Oct 27, 2018
      Support GeneralSubtrees with minimum = 0 · c23e497d
      Fraser Tweedale authored
      
      
      The Name Constraints extension contains GeneralSubtree values
      indicating included or excluded subtrees.  It is defined as:
      
        GeneralSubtree ::= SEQUENCE {
          base                    GeneralName,
          minimum         [0]     BaseDistance DEFAULT 0,
          maximum         [1]     BaseDistance OPTIONAL }
      
      RFC 5280 further specifies:
      
        Within this profile, the minimum and maximum fields are not used with
        any name forms, thus, the minimum MUST be zero, and maximum MUST be
        absent.
      
      Because the minimum field has DEFAULT 0, and certificates should be
      encoded using DER, the situation where minimum = 0 occurs in a
      certificate should not arise.  Nevertheless, it does arise.  For
      example, I have seen certificates issued by Microsoft programs that
      contain GeneralSubtree values encoded thus.
      
      Enhance the Name Constraints matching routine to handle the case
      where minimum is specified.  If present, it must be zero.  The
      maximum field remains prohibited.
      
      Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
      Reviewed-by: Paul Dale <paul.dale@oracle.com>
      (Merged from https://github.com/openssl/openssl/pull/7039)
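An added example, not OpenSSL's code and not part of the commit above: a minimal DER walk over one GeneralSubtree value that applies the rule the commit describes, accepting an explicitly encoded minimum of 0 and rejecting a non-zero minimum or a present maximum. The function names are my own and the sample encodings are constructed here, with a dNSName base and IMPLICIT tagging as in the PKIX module.

```python
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def check_general_subtree(der):
    """Check one DER GeneralSubtree against the rule in the commit message.

    Returns (base_bytes, None) on success or (None, reason) on rejection.
    Tags follow the PKIX module's IMPLICIT tagging: minimum [0] -> 0x80,
    maximum [1] -> 0x81; base is any context-specific GeneralName tag.
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        return None, "not a single SEQUENCE"
    tag, base, pos = _read_tlv(body, 0)
    if (tag & 0xC0) != 0x80:  # class bits must be context-specific
        return None, "base is not a GeneralName"
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x80:
            # DER would omit the DEFAULT 0; the commit accepts it if it is zero
            if int.from_bytes(val, "big", signed=True) != 0:
                return None, "minimum must be zero"
        elif tag == 0x81:  # RFC 5280: maximum MUST be absent
            return None, "maximum must be absent"
        else:
            return None, "unexpected field in GeneralSubtree"
    return base, None

def _tlv(tag, value):
    """Build a short-form TLV (all constructed samples are under 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed sample encodings (not taken from any real certificate).
DNS_NAME = _tlv(0x82, b"example.com")                       # dNSName [2] IA5String
DER_MINIMAL = _tlv(0x30, DNS_NAME)                          # minimum omitted (DER)
EXPLICIT_ZERO = _tlv(0x30, DNS_NAME + _tlv(0x80, b"\x00"))  # minimum = 0 encoded
NONZERO_MIN = _tlv(0x30, DNS_NAME + _tlv(0x80, b"\x01"))
WITH_MAX = _tlv(0x30, DNS_NAME + _tlv(0x81, b"\x05"))
```

Running `check_general_subtree` over the four samples shows the first two accepted and the last two rejected with the stated reasons.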