-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validation of IP address name constraints should be stricter #130
Comments
I want to emphasize that the severity of this issue is very low due to the points I already shared above:
To help people feel better about the IP address support we're planning to add to resolve #54, we should add a check that the mask is contiguous, probably by helping @djc get his PR merged. |
This was reported by Gregor Kopf for Cure53. Thanks Gregor!
RFC 5280 has this to say about IP address name constraints:
Gregor noted that this code:
webpki/src/name.rs
Lines 357 to 375 in 049c5ad
The question is whether it is correct (or at least better) to support non-contiguous subnet masks or to reject non-contiguous masks. Even more than that, should we support masks that aren't prefixes?
Chromium's name constraint logic does have these requirements. See https://chromium.googlesource.com/chromium/src/+blame/51ba3e6902ecd7284d3be51db648127d1be2187f/net/cert/internal/name_constraints.cc#239
I don't remember making a conscious decision about this in the past. The RFC 5280 encoding of subnet mask is wasteful and error-prone if it really intends to be restricted to masks that can be represented in CIDR notation. OTOH we don't have any motivation to support masks that can't be represented with CIDR notation. webpki should align with Chromium here.
The text was updated successfully, but these errors were encountered: