Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

unhandled critical extension in client when ca has name constraints #961

Closed
BenjaminHae opened this issue Jun 13, 2023 · 7 comments
Closed

unhandled critical extension in client when ca has name constraints #961

BenjaminHae opened this issue Jun 13, 2023 · 7 comments
Assignees
@hslatman
Labels
enhancement needs triage Waiting for discussion / prioritization by team

Comments

@BenjaminHae
Copy link

BenjaminHae commented Jun 13, 2023
edited
Loading

Hello!

  • Vote on this issue by adding a 馃憤 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

I've setup an intermediate-ca with name constraints. When using step ssh certificate against this CA, I receive this error:

x509: unhandled critical extension

I suggest supporting the "name constraint" extension.

Why is this needed?

Many people setup step-ca as an internal ca, limiting this ca to the internal domain name (using name constraints) reduces the impact of a compromised private key.
@BenjaminHae BenjaminHae added enhancement needs triage Waiting for discussion / prioritization by team labels Jun 13, 2023
@hslatman
Copy link
Member

hslatman commented Jun 13, 2023
edited
Loading

Hey @BenjaminHae,

Thank you for opening the issue. Name constraints should already be supported, but there are limitations in the implementation.

As a TLS client, we rely on the Go stdlib, and the error originates from that. Can you share some details on the type(s) of name constraints you're using? Are you using constraints on the DN, by any chance? If I'm correct, the Go stdlib doesn't support constraints on all name types. Relevant issue: golang/go#15196 (and there are some more to be found).

@BenjaminHae
Copy link
Author

I've set it up like this:

 X509v3 Name Constraints: critical
                Permitted:
                  othername:<unsupported>
                  email:mydomain
                  DNS:.mydomain
                  DirName:
                  URI:.mydomain
                  IP:XXX.YY.0.0/255.255.0.0

So it probably is indeed DirName...

@hslatman
Copy link
Member

Hi @BenjaminHae,

We've discussed this issue in our open source triage. We're not big fans of having to implement a workaround for this, because ideally we would like the Go stdlib to be fixed. A potential workaround could be to ignore certain, user-specified, OIDs when validating a certificate in the CLI. This would have to be plugged into the default TLS validation code path, which makes it more complex and in return we don't get a lot of value. At the moment it's unlikely we'll build something for this, but if more similar use cases pop up, we may reconsider.

You could of course reissue your intermediate without the DN constraint as a workaround too and if you feel that's "safe enough" for your use case.

@BenjaminHae
Copy link
Author

Thank you, I'm hoping for it to be fixed in Go stdlib.

@hslatman
Copy link
Member

@BenjaminHae I'll reach out to someone close to the Go crypto libraries to see what we can do about this 馃檪

@hslatman
Copy link
Member

@BenjaminHae Name Constraints have recently been discussed amongst some members working on the Go crypto packages. There's some movement in Web PKI and requiring those to be handled. I haven't familiarized myself with the exact specifics yet, but I'll check if I can find something. Adding full support is on the radar and might land in Go 1.22. It could be later, though.

@luizluca
Copy link

@BenjaminHae Name Constraints have recently been discussed amongst some members working on the Go crypto packages. There's some movement in Web PKI and requiring those to be handled. I haven't familiarized myself with the exact specifics yet, but I'll check if I can find something. Adding full support is on the radar and might land in Go 1.22. It could be later, though.

@hslatman , there is a pending patch at https://go-review.googlesource.com/c/go/+/238362 that fixes this issue.

@BenjaminHae , you can pick one of these branches (Since 1.14) that includes the fix (I've been doing this for some time):

https://github.com/luizluca/go/tree/1.14/nameconstraint
https://github.com/luizluca/go/tree/1.15/nameconstraint
...
https://github.com/luizluca/go/tree/1.20/nameconstraint
https://github.com/luizluca/go/tree/1.21/nameconstraint

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hslatman hslatman

Labels
enhancement needs triage Waiting for discussion / prioritization by team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@luizluca @hslatman @BenjaminHae