Address PKIXNameConstraintValidator Bug #2260

Open
xSammyKang wants to merge 1 commit into bcgit:main from xSammyKang:patch-1

@xSammyKang

Addresses a bug in the intersectDNS function of PKIXNameConstraintValidator that treats DNS names with the same value as not within their domain. This leads to an issue where if there exist a certificate root and subordinate with the same name constraint, neither will be recognized.

@xSammyKang (Author)

Currently, during the intersectDNS() call, withinDomain() is used to check whether incoming DNS name constraints are within the domain of existing naming constraints or vice versa. However, because the length of the arrays produced when split() is called will be the same for DNS names that are the same, both calls will return false.
The change adds a condition after the withinDomain() checks to add the DNS name if they are equal.
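
A simplified model of the behaviour described in the comment above, added here as an illustration and not taken from the pull request or from Bouncy Castle's source. The class `DnsIntersectDemo`, both method bodies and the `handleEqual` switch are assumptions, and the names in `main` are constructed sample constraints; it shows identical DNS constraints intersecting to an empty permitted set, and an equality branch keeping the shared name.

```java
import java.util.HashSet;
import java.util.Set;

// Illustrative model only: an assumption based on the PR comment, not Bouncy Castle source.
public class DnsIntersectDemo {
    // Strict-subdomain test: true only when testDomain has MORE labels than domain
    // and its trailing labels match those of domain.
    static boolean withinDomain(String testDomain, String domain) {
        String d = domain.startsWith(".") ? domain.substring(1) : domain;
        String[] domainParts = d.split("\\.");
        String[] testParts = testDomain.split("\\.");
        if (testParts.length <= domainParts.length) {
            return false; // identical names have equal label counts and stop here
        }
        int offset = testParts.length - domainParts.length;
        for (int i = 0; i < domainParts.length; i++) {
            if (!domainParts[i].equalsIgnoreCase(testParts[i + offset])) {
                return false;
            }
        }
        return true;
    }

    // Intersect the DNS subtrees permitted so far with those of the next certificate.
    static Set<String> intersectDNS(Set<String> permitted, Set<String> incoming, boolean handleEqual) {
        Set<String> result = new HashSet<>();
        for (String dns : incoming) {
            for (String p : permitted) {
                if (withinDomain(p, dns)) {
                    result.add(p);   // existing constraint is the narrower one
                } else if (withinDomain(dns, p)) {
                    result.add(dns); // incoming constraint is the narrower one
                } else if (handleEqual && dns.equalsIgnoreCase(p)) {
                    result.add(dns); // equality branch; case-insensitive match is this example's choice
                }
            }
        }
        return result;
    }

    public static void main(String[] args) {
        Set<String> root = Set.of("example.com");          // constructed sample constraint
        Set<String> same = Set.of("example.com");          // subordinate repeats the constraint
        Set<String> narrower = Set.of("corp.example.com"); // subordinate narrows the constraint
        System.out.println(intersectDNS(root, same, false));     // equal names, no equality branch
        System.out.println(intersectDNS(root, same, true));      // equal names, with equality branch
        System.out.println(intersectDNS(root, narrower, false)); // strict subdomain case
    }
}
```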
