMwDQYJKoZIhvcNAQELBQADggEBAKA5
20+
4xPLP6RVWnOSkHYi+Cr6KegUOQNxmPVoaAwph+QMR8Z2sdLKIWt9U1xL4lkH6L51
21+
S54kLMH/jnv2WD9bYvDe+CjWZEM97Nm+YURHDv5QAoqxY9gw9Y8TMGi8xOC5cubR
22+
JXpjN4U60N/mdHbxMQbcuHJLowjXSlCp3q6S+iz2Bh7TaP8w7EoTR6pQEK6nMo6L
23+
C/CRztvpaFgOZ4ia8O8C3EHBaBSECWWtPMyh6WappneKkT2p9wh8LdMB58AjKqoJ
24+
/Zg6lp0Qj+NOhpVYXiT2+RlxVkttZJmLv3DIYH9LMsS8jhnTriIXpx2DaS56dEVn
25+
aFzrG/ecf3YLPUrKgHw=
26+
-----END CERTIFICATE-----

certs/test/cert-ext-ncdns.pem

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIIEQzCCAyugAwIBAgIUBd10yS05H9xt7w0qR43nO7q47hUwDQYJKoZIhvcNAQEL
3+
BQAwezELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNVBAcM
4+
CEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5naW5l
5+
ZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTAeFw0yNjAxMjIyMTE4MjJa
6+
Fw0yODEwMTgyMTE4MjJaMHsxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNs
7+
YW5kMREwDwYDVQQHDAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDAS
8+
BgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20wggEi
9+
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu
10+
8rwkMLiVzi9O1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu6
11+
4CHlci5vLobYlXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZ
12+
aHhzpowYqQJtr8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1U
13+
s+FtXxy8I3PRCQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT
14+
0pdz4l0lyWoNwzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMB
15+
AAGjgb4wgbswHQYDVR0OBBYEFLMRMsmSmITiyfjQO24DQsofDo48MB8GA1UdIwQY
16+
MBaAFLMRMsmSmITiyfjQO24DQsofDo48MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYD
17+
VR0PAQH/BAQDAgGGMCwGA1UdHgEB/wQiMCCgHjANggt3b2xmc3NsLmNvbTANggtl
18+
eGFtcGxlLmNvbTAnBglghkgBhvhCAQ0EGhYYVGVzdGluZyBuYW1lIGNvbnN0cmFp
19+
bnRzMA0GCSqGSIb3DQEBCwUAA4IBAQCkCFJl/uWp3JinCS01T3vxZF8UT71w165B
20+
Fqz49w4UScy3wStJ/fcP/+M1mxbClvGmfBhNW7l8BNixPU4L9OYs+5/rWsMh6No+
21+
ZbPjWfkkHRWlmGKVNmk+C9OD7vVOAGVuPhdQGZfs9rYD3AqPk+CYC7AE/o3T97C9
22+
tGzfpt4ccEjyFV5liDnxr2SvMuG2KBIJovX2+QYXsb4u4tinKyOyvA9PF8nGLYvA
23+
mQk0ZQy+vnYjWv3luU5ZEBBPrRlC9Ph5sOzNKBaKdZ+GAy6UCqMYlFHSzq+0GsnO
24+
I1zCNn1XgpvX6V/31AVYPgiAQj6qMHuYxJR0pQG5kTeN3v+FdXR3
25+
-----END CERTIFICATE-----

certs/test/cert-ext-ncip.der

1.05 KB
Binary file not shown.

certs/test/cert-ext-ncip.pem

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIIENDCCAxygAwIBAgIUNQdk2FntK/mSUrXLLySPJwId8FowDQYJKoZIhvcNAQEL
3+
BQAwezELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQxETAPBgNVBAcM
4+
CEJyaXNiYW5lMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEUMBIGA1UECwwLRW5naW5l
5+
ZXJpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTAeFw0yNjAxMjAyMjQ2MTFa
6+
Fw0yODEwMTYyMjQ2MTFaMHsxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVlbnNs
7+
YW5kMREwDwYDVQQHDAhCcmlzYmFuZTEUMBIGA1UECgwLd29sZlNTTCBJbmMxFDAS
8+
BgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20wggEi
9+
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu
10+
8rwkMLiVzi9O1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu6
11+
4CHlci5vLobYlXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZ
12+
aHhzpowYqQJtr8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1U
13+
s+FtXxy8I3PRCQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT
14+
0pdz4l0lyWoNwzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMB
15+
AAGjga8wgawwHQYDVR0OBBYEFLMRMsmSmITiyfjQO24DQsofDo48MB8GA1UdIwQY
16+
MBaAFLMRMsmSmITiyfjQO24DQsofDo48MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYD
17+
VR0PAQH/BAQDAgGGMBoGA1UdHgEB/wQQMA6gDDAKhwjAqAEA////ADAqBglghkgB
18+
hvhCAQ0EHRYbVGVzdGluZyBJUCBuYW1lIGNvbnN0cmFpbnRzMA0GCSqGSIb3DQEB
19+
CwUAA4IBAQCOpK6M3RK5jcp2E3CaH9bTQfbcbppXJwFHdUG85sjf/K5i6c3/hr3X
20+
eKihdD+h62KgiUZFPrGzEDCLD26EWwiJJCkxakhjtY45r9luLXj3kpUMXQ3aeqXC
21+
M5rtW80w+9Hz0WEkK4UkaKEultWX8mnrF7dH/MHctyyLDcy28qbH5SwAhVqE1XAZ
22+
0j/1Mw0MsQd8ycpbmONhQEgXTVlHspvn/vBcKvGS6oimeTlgO+Ghlnt9eeQfFRT0
23+
y7MacpE2kULmzy8qzXxqVvQI2V66wz7xC/8BYzj/KBYGwi7e2LeGKU5eEV4622sR
24+
QtT99fpv0XMKNPMTI5Iz9l/ZPWvZgXJE
25+
-----END CERTIFICATE-----

certs/test/cert-ext-ncmulti.der

1.15 KB
Binary file not shown.

certs/test/cert-ext-ncmulti.pem

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIIEljCCA36gAwIBAgIUL0V4sh34dBCPx7JGnW1VkkjOB4wwDQYJKoZIhvcNAQEL
3+
BQAwezELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv
4+
emVtYW4xFDASBgNVBAoMC3dvbGZTU0wgSW5jMRgwFgYDVQQLDA9EZXYgYW5kIFRl
5+
c3RpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTAeFw0yNjAxMjIyMTE4MjJa
6+
Fw0yODEwMTgyMTE4MjJaMHsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5h
7+
MRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQKDAt3b2xmU1NMIEluYzEYMBYGA1UE
8+
CwwPRGV2IGFuZCBUZXN0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20wggEi
9+
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu
10+
8rwkMLiVzi9O1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu6
11+
4CHlci5vLobYlXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZ
12+
aHhzpowYqQJtr8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1U
13+
s+FtXxy8I3PRCQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT
14+
0pdz4l0lyWoNwzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMB
15+
AAGjggEQMIIBDDAdBgNVHQ4EFgQUsxEyyZKYhOLJ+NA7bgNCyh8OjjwwHwYDVR0j
16+
BBgwFoAUsxEyyZKYhOLJ+NA7bgNCyh8OjjwwEgYDVR0TAQH/BAgwBgEB/wIBADAO
17+
BgNVHQ8BAf8EBAMCAYYwYAYDVR0eAQH/BFYwVKAgMA6CDC5leGFtcGxlLmNvbTAO
18+
gQwuZXhhbXBsZS5jb22hMDAWghQuYmxvY2tlZC5leGFtcGxlLmNvbTAWgRQuYmxv
19+
Y2tlZC5leGFtcGxlLmNvbTBEBglghkgBhvhCAQ0ENxY1VGVzdGluZyBtaXhlZCBw
20+
ZXJtaXR0ZWQgYW5kIGV4Y2x1ZGVkIG5hbWUgY29uc3RyYWludHMwDQYJKoZIhvcN
21+
AQELBQADggEBAEULvBMSjm5ENjZ7WNDnSPXwKm3ka1eK7AUCTmZdMl3Op1ge/yqq
22+
rdkG2xvX4cfAe8iPOUDMyvh/Jf9B8T2njOGnpUTueslRzDvOs7qBo/0VYRalkye9
23+
Qw0ysgKcvvnevMHMnErGCkLEvL0VmTTmSR9HA8YxRih962fBrv38GZytqmFw/TEm
24+
s0KMQRumxQWPHHAQ/AbWbzCIXZo0kOsZlIZV3geCf9M0klDhG/XLgFJqihwGDeT4
25+
Yvy1mtqJu87LduC03UKKqbMR0ltTOkoCm5xTjKQuTbHxPBw2q8UVZ7Ud2iE47UXi
26+
c4Zd4IxO9TTO5SCQaZLPq0dhp3SxjgtZ3tw=
27+
-----END CERTIFICATE-----

certs/test/gen-ext-certs.sh

Lines changed: 65 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -81,7 +81,7 @@ rm -f ./certs/test/cert-ext-mnc.pem
8181

8282

8383
OUT=certs/test/cert-ext-ncdns
84-
KEYFILE=certs/test/cert-ext-nc-key.der
84+
KEYFILE=certs/test/cert-ext-ncdns-key.der
8585
CONFIG=certs/test/cert-ext-ncdns.cfg
8686
tee >$CONFIG <<EOF
8787
[ req ]
@@ -108,11 +108,68 @@ nsComment = "Testing name constraints"
108108
EOF
109109
gen_cert
110110
rm -f ./certs/test/cert-ext-ncdns.cfg
111-
rm -f ./certs/test/cert-ext-ncdns.pem
112111

113-
OUT=certs/test/cert-ext-ncmixed
114-
KEYFILE=certs/test/cert-ext-ncmixed-key.der
115-
CONFIG=certs/test/cert-ext-ncmixed.cfg
112+
OUT=certs/test/cert-ext-nc-combined
113+
KEYFILE=certs/test/cert-ext-nc-combined-key.der
114+
CONFIG=certs/test/cert-ext-nc-combined.cfg
115+
tee >$CONFIG <<EOF
116+
[ req ]
117+
distinguished_name = req_distinguished_name
118+
prompt = no
119+
x509_extensions = v3_ca
120+
121+
[ req_distinguished_name ]
122+
C = US
123+
ST = Montana
124+
L = Bozeman
125+
O = wolfSSL Inc
126+
OU = Dev and Testing
127+
CN = www.wolfssl.com
128+
129+
[ v3_ca ]
130+
subjectKeyIdentifier = hash
131+
authorityKeyIdentifier = keyid:always,issuer
132+
basicConstraints = critical, CA:true, pathlen:0
133+
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
134+
nameConstraints = critical,permitted;URI:.wolfssl.com,permitted;DNS:.wolfssl.com
135+
nsComment = "Testing combined URI and DNS name constraints"
136+
137+
EOF
138+
gen_cert
139+
rm -f ./certs/test/cert-ext-nc-combined.cfg
140+
141+
OUT=certs/test/cert-ext-ncmulti
142+
KEYFILE=certs/test/cert-ext-ncmulti-key.der
143+
CONFIG=certs/test/cert-ext-ncmulti.cfg
144+
tee >$CONFIG <<EOF
145+
[ req ]
146+
distinguished_name = req_distinguished_name
147+
prompt = no
148+
x509_extensions = v3_ca
149+
150+
[ req_distinguished_name ]
151+
C = US
152+
ST = Montana
153+
L = Bozeman
154+
O = wolfSSL Inc
155+
OU = Dev and Testing
156+
CN = www.wolfssl.com
157+
158+
[ v3_ca ]
159+
subjectKeyIdentifier = hash
160+
authorityKeyIdentifier = keyid:always,issuer
161+
basicConstraints = critical, CA:true, pathlen:0
162+
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
163+
nameConstraints = critical,permitted;DNS:.example.com,permitted;email:.example.com,excluded;DNS:.blocked.example.com,excluded;email:.blocked.example.com
164+
nsComment = "Testing mixed permitted and excluded name constraints"
165+
166+
EOF
167+
gen_cert
168+
rm -f ./certs/test/cert-ext-ncmulti.cfg
169+
170+
OUT=certs/test/cert-ext-ncip
171+
KEYFILE=certs/test/cert-ext-ncip-key.der
172+
CONFIG=certs/test/cert-ext-ncip.cfg
116173
tee >$CONFIG <<EOF
117174
[ req ]
118175
distinguished_name = req_distinguished_name
@@ -132,13 +189,12 @@ subjectKeyIdentifier = hash
132189
authorityKeyIdentifier = keyid:always,issuer
133190
basicConstraints = critical, CA:true, pathlen:0
134191
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
135-
nameConstraints = critical,permitted;DNS:example, permitted;email:.wolfssl.com
136-
nsComment = "Testing name constraints"
192+
nameConstraints = critical,permitted;IP:192.168.1.0/255.255.255.0
193+
nsComment = "Testing IP name constraints"
137194
138195
EOF
139196
gen_cert
140-
rm -f ./certs/test/cert-ext-ncmixed.cfg
141-
rm -f ./certs/test/cert-ext-ncmixed.pem
197+
rm -f ./certs/test/cert-ext-ncip.cfg
142198

143199
OUT=certs/test/cert-ext-ia
144200
KEYFILE=certs/test/cert-ext-ia-key.der

certs/test/include.am

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,14 @@ EXTRA_DIST += \
99
certs/test/cert-ext-nc.cfg \
1010
certs/test/cert-ext-nc.der \
1111
certs/test/cert-ext-nc.pem \
12+
certs/test/cert-ext-nc-combined.der \
13+
certs/test/cert-ext-nc-combined.pem \
14+
certs/test/cert-ext-ncip.der \
15+
certs/test/cert-ext-ncip.pem \
1216
certs/test/cert-ext-ncdns.der \
17+
certs/test/cert-ext-ncdns.pem \
18+
certs/test/cert-ext-ncmulti.der \
19+
certs/test/cert-ext-ncmulti.pem \
1320
certs/test/cert-ext-ncmixed.der \
1421
certs/test/cert-ext-mnc.der \
1522
certs/test/cert-ext-nct.cfg \

src/internal.c

Lines changed: 83 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4894,6 +4894,16 @@ void FreeX509(WOLFSSL_X509* x509)
48944894
FreeAltNames(x509->altNames, x509->heap);
48954895
x509->altNames = NULL;
48964896
}
4897+
#ifndef IGNORE_NAME_CONSTRAINTS
4898+
if (x509->permittedNames) {
4899+
FreeNameSubtrees(x509->permittedNames, x509->heap);
4900+
x509->permittedNames = NULL;
4901+
}
4902+
if (x509->excludedNames) {
4903+
FreeNameSubtrees(x509->excludedNames, x509->heap);
4904+
x509->excludedNames = NULL;
4905+
}
4906+
#endif
48974907

48984908
#ifdef WOLFSSL_DUAL_ALG_CERTS
48994909
XFREE(x509->sapkiDer, x509->heap, DYNAMIC_TYPE_X509_EXT);
@@ -13391,6 +13401,62 @@ static void AddSessionCertToChain(WOLFSSL_X509_CHAIN* chain,
1339113401
* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL ||
1339213402
* WOLFSSL_ACERT */
1339313403

13404+
#if (defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \
13405+
defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
13406+
!defined(IGNORE_NAME_CONSTRAINTS)
13407+
/* Duplicate a Base_entry */
13408+
static Base_entry* BaseEntryDup(Base_entry* from, void* heap)
13409+
{
13410+
Base_entry* entry;
13411+
13412+
if (from == NULL) {
13413+
return NULL;
13414+
}
13415+
13416+
entry = (Base_entry*)XMALLOC(sizeof(Base_entry), heap,
13417+
DYNAMIC_TYPE_ALTNAME);
13418+
if (entry == NULL) {
13419+
return NULL;
13420+
}
13421+
XMEMSET(entry, 0, sizeof(Base_entry));
13422+
13423+
entry->name = (char*)XMALLOC((word32)from->nameSz + 1, heap,
13424+
DYNAMIC_TYPE_ALTNAME);
13425+
if (entry->name == NULL) {
13426+
XFREE(entry, heap, DYNAMIC_TYPE_ALTNAME);
13427+
return NULL;
13428+
}
13429+
XMEMCPY(entry->name, from->name, (word32)from->nameSz);
13430+
entry->name[from->nameSz] = '\0';
13431+
entry->nameSz = from->nameSz;
13432+
entry->type = from->type;
13433+
13434+
return entry;
13435+
}
13436+
13437+
/* Copy a Base_entry list */
13438+
static int CopyBaseEntry(Base_entry** to, Base_entry* from, void* heap)
13439+
{
13440+
Base_entry** next = to;
13441+
13442+
if (to == NULL) {
13443+
return BAD_FUNC_ARG;
13444+
}
13445+
13446+
for (; from != NULL; from = from->next) {
13447+
Base_entry* entry = BaseEntryDup(from, heap);
13448+
if (entry == NULL) {
13449+
WOLFSSL_MSG("BaseEntryDup failed");
13450+
return MEMORY_E;
13451+
}
13452+
*next = entry;
13453+
next = &entry->next;
13454+
}
13455+
13456+
return 0;
13457+
}
13458+
#endif /* (KEEP_PEER_CERT || SESSION_CERTS || OPENSSL_EXTRA ||
13459+
* OPENSSL_EXTRA_X509_SMALL) && !IGNORE_NAME_CONSTRAINTS */
1339413460

1339513461
#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \
1339613462
defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
@@ -13727,6 +13793,23 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
1372713793
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
1372813794
x509->altNamesNext = x509->altNames; /* index hint */
1372913795

13796+
#ifndef IGNORE_NAME_CONSTRAINTS
13797+
/* copy name constraints from dCert to X509 */
13798+
if (dCert->permittedNames != NULL) {
13799+
if (CopyBaseEntry(&x509->permittedNames, dCert->permittedNames,
13800+
x509->heap) != 0) {
13801+
return MEMORY_E;
13802+
}
13803+
}
13804+
if (dCert->excludedNames != NULL) {
13805+
if (CopyBaseEntry(&x509->excludedNames, dCert->excludedNames,
13806+
x509->heap) != 0) {
13807+
return MEMORY_E;
13808+
}
13809+
}
13810+
x509->nameConstraintCrit = dCert->extNameConstraintCrit;
13811+
#endif /* !IGNORE_NAME_CONSTRAINTS */
13812+
1373013813
x509->isCa = dCert->isCA;
1373113814
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
1373213815
x509->basicConstCrit = dCert->extBasicConstCrit;

0 commit comments

Comments
 (0)