JCE: throw InvalidAlgorithmParameterException if TrustAnchors have name constraints in PKIXCertPathValidator

Author: cconlon

README_JCE.md

@@ -520,6 +520,17 @@ the current system time by wolfSSL. This means that preloaded OCSP responses
 thisUpdate and nextUpdate dates. Historical OCSP responses with expired dates
 cannot be used, even with a date override.
 
+#### TrustAnchor Name Constraints
+
+Name constraints specified directly on a TrustAnchor (via the
+`TrustAnchor(X509Certificate, byte[])` constructor) are not supported.
+wolfJCE throws `InvalidAlgorithmParameterException` if any TrustAnchor in
+PKIXParameters has name constraints set. This matches SunJCE behavior.
+
+Applications should use TrustAnchors without explicit name constraints; if
+name constraint enforcement is needed, the constraints should be embedded in
+the trust anchor certificate itself.
+
 ### Behavior Discrepancies with SunJCE
 ---------
 

src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathValidator.java

@@ -926,6 +926,18 @@ public CertPathValidatorResult engineValidate(
 
         pkixParams = (PKIXParameters)params;
 
+        /* Check if any TrustAnchors have name constraints. Native wolfSSL
+         * does not apply TrustAnchor name constraints during chain
+         * verification, only name constraints from certificates in the
+         * chain. To match SunJCE behavior, throw InvalidAlgorithmParameter
+         * Exception if TrustAnchors have name constraints. */
+        for (TrustAnchor anchor : pkixParams.getTrustAnchors()) {
+            if (anchor.getNameConstraints() != null) {
+                throw new InvalidAlgorithmParameterException(
+                    "TrustAnchors with name constraints are not supported");
+            }
+        }
+
         /* If we are in FIPS mode, verify wolfJCE is the Signature provider
          * to help maintain FIPS compliance */
         if (Fips.enabled && pkixParams.getSigProvider() != "wolfJCE") {