@@ -17263,6 +17263,75 @@ int wolfssl_local_MatchBaseName(int type, const char* name, int nameSz,
1726317263 return 1;
1726417264}
1726517265
17266+ static int MatchUriNameConstraint(const char* uri, int uriSz, const char* base,
17267+ int baseSz)
17268+ {
17269+ const char* hostStart;
17270+ const char* hostEnd;
17271+ const char* p;
17272+ const char* uriEnd;
17273+ int hostSz;
17274+
17275+ if (uri == NULL || uriSz <= 0 || base == NULL || baseSz <= 0) {
17276+ return 0;
17277+ }
17278+
17279+ uriEnd = uri + uriSz;
17280+ hostStart = NULL;
17281+ for (p = uri; p < uriEnd - 2; p++) {
17282+ if (p[0] == ':' && p[1] == '/' && p[2] == '/') {
17283+ hostStart = p + 3;
17284+ break;
17285+ }
17286+ }
17287+ if (hostStart == NULL || hostStart >= uriEnd) {
17288+ return 0;
17289+ }
17290+
17291+ for (p = hostStart; p < uriEnd; p++) {
17292+ if (*p == '@') {
17293+ hostStart = p + 1;
17294+ break;
17295+ }
17296+ if (*p == '/' || *p == '?' || *p == '#') {
17297+ break;
17298+ }
17299+ if (*p == '[') {
17300+ break;
17301+ }
17302+ }
17303+ if (hostStart >= uriEnd) {
17304+ return 0;
17305+ }
17306+
17307+ if (*hostStart == '[') {
17308+ hostStart++;
17309+ hostEnd = hostStart;
17310+ while (hostEnd < uriEnd && *hostEnd != ']') {
17311+ hostEnd++;
17312+ }
17313+ if (hostEnd >= uriEnd) {
17314+ return 0;
17315+ }
17316+ hostSz = (int)(hostEnd - hostStart);
17317+ }
17318+ else {
17319+ hostEnd = hostStart;
17320+ while (hostEnd < uriEnd && *hostEnd != ':' && *hostEnd != '/' &&
17321+ *hostEnd != '?' && *hostEnd != '#') {
17322+ hostEnd++;
17323+ }
17324+ hostSz = (int)(hostEnd - hostStart);
17325+ }
17326+
17327+ if (hostSz <= 0) {
17328+ return 0;
17329+ }
17330+
17331+ return wolfssl_local_MatchBaseName(ASN_DNS_TYPE, hostStart, hostSz, base,
17332+ baseSz);
17333+ }
17334+
1726617335/* Check if IP address matches a name constraint.
1726717336 * IP name constraints contain IP address and subnet mask.
1726817337 * IPv4: ip is 4 bytes, constraint is 8 bytes (4 IP + 4 mask)
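Review bot: The host extracted by MatchUriNameConstraint is handed to the final wolfssl_local_MatchBaseName call with ASN_DNS_TYPE, but RFC 5280 §4.2.1.10 gives uniformResourceIdentifier constraints a stricter rule than dNSName constraints: a constraint without a leading period ("host.example.com") names exactly that host, and only a leading-period constraint (".example.com") may be expanded with additional labels, so if the DNS branch of wolfssl_local_MatchBaseName (outside this hunk) accepts left-hand label expansion for bare names, a URI permitted subtree of `example.com` would also admit `https://sub.example.com/`, wider than the RFC allows. Either a URI-specific comparison or an explicit comment above that call stating which expansion is accepted would settle the intent. The bracketed branch strips `[`…`]` and compares the IPv6 literal text as a DNS name, which a DNS-style base will never match; a one-line comment saying that IP-literal hosts are deliberately matched as text (or an early `return 0;` for them, since the RFC requires the constraint to be an FQDN) would make that choice visible. The opening guard could be `uriSz < 3` instead of `uriSz <= 0`, because `uriEnd - 2` forms a pointer before the buffer for one- and two-byte inputs. A header comment in the file's style, e.g. `/* Match the host part of a URI against a URI name constraint. Returns 1 on match, 0 otherwise (including when the URI has no authority). */`, would also help readers of the two call sites.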
@@ -17326,6 +17395,13 @@ static int PermittedListOk(DNS_entry* name, Base_entry* dnsList, byte nameType)
1732617395 break;
1732717396 }
1732817397 }
17398+ else if (nameType == ASN_URI_TYPE) {
17399+ if (MatchUriNameConstraint(name->name, name->len,
17400+ current->name, current->nameSz)) {
17401+ match = 1;
17402+ break;
17403+ }
17404+ }
1732917405 else if (name->len >= current->nameSz &&
1733017406 wolfssl_local_MatchBaseName(nameType, name->name, name->len,
1733117407 current->name, current->nameSz)) {
@@ -17366,6 +17442,13 @@ static int IsInExcludedList(DNS_entry* name, Base_entry* dnsList, byte nameType)
1736617442 break;
1736717443 }
1736817444 }
17445+ else if (nameType == ASN_URI_TYPE) {
17446+ if (MatchUriNameConstraint(name->name, name->len,
17447+ current->name, current->nameSz)) {
17448+ ret = 1;
17449+ break;
17450+ }
17451+ }
1736917452 else if (name->len >= current->nameSz &&
1737017453 wolfssl_local_MatchBaseName(nameType, name->name, name->len,
1737117454 current->name, current->nameSz)) {
@@ -17383,7 +17466,7 @@ static int IsInExcludedList(DNS_entry* name, Base_entry* dnsList, byte nameType)
1738317466static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
1738417467{
1738517468 const byte nameTypes[] = {ASN_RFC822_TYPE, ASN_DNS_TYPE, ASN_DIR_TYPE,
17386- ASN_IP_TYPE};
17469+ ASN_IP_TYPE, ASN_URI_TYPE };
1738717470 int i;
1738817471
1738917472 if (signer == NULL || cert == NULL)
@@ -17444,6 +17527,9 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
1744417527 subjectDnsName.name = (char *)cert->subjectRaw;
1744517528 }
1744617529 break;
17530+ case ASN_URI_TYPE:
17531+ name = cert->altNames;
17532+ break;
1744717533 default:
1744817534 /* Other types of names are ignored for now.
1744917535 * Shouldn't it be rejected if it there is a altNamesByType[nameType]