[cabfpub] Name constrained certificate examples
Erwann Abalea
erwann.abalea at keynectis.com
Wed Jul 17 18:03:16 UTC 2013
In case someone wants to play with the certificates produced by Ben from
GlobalSign, they're attached to this mail.
--
Erwann ABALEA
Le 17/07/2013 19:52, Erwann Abalea a écrit :
> Bonjour,
>
> Reading the X.509 standard (8.4.2.2 and Annex G):
>
> * SSL1.cer is invalid because it has a SAN/dnsName containing
> "anything.example.com" and its issuer CA has a NameConstraints
> only allows dnsNames ending in "onlythis.com"; could you produce
> certificates with matching names ("google.com"/"onlythis.com")?
> * SSL2.cer is invalid for the same reason.
> * SSL3.cer is valid ("C=US, ST=MA, L=Boston, O=Example LLC,
> O=Google, CN=*.google.com" is a subordinate of "C=US, ST=MA,
> L=Boston, O=Example LLC", which is the only permitted
> directoryName form, and the EE cert doesn't contain a SAN extension).
>
> I tried to find equivalent tests in PKITS, with no luck (the closer I
> get is with a NC permitting a DN and an rfc822Name, and the EE has its
> email in the SAN, not in the subject).
>
>
> Testing with real browsers gives:
>
> * FF22.0, SSL1.cer, SSL2.cer, SSL3.cer: NOK
> L'autorité de certification pour ce certificat n'est pas autorisé
> à délivrer un certificat avec ce nom.
> (Code d'erreur : sec_error_cert_not_in_name_space)
> * IE8/XPSP3, SSL1.cer, SSL2.cer, SSL3.cer: NOK
> Le certificat de sécurité présenté par ce site Web a été émis pour
> une autre adresse de site Web.
> * I guess that Chrome and Safari will produce the same result on
> that platform.
> * Opera12.15/XPSP3, SSL1.cer, SSL2.cer: NOK
> Connexion sécurisée: erreur fatale (47)
> * Opera12.15/XPSP3, SSL3.cer: OK (owner is shown as "*.google.com,
> Example LLC, Google")
> * OpenSSL-based clients, SSL1.cer, SSL2.cer: NOK
> Verify return code: 47 (permitted subtree violation)
> * OpenSSL-based clients, SSL3.cer: OK
>
>
> It seems FF and CAPI (XPSP3) consider that the CN is to be validated
> as a dnsName and not part of the directoryName (whence, it's validated
> against NC.PermittedSubTrees.dnsName instead of
> NC.PermittedSubTrees.directoryName). This behaviour isn't mentioned in
> RFC5280 either, but it's logical (legacy use of email addresses in the
> subjectName is also mentioned in RFC5280, and the same kind of
> treatment regarding NC extension is proposed). However, I don't know
> if that behaviour is the result of heuristics (does the CN look like a
> FQDN?), and how all this will work with internationalized domain
> names. There's room for failures.
>
> Opera uses OpenSSL, clearly, and they both follow X.509 to the letter.
>
> I don't have anything more recent than XPSP3 as a VM, sorry.
>
> --
> Erwann ABALEA
>
> Le 17/07/2013 17:09, Ben Lightowler a écrit :
>>
>> Hi Erwann,
>>
>> Steve asked me to put together some example certificates based on
>> your concerns surrounding Name Constraints please find a zip attached
>> with a Root and Issuing CA, as well as three SSL certificate created
>> to your specifications in the examples you gave earlier.
>>
>> Hope this helps,
>>
>> *Ben Lightowler*
>>
>> Sales Engineer**
>>
>> **
>>
>> *GlobalSign*
>>
>> +44 (0) 1622 766766
>>
>> www.globalsign.co.uk <http://www.globalsign.co.uk/> |
>> www.globalsign.eu <http://www.globalsign.eu/>
>>
>> Description: Description: secured-by-globalsign.gif
>>
>> **
>>
>> Springfield House, Sandling Road, Maidstone, Kent, ME14 2LP, UK.
>>
>> Tel: +44 1622 766766 Fax: +44 1622 662255
>>
>> Description: Description: oneclick-2
>>
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130717/1fd37162/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 3627 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130717/1fd37162/attachment-0006.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 25835 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130717/1fd37162/attachment-0007.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Certificate Bundle.zip
Type: application/zip
Size: 13611 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130717/1fd37162/attachment-0003.zip>
More information about the Public
mailing list