
verification: forbid unsupported NCs #10570

Merged (3 commits), Mar 12, 2024

Conversation

woodruffw (Contributor)

...rather than silently ignoring them.

Needs coverage, which I'll add with C2SP/x509-limbo#228 once I merge that.

...rather than silently ignoring them.

Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
@alex (Member)

alex commented Mar 11, 2024

Do we only want to reject matching pairs, or reject all validations with an other name constraint?

@woodruffw (Contributor, Author)

Do we only want to reject matching pairs, or reject all validations with an other name constraint?

I think just matching pairs: RFC 5280 says that NCs only need to be evaluated if a subject of the name form appears, so rejecting any cert that has an OtherName NC could (in practice, unlikely) prematurely exclude certs/chains that don't actually have any OtherName SANs.

@woodruffw (Contributor, Author)

woodruffw commented Mar 11, 2024

I suppose that means I should add a testcase for "validator doesn't reject chain with an OtherName constraint when there's no OtherName SANs" 🙂

Edit: C2SP/x509-limbo#229
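The "matching pairs" rule agreed above, as an added toy example in Python (not cryptography's verifier code and not the x509-limbo testcases): a name-constraints check that only fails on an unsupported name form when a constraint of that form meets a SAN of that form, and otherwise leaves constraints for absent forms unevaluated, as RFC 5280 allows. The GeneralName/NameConstraints types are hypothetical, and only dNSName matching is implemented.

```python
from dataclasses import dataclass

# Name forms this toy checker can actually match (only dNSName, to stay short).
SUPPORTED_FORMS = {"DNSName"}


@dataclass(frozen=True)
class GeneralName:
    form: str   # e.g. "DNSName", "OtherName" (hypothetical representation)
    value: str


@dataclass
class NameConstraints:
    permitted: list  # list[GeneralName]
    excluded: list   # list[GeneralName]


class VerificationError(Exception):
    pass


def dns_in_subtree(constraint: str, name: str) -> bool:
    """RFC 5280 4.2.1.10: 'example.com' covers example.com and every subdomain."""
    c, n = constraint.lower().lstrip("."), name.lower()
    return n == c or n.endswith("." + c)


def check_name_constraints(nc: NameConstraints, sans: list) -> bool:
    """Return True if every SAN satisfies nc; raise VerificationError otherwise."""
    for san in sans:
        permitted = [c for c in nc.permitted if c.form == san.form]
        excluded = [c for c in nc.excluded if c.form == san.form]
        if not permitted and not excluded:
            # No constraint of this name form: the SAN is unconstrained,
            # so an OtherName-only NC does not reject a DNS-only chain.
            continue
        if san.form not in SUPPORTED_FORMS:
            # A constraint we cannot evaluate meets a SAN of the same form:
            # fail closed rather than silently treating the name as permitted.
            raise VerificationError(f"unsupported name constraint form: {san.form}")
        if permitted and not any(dns_in_subtree(c.value, san.value) for c in permitted):
            raise VerificationError(f"{san.value} is not in any permitted subtree")
        if any(dns_in_subtree(c.value, san.value) for c in excluded):
            raise VerificationError(f"{san.value} is in an excluded subtree")
    return True
```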

@alex (Member)

alex commented Mar 11, 2024 via email

Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw (Contributor, Author)

Merged both new testcases and the CI is green, so this should be good to go 🙂

@alex alex merged commit fe82ffa into pyca:main Mar 12, 2024
56 checks passed
@woodruffw woodruffw deleted the ww/forbid-unsupported-ncs branch March 12, 2024 04:21