Skip to content

refactor X509PrintSubjAltName #9238

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dgarske merged 1 commit into from
Oct 2, 2025
Merged

refactor X509PrintSubjAltName #9238

dgarske merged 1 commit into from
Oct 2, 2025

Conversation

@effbiae
Copy link
Contributor

@effbiae effbiae commented Sep 24, 2025

Description

  • removed duplication of code
  • fixes @TODO entry->name in ASN1 syntax

Testing

./autogen.sh && ./configure && make check && ./configure --enable-all && make check

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Sep 24, 2025

🛟 Devin Lifeguard found 1 likely issues in this PR

  • pointer-null-check snippet: Restore a guard at the top of X509PrintSubjAltName:
    if (bio == NULL || x509 == NULL) return WOLFSSL_FAILURE;

@effbiae
please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

@wolfSSL-Bot
Copy link

wolfSSL-Bot commented Sep 24, 2025

Can one of the admins verify this patch?

@effbiae effbiae force-pushed the X509PrintSubjAltName branch from 3f78890 to 5748993 Compare September 24, 2025 07:33
@dgarske
Copy link
Contributor

dgarske commented Sep 26, 2025

Okay to test

@effbiae effbiae force-pushed the X509PrintSubjAltName branch from 5748993 to 7c41395 Compare September 28, 2025 07:12
dgarske
dgarske requested changes Oct 1, 2025
View reviewed changes
Copy link
Contributor

@dgarske dgarske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice cleanup.

@dgarske dgarske requested a review from kareem-wolfssl October 1, 2025 21:42
@dgarske dgarske removed their assignment Oct 1, 2025
kareem-wolfssl
kareem-wolfssl previously approved these changes Oct 1, 2025
View reviewed changes
@effbiae effbiae force-pushed the X509PrintSubjAltName branch from 7c41395 to c3c7b11 Compare October 2, 2025 05:38
@dgarske
Copy link
Contributor

dgarske commented Oct 2, 2025

Jenkins retest this please. Agentoffline and openssl.test failure

@dgarske
Copy link
Contributor

dgarske commented Oct 2, 2025

Jenkins retest this please: "FIPS ERROR: Checkout failed"

@dgarske dgarske requested a review from Copilot October 2, 2025 18:51
@dgarske
Copy link
Contributor

dgarske commented Oct 2, 2025

Merging with known Esp latest test failure. That's fixed in latest master.

@dgarske dgarske merged commit db6a4df into wolfSSL:master Oct 2, 2025
333 of 338 checks passed
Copilot AI reviewed Oct 2, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Refactors Subject Alternative Name (SAN) printing to remove duplicated formatting logic and reuse a single helper for both SAN and ACERT name printing, and implements actual DirName printing instead of a placeholder.

  • Consolidates name-entry printing into X509_print_name_entry and updates ACERT call sites.
  • Reworks X509PrintSubjAltName to delegate to the helper.
  • Replaces the "DirName:" placeholder with X509PrintDirType.

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

src/x509.c
Comment on lines +6568 to +6569
if (!x509 || !x509->altNames || !x509->subjAltNameSet)
return WOLFSSL_FAILURE;
Copy link

Copilot AI Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The refactor changes behavior by returning WOLFSSL_FAILURE when no SAN is present (altNames is NULL or subjAltNameSet is false). Previously, the function treated absence of SAN as a no-op and returned success, which avoids failing overall certificate printing for a valid cert without SAN. Also, the prior implementation guarded against a NULL bio, which is no longer checked here. Suggest restoring prior semantics and input validation: return success when SAN isn't set/present, and fail early on NULL bio.

Suggested change
if (!x509 || !x509->altNames || !x509->subjAltNameSet)
return WOLFSSL_FAILURE;
if (bio == NULL)
return WOLFSSL_FAILURE;
if (!x509 || !x509->altNames || !x509->subjAltNameSet)
return WOLFSSL_SUCCESS; /* No SAN present, treat as no-op */

Copilot uses AI. Check for mistakes.
src/x509.c
Comment on lines 6242 to 6269
len = XSNPRINTF(scratch, MAX_WIDTH, "DNS:%s", entry->name);
if (len >= MAX_WIDTH) {
ret = WOLFSSL_FAILURE;
break;
}
}
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
else if (entry->type == ASN_IP_TYPE) {
len = XSNPRINTF(scratch, MAX_WIDTH, "IP Address:%s",
entry->ipString);
if (len >= MAX_WIDTH) {
ret = WOLFSSL_FAILURE;
break;
}
}
#endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */
else if (entry->type == ASN_RFC822_TYPE) {
len = XSNPRINTF(scratch, MAX_WIDTH, "email:%s",
entry->name);
if (len >= MAX_WIDTH) {
ret = WOLFSSL_FAILURE;
break;
}
}
else if (entry->type == ASN_DIR_TYPE) {
len = X509PrintDirType(scratch, MAX_WIDTH, entry);
if (len >= MAX_WIDTH) {
ret = WOLFSSL_FAILURE;
break;
}
}
else if (entry->type == ASN_URI_TYPE) {
len = XSNPRINTF(scratch, MAX_WIDTH, "URI:%s",
entry->name);
if (len >= MAX_WIDTH) {
ret = WOLFSSL_FAILURE;
break;
}
}
#if defined(OPENSSL_ALL)
else if (entry->type == ASN_RID_TYPE) {
len = XSNPRINTF(scratch, MAX_WIDTH, "Registered ID:%s",
entry->ridString);
if (len >= MAX_WIDTH) {
ret = WOLFSSL_FAILURE;
break;
}
}
#endif
else if (entry->type == ASN_OTHER_TYPE) {
len = XSNPRINTF(scratch, MAX_WIDTH,
"othername <unsupported>");
Copy link

Copilot AI Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The previous bounds checks for truncation (len >= MAX_WIDTH) after each formatting call were removed, which silently allows truncated output. To keep behavior robust without duplicating checks, add a single post-selection check like: if (len < 0 || len >= MAX_WIDTH) { ret = WOLFSSL_FAILURE; break; } before writing to the BIO.

Copilot uses AI. Check for mistakes.
@effbiae effbiae deleted the X509PrintSubjAltName branch October 7, 2025 02:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@dgarske dgarske dgarske approved these changes

@kareem-wolfssl kareem-wolfssl kareem-wolfssl left review comments

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@effbiae @wolfSSL-Bot @dgarske @kareem-wolfssl