Incorporate “imposed” name constraints from NSS #7
Comments
This is done, such that the new Turkish root has its name constraint applied. However, I can't actually find a site which uses this root to test. The official test server doesn't support reasonably modern TLS; others do but send incomplete certificate chains.
There are two problems with testing: finding a cert chain that should succeed, and finding one that should fail. To find one that should succeed, I believe you can just use Google Chrome or MSIE or anything but Firefox to connect to the test server, and then export the chain that that browser constructs. (It will use AIA fetching to complete the chain.) And/or find one in CT logs. To find one that should fail, I think the best shot would be to search the CT logs.
Good point, thanks. I did that and put the result into a test, which fails. Though it passes if I take the constraint off the relevant root. More investigation needed, so reopening this. From CT it appears nothing has been issued outside the name constraints.
I probably made the name constraint implementation in webpki too strict, and/or broke it, when I simplified it. I will look at it.
The test is here: 65282d9, if that's useful.
@ctz none of the certs added by the commit you mentioned has a name constraints extension.
No name constraints extensions. Only certificate policy extensions, but those aren't the same.
Oh, never mind, I've misunderstood. The name constraints are imposed from the outside.
As of #41 we're including the imposed name constraints from CCADB automatically. There may be future work required to adjust to upstream data format changes, but the one root with imposed name constraints has a correctly generated webpki-encoded name constraints value.
See https://hg.mozilla.org/projects/nss/rev/1fefea6530e1.
AFAICT these kinds of name constraints aren't applied to roots included in this set. The webpki crate provides a way to add the imposed constraints but currently the webpki-roots build script doesn't know how to find the imposed constraints. It seems like this might have to be done by manual intervention?
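For readers wondering what an "imposed" name constraints value for webpki looks like: the crate takes the DER-encoded NameConstraints value from RFC 5280 §4.2.1.10 (the content of the extension's OCTET STRING) in the trust anchor's `name_constraints` field. The following is an added example, not code from webpki or webpki-roots; it assumes the RFC 5280 layout and uses constructed sample domain names, not the real constraints imposed on any root.

```rust
// Added example (not webpki-roots project code): build the DER-encoded
// NameConstraints value (RFC 5280 §4.2.1.10) that a webpki TrustAnchor's
// `name_constraints` field carries, restricting a root to permitted dNSName
// subtrees. Domain names used below are constructed samples.

fn der_len(len: usize) -> Vec<u8> {
    // DER definite-length encoding: short form below 128, long form otherwise.
    if len < 0x80 {
        vec![len as u8]
    } else {
        let bytes: Vec<u8> = len.to_be_bytes().iter().copied().skip_while(|b| *b == 0).collect();
        let mut out = vec![0x80 | bytes.len() as u8];
        out.extend(bytes);
        out
    }
}

fn tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    // Tag, length, value triple.
    let mut out = vec![tag];
    out.extend(der_len(content.len()));
    out.extend_from_slice(content);
    out
}

/// Encode NameConstraints { permittedSubtrees } with one GeneralSubtree per
/// dNSName. A dNSName is GeneralName [2] IMPLICIT IA5String (tag 0x82);
/// `minimum` keeps its DEFAULT 0 and `maximum` is absent, so both are omitted
/// as DER requires. A leading dot (".example.invalid") constrains a subtree.
pub fn encode_permitted_dns_subtrees(names: &[&str]) -> Result<Vec<u8>, String> {
    let mut subtrees = Vec::new();
    for name in names {
        if name.is_empty() || !name.is_ascii() {
            return Err(format!("dNSName must be a non-empty IA5String: {:?}", name));
        }
        let base = tlv(0x82, name.as_bytes());
        subtrees.extend(tlv(0x30, &base)); // GeneralSubtree ::= SEQUENCE { base }
    }
    // permittedSubtrees is [0] IMPLICIT GeneralSubtrees: context-specific, constructed.
    let permitted = tlv(0xA0, &subtrees);
    // NameConstraints ::= SEQUENCE { permittedSubtrees [0] ... }
    Ok(tlv(0x30, &permitted))
}

fn main() {
    // Constructed sample: permit a host name and a whole subtree.
    let der = encode_permitted_dns_subtrees(&["example.test", ".example.invalid"]).unwrap();
    println!("{:02x?}", der); // bytes to embed as name_constraints: Some(b"...")
}
```

Decoding the output with any DER dumper (e.g. `openssl asn1parse -inform DER`) shows the SEQUENCE / [0] / SEQUENCE / [2] nesting a root's imposed constraint must have.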