Cherry-pick #14542 (#14543)

* Further restrict DNS wildcards in name constraint matching (#14542)

* Further restruct DNS wildcards in name constraint matching

Signed-off-by: William Woodruff <william@yossarian.net>

* Bump limbo

Signed-off-by: William Woodruff <william@yossarian.net>

---------

Signed-off-by: William Woodruff <william@yossarian.net>

* CHANGELOG: record changes

Signed-off-by: William Woodruff <william@yossarian.net>

* Bump version to 46.0.6

Signed-off-by: William Woodruff <william@yossarian.net>

* Bump x509-limbo and/or wycheproof in CI (#14127)

* Bump x509-limbo and/or wycheproof in CI

* Skip 9 cabf::cn testcases

Signed-off-by: William Woodruff <william@yossarian.net>

---------

Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: pyca-boringbot[bot] <pyca-boringbot[bot]+106132319@users.noreply.github.com>

* Add credit to CHANGELOG

Signed-off-by: William Woodruff <william@yossarian.net>

---------

Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: pyca-boringbot[bot] <pyca-boringbot[bot]+106132319@users.noreply.github.com>

Author: woodruffw

.github/actions/fetch-vectors/action.yml

@@ -9,14 +9,14 @@ runs:
       with:
         repository: "C2SP/wycheproof"
         path: "wycheproof"
-        # Latest commit on the wycheproof main branch, as of Sep 16, 2025.
-        ref: "999222b8cce3c271eb1d1924f8c053a766ac8d2a" # wycheproof-ref
+        # Latest commit on the wycheproof main branch, as of Jan 09, 2026.
+        ref: "fca0d3ba9f1286c3af57801ace39c633e29a88f1" # wycheproof-ref
         persist-credentials: false
 
     - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         repository: "C2SP/x509-limbo"
         path: "x509-limbo"
-        # Latest commit on the x509-limbo main branch, as of Sep 16, 2025.
-        ref: "28e6162b6f78ee5052b6a1011f812317d01db101" # x509-limbo-ref
+        # Latest commit on the x509-limbo main branch, as of Mar 25, 2026.
+        ref: "23a7ab348f27efef72d429f4faa92a3d8c23f720" # x509-limbo-ref
         persist-credentials: false

CHANGELOG.rst

@@ -3,6 +3,15 @@ Changelog
 
 .. _v46-0-5:
 
+46.0.6 - 2026-03-25
+~~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
+  to peer names during verification when the leaf certificate contains a
+  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
+  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
+  reporting the issue. **CVE-2026-34073**
+
 46.0.5 - 2026-02-10
 ~~~~~~~~~~~~~~~~~~~
 

pyproject.toml

@@ -16,7 +16,7 @@ build-backend = "maturin"
 
 [project]
 name = "cryptography"
-version = "46.0.5"
+version = "46.0.6"
 authors = [
     { name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org" },
 ]
@@ -70,7 +70,7 @@ ssh = ["bcrypt >=3.1.5"]
 # All the following are used for our own testing.
 nox = ["nox[uv] >=2024.04.15"]
 test = [
-    "cryptography_vectors==46.0.5",
+    "cryptography_vectors==46.0.6",
     "pytest >=7.4.0",
     "pytest-benchmark >=4.0",
     "pytest-cov >=2.10.1",

src/cryptography/__about__.py

@@ -10,7 +10,7 @@
     "__version__",
 ]
 
-__version__ = "46.0.5"
+__version__ = "46.0.6"
 
 
 __author__ = "The Python Cryptographic Authority and individual contributors"

src/rust/cryptography-x509-verification/src/lib.rs

@@ -162,9 +162,7 @@ impl<'a, 'chain> NameChain<'a, 'chain> {
                 // match exactly one subdomain of `foo.com`. Therefore, the NC's matching
                 // set is a strict superset of any possible wildcard SAN pattern.
                 match (DNSConstraint::new(constraint.0), DNSPattern::new(name.0)) {
-                    (Some(constraint), Some(name)) => {
-                        Ok(Applied(constraint.matches(name.inner_name())))
-                    }
+                    (Some(constraint), Some(name)) => Ok(Applied(constraint.matches(&name))),
                     (_, None) => Err(ValidationError::new(ValidationErrorKind::Other(format!(
                         "unsatisfiable DNS name constraint: malformed SAN {}",
                         name.0

src/rust/cryptography-x509-verification/src/types.rs

@@ -138,19 +138,6 @@ impl<'a> DNSPattern<'a> {
             },
         }
     }
-
-    /// Returns the inner `DNSName` within this `DNSPattern`, e.g.
-    /// `foo.com` for `*.foo.com` or `example.com` for `example.com`.
-    ///
-    /// This API must not be used to bypass pattern matching; it exists
-    /// solely to enable checks that only require the inner name, such
-    /// as Name Constraint checks.
-    pub fn inner_name(&self) -> &DNSName<'a> {
-        match self {
-            DNSPattern::Exact(dnsname) => dnsname,
-            DNSPattern::Wildcard(dnsname) => dnsname,
-        }
-    }
 }
 
 /// A `DNSConstraint` represents a DNS name constraint as defined in [RFC 5280 4.2.1.10].
@@ -163,35 +150,45 @@ impl<'a> DNSConstraint<'a> {
         DNSName::new(pattern).map(Self)
     }
 
-    /// Returns true if this `DNSConstraint` matches the given name.
+    /// Returns true if this `DNSConstraint` matches the given `DNSPattern`.
     ///
     /// Constraint matching is defined by RFC 5280: any DNS name that can
     /// be constructed by simply adding zero or more labels to the left-hand
     /// side of the name satisfies the name constraint.
     ///
-    /// ```rust
-    /// # use cryptography_x509_verification::types::{DNSConstraint, DNSName};
-    /// let example_com = DNSName::new("example.com").unwrap();
-    /// let badexample_com = DNSName::new("badexample.com").unwrap();
-    /// let foo_example_com = DNSName::new("foo.example.com").unwrap();
-    /// assert!(DNSConstraint::new(example_com.as_str()).unwrap().matches(&example_com));
-    /// assert!(DNSConstraint::new(example_com.as_str()).unwrap().matches(&foo_example_com));
-    /// assert!(!DNSConstraint::new(example_com.as_str()).unwrap().matches(&badexample_com));
-    /// ```
-    pub fn matches(&self, name: &DNSName<'_>) -> bool {
-        // NOTE: This may seem like an obtuse way to perform label matching,
-        // but it saves us a few allocations: doing a substring check instead
-        // would require us to clone each string and do case normalization.
-        // Note also that we check the length in advance: Rust's zip
-        // implementation terminates with the shorter iterator, so we need
-        // to first check that the candidate name is at least as long as
-        // the constraint it's matching against.
-        name.as_str().len() >= self.0.as_str().len()
-            && self
-                .0
-                .rlabels()
-                .zip(name.rlabels())
-                .all(|(a, o)| a.eq_ignore_ascii_case(o))
+    /// On top of what RFC 5280 specifies, we define behavior for wildcard
+    /// patterns (which are not covered by RFC 5280): a wildcard pattern
+    /// matches a constraint if the pattern matches the constraint's inner name,
+    /// _or_ if the pattern's inner name matches the constraint.
+    /// This allows us to reject DNS names like `*.example.com` when
+    /// the constraint is `example.com` or `bar.example.com`.
+    pub fn matches(&self, name: &DNSPattern<'_>) -> bool {
+        match name {
+            DNSPattern::Exact(name) => {
+                // NOTE: This may seem like an obtuse way to perform label matching,
+                // but it saves us a few allocations: doing a substring check instead
+                // would require us to clone each string and do case normalization.
+                // Note also that we check the length in advance: Rust's zip
+                // implementation terminates with the shorter iterator, so we need
+                // to first check that the candidate name is at least as long as
+                // the constraint it's matching against.
+                name.as_str().len() >= self.0.as_str().len()
+                    && self
+                        .0
+                        .rlabels()
+                        .zip(name.rlabels())
+                        .all(|(a, o)| a.eq_ignore_ascii_case(o))
+            }
+            DNSPattern::Wildcard(inner) => {
+                // NOTE: This check is not as simple as a single pattern match,
+                // since we need two subtly distinct cases here:
+                // 1. Constraint `bar.example.com` on `*.example.com`
+                // 2. Constraint `example.com` on `*.example.com`
+                // The first cases is handled by `DNSPattern::matches`, and the second is handled
+                // by `DNSConstraint::matches`.
+                name.matches(&self.0) || self.matches(&DNSPattern::Exact(inner.clone()))
+            }
+        }
     }
 }
 
@@ -597,14 +594,33 @@ mod tests {
         let example_com = DNSConstraint::new("example.com").unwrap();
 
         // Exact domain and arbitrary subdomains match.
-        assert!(example_com.matches(&DNSName::new("example.com").unwrap()));
-        assert!(example_com.matches(&DNSName::new("foo.example.com").unwrap()));
-        assert!(example_com.matches(&DNSName::new("foo.bar.baz.quux.example.com").unwrap()));
+        assert!(example_com.matches(&DNSPattern::new("example.com").unwrap()));
+        assert!(example_com.matches(&DNSPattern::new("foo.example.com").unwrap()));
+        assert!(example_com.matches(&DNSPattern::new("foo.bar.baz.quux.example.com").unwrap()));
 
         // Parent domains, distinct domains, and substring domains do not match.
-        assert!(!example_com.matches(&DNSName::new("com").unwrap()));
-        assert!(!example_com.matches(&DNSName::new("badexample.com").unwrap()));
-        assert!(!example_com.matches(&DNSName::new("wrong.com").unwrap()));
+        assert!(!example_com.matches(&DNSPattern::new("com").unwrap()));
+        assert!(!example_com.matches(&DNSPattern::new("badexample.com").unwrap()));
+        assert!(!example_com.matches(&DNSPattern::new("wrong.com").unwrap()));
+    }
+
+    #[test]
+    fn test_dnsconstraint_matches_wildcard() {
+        let com = DNSConstraint::new("com").unwrap();
+        let example_com = DNSConstraint::new("example.com").unwrap();
+        let bar_example_com = DNSConstraint::new("bar.example.com").unwrap();
+        let baz_bar_example_com = DNSConstraint::new("baz.bar.example.com").unwrap();
+        let any_example_com = DNSPattern::new("*.example.com").unwrap();
+
+        assert!(com.matches(&any_example_com));
+        assert!(example_com.matches(&any_example_com));
+        assert!(bar_example_com.matches(&any_example_com));
+
+        // A constraint on `baz.bar.example.com` doesn't match `*.example.com`,
+        // since `baz.bar.example.com` matches zero or more sublabels of
+        // `baz.bar.example.com` while `*.example.com` matches exactly one
+        // sublabel of `example.com`.
+        assert!(!baz_bar_example_com.matches(&any_example_com));
     }
 
     #[test]

tests/x509/verification/test_limbo.py

@@ -85,6 +85,16 @@
     # with what webpki and rustls do, but inconsistent with Go and OpenSSL.
     "rfc5280::ca-as-leaf",
     "pathlen::validation-ignores-pathlen-in-leaf",
+    # These CABF SAN/CN mismatch tests are pretty niche.
+    "webpki::cn::ipv4-hex-mismatch",
+    "webpki::cn::ipv4-leading-zeros-mismatch",
+    "webpki::cn::ipv6-uppercase-mismatch",
+    "webpki::cn::ipv6-uncompressed-mismatch",
+    "webpki::cn::ipv6-non-rfc5952-mismatch",
+    "webpki::cn::punycode-not-in-san",
+    "webpki::cn::utf8-vs-punycode-mismatch",
+    "webpki::cn::not-in-san",
+    "webpki::cn::case-mismatch",
 }
 
 

vectors/cryptography_vectors/__about__.py

@@ -6,4 +6,4 @@
     "__version__",
 ]
 
-__version__ = "46.0.5"
+__version__ = "46.0.6"

vectors/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "uv_build"
 
 [project]
 name = "cryptography_vectors"
-version = "46.0.5"
+version = "46.0.6"
 authors = [
     {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"}
 ]