From e7b7fddacb4cc794e5dfc7693586d87a539f5aad Mon Sep 17 00:00:00 2001
From: Ruby Martin
Date: Tue, 14 Apr 2026 12:39:34 -0600
Subject: [PATCH] Apply DNS constraints to subject CN when SAN is not available.
---
 wolfcrypt/src/asn.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 3198b4de07..55ab6ba415 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -17658,9 +17658,16 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 XMEMSET(&subjectDnsName, 0, sizeof(DNS_entry));
 switch (nameType) {
 case ASN_DNS_TYPE:
- /* Should it also consider CN in subject? It could use
- * subjectDnsName too */
 name = cert->altNames;
+
+ /* When no SAN is present, apply DNS name constraints to the
+ * Subject CN. */
+ if (cert->subjectCN != NULL && cert->altNames == NULL) {
+ subjectDnsName.next = NULL;
+ subjectDnsName.type = ASN_DNS_TYPE;
+ subjectDnsName.len = cert->subjectCNLen;
+ subjectDnsName.name = cert->subjectCN;
+ }
 break;
 case ASN_IP_TYPE:
 /* IP addresses are stored in altNames with type ASN_IP_TYPE */
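Review bot: The Subject CN fallback in the `ASN_DNS_TYPE` case is gated on `cert->altNames == NULL`, so a certificate whose SAN holds only non-DNS entries never has its CN checked against the DNS constraints; the context comment under `ASN_IP_TYPE` says IP addresses are stored in `altNames` as well. If hostname verification elsewhere falls back to the CN when no dNSName entry exists (not visible here), a CN outside the permitted DNS subtree would pass name-constraint checking for such a certificate. Consider gating on the absence of any `ASN_DNS_TYPE` entry in `cert->altNames` rather than on the list being empty, and add a regression test with an IP-only SAN plus a constrained CN. The body of `ConfirmNameConstraints` starts and ends outside the hunk, so confirm that the code consuming `subjectDnsName` applies both the excluded and the permitted lists to this entry. A comment such as `/* CN is only consulted when altNames has no dNSName entry */` on the condition would make the intended scope explicit.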