webpki does not validate certificates with name constraints #3

Closed
olix0r opened this issue Aug 31, 2022 · 3 comments

Comments

olix0r commented Aug 31, 2022

We (Linkerd) have recently noticed a bug (linkerd/linkerd2#9299) that prevents webpki from validating certificates that include name constraints. We can probably produce a smaller reproduction outside of Linkerd, but our testing indicates that this applies to any certificate issued by a CA that uses name constraints. briansmith/webpki#20 suggests that this issue has existed for quite a while.

Last year, the folks at Deno ran into this issue (denoland/deno#10312) and @bnoordhuis kindly put together a PR (briansmith/webpki#226). We have not yet confirmed that this PR fixes the bugs that we encountered, but it would be great to find a path forward for name constraint support.

Contributor

hawkw commented Sep 23, 2022

It looks like simply opening @bnoordhuis' change against this fork is blocked on an upstream change to ring (briansmith/webpki#226 (comment)) which looks like it may not be going to happen (briansmith/ring#1265).

It's possible there's an alternative solution that doesn't require ring changes?

@bnoordhuis
Contributor

I've opened #7. It copies a few bits from ring. Not great but the least worst solution I could come up with.

Contributor

hawkw commented Sep 24, 2022

Thanks!
