Comments (7)
Thank you, I'm hoping for it to be fixed in Go stdlib.
@BenjaminHae Name Constraints have recently been discussed amongst some members working on the Go crypto packages. There's some movement in Web PKI and requiring those to be handled. I haven't familiarized myself with the exact specifics yet, but I'll check if I can find something. Adding full support is on the radar and might land in Go 1.22. It could be later, though.
Hey @BenjaminHae,
Thank you for opening the issue. Name constraints should already be supported, but there are limitations in the implementation.
As a TLS client, we rely on the Go stdlib, and the error originates from that. Can you share some details on the type(s) of name constraints you're using? Are you using constraints on the DN, by any chance? If I'm correct, the Go stdlib doesn't support constraints on all name types. Relevant issue: golang/go#15196 (and there are some more to be found).
I've set it up like this:
X509v3 Name Constraints: critical
    Permitted:
      othername:<unsupported>
      email:mydomain
      DNS:.mydomain
      DirName:
      URI:.mydomain
      IP:XXX.YY.0.0/255.255.0.0
So it probably is indeed DirName...
Hi @BenjaminHae,
We've discussed this issue in our open source triage. We're not big fans of having to implement a workaround for this, because ideally we would like the Go stdlib to be fixed. A potential workaround could be to ignore certain, user-specified, OIDs when validating a certificate in the CLI. This would have to be plugged into the default TLS validation code path, which makes it more complex and in return we don't get a lot of value. At the moment it's unlikely we'll build something for this, but if more similar use cases pop up, we may reconsider.
You could of course reissue your intermediate without the DN constraint as a workaround too and if you feel that's "safe enough" for your use case.
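The behaviour discussed in this thread, and the "reissue without the DN constraint" workaround, can be reproduced end to end against the Go standard library. The program below is an added example written for this page; it is not code from the thread, from step-cli, or from Go itself. It builds a throwaway root -> intermediate -> leaf chain in memory, once with a critical Name Constraints extension that carries both a DNS subtree and a DirName subtree (the extension has to be hand-encoded, because x509.Certificate has no template field for DirName constraints), and once with the same DNS restriction expressed through PermittedDNSDomains. All names (example.com, "Example Org", "Constrained Intermediate") are constructed for the example. NameConstraintsUnhandled is the check a practitioner can run against a real intermediate: if Go's parser has put OID 2.5.29.30 on UnhandledCriticalExtensions, Verify will reject every chain through that CA before evaluating any constraint, which is the error the CLI surfaces as a TLS client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30} // id-ce-nameConstraints, RFC 5280 4.2.1.10

// ASN.1 shapes written for this example (permittedSubtrees only) so the list can carry a
// GeneralName choice, directoryName, that x509.Certificate's template fields cannot express.
type generalSubtree struct{ Base asn1.RawValue }
type nameConstraints struct {
	Permitted []generalSubtree `asn1:"optional,tag:0"`
}

// must panics on error: a failure while building the throwaway PKI is a bug, not a runtime condition.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// dirNameConstraintExt builds a critical NameConstraints extension holding a dNSName subtree
// (a type Go enforces) and a directoryName subtree (the DirName type Go only records as unhandled).
func dirNameConstraintExt(dnsSuffix string, dir pkix.Name) pkix.Extension {
	dirDER := must(asn1.Marshal(dir.ToRDNSequence()))
	val := must(asn1.Marshal(nameConstraints{Permitted: []generalSubtree{
		// dNSName [2] IMPLICIT IA5String
		{Base: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte(dnsSuffix)}},
		// directoryName [4] Name: Name is a CHOICE, so the tag is explicit (constructed)
		{Base: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 4, IsCompound: true, Bytes: dirDER}},
	}}))
	return pkix.Extension{Id: oidNameConstraints, Critical: true, Value: val}
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns the parsed cert and its new Ed25519 key.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NameConstraintsUnhandled reports whether Go's parser listed the critical NameConstraints
// extension as unhandled; Verify then rejects every chain through this CA before checking any name.
func NameConstraintsUnhandled(c *x509.Certificate) bool {
	for _, oid := range c.UnhandledCriticalExtensions {
		if oid.Equal(oidNameConstraints) {
			return true
		}
	}
	return false
}

// CheckChain builds a throwaway root -> intermediate -> leaf PKI in memory. withDirName=true reproduces
// the thread's DirName constraint; false states the same DNS restriction through fields Go can emit and enforce.
func CheckChain(withDirName bool) (unhandled bool, verifyErr error) {
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	root, rootKey := issue(ca(1, "Example Root"), nil, nil)
	interTmpl := ca(2, "Constrained Intermediate")
	if withDirName {
		interTmpl.ExtraExtensions = []pkix.Extension{dirNameConstraintExt("example.com", pkix.Name{Organization: []string{"Example Org"}})}
	} else {
		interTmpl.PermittedDNSDomains = []string{"example.com"}
		interTmpl.PermittedDNSDomainsCritical = true
	}
	inter, interKey := issue(interTmpl, root, rootKey)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"www.example.com"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, verifyErr = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.com"})
	return NameConstraintsUnhandled(inter), verifyErr
}

func main() {
	for _, withDirName := range []bool{true, false} {
		unhandled, err := CheckChain(withDirName)
		fmt.Printf("DirName constraint: %v  unhandled: %v  verify error: %v\n", withDirName, unhandled, err)
	}
}
```

Running it with `go run` prints an "unhandled critical extension" failure (wrapped in Go's "certificate signed by unknown authority" hint) for the DirName variant and a clean verification for the DNS-only variant. Against a real deployment, parse the intermediate with x509.ParseCertificate and call NameConstraintsUnhandled on it: a true result means any Go-based client, step-cli included, will reject the chain, independent of whether the constrained names themselves are satisfied.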
@BenjaminHae I'll reach out to someone close to the Go crypto libraries to see what we can do about this 🙂
@hslatman, there is a pending patch at https://go-review.googlesource.com/c/go/+/238362 that fixes this issue.
@BenjaminHae, you can pick one of these branches (since 1.14) that includes the fix (I've been doing this for some time):
https://github.com/luizluca/go/tree/1.14/nameconstraint
https://github.com/luizluca/go/tree/1.15/nameconstraint
...
https://github.com/luizluca/go/tree/1.20/nameconstraint
https://github.com/luizluca/go/tree/1.21/nameconstraint