The current X509 decoder and data model does not attempt to handle the Name Constraints extension value. This means that any certificate which contains the extension marked as critical will not be decodable by mbedtls, and the CA/Browser Baseline Requirements permit this handling of name constraints, so it is something that will appear in the wild.
System information
Mbed TLS version (number or commit id):
Operating system and version: Ubuntu 22.04
Configuration (if not default, please attach mbedtls_config.h): default
Compiler and options (if you used a pre-built binary, please indicate how you obtained it): gcc
Additional environment information:
Expected behavior
The Name Constraints extension should at least be decoded and have permitted and excluded GeneralName values kept with the certificate data.
Actual behavior
The certificate fails to load properly at all, making CAs that use Name Constraints fail to operate with mbedtls.
Steps to reproduce
Attempt to load a CA certificate with a Name Constraints extension value. For example, the attached cert-with-name-constraints.txt.
Additional information
Based on the restrictions in RFC 5280 and in the CA Browser Baseline Requirements, it is possible to reduce the permitted and excluded lists to have the same internal form as the Subject Alternative Name extension. I am doing some prototyping on this now and it appears to be handled properly.
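The decoding the report asks for, written as an added example rather than Mbed TLS code: a minimal DER walker that flattens the permitted and excluded GeneralSubtree entries of a NameConstraints value (RFC 5280 section 4.2.1.10) into one SAN-like list, rejecting truncated or mis-tagged input instead of failing the whole certificate. The sample bytes, the `nc_entry` struct and the `nc_parse` name are constructed for this example.

```c
/* Added example, not Mbed TLS code. Parses a NameConstraints extnValue:
 *   NameConstraints ::= SEQUENCE { permittedSubtrees [0] GeneralSubtrees OPTIONAL,
 *                                  excludedSubtrees  [1] GeneralSubtrees OPTIONAL }
 *   GeneralSubtree  ::= SEQUENCE { base GeneralName, minimum [0] DEFAULT 0, maximum [1] OPTIONAL }
 * Lengths up to two bytes are accepted; minimum/maximum are skipped (RFC 5280 requires
 * them absent/zero, so tolerating them loses nothing). */
#include <stddef.h>
#include <string.h>

typedef struct {
    int permitted;            /* 1 = from permittedSubtrees, 0 = from excludedSubtrees */
    int name_type;            /* GeneralName choice number: 1 rfc822Name, 2 dNSName, 6 URI, 7 iPAddress */
    const unsigned char *val; /* points into the caller's DER buffer, not copied */
    size_t len;
} nc_entry;

/* Read one tag/length header; on success *p points at the value and *len fits before end. */
static int tlv_read(const unsigned char **p, const unsigned char *end, unsigned char *tag, size_t *len)
{
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    unsigned char b = *(*p)++;
    if (b < 0x80) *len = b;
    else if (b == 0x81 && *p < end) *len = *(*p)++;
    else if (b == 0x82 && end - *p >= 2) { *len = ((size_t)(*p)[0] << 8) | (*p)[1]; *p += 2; }
    else return -1;                                   /* indefinite or oversized length */
    return (size_t)(end - *p) < *len ? -1 : 0;
}

static int parse_subtrees(const unsigned char *p, const unsigned char *end, int permitted,
                          nc_entry *out, size_t max, size_t *count)
{
    unsigned char tag; size_t len;
    while (p < end) {
        if (tlv_read(&p, end, &tag, &len) || tag != 0x30) return -1;               /* GeneralSubtree */
        const unsigned char *sub_end = p + len;
        if (tlv_read(&p, sub_end, &tag, &len) || (tag & 0xC0) != 0x80) return -1;  /* base GeneralName */
        if (*count >= max) return -1;                                               /* caller's table full */
        out[*count].permitted = permitted;
        out[*count].name_type = tag & 0x1F;
        out[*count].val = p;
        out[*count].len = len;
        (*count)++;
        p = sub_end;                                  /* skip any minimum/maximum BaseDistance */
    }
    return 0;
}

/* Parse a NameConstraints extnValue into out[]. Returns 0, or -1 if malformed or out[] too small. */
int nc_parse(const unsigned char *der, size_t der_len, nc_entry *out, size_t max, size_t *count)
{
    const unsigned char *p = der, *end = der + der_len;
    unsigned char tag; size_t len;
    *count = 0;
    if (tlv_read(&p, end, &tag, &len) || tag != 0x30 || p + len != end) return -1;
    while (p < end) {
        if (tlv_read(&p, end, &tag, &len) || (tag != 0xA0 && tag != 0xA1)) return -1;
        if (parse_subtrees(p, p + len, tag == 0xA0, out, max, count)) return -1;
        p += len;
    }
    return 0;
}

/* Constructed sample: permitted dNSName "example.com", excluded dNSName "internal.test". */
const unsigned char nc_sample[] = {
    0x30, 0x24,
      0xA0, 0x0F, 0x30, 0x0D, 0x82, 0x0B, 'e','x','a','m','p','l','e','.','c','o','m',
      0xA1, 0x11, 0x30, 0x0F, 0x82, 0x0D, 'i','n','t','e','r','n','a','l','.','t','e','s','t' };
const size_t nc_sample_len = sizeof nc_sample;
```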