Skip to content

Add Support for IPv4 and IPv6 X.509 Certificate Name Constraints #2340

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: x509
Choose a base branch
from
Open

Add Support for IPv4 and IPv6 X.509 Certificate Name Constraints #2340

wants to merge 8 commits into from

Conversation

skmcgrail
Copy link
Member

@skmcgrail skmcgrail commented Apr 18, 2025
edited
Loading

Callouts

22afe5e is a cherry-pick from upstream that hardens textual parsing of IP addresses.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@skmcgrail skmcgrail requested a review from a team as a code owner April 18, 2025 18:24
@skmcgrail skmcgrail changed the title Add Support for IPv4 and IPv5 X.509 Certificate Name Constraints Add Support for IPv4 and IPv6 X.509 Certificate Name Constraints Apr 18, 2025
@skmcgrail
Copy link
Member Author

Need to dig into the nature of this issue and associated fix #487 because it's impacting being able to specify :: as an IPv6 address. (Which is a valid address where all 128-bits are zeros).

@codecov-commenter
Copy link

codecov-commenter commented Apr 22, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 95.54140% with 7 lines in your changes missing coverage. Please review.

Project coverage is 78.82%. Comparing base (e926e65) to head (10e7503).

Files with missing lines Patch % Lines
crypto/x509/v3_ncons.c 88.33% 7 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             x509    #2340      +/-   ##
==========================================
+ Coverage   78.78%   78.82%   +0.04%     
==========================================
  Files         622      622              
  Lines      107977   108101     +124     
  Branches    15337    15345       +8     
==========================================
+ Hits        85070    85216     +146     
+ Misses      22254    22232      -22     
  Partials      653      653

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

skmcgrail and others added 6 commits April 22, 2025 19:57
@skmcgrail
Support for IPv4 and IPv6 X.509 Name Constraints
14fb496
@davidben @skmcgrail
Reject invalid IPv4 addresses in ipv4_from_asc
2ab1a9d 
The old scanf-based parser accepted all kinds of invalid inputs like:
"1.2.3.4.5"
"1.2.3.4 "
"1.2.3. 4"
" 1.2.3.4"
"1.2.3.4."
"1.2.3.+4"
"1.2.3.4.example.test"
"1.2.3.01"
"1.2.3.0x1"

Thanks to Amir Mohamadi for pointing this out in
https://boringssl-review.googlesource.com/c/boringssl/+/68167. This is a
different implementation since patching sscanf doesn't quite catch all
the cases. Add a bunch of tests, some imported from Amr's patch to
OpenSSL upstream, plus a bunch of my own. (IPv6 parsing is complicated!)

Update-Note: The deprecated (and dangerous) string-based APIs for
configuring X.509 extensions will no longer silently misinterpret some
invalid inputs as IPv4 addresses. This was run through TGP internally
without any issue.

Change-Id: I66e223a466cc3e74df9f9ddc8aef3b6b6c790f7e
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/68567
Reviewed-by: Adam Langley <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
Auto-Submit: David Benjamin <[email protected]>
(cherry picked from commit ba62c812f01fb379f49f94a08a2d1282ce46e678)
@skmcgrail
Add IPv4 and IPv6 name constraint tests
1285de7
@skmcgrail
Change return error
f6fe266
@skmcgrail
remove?
8c89fb1
@skmcgrail
Revert GCC-12 workarounds that don't seem to be required anymore
2e00c0a
@skmcgrail skmcgrail force-pushed the ip-name-constraints branch from 2b5fb50 to 2e00c0a Compare April 22, 2025 19:58
justsmth
justsmth reviewed Apr 24, 2025
View reviewed changes
@skmcgrail skmcgrail requested a review from justsmth April 24, 2025 21:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@samuel40791765 samuel40791765 Awaiting requested review from samuel40791765

@justsmth justsmth Awaiting requested review from justsmth

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@skmcgrail @codecov-commenter @justsmth @davidben