-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix name constraints check #226
base: main
Are you sure you want to change the base?
Conversation
Looking at the first bytes of the Name Constraints field in ca.der:
I'm confused why openssl would a) generate such a certificate, and b) parse it okay. @briansmith Can you tell me if I'm on the right track here? |
I was mistaken. https://tools.ietf.org/html/rfc5280#section-4.2.1.10 says it's a |
Possibly related to #20 |
There were two bugs. webpki didn't: 1. read the X.509 Name Constraints field in its entirety, nor 2. check the certificate subject against the constraints correctly (1) is a simple fix, (2) requires reading the Common Name from the certificate. Closes briansmith#20, briansmith#134.
Figured it out, updated the pull request with a fix. @briansmith Please review, thanks. @est31 Can you confirm that this fixes your issue as well? |
@bnoordhuis it seems to fix #135, but it still gives me an UnknownIssuer error when I try it on my rcgen test. Even if I don't pass the empty |
@briansmith You mentioned on May 2 in briansmith/ring#1265 that you had a fix in the works. Has that landed yet? (And if so, where? Here or there?) |
Hello, |
+1 researching issues I'm facing with corporate certs lead me here. Any news? |
@bnoordhuis there is now a fork in the rustls org. Would you be interested in resubmitting your changes there so we can review it? We will consider publishing the next version of rustls with a dependency on our forked rustls-webpki. |
@djc I can do that but some changes to ring are also needed (briansmith/ring#1265) and it looks like you didn't fork that? I suppose I could open-code it but that's kind of horrible. |
The test validates the end entity certificate against the self-signed
CA from the Web Platform Tests (WPT) conformance suite.
The certificates are somewhat unusual in that they have really long
"Name Constraints" and "Subject Alternative Name" fields but other
libraries parse them just fine.
webpki doesn't seem able to handle the "Name Constraints" field in the
CA certificate. The
der::nested()
call in `parse_subtrees() insrc/name/verify.rs expects its closure to consume all input but it
consumes only the first item on the list.
I wanted to fix the issue but I wasn't sure what the best way forward was and figured putting up this PR would be a good conversation starter.