Add test cases for email namespace constraint wildcard handling #7

@jvdprng

Context

RFC 5280 Section 4.2.1.10 specifies how name constraints apply to email addresses. A critical edge case involves the interpretation of patterns like *@example.com:

  • This should be treated as a literal mailbox named "*" at example.com
  • It should NOT be treated as a wildcard pattern matching all mailboxes at example.com

Incorrect wildcard interpretation can lead to overly permissive name constraints, allowing certificates for unintended email addresses.

Why this matters:

  • Security: prevents unintended email address authorization via constraint bypass
  • RFC 5280 compliance: email constraints don't support wildcard matching
  • Distinguishes from DNS name constraints which do support wildcards
  • Prevents confusion between different constraint types

Test Case Description

Create test certificates with email name constraints containing asterisks:

Literal Asterisk Interpretation:

  1. Name constraint *@example.com, certificate SAN *@example.com (should ACCEPT - exact match)
  2. Name constraint *@example.com, certificate SAN [email protected] (should REJECT - not a match)
  3. Name constraint *@example.com, certificate SAN *@subdomain.example.com (should REJECT - different domain)

Multiple Asterisk Patterns:

  1. Name constraint **@example.com (double asterisk) treated as literal (test matching behavior)
  2. Name constraint *[email protected] (asterisk in middle) treated as literal

Contrast with DNS Wildcards:

  1. DNS name constraint .example.com, DNS SAN *.example.com (should ACCEPT - valid DNS wildcard)
  2. To emphasize the difference in constraint type handling

Expected validation results: Asterisks in email constraints are literal characters, not wildcards

Implementation Requirements

Certificate Builder Modifications:

  • Add ability to create name constraints with literal asterisk characters in email addresses
  • Support both permitted and excluded email constraints with asterisks
  • Ensure certificate SANs can contain asterisk characters in email addresses

Test Harness:

  • Test cases should demonstrate literal asterisk matching
  • Test cases should show wildcard-style matching fails ([email protected] doesn't match *@example.com)
  • Compare behavior with DNS name constraint wildcards

Test Case Examples:

  • rfc5280::nc::email-literal-asterisk-exact-match
  • rfc5280::nc::email-literal-asterisk-not-wildcard
  • rfc5280::nc::email-asterisk-different-domain
  • rfc5280::nc::email-double-asterisk-literal

References

  • RFC 5280 Section 4.2.1.10: Name Constraints
  • RFC 5280 Section 4.2.1.6: Subject Alternative Name
  • Contrast with DNS wildcards: RFC 6125

Acceptance Criteria

  • Test cases created showing literal asterisk interpretation in email constraints
  • Test cases demonstrate wildcards do NOT work for email constraints
  • Test cases validate against x509-limbo schema
  • Test cases produce expected results in at least one harness
  • Documentation clearly explains email vs DNS constraint differences
  • Negative tests show [email protected] doesn't match *@example.com
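
The literal-asterisk rule above, as an added sketch that is not part of the issue or of x509-limbo's own code: a strict rfc822Name constraint matcher following RFC 5280 Section 4.2.1.10, next to a flawed glob-style matcher that shows the over-permissive behavior the tests are meant to catch. The function names, the `alice@example.com` mailbox, and the byte-for-byte comparison of the local part are assumptions made for illustration.

```python
import fnmatch

def split_mailbox(addr):
    """Split an rfc822Name on its last '@' into (local_part, lowercased host)."""
    local, sep, host = addr.rpartition("@")
    if not sep or not local or not host:
        return None
    return local, host.lower()

def naive_glob_match(constraint, san):
    """Flawed matcher: treats '*' as a glob, which RFC 5280 does not define."""
    return fnmatch.fnmatchcase(san, constraint)

def email_constraint_matches(constraint, san):
    """RFC 5280 4.2.1.10 rfc822Name matching; '*' is an ordinary character."""
    parsed = split_mailbox(san)
    if parsed is None:
        return False
    san_local, san_host = parsed
    if "@" in constraint:
        # Particular mailbox: the complete address must match.
        # Assumption: local part compared byte-for-byte, host case-insensitively.
        return split_mailbox(constraint) == (san_local, san_host)
    base = constraint.lower()
    if base.startswith("."):
        # Leading period: any host inside the domain, but not the domain itself.
        return len(san_host) > len(base) and san_host.endswith(base)
    # Bare host name: every mailbox on exactly that host.
    return san_host == base

# Constructed cases mirroring the issue; alice@example.com is a made-up mailbox.
CASES = [
    ("*@example.com", "*@example.com", True),
    ("*@example.com", "alice@example.com", False),
    ("*@example.com", "*@subdomain.example.com", False),
    ("**@example.com", "**@example.com", True),
    ("**@example.com", "*@example.com", False),
    ("example.com", "alice@example.com", True),
    (".example.com", "alice@example.com", False),
]

def run_cases():
    """Return (constraint, san, expected, strict_result, naive_result) rows."""
    return [(c, s, want, email_constraint_matches(c, s), naive_glob_match(c, s))
            for c, s, want in CASES]

if __name__ == "__main__":
    for row in run_cases():
        print(row)
```

The second case is the one that separates the two matchers: the strict matcher rejects it, while the glob matcher accepts it.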
