ignore invalid value validating dns name list (#69)

src/subject_name/verify.rs

@@ -42,7 +42,7 @@ pub(crate) fn verify_cert_dns_name(
             if let GeneralName::DnsName(presented_id) = name {
                 match dns_name::presented_id_matches_reference_id(presented_id, dns_name) {
                     Ok(true) => return NameIteration::Stop(Ok(())),
-                    Ok(false) => (),
+                    Ok(false) | Err(Error::MalformedDnsIdentifier) => (),
                     Err(e) => return NameIteration::Stop(Err(e)),
                 }
             }

tests/generate.py

@@ -514,6 +514,17 @@ def name_constraints() -> None:
             ],
         )
 
+        generate_name_constraints_test(
+            output,
+            "invalid_dns_name_matching",
+            valid_names=["dns.example.com"],
+            subject_common_name="subject.example.com",
+            sans=[
+                x509.DNSName("{invalid}.example.com"),
+                x509.DNSName("dns.example.com"),
+            ],
+        )
+
 
 def signatures() -> None:
     rsa_pub_exponent: int = 0x10001

tests/name_constraints.rs

@@ -351,3 +351,10 @@ fn exclude_directory_name_not_implemented() {
         Err(webpki::Error::UnknownIssuer)
     );
 }
+
+#[test]
+fn invalid_dns_name_matching() {
+    let ee = include_bytes!("name_constraints/invalid_dns_name_matching.ee.der");
+    let ca = include_bytes!("name_constraints/invalid_dns_name_matching.ca.der");
+    assert_eq!(check_cert(ee, ca, &["dns.example.com"], &[]), Ok(()));
+}