Skip to content

Add opt-in support for ignoring URI name constraints #514

Description

@jmcguire98

As of release 0.103.12, which has the fix for GHSA-965h-392x-2mh5, a chain containing a URI name constraint is now rejected unconditionally, where previously the constraint was silently ignored.

This definitely makes sense as a default, but it's a breaking change for anyone whose CAs already carry URI name constraints. Webpki doesn't expose an API to assert URI names in the first place, so callers who care about URI name constraints may have been enforcing them themselves against the verified cert chain. For those callers the unconditional rejection short-circuits path validation before any other enforcement can run, and AFAICT there's no way to keep things working short of pinning a pre-0.103.12 version.

Is there any room for an opt-in (eg a flag on the verifier) that restores the old "ignore URI name constraints" behavior and leaves enforcement to the caller? Happy to submit a PR for this if there's interest.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions