Executive Summary

This vulnerability involves the wolfSSL library's handling of URI nameConstraints in certificate chains. Specifically, URI nameConstraints from constrained intermediate Certificate Authorities (CAs) are parsed but not enforced during certificate chain verification in the wolfcrypt/src/asn.c component.

As a result, a compromised or malicious subordinate CA could issue leaf certificates containing URI Subject Alternative Name (SAN) entries that violate the nameConstraints set by the issuing CA, and wolfSSL would still accept these certificates as valid.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow a malicious or compromised sub-CA to issue certificates with unauthorized URI entries that should have been restricted by nameConstraints.

Because wolfSSL does not enforce these constraints properly, it may accept such certificates as valid, potentially enabling unauthorized access, man-in-the-middle attacks, or other security breaches where trust in the certificate chain is critical.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows a compromised or malicious sub-CA to issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid.

Such a flaw in certificate validation could undermine the trustworthiness of secure communications and identity verification processes.

As a result, organizations relying on wolfSSL for certificate validation might face increased risk of unauthorized access or data breaches, potentially impacting compliance with standards and regulations like GDPR and HIPAA that require strong security controls to protect sensitive data.

Useful 0 Not Useful 0