#2922 Name Constraints: Using a Netmask produces an odd entry in a certificate
Closed: fixed 5 years ago Opened 6 years ago by ftweedal.

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1538311.

Description of problem:
we are able to see the following when using one of their profiles:

Issuing a cert off this profile translates 192.168.1.1/24
into what looks like an IPv6 address,
namely c0a8:1c8:ffff:ffff:000:000:000:000

  Identifier: Name Constraints - 2.5.29.30
      Critical: yes
      GeneralSubtrees:
      Permitted:
          GeneralSubtree: [
          GeneralName: IPAddress: c0a8:1c8:ffff:ffff:000:000:000:000
              Minimum: 0
              Maximum: undefined]
      Excluded:
          GeneralSubtree: [
          GeneralName: IPAddress: c0a8:101:ffff:ffff:000:000:000:000
              Minimum: 0
              Maximum: undefined]

and openssl 1.0.2k-fips sees:

  X509v3 Name Constraints: critical
      Permitted:
          IP:IP Address:<invalid>
      Excluded:
          IP:IP Address:<invalid>

And according to RFC 5280 it should be the octet string... well, at least for the SAN (subject alternate name). I presume the same would apply for the Name Constraints.
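As an added illustration (not Dogtag's code and not from the report), the following Python sketch encodes the iPAddress payloads RFC 5280 prescribes for a SAN (address only) versus a Name Constraints subtree (address followed by netmask, 8 octets for IPv4 and 32 for IPv6), and classifies a payload the way a verifier would, so the 16-octet value shown in the certificate above comes out as invalid. The helper names are my own.

```python
import ipaddress


def san_ip_octets(addr: str) -> bytes:
    """SAN iPAddress payload: 4 octets (IPv4) or 16 (IPv6), address only."""
    return ipaddress.ip_address(addr).packed


def name_constraint_ip_octets(cidr: str) -> bytes:
    """Name Constraints iPAddress payload (RFC 5280 4.2.1.10): network
    address followed by its netmask, 8 octets for IPv4 or 32 for IPv6."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.network_address.packed + net.netmask.packed


def check_name_constraint_ip(octets: bytes) -> str:
    """Classify an iPAddress subtree payload as found in a certificate.
    Returns 'ok: <cidr>' or an 'invalid: ...' reason, mirroring why a
    verifier prints 'IP Address:<invalid>' for a mis-sized value."""
    if len(octets) == 8:
        family, width = ipaddress.IPv4Address, 32
    elif len(octets) == 32:
        family, width = ipaddress.IPv6Address, 128
    else:
        return f"invalid: {len(octets)} octets (expected 8 or 32)"
    half = len(octets) // 2
    addr = family(octets[:half])
    mask = int.from_bytes(octets[half:], "big")
    # A CIDR netmask is a run of 1 bits followed by 0 bits, so the
    # inverted mask must have the form 2**n - 1.
    inverted = ~mask & ((1 << width) - 1)
    if inverted & (inverted + 1):
        return f"invalid: non-contiguous netmask {family(octets[half:])}"
    prefixlen = bin(mask).count("1")
    # strict=False normalises any host bits set in the address part.
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    return f"ok: {net}"


if __name__ == "__main__":
    # Correct encoding of the range from the report, 192.168.1.1/24.
    good = name_constraint_ip_octets("192.168.1.1/24")
    print(good.hex(), check_name_constraint_ip(good))
    # The 16-octet value the report shows in the issued certificate,
    # c0a8:1c8:ffff:ffff:000:000:000:000, expanded to bytes (constructed
    # here from the report's hex groups).
    bad = bytes.fromhex("c0a801c8ffffffff" + "00" * 8)
    print(bad.hex(), check_name_constraint_ip(bad))
```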


Metadata Update from @ftweedal:
- Issue assigned to ftweedal

6 years ago

Metadata Update from @ftweedal:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1538311
- Custom field type adjusted to None
- Custom field version adjusted to None

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5 (was: 0.0 NEEDS_TRIAGE)

6 years ago

Pushed to master:

  • 628ace0c9 IPAddressName: refactoring
  • ab401936d Check validity of Subject/Issuer Alt Names and Name Constraints
  • c8ca22a55 GeneralNameInterface: methods for checking name validity
  • 93d6af74e parseGeneralName: properly parse iPAddress GN with netmask
  • 67059fae6 IPAddressName: remove unused getLength method

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.6.0 (was: 10.5)

6 years ago

Pushed to DOGTAG_10_5_BRANCH:

  • f14d46f0a IPAddressName: refactoring
  • 180b76c98 Check validity of Subject/Issuer Alt Names and Name Constraints
  • 487097a4d GeneralNameInterface: methods for checking name validity
  • 58658a75a parseGeneralName: properly parse iPAddress GN with netmask
  • fca1cbda2 IPAddressName: remove unused getLength method

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.7 (was: 10.6.0)

6 years ago

Metadata Update from @mharmsen:
- Issue priority set to: critical

6 years ago

re-opening to fix another issue

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5 (was: 10.5.7)
- Issue status updated to: Open (was: Closed)

5 years ago

Metadata Update from @mharmsen:
- Issue priority set to: blocker (was: critical)

5 years ago

More commits, to fix issues discovered during QE, have been pushed to
upstream master:

  • 2ea0bd67171145a2013181ee75f0223aee2ddced IPAddressName: fix toString method
  • 6ff2dfc3dcf3322653646ac7afcead9ab7b94080 Handle empty NameConstraints subtrees when reading extension

Closing FIXED (again).

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed

5 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.9 (was: 10.5)

5 years ago

Re-opening (again -_-) to fix another issue.

Gerrit reviews:
- master: https://review.gerrithub.io/c/dogtagpki/pki/+/415271
- DOGTAG_10_5_BRANCH: https://review.gerrithub.io/c/dogtagpki/pki/+/415273

Metadata Update from @ftweedal:
- Issue status updated to: Open (was: Closed)

5 years ago

commit a85486cfc7644b6a1caac6f5a2b34c4516ea1288
Author: Fraser Tweedale ftweedal@redhat.com
Date: Fri Jun 15 00:28:43 2018 +1000

IPAddressName: fix construction from String

The IPAddressName(String) constructor (the non-netmask case) was
broken by commit 628ace0c90073a8a1d90e96fae0aab9e43903fd6.  Fix it,
and rename one of the helper methods to clarify its behaviour.

Fixes: https://pagure.io/dogtagpki/issue/2922
Change-Id: I711cf6845496f54c86b10d2d01368912084f96ea

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.5.10-1.fc27
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.5.10 (was: 10.5.9)
- Issue status updated to: Closed (was: Open)

5 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3040

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
