Respect name constraints

Bug #1492905 reported by Stanislaw Pitucha
This bug affects 1 person
Affects: Anchor
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

When signing with the built-in CA, respect the CA certificate's name constraints.

Robert Clark (robert-clark) wrote :

Can you provide a little bit more detail please?

Stanislaw Pitucha (stanislaw-pitucha) wrote :

If Anchor uses a CA with a NameConstraints extension that specifies it's valid for ".example.com", then it should sign "name.example.com", but refuse "name.example.net". The ".net" certificate wouldn't be valid anyway, so this should be independent of what the user-defined validators say.
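
The rule described in the comment above, as an added example (not Anchor's code and not part of the original report): a standard-library Python check of requested DNS names against a CA's permitted and excluded dNSName subtrees, following RFC 5280 section 4.2.1.10. The function names and sample names are hypothetical, and reading a leading "." as "subdomains only" is an assumption.

```python
# Added example: dNSName name-constraint check in the style of RFC 5280
# section 4.2.1.10. Function names and sample names are hypothetical.


def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_matches(name, constraint):
    """Return True if `name` falls inside the subtree named by `constraint`.

    Assumption: a leading "." (the form used in the comment above) means
    "subdomains only"; without it the base domain itself also matches.
    """
    subdomains_only = constraint.startswith(".")
    base = _labels(constraint.lstrip("."))
    labels = _labels(name)
    if len(labels) < len(base) or (subdomains_only and len(labels) == len(base)):
        return False
    # Compare whole labels from the right, so "badexample.com" is not
    # mistaken for a subdomain of "example.com".
    return labels[-len(base):] == base


def allowed_by_constraints(name, permitted=(), excluded=()):
    """Apply excluded subtrees first, then require a permitted match if any exist."""
    if any(dns_matches(name, c) for c in excluded):
        return False
    if permitted and not any(dns_matches(name, c) for c in permitted):
        return False
    return True


def refused_names(requested, permitted=(), excluded=()):
    """Names from a signing request that the CA's constraints do not cover."""
    return [n for n in requested
            if not allowed_by_constraints(n, permitted, excluded)]


if __name__ == "__main__":
    # Constructed sample: CA constrained to ".example.com", as in the comment.
    names = ["name.example.com", "name.example.net", "badexample.com"]
    print(refused_names(names, permitted=[".example.com"]))
```

A signing service would run this over every DNS name in the request (subject alternative names and any DNS-style common name) before issuing, regardless of what other validators accept.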

OpenStack Infra (hudson-openstack) wrote : Fix merged to anchor (master)

Reviewed: https://review.openstack.org/222021
Committed: https://git.openstack.org/cgit/openstack/anchor/commit/?id=bac7dd3552d72570da5251cba480b504ca6fa715
Submitter: Jenkins
Branch: master

commit bac7dd3552d72570da5251cba480b504ca6fa715
Author: Stanisław Pitucha <email address hidden>
Date: Wed Sep 9 16:13:24 2015 +1000

    Add NameConstraints extension support

    NameConstraints is one of the extensions which MUST be recognised
    (RFC5280)

    Change-Id: I5ffd192101cd9b53d9000df4767be55295322ddc
    Partial-bug: 1492905
