Add WolfSSLAltName class for extended SAN parsing and MS AD UPN support #313
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds comprehensive Subject Alternative Name (SAN) parsing support to wolfSSL JNI, including a new WolfSSLAltName class for type-safe access to all RFC 5280 GeneralName types and special support for Microsoft Active Directory User Principal Names (UPNs).
Key Changes:
- Introduces
WolfSSLAltNameclass with type-safe API for all SAN types (otherName, DNS, IP, email, URI, directoryName, registeredID) - Adds
getSubjectAltNamesArray(),getSubjectAltNamesExtended()methods toWolfSSLCertificate - Implements native JNI method
X509_get_subject_alt_names_full()with complete SAN parsing including otherName OID/value extraction
Reviewed changes
Copilot reviewed 21 out of 26 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
WolfSSLAltName.java |
New class providing type-safe SAN access with MS UPN detection and ASN.1 parsing |
WolfSSLCertificate.java |
Added three new SAN methods with caching and backward compatibility |
com_wolfssl_WolfSSLCertificate.c |
Native implementation parsing all SAN types with proper JNI object creation |
com_wolfssl_WolfSSLCertificate.h |
JNI header for new native method |
WolfSSLCertificateTest.java |
1700+ lines of comprehensive tests covering all SAN types and edge cases |
WolfSSLX509Test.java |
Updated test to compare SANs order-independently per RFC 5280 |
generate-san-test-certs.sh |
Script generating test certificates with various SAN combinations |
san-test/*.pem/*.der |
Test certificates for validation |
update-certs.sh |
Integrated SAN cert generation into build process |
infer.sh |
Added WolfSSLAltName to static analysis |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| derBuf = (unsigned char*)XMALLOC(derSz, NULL, | ||
| DYNAMIC_TYPE_TMP_BUFFER); | ||
|
|
||
| if (derBuf != NULL) { | ||
| unsigned char* derPtr = derBuf; | ||
| derSz = wolfSSL_i2d_ASN1_TYPE(valueType, &derPtr); |
There was a problem hiding this comment.
In the native C code, when allocating memory with XMALLOC at line 2097, there's no null check before dereferencing the returned pointer at line 2101. If the allocation fails and returns NULL, this will cause a null pointer dereference when creating derPtr.
| if (sans != null) { | ||
| for (WolfSSLAltName san : sans) { | ||
| Object[] entry = new Object[2]; | ||
| entry[0] = Integer.valueOf(san.getType()); |
There was a problem hiding this comment.
Using Integer.valueOf() for boxing is good practice and more efficient than new Integer(). However, consider using primitive int directly in the Object array since Java will autobox it automatically, which is cleaner and equivalent: entry[0] = san.getType(); instead of entry[0] = Integer.valueOf(san.getType());
| } | ||
|
|
||
| /* Validate IP address byte length (4 for IPv4, 16 for IPv6) */ | ||
| if (bytesValue.length != 4 && bytesValue.length != 16) { |
There was a problem hiding this comment.
The condition ipBytes.length == 4 || ipBytes.length == 16 validates IP address byte lengths correctly. However, the error handling returns null silently. Consider logging a debug message when an invalid IP byte length is encountered to aid troubleshooting, similar to the pattern used elsewhere with WolfSSLDebug.log().
| if (bytesValue.length != 4 && bytesValue.length != 16) { | |
| if (bytesValue.length != 4 && bytesValue.length != 16) { | |
| WolfSSLDebug.log("WolfSSLAltName: invalid iPAddress byte length: " | |
| + bytesValue.length); |
1 participant
This PR add a
WolfSSLAltNameclass for access to Subject Alternative Name entries and addsgetSubjectAltNamesArray()andgetSubjectAltNamesExtended()methods toWolfSSLCertificate.These changes support all RFC 5280 GeneralName types including
otherName(MS AD UPN),iPAddress, anddirectoryName.Includes JUnit tests for testing and regression prevention.