auth-cfg: Add support for identity based CA authentication constraints
author Martin Willi <martin@strongswan.org>
Thu, 28 Nov 2019 07:14:59 +0000 (08:14 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Fri, 6 Dec 2019 09:07:46 +0000 (10:07 +0100)
commit c70201f1e3c85badecfbb83092e1983e50ed25e9
tree b9db114fc184c038ede8773158e716420eeb8faf
parent 7035340b213f3826d3d08c6081091806a175966c

Enforcing CA based constraints previously required the CA certificate file
to be locally installed. This is problematic from a maintenance perspective
when having many intermediate CAs, and is actually redundant if the client
sends its intermediate cert in the request.

The alternative was to use Distinguished Name matching in the subject
identity to indirectly check for the issuing CA by some RDN field, such as OU.
However, this requires trust in the intermediate CA to issue only certificates
with legitimate subject identities.

This new approach checks for an intermediate CA by comparing the issuing
identity. This does not require trust in the intermediate, as long as
a path len constraint prevents that intermediate from issuing further
intermediate certificates.
src/libstrongswan/credentials/auth_cfg.c
src/libstrongswan/credentials/auth_cfg.h
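
The trust argument in the commit message can be checked on a toy model. The following is an added example, not strongSwan code: certificates are plain records, the CA and subject names are constructed, and the identity constraint is assumed to match the subject of any CA in the validated chain.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:                      # constructed toy model, no real X.509 parsing
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint

def chain_valid(chain: List[Cert]) -> bool:
    """chain[0] is the end entity, followed by its issuers up to the root."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False
    # A CA at chain[i + 1] has i intermediate CAs below it (RFC 5280 pathLen).
    return all(ca.path_len is None or i <= ca.path_len
               for i, ca in enumerate(chain[1:]))

def subject_ou_ok(chain: List[Cert], ou: str) -> bool:
    """Earlier workaround: match an RDN in the end-entity subject."""
    rdns = [r.strip() for r in chain[0].subject.split(",")]
    return chain_valid(chain) and f"OU={ou}" in rdns

def ca_identity_ok(chain: List[Cert], ca_id: str) -> bool:
    """Identity constraint (assumed model): a CA in the valid chain has ca_id."""
    return chain_valid(chain) and any(c.subject == ca_id for c in chain[1:])

def demo(eng_path_len: Optional[int]) -> dict:
    root = Cert("CN=Root", "CN=Root", True)
    sales = Cert("CN=Sales CA", "CN=Root", True, 0)
    eng = Cert("CN=Eng CA", "CN=Root", True, eng_path_len)
    alice = Cert("OU=Sales, CN=alice", "CN=Sales CA")
    # Eng CA issues an end-entity certificate carrying a Sales subject.
    bogus = Cert("OU=Sales, CN=bob", "CN=Eng CA")
    # Eng CA issues a sub-CA that reuses the Sales CA name.
    fake_ca = Cert("CN=Sales CA", "CN=Eng CA", True)
    nested = Cert("OU=Sales, CN=carol", "CN=Sales CA")
    return {
        "alice_ou": subject_ou_ok([alice, sales, root], "Sales"),
        "alice_ca": ca_identity_ok([alice, sales, root], "CN=Sales CA"),
        "bogus_ou": subject_ou_ok([bogus, eng, root], "Sales"),
        "bogus_ca": ca_identity_ok([bogus, eng, root], "CN=Sales CA"),
        "nested_ca": ca_identity_ok([nested, fake_ca, eng, root], "CN=Sales CA"),
    }

if __name__ == "__main__":
    print(demo(0)); print(demo(None))
```

With a path length of 0 on the other intermediate, only the chain through the intended CA satisfies the identity constraint; without it, the renamed sub-CA chain also passes, which is the condition the commit message attaches to the new check.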