Improve name constraints testing and fix bugs found #18

Merged 12 commits on Jan 10, 2023

Commits on Jan 10, 2023

  1. dns_name: Update assert string to new API

    We no longer call `presented_dns_id_matches_reference_dns_id`.
    AlessandroBono authored and ctz committed Jan 10, 2023
    29a112d
  2. 89569af
  3. 1536dba
  4. Fix name constraints check

    There were two bugs. webpki didn't:
    
    1. read the X.509 Name Constraints field in its entirety, nor
    
    2. check the certificate subject against the constraints correctly
    
    (1) is a simple fix, (2) requires reading the Common Name from the
    certificate.
    
    Requires lifting some DER parsing logic from ring to parse UTF8String
    and Set fields. Ring doesn't support those and isn't likely to in the
    near future, see briansmith/ring#1265.
    
    Closes #3.
    bnoordhuis authored and ctz committed Jan 10, 2023
    53d7dc0
  5. 4b50a38
  6. Generate tests for name constraints

    This uses cryptography.io and can likely be extended to test
    other features.
    ctz committed Jan 10, 2023
    698daef
  7. Fix name constraints matching further

    For -- and limited to -- server end-entity certificates, subject commonName
    can be a DNS name that should be subject to DNS name constraints.  Name
    constraints can and should have an impact on path building and certificate
    validity, even if we don't actually use the commonName for name validation
    after this.
    
    This is annoying, though, because:
    
    - not all end-entity certs have a commonName, because it's no longer required,
      and a missing one shouldn't be considered a name constraints strike.
    - only server end-entity certs should be given this treatment: clients don't
      typically have DNS names (see: https://bugzilla.mozilla.org/show_bug.cgi?id=1523484)
    ctz committed Jan 10, 2023
    2b0105a
  8. Reject non-contiguous netmasks

    Add a specific error for this, and avoid use of BadDER for
    cases where the DER encoding is actually fine but the
    syntax of the messages is incorrect.
    ctz committed Jan 10, 2023
    8f491a8
  9. 18d5c60
  10. 5a09c07
  11. Make Error non_exhaustive

    This means adding new errors is not a breaking change, at the
    cost of disabling exhaustive matching of all errors in downstream
    code.
    ctz committed Jan 10, 2023
    9281ec5
  12. 8e9de6e
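
The netmask rejection described in commit 8, sketched as an added example; this is not code from the pull request, and the type and function names are hypothetical. It assumes the RFC 5280 encoding of an iPAddress name constraint as address octets followed by mask octets, and reports a malformed mask with its own error rather than a generic encoding error.

```rust
// Added illustration: names below are hypothetical, not webpki's API.
#[derive(Debug, PartialEq)]
enum ConstraintError {
    BadLength,         // constraint is not 8 (IPv4) or 32 (IPv6) octets
    NonContiguousMask, // a 1 bit follows a 0 bit in the mask
}

/// True if `mask` is a run of 1 bits followed only by 0 bits.
fn mask_is_contiguous(mask: &[u8]) -> bool {
    let mut seen_zero = false;
    for &b in mask {
        // After the first 0 bit every octet must be 0; the boundary octet
        // itself must be ones followed by zeros.
        let ok = if seen_zero { b == 0 } else { b.leading_ones() + b.trailing_zeros() == 8 };
        if !ok {
            return false;
        }
        seen_zero |= b != 0xff;
    }
    true
}

/// Checks `presented` (4 or 16 octets) against an iPAddress name constraint
/// encoded as address || mask (RFC 5280, section 4.2.1.10).
fn ip_matches_constraint(presented: &[u8], constraint: &[u8]) -> Result<bool, ConstraintError> {
    if constraint.len() != 8 && constraint.len() != 32 {
        return Err(ConstraintError::BadLength);
    }
    let (addr, mask) = constraint.split_at(constraint.len() / 2);
    if !mask_is_contiguous(mask) {
        return Err(ConstraintError::NonContiguousMask);
    }
    // An IPv4 address never matches an IPv6 constraint, and vice versa.
    if presented.len() != addr.len() {
        return Ok(false);
    }
    Ok(presented.iter().zip(addr).zip(mask).all(|((p, a), m)| p & m == a & m))
}

fn main() {
    // Constructed samples: 10.0.0.0/8, then the same address with mask 255.0.255.0.
    let good = [10u8, 0, 0, 0, 255, 0, 0, 0];
    let bad = [10u8, 0, 0, 0, 255, 0, 255, 0];
    println!("{:?}", ip_matches_constraint(&[10u8, 1, 2, 3], &good));
    println!("{:?}", ip_matches_constraint(&[10u8, 1, 2, 3], &bad));
}
```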