]> granicus.if.org Git - openssl/commit
projects / openssl / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fda29b6) | patch
OpenSSL is able to generate a certificate with name constraints with any possible
authorLuiz Angelo Daros de Luca <luizluca@tre-sc.gov.br>
Fri, 23 May 2014 22:05:38 +0000 (23:05 +0100)
committerMatt Caswell <matt@openssl.org>
Fri, 23 May 2014 22:05:38 +0000 (23:05 +0100)
commitdd36fce023a64d90058b8fefbd95dadaca98f9ca
tree9a90ff015508a9ff5cc30a4b211df673e70b4736tree | snapshot
parentfda29b6db038716e4409068798646c6db042e552commit | diff
OpenSSL is able to generate a certificate with name constraints with any possible
subjectAltName field. The Name Contraint example in x509v3_config(5) even use IP
as an example:

nameConstraints=permitted;IP:192.168.0.0/255.255.0.0

However, until now, the verify code for IP name contraints did not exist. Any
check with a IP Address Name Constraint results in a "unsupported name constraint
type" error.

This patch implements support for IP Address Name Constraint (v4 and v6). This code
validaded correcly certificates with multiple IPv4/IPv6 address checking against
a CA certificate with these constraints:

permitted;IP.1=10.9.0.0/255.255.0.0
permitted;IP.2=10.48.0.0/255.255.0.0
permitted;IP.3=10.148.0.0/255.255.0.0
permitted;IP.4=fdc8:123f:e31f::/ffff:ffff:ffff::

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
crypto/x509v3/v3_ncons.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.