walk up cert chain and call ConfirmNameConstraints() for each ancestor cert

rlm2002 · rlm2002 · commit 710e37622e28 · 2026-06-16T13:09:19.000-06:00
Add to Signer struct to retrieve AKID data in NC cert walk
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -23156,6 +23156,11 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
     int    idx = 0;
 #endif
     byte*  sce_tsip_encRsaKeyIdx;
+#ifndef IGNORE_NAME_CONSTRAINTS
+    int ncDepth = 0;
+    Signer* ncAncestor = NULL;
+    Signer* ncParent = NULL;
+#endif
     (void)extraCAList;
 
     if (cert == NULL) {
@@ -23788,18 +23793,6 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
                 }
             #endif /* WOLFSSL_DUAL_ALG_CERTS */
             }
-        #ifndef IGNORE_NAME_CONSTRAINTS
-            if (verify == VERIFY || verify == VERIFY_OCSP ||
-                        verify == VERIFY_NAME || verify == VERIFY_SKIP_DATE) {
-                /* check that this cert's name is permitted by the signer's
-                 * name constraints */
-                if (!ConfirmNameConstraints(cert->ca, cert)) {
-                    WOLFSSL_MSG("Confirm name constraint failed");
-                    WOLFSSL_ERROR_VERBOSE(ASN_NAME_INVALID_E);
-                    return ASN_NAME_INVALID_E;
-                }
-            }
-        #endif /* IGNORE_NAME_CONSTRAINTS */
         } /* cert->ca */
 #ifdef WOLFSSL_CERT_REQ
         else if (type == CERTREQ_TYPE) {
@@ -23881,6 +23874,60 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
         }
     } /* verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE */
 
+#ifndef IGNORE_NAME_CONSTRAINTS
+    /* Apply each ancestor CA's name constraints to this cert. */
+    if ((verify == VERIFY || verify == VERIFY_OCSP ||
+         verify == VERIFY_NAME || verify == VERIFY_SKIP_DATE) &&
+         type != TRUSTED_PEER_TYPE && type != CA_TYPE &&
+         (!cert->selfSigned || type == CERT_TYPE) && cert->ca != NULL) {
+        ncAncestor = cert->ca;
+        while (ncAncestor != NULL && ncDepth < WOLFSSL_MAX_PATH_LEN) {
+            if (!ConfirmNameConstraints(ncAncestor, cert)) {
+                WOLFSSL_MSG("Confirm name constraint failed");
+                WOLFSSL_ERROR_VERBOSE(ASN_NAME_INVALID_E);
+                return ASN_NAME_INVALID_E;
+            }
+            /* Stop at trust anchor (self-issued). */
+            if (XMEMCMP(ncAncestor->subjectNameHash,
+                        ncAncestor->issuerNameHash,
+                        SIGNER_DIGEST_SIZE) == 0)
+                break;
+            ncParent = NULL;
+        #ifndef NO_SKID
+            /* Prefer AKID->SKID lookup: more specific than name and
+             * resistant to same-DN CA collisions in the CM. */
+            if (ncAncestor->authKeyIdSet) {
+                ncParent = GetCA(cm, ncAncestor->authKeyIdHash);
+                if (ncParent != NULL &&
+                        XMEMCMP(ncParent->subjectNameHash,
+                                ncAncestor->issuerNameHash,
+                                SIGNER_DIGEST_SIZE) != 0) {
+                    ncParent = NULL;
+                }
+            }
+            if (ncParent == NULL) {
+                ncParent = GetCAByName(cm, ncAncestor->issuerNameHash);
+            }
+        #else
+            /* NO_SKID: name-only lookup. A same-DN sibling CA loaded into
+             * the CM (different key, weaker or absent NCs) can shadow the
+             * real signer and bypass the ancestor NC walk. NO_SKID builds
+             * cannot disambiguate without SKID. */
+            ncParent = GetCA(cm, ncAncestor->issuerNameHash);
+        #endif
+        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+            if (ncParent == NULL && extraCAList != NULL) {
+                ncParent = findSignerByName(extraCAList,
+                                            ncAncestor->issuerNameHash);
+            }
+        #endif
+            if (ncParent == NULL || ncParent == ncAncestor)
+                break;
+            ncAncestor = ncParent;
+            ncDepth++;
+        }
+    }
+#endif /* IGNORE_NAME_CONSTRAINTS */
 #if defined(WOLFSSL_NO_TRUSTED_CERTS_VERIFY) && !defined(NO_SKID)
 exit_pcr:
 #endif
@@ -23959,10 +24006,18 @@ int FillSigner(Signer* signer, DecodedCert* cert, int type, DerBuffer *der)
     #ifndef NO_SKID
         XMEMCPY(signer->subjectKeyIdHash, cert->extSubjKeyId,
                 SIGNER_DIGEST_SIZE);
+    #ifndef IGNORE_NAME_CONSTRAINTS
+        if (cert->extAuthKeyIdSet) {
+            XMEMCPY(signer->authKeyIdHash, cert->extAuthKeyId,
+                    SIGNER_DIGEST_SIZE);
+            signer->authKeyIdSet = 1;
+        }
+    #endif
     #endif
         XMEMCPY(signer->subjectNameHash, cert->subjectHash,
                 SIGNER_DIGEST_SIZE);
-    #if defined(HAVE_OCSP) || defined(HAVE_CRL) || defined(WOLFSSL_AKID_NAME)
+    #if defined(HAVE_OCSP) || defined(HAVE_CRL) || \
+        defined(WOLFSSL_AKID_NAME) || !defined(IGNORE_NAME_CONSTRAINTS)
         XMEMCPY(signer->issuerNameHash, cert->issuerHash,
                 SIGNER_DIGEST_SIZE);
     #endif
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
@@ -2207,6 +2207,11 @@ struct Signer {
      */
     WC_BITFIELD extNameConstraintCrit:1;
     WC_BITFIELD extNameConstraintHasUnsupported:1;
+#ifndef NO_SKID
+    /* True when this cert had an AKID extension and authKeyIdHash was
+     * copied from it. */
+    WC_BITFIELD authKeyIdSet:1;
+#endif
 #endif
     const byte* publicKey;
     int     nameLen;
@@ -2218,15 +2223,22 @@ struct Signer {
 #endif
     byte    subjectNameHash[SIGNER_DIGEST_SIZE];
                                      /* sha hash of names in certificate */
-#if defined(HAVE_OCSP) || defined(HAVE_CRL) || defined(WOLFSSL_AKID_NAME)
+#if defined(HAVE_OCSP) || defined(HAVE_CRL) || defined(WOLFSSL_AKID_NAME) || \
+    !defined(IGNORE_NAME_CONSTRAINTS)
     byte    issuerNameHash[SIGNER_DIGEST_SIZE];
                                     /* sha hash of issuer names in certificate.
-                                    * Used in OCSP to check for authorized
-                                    * responders. */
+                                    * Used for OCSP authorized responder checks
+                                    * and name constraint ancestor walk. */
 #endif
 #ifndef NO_SKID
     byte    subjectKeyIdHash[SIGNER_DIGEST_SIZE];
                                     /* sha hash of key in certificate */
+#ifndef IGNORE_NAME_CONSTRAINTS
+    byte    authKeyIdHash[SIGNER_DIGEST_SIZE];
+                                    /* AKID keyId from this cert; used to
+                                     * locate the actual signer during the
+                                     * name-constraint ancestor walk. */
+#endif
 #endif
 #ifdef HAVE_OCSP
     byte subjectKeyHash[KEYID_SIZE];
