From 1e1e34ce8cb0b870d655477baff600d8740ec76e Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Wed, 8 Apr 2026 15:47:57 -0500 Subject: [PATCH 1/3] Fix for peer cert verify with IP address --- src/internal.c | 5 +- tests/api/test_ossl_x509.c | 162 +++++++++++++++++++++++++++++++++++++ 2 files changed, 166 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index ad1587e0f6..36203b8eab 100644 --- a/src/internal.c +++ b/src/internal.c @@ -13488,7 +13488,10 @@ int CheckHostName(DecodedCert* dCert, const char *domainName, } #ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY - if (checkCN == 1) { + /* RFC 6125: IP address identities must appear in an iPAddress SAN and + * must never be matched against the Subject Common Name. Skip the CN + * fallback when verifying an IP address. */ + if (checkCN == 1 && !isIP) { if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen, domainName, (word32)domainNameLen, flags) == 1) { ret = 0; diff --git a/tests/api/test_ossl_x509.c b/tests/api/test_ossl_x509.c index b918a1f143..7209dc02ae 100644 --- a/tests/api/test_ossl_x509.c +++ b/tests/api/test_ossl_x509.c 
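Review bot: The new `!isIP` condition in CheckHostName only protects callers that have already classified the name as an IP address; `isIP` is set outside this hunk, so an IP literal handed in through a host-name path (isIP == 0) would presumably still reach the `MatchDomainName` call on `subjectCN`. The regression test in this same patch pins that behaviour, since `wolfSSL_X509_check_host(cn_wild, "1.0.0.1", ...)` is expected to return 1 for a certificate whose only identity is CN=*.0.0.1. I would record the dependency next to the guard, e.g. `/* isIP is supplied by the caller; an IP literal passed as a host name still takes the CN fallback. */`, and decide whether the host-name entry points should detect address literals themselves. The function starts and ends outside the hunk, so how `checkCN` and `isIP` are derived could not be checked here.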
@@ -1060,6 +1060,168 @@ int test_wolfSSL_X509_check_ip_asc(void) ExpectIntEQ(wolfSSL_X509_check_ip_asc(NULL, "0.0.0.0", 0), 0); ExpectIntEQ(wolfSSL_X509_check_ip_asc(empty, "127.128.0.255", 0), 0); + /* Regression test: a certificate with CN= and no SAN extension + * must NOT be accepted for IP verification. RFC 6125 requires that IP + * identities appear in an iPAddress SAN; the Subject CN must never be + * matched against an IP address. Likewise a CN of "*.0.0.1" must not + * wildcard-match "127.0.0.1" -- RFC 6125 Section 7.2 prohibits wildcard + * matching for IP addresses. */ + { + /* Self-signed cert, Subject CN="127.0.0.1", no extensions. */ + static const unsigned char cn_ip_literal_der[] = { + 0x30, 0x82, 0x02, 0xaf, 0x30, 0x82, 0x01, 0x97, 0x02, 0x14, 0x03, + 0xe8, 0x5c, 0xb5, 0x56, 0x65, 0x58, 0xd4, 0xd9, 0x86, 0x9c, 0xe7, + 0x5b, 0x71, 0xe9, 0xd3, 0x33, 0xe1, 0xa2, 0xdc, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0c, 0x09, 0x31, 0x32, 0x37, 0x2e, 0x30, 0x2e, 0x30, 0x2e, + 0x31, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x34, 0x30, 0x38, + 0x32, 0x30, 0x32, 0x35, 0x33, 0x33, 0x5a, 0x17, 0x0d, 0x33, 0x36, + 0x30, 0x34, 0x30, 0x35, 0x32, 0x30, 0x32, 0x35, 0x33, 0x33, 0x5a, + 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0c, 0x09, 0x31, 0x32, 0x37, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, + 0xb9, 0xcc, 0x99, 0xf7, 0xbf, 0x7c, 0x4f, 0xec, 0x7f, 0xe6, 0x17, + 0x4e, 0xe3, 0xd9, 0xe5, 0x25, 0x7d, 0xab, 0xa8, 0x66, 0xb0, 0x4d, + 0x41, 0x5c, 0x20, 0xd8, 0x67, 0xf5, 0xa3, 0xcd, 0x9e, 0x12, 0x7f, + 0x09, 0x00, 0xeb, 0x6b, 0xfc, 0x7e, 0x14, 0x10, 0xa0, 0x10, 0x2e, + 0x1f, 0xe8, 0xad, 0xec, 0xe8, 0x86, 0x54, 0xa2, 0xc4, 0x58, 
0x65, + 0x26, 0x95, 0x76, 0xa1, 0xe1, 0x02, 0x52, 0x81, 0xcb, 0x7e, 0x8e, + 0xb2, 0x31, 0xc9, 0x58, 0x9a, 0xdc, 0x69, 0xab, 0x8d, 0x23, 0xcd, + 0x96, 0x19, 0x1c, 0x68, 0x69, 0xb5, 0x7d, 0x23, 0xe3, 0x58, 0xe6, + 0x26, 0xcc, 0x05, 0x40, 0xd2, 0xa9, 0xb1, 0x09, 0x9c, 0xc8, 0x4a, + 0xfc, 0x0a, 0x20, 0xba, 0xc0, 0x12, 0x3b, 0x97, 0x44, 0x2b, 0x30, + 0x50, 0x86, 0x0b, 0x27, 0x13, 0x76, 0xb5, 0xf7, 0x80, 0xf0, 0xf2, + 0xf0, 0x93, 0x3b, 0x8d, 0xa8, 0x4f, 0xa3, 0xa9, 0xd2, 0xea, 0xd3, + 0xc3, 0xcb, 0xcc, 0x70, 0xa0, 0x0b, 0xc7, 0xc6, 0x3e, 0xc9, 0x27, + 0x4c, 0xb5, 0x23, 0x35, 0x6c, 0xb0, 0x30, 0xa2, 0xc1, 0x6d, 0x07, + 0xd0, 0x9b, 0x55, 0x6a, 0xf9, 0x18, 0xf0, 0x30, 0x74, 0x3f, 0xf6, + 0x17, 0x85, 0xb7, 0xcf, 0xa5, 0xd4, 0x91, 0xaa, 0x54, 0x85, 0xec, + 0xae, 0xc5, 0x32, 0xf2, 0xb0, 0x21, 0x5a, 0x90, 0x22, 0x66, 0x8b, + 0x4b, 0x0d, 0xc3, 0x57, 0x81, 0x86, 0xf2, 0xbb, 0xd2, 0x3b, 0x8c, + 0xfc, 0xee, 0xbd, 0xed, 0xf0, 0xfb, 0xa5, 0xe1, 0x91, 0x5a, 0x68, + 0x07, 0x60, 0x38, 0x38, 0xe7, 0x48, 0xe3, 0x83, 0xd6, 0xaf, 0xf0, + 0x03, 0x7e, 0x2e, 0x95, 0x0c, 0x33, 0xcf, 0x13, 0xe9, 0xec, 0xe7, + 0xa4, 0x5e, 0xed, 0x02, 0xae, 0xf2, 0x30, 0x6f, 0x3f, 0xc4, 0x1b, + 0x3a, 0x0a, 0xe8, 0xd3, 0x66, 0x32, 0xd6, 0xfd, 0x58, 0x3a, 0x65, + 0x93, 0x99, 0xc7, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x3c, 0xa7, 0xdf, 0xd1, 0x44, + 0xc5, 0x4d, 0x29, 0x38, 0x51, 0x9d, 0xf6, 0xee, 0x2f, 0x0c, 0xa3, + 0x8a, 0x2a, 0x7c, 0xa1, 0xb1, 0x26, 0x6d, 0xfb, 0x8b, 0x5d, 0xed, + 0xdc, 0x1f, 0xf2, 0xf1, 0x99, 0x3c, 0xd8, 0x36, 0xcd, 0x48, 0xf5, + 0x91, 0x5b, 0x42, 0x98, 0x89, 0x29, 0xba, 0x46, 0xad, 0x93, 0xea, + 0xea, 0x53, 0x17, 0xe4, 0x6d, 0xb7, 0xdc, 0xb5, 0x4a, 0xd8, 0xed, + 0x5c, 0x39, 0x0c, 0xf6, 0x1d, 0x19, 0xfb, 0x22, 0x5d, 0xe4, 0x3f, + 0x07, 0x20, 0x6d, 0x2e, 0xdc, 0x92, 0xa5, 0x56, 0xb3, 0x92, 0x74, + 0x05, 0xb2, 0x7c, 0xed, 0x73, 0x83, 0x70, 0x5f, 0x0e, 0x75, 0xe1, + 0x71, 0x4c, 0xc5, 
0xf0, 0x26, 0xc5, 0xa6, 0xd4, 0xb6, 0xb4, 0x79, + 0x99, 0x54, 0xd9, 0x21, 0x48, 0x2f, 0x52, 0x6e, 0x47, 0x1d, 0x1c, + 0x3a, 0x3b, 0x2a, 0x36, 0xa8, 0x88, 0x95, 0x47, 0x67, 0x59, 0xd5, + 0xee, 0xb6, 0xe9, 0x5b, 0x86, 0x1b, 0x8b, 0x6c, 0xa6, 0xb2, 0x91, + 0x81, 0x0c, 0xca, 0x91, 0x33, 0x32, 0xe5, 0x0d, 0x8f, 0xda, 0xc7, + 0x5b, 0xa6, 0x80, 0x3f, 0x71, 0x50, 0x56, 0xd2, 0x88, 0xfc, 0x53, + 0xc5, 0x11, 0x45, 0x1e, 0x8a, 0xb7, 0x0a, 0x83, 0x9e, 0x89, 0x63, + 0x24, 0x3e, 0x8c, 0xbd, 0xed, 0xec, 0xf4, 0x19, 0x32, 0x13, 0xcf, + 0xe7, 0xdd, 0xe6, 0x84, 0xed, 0xe7, 0xf7, 0xf9, 0x50, 0x2f, 0x7b, + 0xac, 0x7d, 0xf9, 0x0f, 0x61, 0xd1, 0xf7, 0x59, 0xf0, 0x91, 0x73, + 0x26, 0x5a, 0xba, 0x24, 0xc8, 0x49, 0x86, 0xc1, 0x1a, 0x42, 0x68, + 0x70, 0xbf, 0x94, 0x69, 0xd0, 0xd5, 0x26, 0x7e, 0x3c, 0xa9, 0x69, + 0x6f, 0xb1, 0xcc, 0xdf, 0x4d, 0xed, 0x91, 0x6d, 0xdf, 0x45, 0x71, + 0xf0, 0x88, 0x69, 0x74, 0x49, 0x2c, 0x5e, 0x77, 0xed, 0x92, 0x36, + 0x7f, 0x1a, 0x83, 0x36, 0x42, 0x17, 0x5a, 0xda, 0x91 + }; + /* Self-signed cert, Subject CN="*.0.0.1", no extensions. 
*/ + static const unsigned char cn_ip_wildcard_der[] = { + 0x30, 0x82, 0x02, 0xab, 0x30, 0x82, 0x01, 0x93, 0x02, 0x14, 0x3a, + 0x4e, 0xfc, 0xf1, 0x5f, 0xcb, 0xe3, 0x6a, 0xae, 0x7f, 0xd6, 0x79, + 0xbd, 0x40, 0xc9, 0x64, 0x41, 0xc6, 0xf0, 0x56, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0c, 0x07, 0x2a, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, 0x30, + 0x1e, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x34, 0x30, 0x38, 0x32, 0x30, + 0x32, 0x35, 0x33, 0x33, 0x5a, 0x17, 0x0d, 0x33, 0x36, 0x30, 0x34, + 0x30, 0x35, 0x32, 0x30, 0x32, 0x35, 0x33, 0x33, 0x5a, 0x30, 0x12, + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, + 0x2a, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, 0x30, 0x82, 0x01, 0x22, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, + 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb9, 0xcc, 0x99, 0xf7, + 0xbf, 0x7c, 0x4f, 0xec, 0x7f, 0xe6, 0x17, 0x4e, 0xe3, 0xd9, 0xe5, + 0x25, 0x7d, 0xab, 0xa8, 0x66, 0xb0, 0x4d, 0x41, 0x5c, 0x20, 0xd8, + 0x67, 0xf5, 0xa3, 0xcd, 0x9e, 0x12, 0x7f, 0x09, 0x00, 0xeb, 0x6b, + 0xfc, 0x7e, 0x14, 0x10, 0xa0, 0x10, 0x2e, 0x1f, 0xe8, 0xad, 0xec, + 0xe8, 0x86, 0x54, 0xa2, 0xc4, 0x58, 0x65, 0x26, 0x95, 0x76, 0xa1, + 0xe1, 0x02, 0x52, 0x81, 0xcb, 0x7e, 0x8e, 0xb2, 0x31, 0xc9, 0x58, + 0x9a, 0xdc, 0x69, 0xab, 0x8d, 0x23, 0xcd, 0x96, 0x19, 0x1c, 0x68, + 0x69, 0xb5, 0x7d, 0x23, 0xe3, 0x58, 0xe6, 0x26, 0xcc, 0x05, 0x40, + 0xd2, 0xa9, 0xb1, 0x09, 0x9c, 0xc8, 0x4a, 0xfc, 0x0a, 0x20, 0xba, + 0xc0, 0x12, 0x3b, 0x97, 0x44, 0x2b, 0x30, 0x50, 0x86, 0x0b, 0x27, + 0x13, 0x76, 0xb5, 0xf7, 0x80, 0xf0, 0xf2, 0xf0, 0x93, 0x3b, 0x8d, + 0xa8, 0x4f, 0xa3, 0xa9, 0xd2, 0xea, 0xd3, 0xc3, 0xcb, 0xcc, 0x70, + 0xa0, 0x0b, 0xc7, 0xc6, 0x3e, 0xc9, 0x27, 0x4c, 0xb5, 0x23, 0x35, + 0x6c, 0xb0, 0x30, 0xa2, 0xc1, 0x6d, 0x07, 0xd0, 0x9b, 0x55, 0x6a, + 0xf9, 0x18, 0xf0, 0x30, 0x74, 0x3f, 
0xf6, 0x17, 0x85, 0xb7, 0xcf, + 0xa5, 0xd4, 0x91, 0xaa, 0x54, 0x85, 0xec, 0xae, 0xc5, 0x32, 0xf2, + 0xb0, 0x21, 0x5a, 0x90, 0x22, 0x66, 0x8b, 0x4b, 0x0d, 0xc3, 0x57, + 0x81, 0x86, 0xf2, 0xbb, 0xd2, 0x3b, 0x8c, 0xfc, 0xee, 0xbd, 0xed, + 0xf0, 0xfb, 0xa5, 0xe1, 0x91, 0x5a, 0x68, 0x07, 0x60, 0x38, 0x38, + 0xe7, 0x48, 0xe3, 0x83, 0xd6, 0xaf, 0xf0, 0x03, 0x7e, 0x2e, 0x95, + 0x0c, 0x33, 0xcf, 0x13, 0xe9, 0xec, 0xe7, 0xa4, 0x5e, 0xed, 0x02, + 0xae, 0xf2, 0x30, 0x6f, 0x3f, 0xc4, 0x1b, 0x3a, 0x0a, 0xe8, 0xd3, + 0x66, 0x32, 0xd6, 0xfd, 0x58, 0x3a, 0x65, 0x93, 0x99, 0xc7, 0x02, + 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x01, 0x00, 0x7f, 0x3a, 0xf8, 0x93, 0x41, 0x6f, 0xaa, 0xb7, 0xca, + 0x17, 0x81, 0xa7, 0x3e, 0x9f, 0x0c, 0x6d, 0x14, 0x7b, 0x6f, 0x13, + 0xf8, 0xbf, 0x63, 0x6e, 0x28, 0x57, 0x0b, 0x9a, 0xc2, 0x2a, 0x88, + 0xc0, 0x35, 0x4b, 0xe3, 0x77, 0x31, 0x61, 0xff, 0xb4, 0x03, 0xe6, + 0x11, 0x80, 0x1f, 0x35, 0x65, 0xf6, 0x47, 0x94, 0xe6, 0xb9, 0x60, + 0x1e, 0xae, 0x9c, 0x90, 0xe8, 0x53, 0x8a, 0x46, 0x61, 0x28, 0xfa, + 0x4b, 0xe0, 0x71, 0x98, 0xf4, 0x9e, 0xc8, 0x31, 0x98, 0x27, 0x71, + 0x6e, 0x3c, 0x85, 0x15, 0x6d, 0x56, 0x20, 0x3b, 0x16, 0xe7, 0x64, + 0xb8, 0x51, 0x9a, 0x72, 0x75, 0xa1, 0xd2, 0x2f, 0xcf, 0x2b, 0x61, + 0xa2, 0xa8, 0x8b, 0x59, 0x27, 0x4c, 0x18, 0x59, 0x33, 0xbf, 0x9e, + 0x5c, 0xef, 0xbe, 0x71, 0x62, 0x62, 0x20, 0xc8, 0xdc, 0xaf, 0x74, + 0xaa, 0x7b, 0xaa, 0xaf, 0x37, 0x81, 0x65, 0xca, 0xf1, 0x7d, 0xd4, + 0x58, 0x11, 0xd7, 0x18, 0xf7, 0x50, 0xa2, 0xa8, 0x89, 0x90, 0x7c, + 0x30, 0xde, 0x2e, 0xf6, 0xbd, 0x3e, 0xbf, 0x14, 0x1e, 0xd4, 0x85, + 0x8c, 0x38, 0x1c, 0xa4, 0x26, 0xb7, 0x86, 0xe5, 0x17, 0xfc, 0x67, + 0x93, 0x86, 0x1c, 0x1f, 0x91, 0x6f, 0x8c, 0x99, 0xa6, 0x7f, 0x93, + 0x92, 0xdb, 0x45, 0x75, 0xbb, 0xb0, 0x78, 0xa3, 0x8b, 0x67, 0xf7, + 0x94, 0x26, 0xac, 0xb9, 0x4a, 0xca, 0x1f, 0x73, 0xfc, 0x52, 0x78, + 0xb8, 0x14, 0x02, 0xbf, 0x69, 0x6f, 0x70, 0x21, 0xae, 0xd4, 
0x12, + 0x4f, 0xd1, 0x9f, 0xe6, 0x56, 0x11, 0x80, 0x39, 0x66, 0xe0, 0xd4, + 0x56, 0x5b, 0x32, 0xc6, 0x6c, 0xb8, 0xd2, 0xf4, 0x23, 0x7f, 0xbb, + 0x62, 0x2f, 0x5d, 0x67, 0x37, 0x38, 0x74, 0xca, 0xb3, 0x3f, 0x17, + 0x53, 0x97, 0xa4, 0xbd, 0xda, 0x26, 0x6a, 0xb3, 0xd9, 0x9f, 0xac, + 0xd2, 0x58, 0x4f, 0x24, 0x8c + }; + WOLFSSL_X509 *cn_lit = NULL; + WOLFSSL_X509 *cn_wild = NULL; + + ExpectNotNull(cn_lit = wolfSSL_X509_load_certificate_buffer( + cn_ip_literal_der, (int)sizeof(cn_ip_literal_der), + WOLFSSL_FILETYPE_ASN1)); + ExpectNotNull(cn_wild = wolfSSL_X509_load_certificate_buffer( + cn_ip_wildcard_der, (int)sizeof(cn_ip_wildcard_der), + WOLFSSL_FILETYPE_ASN1)); + + /* CN=127.0.0.1 with no SAN must NOT match the IP "127.0.0.1". */ + ExpectIntEQ(wolfSSL_X509_check_ip_asc(cn_lit, "127.0.0.1", 0), 0); + /* CN=*.0.0.1 with no SAN must NOT wildcard-match "127.0.0.1". */ + ExpectIntEQ(wolfSSL_X509_check_ip_asc(cn_wild, "127.0.0.1", 0), 0); + /* CN-based hostname matching must still work for hostname checks + * (sanity check that the fix didn't over-correct). */ + ExpectIntEQ(wolfSSL_X509_check_host(cn_wild, "1.0.0.1", + XSTRLEN("1.0.0.1"), 0, NULL), 1); + + wolfSSL_X509_free(cn_wild); + wolfSSL_X509_free(cn_lit); + } + wolfSSL_X509_free(empty); wolfSSL_X509_free(x509); #endif From 4d79d1efd9e434db9e397f20a01c99424e40bf02 Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Thu, 9 Apr 2026 16:24:12 -0500 Subject: [PATCH 2/3] Improve tests --- gencertbuf.pl | 25 ++++++ tests/api/test_ossl_x509.c | 132 ------------------------------- wolfssl/certs_test.h | 155 +++++++++++++++++++++++++++++++++++++ 3 files changed, 180 insertions(+), 132 deletions(-) diff --git a/gencertbuf.pl b/gencertbuf.pl index e8fbd3f46c..6699c9f2ad 100755 --- a/gencertbuf.pl +++ b/gencertbuf.pl 
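Review bot: The added negative cases cover only certificates with no extensions at all and only IPv4, so two paths through the changed CN fallback stay untested. The first is a certificate that carries a dNSName SAN but no iPAddress SAN, with the address in the CN. The second is a CN holding an IPv6 literal. Each needs its own fixture, followed by an assertion of the same shape as the existing ones, for example `ExpectIntEQ(wolfSSL_X509_check_ip_asc(cn_v6, "::1", 0), 0);` where `cn_v6` is a hypothetical new fixture. The test function begins before this hunk, so earlier assertions may already cover the positive iPAddress SAN case.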
@@ -164,6 +164,13 @@ ["certs/sphincs/bench_sphincs_small_level5_key.der", "bench_sphincs_small_level5_key" ], ); +# CN-IP test certs (no SAN, CN contains IP literal or wildcard) +# Used with OPENSSL_EXTRA && !NO_RSA +my @fileList_cn_ip = ( + [ "./certs/test/cn-ip-literal.der", "cn_ip_literal_der" ], + [ "./certs/test/cn-ip-wildcard.der", "cn_ip_wildcard_der" ], + ); + # ---------------------------------------------------------------------------- @@ -178,6 +185,7 @@ my $num_sm2_der = @fileList_sm2_der; my $num_falcon = @fileList_falcon; my $num_sphincs = @fileList_sphincs; +my $num_cn_ip = @fileList_cn_ip; # open our output file, "+>" creates and/or truncates open OUT_FILE, "+>", $outputFile or die $!; @@ -2236,6 +2244,23 @@ print OUT_FILE "#endif /* USE_CERT_BUFFERS_25519 */\n\n"; +# convert and print CN-IP test certs +print OUT_FILE "#if defined(OPENSSL_EXTRA) && !defined(NO_RSA)\n\n"; +for (my $i = 0; $i < $num_cn_ip; $i++) { + + my $fname = $fileList_cn_ip[$i][0]; + my $sname = $fileList_cn_ip[$i][1]; + + print OUT_FILE "/* $fname */\n"; + print OUT_FILE "static const unsigned char $sname\[] =\n"; + print OUT_FILE "{\n"; + file_to_hex($fname); + print OUT_FILE "};\n"; + print OUT_FILE "#define sizeof_$sname (sizeof($sname))\n\n" +} +print OUT_FILE "#endif /* OPENSSL_EXTRA && !NO_RSA */\n\n"; + + print OUT_FILE "#endif /* WOLFSSL_CERTS_TEST_H */\n\n"; # close certs_test.h file diff --git a/tests/api/test_ossl_x509.c b/tests/api/test_ossl_x509.c index 7209dc02ae..ce8546dc24 100644 --- a/tests/api/test_ossl_x509.c +++ b/tests/api/test_ossl_x509.c 
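Review bot: The block emitted by the third hunk is wrapped in `#if defined(OPENSSL_EXTRA) && !defined(NO_RSA)`, but the test that uses `cn_ip_literal_der` and `cn_ip_wildcard_der` loses its local copies in this same patch and its build guard is outside the visible hunks; if that guard does not also exclude `NO_RSA`, such a build would stop compiling the test. I would mirror the condition around the test block with `#if !defined(NO_RSA)` and a matching `#endif`, or confirm the enclosing guard already covers it. The test still passes `(int)sizeof(cn_ip_literal_der)`, so the generated `sizeof_$sname` defines have no user on this page. The last `print` in the loop has no terminating semicolon, which Perl accepts at the end of a block but which breaks as soon as a statement is appended; `print OUT_FILE "#define sizeof_$sname (sizeof($sname))\n\n";` is safer. The two .der inputs listed in `@fileList_cn_ip` are only added by patch 3/3, so the script cannot be regenerated at this commit.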
@@ -1067,138 +1067,6 @@ int test_wolfSSL_X509_check_ip_asc(void) * wildcard-match "127.0.0.1" -- RFC 6125 Section 7.2 prohibits wildcard * matching for IP addresses. */ { - /* Self-signed cert, Subject CN="127.0.0.1", no extensions. */ - static const unsigned char cn_ip_literal_der[] = { - 0x30, 0x82, 0x02, 0xaf, 0x30, 0x82, 0x01, 0x97, 0x02, 0x14, 0x03, - 0xe8, 0x5c, 0xb5, 0x56, 0x65, 0x58, 0xd4, 0xd9, 0x86, 0x9c, 0xe7, - 0x5b, 0x71, 0xe9, 0xd3, 0x33, 0xe1, 0xa2, 0xdc, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, - 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x0c, 0x09, 0x31, 0x32, 0x37, 0x2e, 0x30, 0x2e, 0x30, 0x2e, - 0x31, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x34, 0x30, 0x38, - 0x32, 0x30, 0x32, 0x35, 0x33, 0x33, 0x5a, 0x17, 0x0d, 0x33, 0x36, - 0x30, 0x34, 0x30, 0x35, 0x32, 0x30, 0x32, 0x35, 0x33, 0x33, 0x5a, - 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, - 0x0c, 0x09, 0x31, 0x32, 0x37, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, - 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, - 0xb9, 0xcc, 0x99, 0xf7, 0xbf, 0x7c, 0x4f, 0xec, 0x7f, 0xe6, 0x17, - 0x4e, 0xe3, 0xd9, 0xe5, 0x25, 0x7d, 0xab, 0xa8, 0x66, 0xb0, 0x4d, - 0x41, 0x5c, 0x20, 0xd8, 0x67, 0xf5, 0xa3, 0xcd, 0x9e, 0x12, 0x7f, - 0x09, 0x00, 0xeb, 0x6b, 0xfc, 0x7e, 0x14, 0x10, 0xa0, 0x10, 0x2e, - 0x1f, 0xe8, 0xad, 0xec, 0xe8, 0x86, 0x54, 0xa2, 0xc4, 0x58, 0x65, - 0x26, 0x95, 0x76, 0xa1, 0xe1, 0x02, 0x52, 0x81, 0xcb, 0x7e, 0x8e, - 0xb2, 0x31, 0xc9, 0x58, 0x9a, 0xdc, 0x69, 0xab, 0x8d, 0x23, 0xcd, - 0x96, 0x19, 0x1c, 0x68, 0x69, 0xb5, 0x7d, 0x23, 0xe3, 0x58, 0xe6, - 0x26, 0xcc, 0x05, 0x40, 0xd2, 0xa9, 0xb1, 0x09, 0x9c, 0xc8, 0x4a, - 0xfc, 0x0a, 0x20, 0xba, 0xc0, 0x12, 0x3b, 0x97, 0x44, 0x2b, 0x30, - 0x50, 0x86, 0x0b, 0x27, 0x13, 0x76, 0xb5, 0xf7, 0x80, 0xf0, 0xf2, - 0xf0, 
0x93, 0x3b, 0x8d, 0xa8, 0x4f, 0xa3, 0xa9, 0xd2, 0xea, 0xd3, - 0xc3, 0xcb, 0xcc, 0x70, 0xa0, 0x0b, 0xc7, 0xc6, 0x3e, 0xc9, 0x27, - 0x4c, 0xb5, 0x23, 0x35, 0x6c, 0xb0, 0x30, 0xa2, 0xc1, 0x6d, 0x07, - 0xd0, 0x9b, 0x55, 0x6a, 0xf9, 0x18, 0xf0, 0x30, 0x74, 0x3f, 0xf6, - 0x17, 0x85, 0xb7, 0xcf, 0xa5, 0xd4, 0x91, 0xaa, 0x54, 0x85, 0xec, - 0xae, 0xc5, 0x32, 0xf2, 0xb0, 0x21, 0x5a, 0x90, 0x22, 0x66, 0x8b, - 0x4b, 0x0d, 0xc3, 0x57, 0x81, 0x86, 0xf2, 0xbb, 0xd2, 0x3b, 0x8c, - 0xfc, 0xee, 0xbd, 0xed, 0xf0, 0xfb, 0xa5, 0xe1, 0x91, 0x5a, 0x68, - 0x07, 0x60, 0x38, 0x38, 0xe7, 0x48, 0xe3, 0x83, 0xd6, 0xaf, 0xf0, - 0x03, 0x7e, 0x2e, 0x95, 0x0c, 0x33, 0xcf, 0x13, 0xe9, 0xec, 0xe7, - 0xa4, 0x5e, 0xed, 0x02, 0xae, 0xf2, 0x30, 0x6f, 0x3f, 0xc4, 0x1b, - 0x3a, 0x0a, 0xe8, 0xd3, 0x66, 0x32, 0xd6, 0xfd, 0x58, 0x3a, 0x65, - 0x93, 0x99, 0xc7, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, - 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x3c, 0xa7, 0xdf, 0xd1, 0x44, - 0xc5, 0x4d, 0x29, 0x38, 0x51, 0x9d, 0xf6, 0xee, 0x2f, 0x0c, 0xa3, - 0x8a, 0x2a, 0x7c, 0xa1, 0xb1, 0x26, 0x6d, 0xfb, 0x8b, 0x5d, 0xed, - 0xdc, 0x1f, 0xf2, 0xf1, 0x99, 0x3c, 0xd8, 0x36, 0xcd, 0x48, 0xf5, - 0x91, 0x5b, 0x42, 0x98, 0x89, 0x29, 0xba, 0x46, 0xad, 0x93, 0xea, - 0xea, 0x53, 0x17, 0xe4, 0x6d, 0xb7, 0xdc, 0xb5, 0x4a, 0xd8, 0xed, - 0x5c, 0x39, 0x0c, 0xf6, 0x1d, 0x19, 0xfb, 0x22, 0x5d, 0xe4, 0x3f, - 0x07, 0x20, 0x6d, 0x2e, 0xdc, 0x92, 0xa5, 0x56, 0xb3, 0x92, 0x74, - 0x05, 0xb2, 0x7c, 0xed, 0x73, 0x83, 0x70, 0x5f, 0x0e, 0x75, 0xe1, - 0x71, 0x4c, 0xc5, 0xf0, 0x26, 0xc5, 0xa6, 0xd4, 0xb6, 0xb4, 0x79, - 0x99, 0x54, 0xd9, 0x21, 0x48, 0x2f, 0x52, 0x6e, 0x47, 0x1d, 0x1c, - 0x3a, 0x3b, 0x2a, 0x36, 0xa8, 0x88, 0x95, 0x47, 0x67, 0x59, 0xd5, - 0xee, 0xb6, 0xe9, 0x5b, 0x86, 0x1b, 0x8b, 0x6c, 0xa6, 0xb2, 0x91, - 0x81, 0x0c, 0xca, 0x91, 0x33, 0x32, 0xe5, 0x0d, 0x8f, 0xda, 0xc7, - 0x5b, 0xa6, 0x80, 0x3f, 0x71, 0x50, 0x56, 0xd2, 0x88, 0xfc, 0x53, - 0xc5, 0x11, 0x45, 0x1e, 0x8a, 
0xb7, 0x0a, 0x83, 0x9e, 0x89, 0x63, - 0x24, 0x3e, 0x8c, 0xbd, 0xed, 0xec, 0xf4, 0x19, 0x32, 0x13, 0xcf, - 0xe7, 0xdd, 0xe6, 0x84, 0xed, 0xe7, 0xf7, 0xf9, 0x50, 0x2f, 0x7b, - 0xac, 0x7d, 0xf9, 0x0f, 0x61, 0xd1, 0xf7, 0x59, 0xf0, 0x91, 0x73, - 0x26, 0x5a, 0xba, 0x24, 0xc8, 0x49, 0x86, 0xc1, 0x1a, 0x42, 0x68, - 0x70, 0xbf, 0x94, 0x69, 0xd0, 0xd5, 0x26, 0x7e, 0x3c, 0xa9, 0x69, - 0x6f, 0xb1, 0xcc, 0xdf, 0x4d, 0xed, 0x91, 0x6d, 0xdf, 0x45, 0x71, - 0xf0, 0x88, 0x69, 0x74, 0x49, 0x2c, 0x5e, 0x77, 0xed, 0x92, 0x36, - 0x7f, 0x1a, 0x83, 0x36, 0x42, 0x17, 0x5a, 0xda, 0x91 - }; - /* Self-signed cert, Subject CN="*.0.0.1", no extensions. */ - static const unsigned char cn_ip_wildcard_der[] = { - 0x30, 0x82, 0x02, 0xab, 0x30, 0x82, 0x01, 0x93, 0x02, 0x14, 0x3a, - 0x4e, 0xfc, 0xf1, 0x5f, 0xcb, 0xe3, 0x6a, 0xae, 0x7f, 0xd6, 0x79, - 0xbd, 0x40, 0xc9, 0x64, 0x41, 0xc6, 0xf0, 0x56, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, - 0x00, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x0c, 0x07, 0x2a, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, 0x30, - 0x1e, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x34, 0x30, 0x38, 0x32, 0x30, - 0x32, 0x35, 0x33, 0x33, 0x5a, 0x17, 0x0d, 0x33, 0x36, 0x30, 0x34, - 0x30, 0x35, 0x32, 0x30, 0x32, 0x35, 0x33, 0x33, 0x5a, 0x30, 0x12, - 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, - 0x2a, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, 0x30, 0x82, 0x01, 0x22, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, - 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb9, 0xcc, 0x99, 0xf7, - 0xbf, 0x7c, 0x4f, 0xec, 0x7f, 0xe6, 0x17, 0x4e, 0xe3, 0xd9, 0xe5, - 0x25, 0x7d, 0xab, 0xa8, 0x66, 0xb0, 0x4d, 0x41, 0x5c, 0x20, 0xd8, - 0x67, 0xf5, 0xa3, 0xcd, 0x9e, 0x12, 0x7f, 0x09, 0x00, 0xeb, 0x6b, - 0xfc, 0x7e, 0x14, 0x10, 0xa0, 0x10, 0x2e, 0x1f, 0xe8, 0xad, 0xec, - 0xe8, 0x86, 0x54, 0xa2, 0xc4, 0x58, 0x65, 0x26, 0x95, 0x76, 0xa1, - 0xe1, 0x02, 
0x52, 0x81, 0xcb, 0x7e, 0x8e, 0xb2, 0x31, 0xc9, 0x58, - 0x9a, 0xdc, 0x69, 0xab, 0x8d, 0x23, 0xcd, 0x96, 0x19, 0x1c, 0x68, - 0x69, 0xb5, 0x7d, 0x23, 0xe3, 0x58, 0xe6, 0x26, 0xcc, 0x05, 0x40, - 0xd2, 0xa9, 0xb1, 0x09, 0x9c, 0xc8, 0x4a, 0xfc, 0x0a, 0x20, 0xba, - 0xc0, 0x12, 0x3b, 0x97, 0x44, 0x2b, 0x30, 0x50, 0x86, 0x0b, 0x27, - 0x13, 0x76, 0xb5, 0xf7, 0x80, 0xf0, 0xf2, 0xf0, 0x93, 0x3b, 0x8d, - 0xa8, 0x4f, 0xa3, 0xa9, 0xd2, 0xea, 0xd3, 0xc3, 0xcb, 0xcc, 0x70, - 0xa0, 0x0b, 0xc7, 0xc6, 0x3e, 0xc9, 0x27, 0x4c, 0xb5, 0x23, 0x35, - 0x6c, 0xb0, 0x30, 0xa2, 0xc1, 0x6d, 0x07, 0xd0, 0x9b, 0x55, 0x6a, - 0xf9, 0x18, 0xf0, 0x30, 0x74, 0x3f, 0xf6, 0x17, 0x85, 0xb7, 0xcf, - 0xa5, 0xd4, 0x91, 0xaa, 0x54, 0x85, 0xec, 0xae, 0xc5, 0x32, 0xf2, - 0xb0, 0x21, 0x5a, 0x90, 0x22, 0x66, 0x8b, 0x4b, 0x0d, 0xc3, 0x57, - 0x81, 0x86, 0xf2, 0xbb, 0xd2, 0x3b, 0x8c, 0xfc, 0xee, 0xbd, 0xed, - 0xf0, 0xfb, 0xa5, 0xe1, 0x91, 0x5a, 0x68, 0x07, 0x60, 0x38, 0x38, - 0xe7, 0x48, 0xe3, 0x83, 0xd6, 0xaf, 0xf0, 0x03, 0x7e, 0x2e, 0x95, - 0x0c, 0x33, 0xcf, 0x13, 0xe9, 0xec, 0xe7, 0xa4, 0x5e, 0xed, 0x02, - 0xae, 0xf2, 0x30, 0x6f, 0x3f, 0xc4, 0x1b, 0x3a, 0x0a, 0xe8, 0xd3, - 0x66, 0x32, 0xd6, 0xfd, 0x58, 0x3a, 0x65, 0x93, 0x99, 0xc7, 0x02, - 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, - 0x01, 0x00, 0x7f, 0x3a, 0xf8, 0x93, 0x41, 0x6f, 0xaa, 0xb7, 0xca, - 0x17, 0x81, 0xa7, 0x3e, 0x9f, 0x0c, 0x6d, 0x14, 0x7b, 0x6f, 0x13, - 0xf8, 0xbf, 0x63, 0x6e, 0x28, 0x57, 0x0b, 0x9a, 0xc2, 0x2a, 0x88, - 0xc0, 0x35, 0x4b, 0xe3, 0x77, 0x31, 0x61, 0xff, 0xb4, 0x03, 0xe6, - 0x11, 0x80, 0x1f, 0x35, 0x65, 0xf6, 0x47, 0x94, 0xe6, 0xb9, 0x60, - 0x1e, 0xae, 0x9c, 0x90, 0xe8, 0x53, 0x8a, 0x46, 0x61, 0x28, 0xfa, - 0x4b, 0xe0, 0x71, 0x98, 0xf4, 0x9e, 0xc8, 0x31, 0x98, 0x27, 0x71, - 0x6e, 0x3c, 0x85, 0x15, 0x6d, 0x56, 0x20, 0x3b, 0x16, 0xe7, 0x64, - 0xb8, 0x51, 0x9a, 0x72, 0x75, 0xa1, 0xd2, 0x2f, 0xcf, 0x2b, 0x61, - 0xa2, 0xa8, 0x8b, 0x59, 0x27, 0x4c, 
0x18, 0x59, 0x33, 0xbf, 0x9e, - 0x5c, 0xef, 0xbe, 0x71, 0x62, 0x62, 0x20, 0xc8, 0xdc, 0xaf, 0x74, - 0xaa, 0x7b, 0xaa, 0xaf, 0x37, 0x81, 0x65, 0xca, 0xf1, 0x7d, 0xd4, - 0x58, 0x11, 0xd7, 0x18, 0xf7, 0x50, 0xa2, 0xa8, 0x89, 0x90, 0x7c, - 0x30, 0xde, 0x2e, 0xf6, 0xbd, 0x3e, 0xbf, 0x14, 0x1e, 0xd4, 0x85, - 0x8c, 0x38, 0x1c, 0xa4, 0x26, 0xb7, 0x86, 0xe5, 0x17, 0xfc, 0x67, - 0x93, 0x86, 0x1c, 0x1f, 0x91, 0x6f, 0x8c, 0x99, 0xa6, 0x7f, 0x93, - 0x92, 0xdb, 0x45, 0x75, 0xbb, 0xb0, 0x78, 0xa3, 0x8b, 0x67, 0xf7, - 0x94, 0x26, 0xac, 0xb9, 0x4a, 0xca, 0x1f, 0x73, 0xfc, 0x52, 0x78, - 0xb8, 0x14, 0x02, 0xbf, 0x69, 0x6f, 0x70, 0x21, 0xae, 0xd4, 0x12, - 0x4f, 0xd1, 0x9f, 0xe6, 0x56, 0x11, 0x80, 0x39, 0x66, 0xe0, 0xd4, - 0x56, 0x5b, 0x32, 0xc6, 0x6c, 0xb8, 0xd2, 0xf4, 0x23, 0x7f, 0xbb, - 0x62, 0x2f, 0x5d, 0x67, 0x37, 0x38, 0x74, 0xca, 0xb3, 0x3f, 0x17, - 0x53, 0x97, 0xa4, 0xbd, 0xda, 0x26, 0x6a, 0xb3, 0xd9, 0x9f, 0xac, - 0xd2, 0x58, 0x4f, 0x24, 0x8c - }; WOLFSSL_X509 *cn_lit = NULL; WOLFSSL_X509 *cn_wild = NULL; diff --git a/wolfssl/certs_test.h b/wolfssl/certs_test.h index b4aeff3f68..efd4c1bd28 100644 --- a/wolfssl/certs_test.h +++ b/wolfssl/certs_test.h 
@@ -7069,5 +7069,160 @@ static const unsigned char x25519_pub_statickey_der[] = #endif /* USE_CERT_BUFFERS_25519 */ +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) + +/* ./certs/test/cn-ip-literal.der */ +static const unsigned char cn_ip_literal_der[] = +{ + 0x30, 0x82, 0x02, 0xAF, 0x30, 0x82, 0x01, 0x97, 0x02, 0x14, + 0x03, 0xE8, 0x5C, 0xB5, 0x56, 0x65, 0x58, 0xD4, 0xD9, 0x86, + 0x9C, 0xE7, 0x5B, 0x71, 0xE9, 0xD3, 0x33, 0xE1, 0xA2, 0xDC, + 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, + 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, + 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x09, 0x31, 0x32, + 0x37, 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31, 0x30, 0x1E, 0x17, + 0x0D, 0x32, 0x36, 0x30, 0x34, 0x30, 0x38, 0x32, 0x30, 0x32, + 0x35, 0x33, 0x33, 0x5A, 0x17, 0x0D, 0x33, 0x36, 0x30, 0x34, + 0x30, 0x35, 0x32, 0x30, 0x32, 0x35, 0x33, 0x33, 0x5A, 0x30, + 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0C, 0x09, 0x31, 0x32, 0x37, 0x2E, 0x30, 0x2E, 0x30, 0x2E, + 0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, + 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, + 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, + 0x82, 0x01, 0x01, 0x00, 0xB9, 0xCC, 0x99, 0xF7, 0xBF, 0x7C, + 0x4F, 0xEC, 0x7F, 0xE6, 0x17, 0x4E, 0xE3, 0xD9, 0xE5, 0x25, + 0x7D, 0xAB, 0xA8, 0x66, 0xB0, 0x4D, 0x41, 0x5C, 0x20, 0xD8, + 0x67, 0xF5, 0xA3, 0xCD, 0x9E, 0x12, 0x7F, 0x09, 0x00, 0xEB, + 0x6B, 0xFC, 0x7E, 0x14, 0x10, 0xA0, 0x10, 0x2E, 0x1F, 0xE8, + 0xAD, 0xEC, 0xE8, 0x86, 0x54, 0xA2, 0xC4, 0x58, 0x65, 0x26, + 0x95, 0x76, 0xA1, 0xE1, 0x02, 0x52, 0x81, 0xCB, 0x7E, 0x8E, + 0xB2, 0x31, 0xC9, 0x58, 0x9A, 0xDC, 0x69, 0xAB, 0x8D, 0x23, + 0xCD, 0x96, 0x19, 0x1C, 0x68, 0x69, 0xB5, 0x7D, 0x23, 0xE3, + 0x58, 0xE6, 0x26, 0xCC, 0x05, 0x40, 0xD2, 0xA9, 0xB1, 0x09, + 0x9C, 0xC8, 0x4A, 0xFC, 0x0A, 0x20, 0xBA, 0xC0, 0x12, 0x3B, + 0x97, 0x44, 0x2B, 0x30, 0x50, 0x86, 0x0B, 0x27, 0x13, 0x76, + 0xB5, 0xF7, 0x80, 0xF0, 0xF2, 0xF0, 0x93, 0x3B, 0x8D, 0xA8, + 
0x4F, 0xA3, 0xA9, 0xD2, 0xEA, 0xD3, 0xC3, 0xCB, 0xCC, 0x70, + 0xA0, 0x0B, 0xC7, 0xC6, 0x3E, 0xC9, 0x27, 0x4C, 0xB5, 0x23, + 0x35, 0x6C, 0xB0, 0x30, 0xA2, 0xC1, 0x6D, 0x07, 0xD0, 0x9B, + 0x55, 0x6A, 0xF9, 0x18, 0xF0, 0x30, 0x74, 0x3F, 0xF6, 0x17, + 0x85, 0xB7, 0xCF, 0xA5, 0xD4, 0x91, 0xAA, 0x54, 0x85, 0xEC, + 0xAE, 0xC5, 0x32, 0xF2, 0xB0, 0x21, 0x5A, 0x90, 0x22, 0x66, + 0x8B, 0x4B, 0x0D, 0xC3, 0x57, 0x81, 0x86, 0xF2, 0xBB, 0xD2, + 0x3B, 0x8C, 0xFC, 0xEE, 0xBD, 0xED, 0xF0, 0xFB, 0xA5, 0xE1, + 0x91, 0x5A, 0x68, 0x07, 0x60, 0x38, 0x38, 0xE7, 0x48, 0xE3, + 0x83, 0xD6, 0xAF, 0xF0, 0x03, 0x7E, 0x2E, 0x95, 0x0C, 0x33, + 0xCF, 0x13, 0xE9, 0xEC, 0xE7, 0xA4, 0x5E, 0xED, 0x02, 0xAE, + 0xF2, 0x30, 0x6F, 0x3F, 0xC4, 0x1B, 0x3A, 0x0A, 0xE8, 0xD3, + 0x66, 0x32, 0xD6, 0xFD, 0x58, 0x3A, 0x65, 0x93, 0x99, 0xC7, + 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, + 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, + 0x03, 0x82, 0x01, 0x01, 0x00, 0x3C, 0xA7, 0xDF, 0xD1, 0x44, + 0xC5, 0x4D, 0x29, 0x38, 0x51, 0x9D, 0xF6, 0xEE, 0x2F, 0x0C, + 0xA3, 0x8A, 0x2A, 0x7C, 0xA1, 0xB1, 0x26, 0x6D, 0xFB, 0x8B, + 0x5D, 0xED, 0xDC, 0x1F, 0xF2, 0xF1, 0x99, 0x3C, 0xD8, 0x36, + 0xCD, 0x48, 0xF5, 0x91, 0x5B, 0x42, 0x98, 0x89, 0x29, 0xBA, + 0x46, 0xAD, 0x93, 0xEA, 0xEA, 0x53, 0x17, 0xE4, 0x6D, 0xB7, + 0xDC, 0xB5, 0x4A, 0xD8, 0xED, 0x5C, 0x39, 0x0C, 0xF6, 0x1D, + 0x19, 0xFB, 0x22, 0x5D, 0xE4, 0x3F, 0x07, 0x20, 0x6D, 0x2E, + 0xDC, 0x92, 0xA5, 0x56, 0xB3, 0x92, 0x74, 0x05, 0xB2, 0x7C, + 0xED, 0x73, 0x83, 0x70, 0x5F, 0x0E, 0x75, 0xE1, 0x71, 0x4C, + 0xC5, 0xF0, 0x26, 0xC5, 0xA6, 0xD4, 0xB6, 0xB4, 0x79, 0x99, + 0x54, 0xD9, 0x21, 0x48, 0x2F, 0x52, 0x6E, 0x47, 0x1D, 0x1C, + 0x3A, 0x3B, 0x2A, 0x36, 0xA8, 0x88, 0x95, 0x47, 0x67, 0x59, + 0xD5, 0xEE, 0xB6, 0xE9, 0x5B, 0x86, 0x1B, 0x8B, 0x6C, 0xA6, + 0xB2, 0x91, 0x81, 0x0C, 0xCA, 0x91, 0x33, 0x32, 0xE5, 0x0D, + 0x8F, 0xDA, 0xC7, 0x5B, 0xA6, 0x80, 0x3F, 0x71, 0x50, 0x56, + 0xD2, 0x88, 0xFC, 0x53, 0xC5, 0x11, 0x45, 0x1E, 0x8A, 0xB7, + 0x0A, 0x83, 
0x9E, 0x89, 0x63, 0x24, 0x3E, 0x8C, 0xBD, 0xED, + 0xEC, 0xF4, 0x19, 0x32, 0x13, 0xCF, 0xE7, 0xDD, 0xE6, 0x84, + 0xED, 0xE7, 0xF7, 0xF9, 0x50, 0x2F, 0x7B, 0xAC, 0x7D, 0xF9, + 0x0F, 0x61, 0xD1, 0xF7, 0x59, 0xF0, 0x91, 0x73, 0x26, 0x5A, + 0xBA, 0x24, 0xC8, 0x49, 0x86, 0xC1, 0x1A, 0x42, 0x68, 0x70, + 0xBF, 0x94, 0x69, 0xD0, 0xD5, 0x26, 0x7E, 0x3C, 0xA9, 0x69, + 0x6F, 0xB1, 0xCC, 0xDF, 0x4D, 0xED, 0x91, 0x6D, 0xDF, 0x45, + 0x71, 0xF0, 0x88, 0x69, 0x74, 0x49, 0x2C, 0x5E, 0x77, 0xED, + 0x92, 0x36, 0x7F, 0x1A, 0x83, 0x36, 0x42, 0x17, 0x5A, 0xDA, + 0x91 +}; +#define sizeof_cn_ip_literal_der (sizeof(cn_ip_literal_der)) + +/* ./certs/test/cn-ip-wildcard.der */ +static const unsigned char cn_ip_wildcard_der[] = +{ + 0x30, 0x82, 0x02, 0xAB, 0x30, 0x82, 0x01, 0x93, 0x02, 0x14, + 0x3A, 0x4E, 0xFC, 0xF1, 0x5F, 0xCB, 0xE3, 0x6A, 0xAE, 0x7F, + 0xD6, 0x79, 0xBD, 0x40, 0xC9, 0x64, 0x41, 0xC6, 0xF0, 0x56, + 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, + 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x12, 0x31, 0x10, 0x30, + 0x0E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x07, 0x2A, 0x2E, + 0x30, 0x2E, 0x30, 0x2E, 0x31, 0x30, 0x1E, 0x17, 0x0D, 0x32, + 0x36, 0x30, 0x34, 0x30, 0x38, 0x32, 0x30, 0x32, 0x35, 0x33, + 0x33, 0x5A, 0x17, 0x0D, 0x33, 0x36, 0x30, 0x34, 0x30, 0x35, + 0x32, 0x30, 0x32, 0x35, 0x33, 0x33, 0x5A, 0x30, 0x12, 0x31, + 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x07, + 0x2A, 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31, 0x30, 0x82, 0x01, + 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, + 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, + 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, + 0xB9, 0xCC, 0x99, 0xF7, 0xBF, 0x7C, 0x4F, 0xEC, 0x7F, 0xE6, + 0x17, 0x4E, 0xE3, 0xD9, 0xE5, 0x25, 0x7D, 0xAB, 0xA8, 0x66, + 0xB0, 0x4D, 0x41, 0x5C, 0x20, 0xD8, 0x67, 0xF5, 0xA3, 0xCD, + 0x9E, 0x12, 0x7F, 0x09, 0x00, 0xEB, 0x6B, 0xFC, 0x7E, 0x14, + 0x10, 0xA0, 0x10, 0x2E, 0x1F, 0xE8, 0xAD, 0xEC, 0xE8, 0x86, + 0x54, 0xA2, 0xC4, 0x58, 0x65, 0x26, 0x95, 
0x76, 0xA1, 0xE1, + 0x02, 0x52, 0x81, 0xCB, 0x7E, 0x8E, 0xB2, 0x31, 0xC9, 0x58, + 0x9A, 0xDC, 0x69, 0xAB, 0x8D, 0x23, 0xCD, 0x96, 0x19, 0x1C, + 0x68, 0x69, 0xB5, 0x7D, 0x23, 0xE3, 0x58, 0xE6, 0x26, 0xCC, + 0x05, 0x40, 0xD2, 0xA9, 0xB1, 0x09, 0x9C, 0xC8, 0x4A, 0xFC, + 0x0A, 0x20, 0xBA, 0xC0, 0x12, 0x3B, 0x97, 0x44, 0x2B, 0x30, + 0x50, 0x86, 0x0B, 0x27, 0x13, 0x76, 0xB5, 0xF7, 0x80, 0xF0, + 0xF2, 0xF0, 0x93, 0x3B, 0x8D, 0xA8, 0x4F, 0xA3, 0xA9, 0xD2, + 0xEA, 0xD3, 0xC3, 0xCB, 0xCC, 0x70, 0xA0, 0x0B, 0xC7, 0xC6, + 0x3E, 0xC9, 0x27, 0x4C, 0xB5, 0x23, 0x35, 0x6C, 0xB0, 0x30, + 0xA2, 0xC1, 0x6D, 0x07, 0xD0, 0x9B, 0x55, 0x6A, 0xF9, 0x18, + 0xF0, 0x30, 0x74, 0x3F, 0xF6, 0x17, 0x85, 0xB7, 0xCF, 0xA5, + 0xD4, 0x91, 0xAA, 0x54, 0x85, 0xEC, 0xAE, 0xC5, 0x32, 0xF2, + 0xB0, 0x21, 0x5A, 0x90, 0x22, 0x66, 0x8B, 0x4B, 0x0D, 0xC3, + 0x57, 0x81, 0x86, 0xF2, 0xBB, 0xD2, 0x3B, 0x8C, 0xFC, 0xEE, + 0xBD, 0xED, 0xF0, 0xFB, 0xA5, 0xE1, 0x91, 0x5A, 0x68, 0x07, + 0x60, 0x38, 0x38, 0xE7, 0x48, 0xE3, 0x83, 0xD6, 0xAF, 0xF0, + 0x03, 0x7E, 0x2E, 0x95, 0x0C, 0x33, 0xCF, 0x13, 0xE9, 0xEC, + 0xE7, 0xA4, 0x5E, 0xED, 0x02, 0xAE, 0xF2, 0x30, 0x6F, 0x3F, + 0xC4, 0x1B, 0x3A, 0x0A, 0xE8, 0xD3, 0x66, 0x32, 0xD6, 0xFD, + 0x58, 0x3A, 0x65, 0x93, 0x99, 0xC7, 0x02, 0x03, 0x01, 0x00, + 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, + 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, + 0x00, 0x7F, 0x3A, 0xF8, 0x93, 0x41, 0x6F, 0xAA, 0xB7, 0xCA, + 0x17, 0x81, 0xA7, 0x3E, 0x9F, 0x0C, 0x6D, 0x14, 0x7B, 0x6F, + 0x13, 0xF8, 0xBF, 0x63, 0x6E, 0x28, 0x57, 0x0B, 0x9A, 0xC2, + 0x2A, 0x88, 0xC0, 0x35, 0x4B, 0xE3, 0x77, 0x31, 0x61, 0xFF, + 0xB4, 0x03, 0xE6, 0x11, 0x80, 0x1F, 0x35, 0x65, 0xF6, 0x47, + 0x94, 0xE6, 0xB9, 0x60, 0x1E, 0xAE, 0x9C, 0x90, 0xE8, 0x53, + 0x8A, 0x46, 0x61, 0x28, 0xFA, 0x4B, 0xE0, 0x71, 0x98, 0xF4, + 0x9E, 0xC8, 0x31, 0x98, 0x27, 0x71, 0x6E, 0x3C, 0x85, 0x15, + 0x6D, 0x56, 0x20, 0x3B, 0x16, 0xE7, 0x64, 0xB8, 0x51, 0x9A, + 0x72, 0x75, 0xA1, 0xD2, 0x2F, 0xCF, 0x2B, 0x61, 0xA2, 
0xA8, + 0x8B, 0x59, 0x27, 0x4C, 0x18, 0x59, 0x33, 0xBF, 0x9E, 0x5C, + 0xEF, 0xBE, 0x71, 0x62, 0x62, 0x20, 0xC8, 0xDC, 0xAF, 0x74, + 0xAA, 0x7B, 0xAA, 0xAF, 0x37, 0x81, 0x65, 0xCA, 0xF1, 0x7D, + 0xD4, 0x58, 0x11, 0xD7, 0x18, 0xF7, 0x50, 0xA2, 0xA8, 0x89, + 0x90, 0x7C, 0x30, 0xDE, 0x2E, 0xF6, 0xBD, 0x3E, 0xBF, 0x14, + 0x1E, 0xD4, 0x85, 0x8C, 0x38, 0x1C, 0xA4, 0x26, 0xB7, 0x86, + 0xE5, 0x17, 0xFC, 0x67, 0x93, 0x86, 0x1C, 0x1F, 0x91, 0x6F, + 0x8C, 0x99, 0xA6, 0x7F, 0x93, 0x92, 0xDB, 0x45, 0x75, 0xBB, + 0xB0, 0x78, 0xA3, 0x8B, 0x67, 0xF7, 0x94, 0x26, 0xAC, 0xB9, + 0x4A, 0xCA, 0x1F, 0x73, 0xFC, 0x52, 0x78, 0xB8, 0x14, 0x02, + 0xBF, 0x69, 0x6F, 0x70, 0x21, 0xAE, 0xD4, 0x12, 0x4F, 0xD1, + 0x9F, 0xE6, 0x56, 0x11, 0x80, 0x39, 0x66, 0xE0, 0xD4, 0x56, + 0x5B, 0x32, 0xC6, 0x6C, 0xB8, 0xD2, 0xF4, 0x23, 0x7F, 0xBB, + 0x62, 0x2F, 0x5D, 0x67, 0x37, 0x38, 0x74, 0xCA, 0xB3, 0x3F, + 0x17, 0x53, 0x97, 0xA4, 0xBD, 0xDA, 0x26, 0x6A, 0xB3, 0xD9, + 0x9F, 0xAC, 0xD2, 0x58, 0x4F, 0x24, 0x8C +}; +#define sizeof_cn_ip_wildcard_der (sizeof(cn_ip_wildcard_der)) + +#endif /* OPENSSL_EXTRA && !NO_RSA */ + #endif /* WOLFSSL_CERTS_TEST_H */ From 1e40b15551ce1e6c1b2ab98a7bbe3f7fe057632a Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Fri, 10 Apr 2026 13:46:48 -0500 Subject: [PATCH 3/3] Fix from review --- certs/test/cn-ip-literal.der | Bin 0 -> 691 bytes certs/test/cn-ip-wildcard.der | Bin 0 -> 687 bytes certs/test/gen-testcerts.sh | 24 ++++++++++++++++++++++++ 3 files changed, 24 insertions(+) create mode 100644 certs/test/cn-ip-literal.der create mode 100644 certs/test/cn-ip-wildcard.der 
diff --git a/certs/test/cn-ip-literal.der b/certs/test/cn-ip-literal.der new file mode 100644 index 0000000000000000000000000000000000000000..3da73c8468220f063315ad1aeb8c3b554ec80117 GIT binary patch literal 691 zcmXqLVp?y|#5kQvg!x6x*09uwD>vKbJdZAXdD-~kqB{n>Y@Awc9&O)w85y}*84N@W zg$xAPm_u2Zc{mM?%=HX_(9l3moY%g@*BHb#g>rG|YGPDEHlC4{ zfw_s1p8@C?E~X|%MuwedW`5saNy!+ zXaA`a5m+FgC;wvYn-^^%i;hI3s!c6h_>d{6@pN6^Cc~2vv+iWB?o~cJO;RQ!b8D^g zhj^! zX9^Z@A3tVyQr%~(vT4o+gGC2(*)Plv&H5?v!Jx$cn|SN?^GmNxTouy#X5CSvPa71Y zCMczKd-EO+Z*2Rt`;v9fpLcuTe)zrg;l!v6_5=%y=N^xnudV;UT&Fjc$N0SP%Qw%L z#Jy!&_sJmN{)n^{*Ne+(M%VsESfx&$d7O!vk%198gn$tM3?W7ao8|W}x*YY@vbq?(quZprbCzwI*vNBgqOs9a-u_$1qn9<<7Y2k~>i83U zRM1tfYdcr-yv}45yPmyo-+YlY5jM)k`&-If+Nzng{@+ Cz%K#- literal 0 HcmV?d00001 diff --git a/certs/test/cn-ip-wildcard.der b/certs/test/cn-ip-wildcard.der new file mode 100644 index 0000000000000000000000000000000000000000..8be0d3be757f83b86134b13b71cfabe9aa84b81c GIT binary patch literal 687 zcmXqLVp?s`#5kEr#LDl_$N1Bav)0vLtK92wGR5)OhcE+PHcqWJkGAi;jEvl@3kpU0t^-2W(_OR;0@}FMh0C^nZ}{-(!({8;75CDKUixriR0ey3g~fA^$IaK)e_*cDo62K+Uijsk=S$+= zGOhb$kZ*rP+KTJNlbZ_xlQy zk`zwdSzofMdewUK#?(_EYp+BIUYGbDuxLf+gc^f;df)ci?H7@|(%NGovqWus+f(sB z>66=J7I&wApQ5&Ar`IX@;y*zZJ4BfFXXY0uuDc@Se{ue^ zFu?}Pv