crosssignnameconstraint

package module

v0.0.3 Latest Latest Go to latest Published: Sep 19, 2018 License: GPL-3.0 Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/Irioth/crosssignnameconstraint

Links

Open Source Insights

README ¶

crosssignnameconstraint

This tool applies a name constraint exclusion to a DER-encoded TLS trust anchor via cross-signing. The intended use case is to disallow a CA from issuing certificates for a domain name that it has no legitimate business issuing certificates for. For example:

Disallowing a public CA from issuing certificates for the .bit TLD used by Namecoin.
Disallowing a public CA from issuing certificates for a TLD controlled by your corporate intranet.
Disallowing your corporate intranet's CA from issuing certificates for a TLD allocated by ICANN.

It currently only supports a single DNS domain name exclusion (because that's all that Namecoin needed). Pull requests that add additional flexibility for the name constraints (e.g. multiple exclusions, permitted DNS domain names, or non-DNS domain names) would be happily accepted and appreciated (even if it breaks API backward-compatibility).

Requirements

crosssignnameconstraint requires Go 1.10.0 or higher. Please note that crosssignnameconstraint will build in Go 1.9.x, but will behave incorrectly (and we cannot guarantee that this incorrect behavior won't introduce security issues).

Projects who use crosssignnameconstraint

Send a pull request if you'd like to be included.

tlsrestrictnss

Licence

crosssignnameconstraint is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

crosssignnameconstraint is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with crosssignnameconstraint. If not, see https://www.gnu.org/licenses/.

Documentation ¶

Index ¶

func GetCrossSignedDER(rootCommonNamePrefix string, intermediateCommonNamePrefix string, ...) ([]byte, []byte, []byte, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func GetCrossSignedDER ¶

func GetCrossSignedDER(rootCommonNamePrefix string,
	intermediateCommonNamePrefix string, excludedDomain string,
	originalDERBytes []byte) ([]byte, []byte, []byte, error)

GetCrossSignedDER generates and returns a root CA, intermediate CA, cross-signed CA, and error. The root CA and intermediate CA have a Subject CommonName obtained by prepending rootCommonNamePrefix and intermediateCommonNamePrefix to the Subject CommonName in the certificate encoded in originalDERBytes. The intermediate CA is signed by the root CA, and has a name constraint DNS name exclusion of excludedDomain. The cross-signed CA is signed by the intermediate CA, but is otherwise identical to the certificate encoded in originalDERBytes.

Types ¶

This section is empty.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
cross_sign_name_constraint_tool

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL