Limit scope of CN name constraints
authorViktor Dukhovni <openssl-users@dukhovni.org>
Fri, 18 May 2018 13:09:51 +0000 (09:09 -0400)
committerViktor Dukhovni <openssl-users@dukhovni.org>
Wed, 23 May 2018 15:08:48 +0000 (11:08 -0400)
commitc2c2c7b3f1df94f9a447cc3cf8196579543cc57e
tree91415123b7573ed93beb6663cfa80f6a07028e61
parent1caa3bbf25796c1fb4dcfee1a3d5a554b8a161f9
Limit scope of CN name constraints

Don't apply DNS name constraints to the subject CN when there's a
least one DNS-ID subjectAlternativeName.

Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names.  Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label.  In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
15 files changed:
crypto/asn1/a_strex.c
crypto/include/internal/asn1_int.h
crypto/x509v3/v3_ncons.c
test/certs/alt1-cert.pem
test/certs/alt1-key.pem
test/certs/badalt6-cert.pem
test/certs/badalt6-key.pem
test/certs/badalt7-cert.pem
test/certs/badalt7-key.pem
test/certs/badcn1-cert.pem [new file with mode: 0644]
test/certs/badcn1-key.pem [new file with mode: 0644]
test/certs/goodcn1-cert.pem [new file with mode: 0644]
test/certs/goodcn1-key.pem [new file with mode: 0644]
test/certs/setup.sh
test/recipes/25-test_verify.t