Add name constraints to CA #14206
Add name constraints to CA #14206
Conversation
|
Thanks @franziskuskiefer! @jgraham @gsnedders @jugglinmike would you be willing to iterate on this further? |
|
@gsnedders, I assigned to you since #11075 is on our list of important infra issues. |
|
We recently received a feature request to support arbitrary subdomains. We're not doing that (yet), but it might be wise to account for the possibility in this patch by relaxing the constraints a bit. As far as I know (which is not very far), it will be no less secure to constrain to:
Though now I'm wondering if we could simply constrain to |
I'd strongly oppose this, given I (and probably others) have other local dev environments served on |
|
I don't think the arbitary subdomains thing needs to be considered here; if we change the range of supported hosts it will in any case be necessary to update the SAN line on the certs so there is barely any advantage in preempting that change for the constraints line only. |
|
Ping @gsnedders for review. |
There was a problem hiding this comment.
@foolip I actually started on this yesterday, but couldn't figure out why it wasn't working. :)
@jgraham @franziskuskiefer This PR should probably also update tools/certs, preferably also providing some documentation on how to update them!
| else: | ||
| san_line = "subjectAltName = %s" % make_alt_names(hosts) | ||
| constraints_line = "nameConstraints = " + make_name_constraints(hosts) |
There was a problem hiding this comment.
This will lead to trying to put nameConstraints on the server cert, rather than the CA cert.
From _generate_ca we call get_config with hosts=None:
web-platform-tests/tools/wptserve/wptserve/sslutils/openssl.py(399)_generate_host_cert()
-> self._generate_ca()
web-platform-tests/tools/wptserve/wptserve/sslutils/openssl.py(342)_generate_ca()
-> with self._config_openssl(None) as openssl:
web-platform-tests/tools/wptserve/wptserve/sslutils/openssl.py(43)__enter__()
-> f.write(get_config(self.base_path, self.hosts, self.duration))
(interestingly pdb seems to be omitting _config_openssl in that!)
As such, this doesn't actually fix the underlying issue! I think we need to have a is_ca arg here?
There was a problem hiding this comment.
This now puts both nameConstraints and subjectAltName in the config for both certs, which leads to having both on the CA cert and only the latter on the non-CA cert. I think this behaviour is fine?
|
@jgraham what do I need to do to update |
|
Updating the certs is a bit of a black art at the moment. You need to change the wptserve config to use openssl as the config type and add a duration key to the openssl part of the config with the desired duration. Then if you run the server you can copy the generated files out of the temporary location and into the irectory containing the pregenerated certs. |
|
This PR is blocked on the required "Travis CI - Pull Request" check after #14499. In order to trigger it, I will close and reopen this PR. |
tools/certs/.gitignore
Outdated
| @@ -0,0 +1,3 @@ | |||
| /0*.pem | |||
There was a problem hiding this comment.
Add this to the root .gitignore please (some tooling we have only works with the root).
Something like this should fix issue #11075 (fixes #11075).
I don't know how to run this so I can't tell for sure. But adding something of the form
nameConstraints=permitted;DNS:.example.com,permitted;DNS:.example.orgwill give you what you want.