Score:1

How to have "empty" for x509's nameConstraints extension subtree?

sd flag
gcb

I am signing X.509 certificates that should only be used for CNs under a specific domain, not for any IP/email/UPN.

RFC 5280 says that passing empty for a permitted name type will allow all of that class, while passing empty for an excluded class will deny all of that class.

initial-permitted-subtrees, which indicates for each name type (e.g., X.500 distinguished names, email addresses, or IP addresses) a set of subtrees within which all subject names in every certificate in the certification path MUST fall. The initial-permitted-subtrees input includes a set for each name type. For each name type, the set may consist of a single subtree that includes all names of that name type or one or more subtrees that each specifies a subset of the names of that name type, or the set may be empty. If the set for a name type is empty, then the certification path will be considered invalid if any certificate in the certification path includes a name of that name type.

--- RFC 5280 6.1.1(h)

First I learned there's no UPN class for this extension, so right from the start I already know this won't do. Continuing then for email and IP.

I cannot find how to specify empty in an openssl extension config file, nor in the general openssl config files. There is a single mention of a special case for one option that accepts EMPTY, but using either EMPTY or empty (as the PowerShell tools accept) results in a literal string on my certs for email, and a failure for IP.

$ grep nameConstraints cert.cfg
nameConstraints=permitted;DNS:01.org, excluded;IP:empty, excluded;email:empty
$ openssl x509 ... -extfile my-root-ca-br.cfg
40F784080B7F0000:error:11000076:X509 V3 routines:a2i_GENERAL_NAME:bad ip address:crypto/x509/v3_san.c:556:value=empty
40F784080B7F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=...

$ grep nameConstraints cert2.cfg
nameConstraints=permitted;DNS:01.org, excluded;email:EMPTY
$ openssl x509 ... -extfile my-root-ca-br.cfg
$ openssl x509 -in crt -text
...
               Excluded:
                  email:EMPTY
...

$ grep nameConstraints cert2.cfg
nameConstraints=permitted;DNS:01.org, excluded;email:empty
$ openssl x509 ... -extfile my-root-ca-br.cfg
$ openssl x509 -in crt -text
...
               Excluded:
                  email:empty
...

...I don't think that looks right.

Edit: alternatively, how do I specify ALL emails/IPs?

nameConstraints=critical,permitted... excluded;email:., excluded;IP:0.0.0.0/0.0.0.0, excluded;IP:::/::
...

                Excluded:
                  email:.
                  IP:0.0.0.0/0.0.0.0
                  IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

Is this it?
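One way to check the closing guess, as an added example that is not from the original post or from the OpenSSL documentation: the script below builds a throwaway root CA carrying exactly that nameConstraints value, issues three leaf certificates (a DNS name under 01.org, an email address, an IP address) and asks `openssl verify` which of them chain. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the names, files and the leaf CN leaf.01.org are constructed for the demo. The IPv4 and IPv6 entries are decided by plain mask arithmetic and reject every address. For the email case, OpenSSL's matcher treats an rfc822 constraint that starts with '.' as a suffix match on the whole address, so a bare '.' should match only addresses that end in a period; the third run shows what your build actually decides.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway root CA that
# carries the nameConstraints from the question's edit, issue three leaf
# certificates (DNS name under 01.org, email address, IP address) and let
# `openssl verify` decide which of them chain. Assumes an `openssl` binary
# (1.1.1 or 3.x) on PATH; every name and file below is constructed for the demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to run"; exit 0; }

# The "exclude everything" spelling from the question's edit.
NC='critical,permitted;DNS:01.org,excluded;email:.,excluded;IP:0.0.0.0/0.0.0.0,excluded;IP:::/::'

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root with the constraint. The config carries its own [req]
# section so the run does not depend on the system openssl.cnf.
setup_pki() {
  cat > "$WORK/ca.cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Constrained Test Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
nameConstraints = $NC
EOF
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cfg" \
    -extensions v3_ca -days 1 -out "$WORK/ca.crt"
}

# issue_leaf LABEL SAN: end-entity cert under the root whose only constrained
# name is the given subjectAltName. The CN stays under 01.org so that the DN
# itself never trips the DNS constraint and only the SAN decides the outcome.
issue_leaf() {
  cat > "$WORK/$1.cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = leaf.01.org
EOF
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = %s\n' "$2" > "$WORK/$1.ext"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -config "$WORK/$1.cfg" -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# check_leaf LABEL: prints "accepted" or "rejected" according to the path
# validation that `openssl verify` performs against the constrained root.
check_leaf() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

setup_pki
issue_leaf dns   "DNS:www.01.org"
issue_leaf email "email:alice@example.com"
issue_leaf ip    "IP:192.0.2.10"
for leaf in dns email ip; do
  printf '%-6s %s\n' "$leaf" "$(check_leaf "$leaf")"
done
# The verifier's own reason for the IP rejection:
openssl verify -CAfile "$WORK/ca.crt" "$WORK/ip.crt" 2>&1 | grep -i 'violation' || true
```

Run it with sh. To compare with the permitted-only form, drop the excluded entries from NC: per RFC 5280 the permittedSubtrees restrict only the name types that appear in them, so email and IP names are then left unconstrained, which is why the question needs an exclusion for them in the first place.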

dave_thompson_085
jp flag
Your link is to 4.2.1.10 (the extension) but your quote is from 6.1.1 (the inputs to the validation algorithm); these are completely different things. The initial sets can be empty but the extension sets cannot; see the ASN.1. The 'exclude all' cases you show are definitely correct for v4 and v6 addrs; email looks good but I would have to test to be sure and you're already doing that.
sd flag
gcb
Section 4.2.1.10 says "Restrictions are defined in terms of permitted or excluded name subtrees". I did not find any definition of subtree other than 6.1.1; is there another I should look at?
dave_thompson_085
jp flag
The ASN.1 is at the end of 4.2.1.10, at the bottom of page 42 and top of page 43. Plus the prose statement at the end of the same paragraph you quoted, "either the permittedSubtrees field or the excludedSubtrees field MUST be present"; this expresses a constraint additional to the ASN.1 definition.