
Can't have multiple "allow" or "deny" stanzas in an x509 policy

Open · spacekitteh opened this issue 2 years ago · 1 comment

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

I'd like to be able to restrict certain DNS names to certain IPs. E.g., home.arpa to 192.168.0.1/32, and *.iot.home.arpa to 192.168.100.1/24.

Why is this needed?

So that I don't allow the possibility of an IoT device grabbing a certificate for my default gateway.

spacekitteh · Aug 16 '23 22:08

Hi @spacekitteh, thank you for opening this issue 🙂

The current implementation in open source is working as intended. We made the decision to keep the implementation simple, because it would require a more complete or full policy language implementation to express the type of allow/deny decision you are looking for. It's not unthinkable, and has been proposed in the past (e.g. #1003), but it's not something we're actively looking into doing at the moment.

My suggestion for this type of allow/deny decision would be to look into our webhooks support: https://smallstep.com/docs/step-ca/webhooks. It's possible to implement the logic in a webhook receiver. An example is provided here: https://github.com/smallstep/webhooks.

hslatman · Aug 29 '23 14:08
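The allow/deny decision the maintainer points at can be implemented inside a webhook receiver. As an added example, not code from this issue thread or from smallstep's webhooks repository, the Go program below shows only the policy logic: the mapping from the issue (home.arpa to 192.168.0.1/32, *.iot.home.arpa to 192.168.100.1/24) evaluated against the requester's address and the DNS names in the CSR, with default deny for names no rule covers and single-label wildcard semantics. How those two inputs reach the receiver depends on step-ca's webhook request format, which this example deliberately does not assume; the `Rule`, `Policy`, `NewPolicy` and `Allow` names are hypothetical, and the sample requests in `main` are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Rule pairs a DNS name pattern with the CIDR range a requester must come from
// to be issued a certificate for that name. A pattern is either an exact name
// ("home.arpa") or a single-label wildcard ("*.iot.home.arpa").
type Rule struct {
	Pattern string
	CIDR    string
}

type compiledRule struct {
	pattern string
	network *net.IPNet
}

// Policy is an ordered rule set; the first pattern matching a name decides.
type Policy struct{ rules []compiledRule }

// DefaultRules encodes the mapping from the issue text (hypothetical values).
func DefaultRules() []Rule {
	return []Rule{
		{Pattern: "home.arpa", CIDR: "192.168.0.1/32"},
		{Pattern: "*.iot.home.arpa", CIDR: "192.168.100.1/24"},
	}
}

// NewPolicy parses every CIDR up front so a typo fails at startup, not at
// issuance time.
func NewPolicy(rules []Rule) (*Policy, error) {
	p := &Policy{}
	for _, r := range rules {
		_, network, err := net.ParseCIDR(r.CIDR)
		if err != nil {
			return nil, fmt.Errorf("rule %q: %w", r.Pattern, err)
		}
		p.rules = append(p.rules, compiledRule{pattern: normalize(r.Pattern), network: network})
	}
	return p, nil
}

// normalize lower-cases a name and drops a trailing dot so comparisons are
// not fooled by "Home.ARPA." style variants.
func normalize(name string) string { return strings.ToLower(strings.TrimSuffix(name, ".")) }

// matchName does exact or single-label wildcard matching: "*.iot.home.arpa"
// covers "sensor.iot.home.arpa" but neither "iot.home.arpa" nor "a.b.iot.home.arpa".
func matchName(pattern, name string) bool {
	name = normalize(name)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == name
	}
	suffix := pattern[1:] // e.g. ".iot.home.arpa"
	if !strings.HasSuffix(name, suffix) {
		return false
	}
	head := strings.TrimSuffix(name, suffix)
	return head != "" && !strings.Contains(head, ".")
}

// Allow returns true only if every requested DNS name matches a rule whose
// network contains the requester's IP. Names without a matching rule are
// denied (default deny), and one disallowed name rejects the whole request.
func (p *Policy) Allow(requesterIP string, dnsNames []string) (bool, string) {
	ip := net.ParseIP(requesterIP)
	if ip == nil {
		return false, "requester IP is not a valid address: " + requesterIP
	}
	if len(dnsNames) == 0 {
		return false, "request carries no DNS names"
	}
	for _, name := range dnsNames {
		matched := false
		for _, r := range p.rules {
			if !matchName(r.pattern, name) {
				continue
			}
			matched = true
			if !r.network.Contains(ip) {
				return false, fmt.Sprintf("%s may only be issued to %s; request came from %s", name, r.network, ip)
			}
			break
		}
		if !matched {
			return false, "no rule covers " + name
		}
	}
	return true, "all names permitted for " + requesterIP
}

func main() {
	p, err := NewPolicy(DefaultRules())
	if err != nil {
		panic(err)
	}
	// Constructed sample decisions: the gateway itself, and an IoT device
	// asking for the gateway's name.
	for _, c := range []struct {
		ip    string
		names []string
	}{{"192.168.0.1", []string{"home.arpa"}}, {"192.168.100.37", []string{"home.arpa"}}, {"192.168.100.37", []string{"sensor.iot.home.arpa"}}} {
		ok, why := p.Allow(c.ip, c.names)
		fmt.Printf("%-15s %-25v allow=%-5v %s\n", c.ip, c.names, ok, why)
	}
}
```

The receiver would call `Allow` with the requester address and the CSR's DNS names it extracts from the incoming webhook request, and translate the boolean into the allow/deny response step-ca expects; keeping the decision in a pure function like this makes the policy unit-testable independently of the wire format.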