constraints: Use a more specific FQDN/email name constraint matching
authorMartin Willi <martin@revosec.ch>
Wed, 15 Oct 2014 10:10:54 +0000 (12:10 +0200)
committerMartin Willi <martin@revosec.ch>
Thu, 30 Oct 2014 10:40:47 +0000 (11:40 +0100)
commit7e80995c5928b9d22def845b198fcdf10ca5a784
tree1cfedd64fe29494fd821b587561e2ae9ab3c1258
parent6733109d0ed0a6e6ecce4b07fe24a2b0c220d3bf
constraints: Use a more specific FQDN/email name constraint matching

While RFC 5280 is not very specific about the matching rules of subjectAltNames,
it has some examples how to match email and FQDN constraints. We try to follow
these examples, and restrict DNS names to subdomain matching and email to
full email, host or domain matching.
src/libstrongswan/plugins/constraints/constraints_validator.c