IP address name constraint masks must be representable in CIDR notation #216

Open
briansmith opened this issue Jun 4, 2020 · 1 comment

briansmith commented Jun 4, 2020

Chromium enforces that the masks in IP address name constraints are representable in CIDR notation: i.e. zero or more 1 bits followed by all 0 bits, with no 0 bits after the first 1 bit. An IP address name constraint that doesn't match this pattern should be considered malformed, i.e. mis-issued. Since RFC 5280 isn't clear about this, the PKI policy should call this out specifically.

briansmith/webpki#130 has more context. This was pointed out by Gregor Kopf for Cure53.

@CBonnell
Contributor

RFC 5280, section 4.2.1.10 says:

The syntax of iPAddress MUST be as described in Section 4.2.1.6 with
the following additions specifically for name constraints. For IPv4
addresses, the iPAddress field of GeneralName MUST contain eight (8)
octets, encoded in the style of RFC 4632 (CIDR) to represent an
address range [RFC4632].

"in the style of RFC 4632" is a MUST-level encoding rule, so I think 5280 is clear that address ranges must be CIDR-representable, and it is a profile violation otherwise. I'd be interested to hear differing interpretations to see how this can be further clarified.
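The check described in both comments above (an iPAddress name constraint is address octets followed by mask octets, 8 octets for IPv4 and 32 for IPv6, and the mask must be a contiguous run of 1 bits followed only by 0 bits), written out as an added illustration. This is example code, not Chromium's, webpki's or the policy project's own implementation; the function and type names are assumptions, and the constraint payloads in main are constructed sample input.

```rust
use std::net::{Ipv4Addr, Ipv6Addr};

/// Reasons a raw iPAddress name-constraint payload is rejected.
#[derive(Debug, PartialEq)]
pub enum ConstraintError {
    /// Payload is neither 8 octets (IPv4) nor 32 octets (IPv6), as RFC 5280 4.2.1.10 requires.
    BadLength(usize),
    /// Mask has a 1 bit after a 0 bit, so it cannot be written as a /prefix length.
    NonContiguousMask,
}

/// A parsed iPAddress name constraint: base address plus CIDR prefix length.
#[derive(Debug, PartialEq)]
pub enum IpConstraint {
    V4 { addr: Ipv4Addr, prefix: u8 },
    V6 { addr: Ipv6Addr, prefix: u8 },
}

/// True if `mask` is zero or more 1 bits followed by nothing but 0 bits.
pub fn mask_is_cidr(mask: &[u8]) -> bool {
    let mut seen_zero = false;
    for &byte in mask {
        // Walk bits from most significant to least significant.
        for shift in (0..8).rev() {
            if (byte >> shift) & 1 == 1 {
                if seen_zero {
                    return false; // a 1 bit after a 0 bit: not CIDR-representable
                }
            } else {
                seen_zero = true;
            }
        }
    }
    true
}

/// Prefix length of a CIDR-representable mask, or None if the mask is not contiguous.
pub fn prefix_len(mask: &[u8]) -> Option<u8> {
    if mask_is_cidr(mask) {
        Some(mask.iter().map(|b| b.count_ones() as u8).sum::<u8>())
    } else {
        None
    }
}

/// Parse the raw iPAddress GeneralName payload of a NameConstraints GeneralSubtree.
/// Anything that is not (address, contiguous mask) of the right length is treated as malformed.
pub fn parse_ip_name_constraint(raw: &[u8]) -> Result<IpConstraint, ConstraintError> {
    match raw.len() {
        8 => {
            let (a, m) = raw.split_at(4);
            let prefix = prefix_len(m).ok_or(ConstraintError::NonContiguousMask)?;
            let mut octets = [0u8; 4];
            octets.copy_from_slice(a);
            Ok(IpConstraint::V4 { addr: Ipv4Addr::from(octets), prefix })
        }
        32 => {
            let (a, m) = raw.split_at(16);
            let prefix = prefix_len(m).ok_or(ConstraintError::NonContiguousMask)?;
            let mut octets = [0u8; 16];
            octets.copy_from_slice(a);
            Ok(IpConstraint::V6 { addr: Ipv6Addr::from(octets), prefix })
        }
        n => Err(ConstraintError::BadLength(n)),
    }
}

impl IpConstraint {
    /// Render the constraint in the CIDR notation RFC 4632 describes.
    pub fn to_cidr_string(&self) -> String {
        match self {
            IpConstraint::V4 { addr, prefix } => format!("{}/{}", addr, prefix),
            IpConstraint::V6 { addr, prefix } => format!("{}/{}", addr, prefix),
        }
    }
}

fn main() {
    // Constructed sample payloads: a well-formed /24 and a mask with a 0 bit before a 1 bit.
    let good = [192, 0, 2, 0, 255, 255, 255, 0];
    let bad = [192, 0, 2, 0, 255, 255, 0, 255];
    for raw in [&good, &bad] {
        match parse_ip_name_constraint(raw) {
            Ok(c) => println!("accepted: {}", c.to_cidr_string()),
            Err(e) => println!("rejected: {:?}", e),
        }
    }
}
```

The contiguity test is the whole point: a mask such as 255.255.0.255 passes a naive "8 octets" length check yet describes no CIDR range, so a validator that only checks length would accept a constraint that no conforming relying party can interpret consistently.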
