projects / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: de9f5b3) | patch
Limit scope of CN name constraints
authorViktor Dukhovni <openssl-users@dukhovni.org>
Wed, 16 May 2018 03:41:20 +0000 (23:41 -0400)
committerViktor Dukhovni <openssl-users@dukhovni.org>
Wed, 23 May 2018 15:12:13 +0000 (11:12 -0400)
commitd02d80b2e80adfdde49f76cf7c7af4e013f45005
treee9e137e02f0751435765ff251b07d58f710213e0tree | snapshot
parentde9f5b3554274e27949941cbe74a07c8a5f25dbfcommit | diff
Limit scope of CN name constraints

Don't apply DNS name constraints to the subject CN when there's a
least one DNS-ID subjectAlternativeName.

Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names.  Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label.  In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
15 files changed:
crypto/asn1/a_strex.c diff | blob | history
crypto/include/internal/asn1_int.h diff | blob | history
crypto/x509v3/v3_ncons.c diff | blob | history
test/certs/alt1-cert.pem diff | blob | history
test/certs/alt1-key.pem diff | blob | history
test/certs/badalt6-cert.pem diff | blob | history
test/certs/badalt6-key.pem diff | blob | history
test/certs/badalt7-cert.pem diff | blob | history
test/certs/badalt7-key.pem diff | blob | history
test/certs/badcn1-cert.pem [new file with mode: 0644] blob
test/certs/badcn1-key.pem [new file with mode: 0644] blob
test/certs/goodcn1-cert.pem [new file with mode: 0644] blob
test/certs/goodcn1-key.pem [new file with mode: 0644] blob
test/certs/setup.sh diff | blob | history
test/recipes/25-test_verify.t diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.