Incorporate “imposed” name constraints from NSS #7

Closed
briansmith opened this issue Apr 28, 2017 · 9 comments

Comments

@briansmith
Contributor

See https://hg.mozilla.org/projects/nss/rev/1fefea6530e1.

AFAICT these kinds of name constraints aren't applied to roots included in this set. The webpki crate provides a way to add the imposed constraints but currently the webpki-roots build script doesn't know how to find the imposed constraints. It seems like this might have to be done by manual intervention?

@ctz
Member

ctz commented Apr 30, 2017

This is done, such that the new Turkish root has its name constraint applied.

However, I can't actually find a site which uses this root to test. The official test server doesn't support reasonably modern TLS; others do but send incomplete certificate chains.

@ctz ctz closed this as completed Apr 30, 2017
@briansmith
Contributor Author

There are two problems with testing: Finding a cert chain that should succeed, and finding one that should fail.

To find one that should succeed, I believe you can just use Google Chrome or MSIE or anything but Firefox to connect to the test server, and then export the chain that that browser constructs. (It will use AIA fetching to complete the chain.) And/or find one in CT logs.

To find one that should fail, I think the best shot would be to search the CT logs.

@ctz
Member

ctz commented May 1, 2017

> To find one that should succeed ...

Good point, thanks. I did that and put the result into a test, which fails. Though it passes if I take the constraint off the relevant root. More investigation needed, so reopening this.

From CT it appears nothing has been issued outside the name constraints.

@ctz ctz reopened this May 1, 2017
@briansmith
Contributor Author

I probably made the name constraint implementation in webpki too strict, and/or broke it, when I simplified it. I will look at it.

@ctz
Member

ctz commented May 1, 2017

The test is here 65282d9 if that's useful.

@est31
Member

est31 commented Jun 29, 2020

@ctz none of the certs added by the commit you mentioned has a name constraints extension

@est31
Member

est31 commented Jun 29, 2020

root

intermediary

subject

No name constraints extensions. Only certificate policy extensions, but those aren't the same.

@est31
Member

est31 commented Jun 29, 2020

Oh never mind, I've misunderstood. The name constraints are imposed from the outside.

@cpu
Member

cpu commented Aug 10, 2023

As of #41 we're including the imposed name constraints from CCADB automatically. There may be future work required to adjust to upstream data format changes but the one root with imposed name constraints has a correctly generated webpki encoded name constraints value.

@cpu cpu closed this as completed Aug 10, 2023