Skip to content

NAME_CONSTRAINTS_check

NAME

NAME_CONSTRAINTS_check, NAME_CONSTRAINTS_check_CN - check a certificate's names against a name constraints extension

SYNOPSIS

#include <openssl/x509v3.h>

int NAME_CONSTRAINTS_check(const X509 *x, NAME_CONSTRAINTS *nc);
int NAME_CONSTRAINTS_check_CN(const X509 *x, NAME_CONSTRAINTS *nc);

DESCRIPTION

NAME_CONSTRAINTS_check() tests whether the names asserted by certificate x satisfy the name constraints nc. It implements the matching primitive of RFC 5280 section 4.2.1.10: given a constraint set (a NAME_CONSTRAINTS structure containing zero or more permittedSubtrees and excludedSubtrees) and a candidate certificate, decide whether the certificate's names fall within the permitted subtrees and outside the excluded subtrees.

The names considered by NAME_CONSTRAINTS_check() are:

  • The certificate's subject distinguished name, matched as a directoryName general-name type. The subject is considered only when it is nonempty.
  • Each emailAddress attribute appearing within the subject distinguished name, matched as an rfc822Name general-name type. These attributes are the historical, pre-SAN way of expressing an email address in a certificate's subject, and RFC 5280 requires that they be subjected to name-constraint checking.
  • Each entry in the certificate's subject alternative name extension, matched according to its declared general-name type.

NAME_CONSTRAINTS_check() implements matching for the following general-name types: directoryName, dNSName, rfc822Name, uniformResourceIdentifier, and iPAddress. The otherName form id-on-SmtpUTF8Mailbox (RFC 8398) is additionally matched against rfc822Name subtrees. Any other general-name type, including x400Address, ediPartyName, registeredID, and other otherName forms, yields X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE.

For each name considered, the function evaluates two conditions:

  • If nc contains at least one permittedSubtree of the same general-name type as the name, the name must match at least one of those permitted subtrees. If nc contains no permitted subtrees of that type, no permitted-subtrees test is imposed on names of that type.
  • The name must not match any excludedSubtree of the same general-name type in nc.

The function returns at the first violation encountered; it does not collect or report multiple failures.

For dNSName entries, matching follows the byte/label algorithm of RFC 5280 section 4.2.1.10, which RFC 5280 mandates when no protocol-specific matching rules apply. Because this match is performed without awareness of any specific higher-level protocol, additional matching rules defined by later or more specific protocols must be applied independently of this function to the certificate chain.

NAME_CONSTRAINTS_check() performs only the constraint match for a single certificate against a single constraint set. It does not perform the chain-wide enforcement of RFC 5280 section 6.1.4(g)-(j): callers wishing to enforce name constraints across an entire certification path must walk the chain themselves and apply each ancestor's constraint set to certificates lower in the chain, observing the usual exceptions (for example, self-issued intermediate certificates are exempt from constraints imposed by certificates above them, except when they are the leaf of the chain). For full RFC 5280 name-constraint enforcement integrated with chain validation, applications should use X509_verify_cert(3), which performs this internally.

NAME_CONSTRAINTS_check() enforces an implementation limit on the product of the certificate's name count and the constraint set's subtree count, to prevent computationally expensive matching on pathological input. If that limit is exceeded the function returns X509_V_ERR_UNSPECIFIED without performing any matching. The current limit is 2**20 (1,048,576) on the product of the name count (subject DN entries plus subjectAltName entries) and the subtree count (permittedSubtrees plus excludedSubtrees).

RETURN VALUES

NAME_CONSTRAINTS_check() returns X509_V_OK if every name considered satisfies the constraints. Otherwise it returns one of the following X509_V_ERR_* codes:

  • X509_V_ERR_PERMITTED_VIOLATION

    A name of a type for which nc contains at least one permitted subtree failed to match any of those subtrees.

  • X509_V_ERR_EXCLUDED_VIOLATION

    A name matched an excluded subtree.

  • X509_V_ERR_SUBTREE_MINMAX

    A subtree in nc specified a minimum other than 0 or a maximum at all. RFC 5280 requires that these GeneralSubtree fields not be used, and a constraint set that uses them cannot be processed.

  • X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE

    A general-name type for which matching is not implemented was encountered. The list of supported types is given in the DESCRIPTION above.

  • X509_V_ERR_UNSUPPORTED_NAME_SYNTAX

    A name in the certificate is encoded in a way that cannot be matched (for example, an emailAddress attribute in the subject that is not encoded as an IA5String).

  • X509_V_ERR_UNSPECIFIED

    The product of the certificate's name count and the constraint set's subtree count exceeded the implementation limit; no matching was performed.

Other X509_V_ERR_* codes may be returned by deeper name-matching helpers (for example, codes arising from individual general-name type comparisons). Callers should treat the return value as the authoritative success/failure signal and treat any value other than X509_V_OK as a failure, rather than enumerating the specific codes above.

NOTES

NAME_CONSTRAINTS_check() does not match the certificate's commonName against dNSName name constraints; that check is provided by a separate function, NAME_CONSTRAINTS_check_CN(). The commonName-as-DNS-identity practice is a legacy concern: modern certificates assert DNS identities through dNSName entries in the subject alternative name extension, which NAME_CONSTRAINTS_check() already covers. NAME_CONSTRAINTS_check_CN() is required only for older certificates that express a DNS identity through their commonName instead of, or in addition to, the SAN; for certificates conforming to modern profiles a call to NAME_CONSTRAINTS_check() alone is generally sufficient.

BUGS

RFC 9525's wildcard semantics apply only to presented-identifier matching for TLS service identity, and explicitly call out they are not valid for any other purpose; they do not define wildcard handling for name-constraint matching. NAME_CONSTRAINTS_check() therefore follows RFC 5280's requirements for when this is undefined, and treats the * character in a dNSName as a literal label component, per the RFC 5280 algorithm, which is often contrary to caller expectation.

Even if specified in the future, due to the "fallback implementation" nature of matching wildcards in SAN dNSName entries specified by RFC 5280, name constraint behaviour in the presence of wildcards should not be strictly relied upon across implementations and protocols. This matters most for the use of excluded names constraints, which should not be relied upon to reliably constrain signing certificates for a PKI in a security dependent manner unless the consumers of these certificates are themselves known to be constrained by other means to only use implementations that provide different semantics, or the PKI can be constrained by other means to ensure that wildcards are never issued from such signing certificates.

SEE ALSO

X509_verify_cert(3), X509_VERIFY_PARAM_set_flags(3)

HISTORY

NAME_CONSTRAINTS_check() was added in OpenSSL 1.0.0.

NAME_CONSTRAINTS_check_CN() was added in OpenSSL 1.1.0.

Copyright 2026 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.