diff options
| author | Luiz Angelo Daros de Luca <luizluca@tre-sc.gov.br> | 2014-05-23 23:05:38 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2014-05-23 23:05:38 +0100 |
| commit | dd36fce023a64d90058b8fefbd95dadaca98f9ca (patch) | |
| tree | 9a90ff015508a9ff5cc30a4b211df673e70b4736 /apps/sess_id.c | |
| parent | fda29b6db038716e4409068798646c6db042e552 (diff) | |
| download | openssl-new-dd36fce023a64d90058b8fefbd95dadaca98f9ca.tar.gz | |
OpenSSL is able to generate a certificate with name constraints with any possible
subjectAltName field. The Name Contraint example in x509v3_config(5) even use IP
as an example:
nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
However, until now, the verify code for IP name contraints did not exist. Any
check with a IP Address Name Constraint results in a "unsupported name constraint
type" error.
This patch implements support for IP Address Name Constraint (v4 and v6). This code
validaded correcly certificates with multiple IPv4/IPv6 address checking against
a CA certificate with these constraints:
permitted;IP.1=10.9.0.0/255.255.0.0
permitted;IP.2=10.48.0.0/255.255.0.0
permitted;IP.3=10.148.0.0/255.255.0.0
permitted;IP.4=fdc8:123f:e31f::/ffff:ffff:ffff::
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Diffstat (limited to 'apps/sess_id.c')
0 files changed, 0 insertions, 0 deletions