Fix IPSAN and registeredID handling

[embhorn]

Description

This PR fixes name-constraint enforcement gaps by ensuring iPAddress and registeredID GeneralNames are always parsed/stored.

Fixes zd21725

Testing

Added element to ConfirmNameConstraints test and certman tests.

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR fixes name-constraint enforcement gaps by ensuring iPAddress and registeredID GeneralNames are always parsed/stored (even when their human-readable string helpers are disabled), and updates OpenSSL-compat APIs + tests accordingly.

Changes:

• Parse/store iPAddress and registeredID SANs unconditionally so ConfirmNameConstraints can enforce permitted/excluded subtrees.
• Extend name-constraint matching to include registeredID and ensure OpenSSL-compat SAN getters/printing remain safe when entries are raw bytes.
• Add regression tests and new test CA artifacts for RID/IP name-constraint enforcement and hostname-check CN fallback behavior.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
wolfcrypt/src/asn_orig.c	Always parses IP/RID altNames; gates only human-readable string generation behind feature macros.
wolfcrypt/src/asn.c	Adds RID enforcement to name-constraints logic; always decodes IP/RID GeneralNames into altNames.
src/x509.c	Makes OPENSSL_EXTRA SAN conversion handle RID unconditionally; avoids returning raw-byte altNames as C strings; improves printing behavior.
src/internal.c	Preserves CN-fallback semantics when only non-matchable altNames (IP without IP matching, RID) are present.
tests/api/test_certman.h	Registers new regression tests in the certman test group.
tests/api/test_certman.c	Adds regression tests for IP/RID name constraints, RID SAN exposure via OpenSSL APIs, and IP-only SAN CN fallback.
certs/test/include.am	Ships new RID name-constraints CA cert files.
certs/test/gen-ext-certs.sh	Adds generation stanza for the RID name-constraints CA cert.
certs/test/cert-ext-ncrid.pem	Adds the RID name-constraints CA certificate used by tests.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

MemBrowse Memory Report

gcc-arm-cortex-m4

• FLASH: .rodata +8 B, .text +64 B (+0.0%, 197,569 B / 262,144 B, total: 75% used)

gcc-arm-cortex-m4-baremetal

• FLASH: .rodata +8 B, .text +128 B (+0.2%, 64,635 B / 262,144 B, total: 25% used)

gcc-arm-cortex-m4-min-ecc

• FLASH: .rodata +8 B, .text +64 B (+0.1%, 60,221 B / 262,144 B, total: 23% used)

gcc-arm-cortex-m4-tls12

• FLASH: .rodata +8 B, .text +128 B (+0.1%, 121,053 B / 262,144 B, total: 46% used)

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #10354

Scan targets checked: wolfcrypt-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src

No new issues found in the changed files. ✅

[dgarske]

@embhorn please resolve merge conflicts. Thanks

[dgarske]

I am concerned about asn.c bloat for customers who are size constrained. Is it possible some of these new checks could be wrapped with WOLFSSL_NO_ASN_STRICT for them?