git.ipfire.org Git - thirdparty/strongswan.git/commit
constraints: Properly validate name constraints according to RFC 5280
author Tobias Brunner <tobias@strongswan.org>
Fri, 23 Feb 2024 16:44:44 +0000 (17:44 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Tue, 12 Mar 2024 08:14:44 +0000 (09:14 +0100)
commit b29be6029e6e172e370488dc36027de2e8ff2ec2
tree e56935d24e0edb6cd92810fdc43bc080b44b3010
parent ea6a6344d37db564d925bbbf6f669a5eef5118d0
constraints: Properly validate name constraints according to RFC 5280

The previous code was in a way too simple which resulted in it being too
strict.  For instance, it enforced that intermediate CA certificates
inherited the name constraints of their parents.  That's not required by
RFC 5280 and prevented e.g. adding constraints in an intermediate CA
certificate that's followed by another that doesn't contain any
name constraints.  That's perfectly fine as the set of constraints
specified by the parent continues to apply to that CA certificate and
the children it issues.

Name constraints were previously also applied to all identities of a
matching type, which is way too strict except for some very simple
cases.  It basically prevented multiple constraints of the same type
as e.g. an intermediate CA certificate that has permitted name constraints
for example.org and example.com couldn't issue acceptable certificates
because any SAN with one domain would get rejected by the other
constraint.  According to RFC 5280 matching one constraint is enough.

Also fixed is an issue with name constraints for IP addresses which were
previously only supported for a single level.
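The three behaviours the commit message describes (a CA without name constraints leaves its parent's constraints in force, matching any one permitted subtree of a type is enough, and IP constraints narrow correctly across several levels) can be shown with a small RFC 5280-style path check. The following is an added illustration written for this page; it is not strongSwan's constraints plugin and does not reproduce its API. The `Subtree`/`Cert` classes, the chain labels and all names and addresses in `demo_chains()` are constructed for the example.

```python
"""Name-constraint processing in the RFC 5280 style (added illustration, not strongSwan code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Subtree:
    """One GeneralSubtree: kind is "dns" or "ip"; value is a host name or a CIDR prefix."""
    kind: str
    value: str


@dataclass
class Cert:
    """Toy certificate (hypothetical): only the fields name-constraint processing looks at."""
    name: str
    sans: list = field(default_factory=list)       # [(kind, value), ...]
    permitted: list = field(default_factory=list)  # permittedSubtrees
    excluded: list = field(default_factory=list)   # excludedSubtrees


def matches(kind, value, subtree):
    """True if the name (kind, value) lies within subtree (RFC 5280, section 4.2.1.10)."""
    if subtree.kind != kind:
        return False
    if kind == "dns":
        # A DNS name satisfies a constraint when it equals it or adds labels on the left.
        name = value.lower().rstrip(".")
        base = subtree.value.lower().strip(".")
        return name == base or name.endswith("." + base)
    if kind == "ip":
        # iPAddress constraints carry address + mask; compare the masked prefixes.
        net = ipaddress.ip_network(subtree.value, strict=False)
        addr = ipaddress.ip_address(value)
        return addr.version == net.version and addr in net
    raise ValueError(f"unsupported name type {kind!r}")


def validate_path(chain):
    """chain is ordered from trust anchor to end entity. Returns (ok, reason).

    permitted_state is a list of layers, one per issuer that carried permitted
    subtrees. Requiring a name to satisfy every layer is equivalent to the
    intersection RFC 5280 6.1.4 (g) prescribes, without computing it explicitly.
    excluded_state is the union of all excluded subtrees seen so far.
    """
    permitted_state = []
    excluded_state = []
    for cert in chain:
        # 6.1.3 (b)/(c): names in this certificate must satisfy the constraints
        # set by its issuers. Among permitted subtrees of one type, matching
        # any single subtree is sufficient.
        for kind, value in cert.sans:
            for layer in permitted_state:
                same_type = [s for s in layer if s.kind == kind]
                if same_type and not any(matches(kind, value, s) for s in same_type):
                    return False, f"{cert.name}: {kind} {value} outside permitted subtrees"
            if any(matches(kind, value, s) for s in excluded_state):
                return False, f"{cert.name}: {kind} {value} inside excluded subtree"
        # 6.1.4 (g): narrow the state for the certificates this CA issues.
        # A CA without a nameConstraints extension leaves the state untouched,
        # so its parent's constraints keep applying further down the path.
        if cert.permitted:
            permitted_state.append(cert.permitted)
        excluded_state.extend(cert.excluded)
    return True, "ok"


def demo_chains():
    """Constructed chains mirroring the behaviours described in the commit message."""
    root = Cert("root", permitted=[Subtree("dns", "example.org"),
                                   Subtree("dns", "example.com"),
                                   Subtree("ip", "10.0.0.0/8")])
    # An intermediate that adds constraints of its own, followed by one without any.
    sub1 = Cert("sub1", permitted=[Subtree("ip", "10.1.0.0/16")],
                excluded=[Subtree("dns", "internal.example.org")])
    sub2 = Cert("sub2")  # no nameConstraints; the parents' constraints still apply
    good = Cert("good", sans=[("dns", "www.example.org"), ("dns", "mail.example.com"),
                              ("ip", "10.1.2.3")])
    bad_dns = Cert("bad-dns", sans=[("dns", "www.example.net")])
    bad_excl = Cert("bad-excluded", sans=[("dns", "db.internal.example.org")])
    bad_ip = Cert("bad-ip", sans=[("ip", "10.2.0.1")])  # inside root's /8, outside sub1's /16
    return {
        "multiple-constraints-per-type": [root, sub1, sub2, good],
        "dns-outside-all-permitted": [root, sub1, sub2, bad_dns],
        "dns-in-excluded": [root, sub1, sub2, bad_excl],
        "ip-narrowed-at-second-level": [root, sub1, sub2, bad_ip],
    }


if __name__ == "__main__":
    for label, chain in demo_chains().items():
        print(f"{label}: {validate_path(chain)}")
```

The `good` chain is exactly the case the old code rejected twice over: `sub2` carries no constraints yet must still be bound by `root` and `sub1`, and the leaf holds SANs under both `example.org` and `example.com`, each of which only needs to match one of root's permitted subtrees. The `bad-ip` chain shows the IP constraint from the second level still taking effect.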
src/libstrongswan/plugins/constraints/constraints_validator.c
src/libstrongswan/tests/suites/test_certnames.c