
Enforce name constraints at cert issuance time

Open maraino opened this issue 3 years ago • 2 comments

Description

Enforce name constraints on X.509 cert issuance. For example, if the intermediate has:

  • PermittedDNSDomains=example.com, then example.com and www.example.com will be permitted, but acme.com will not.
  • ExcludedDNSDomains=example.com, then acme.com will be permitted, but example.com or www.example.com will not.

See RFC 5280 section 4.2.1.10.

maraino avatar Sep 20 '22 00:09 maraino

@maraino: this probably requires signing the certificate and then verifying the chain to see if it's valid, not returning the certificate if it fails? Or do you think we should extract the Go x509 implementation to do this without signing?

hslatman avatar Sep 20 '22 07:09 hslatman

@hslatman I've extracted the Go code, see verify.go on #1061

maraino avatar Sep 20 '22 17:09 maraino