nameConstraints fixes

roles/strongswan/defaults/main.yml

@@ -10,10 +10,25 @@ algo_ondemand_wifi_exclude: '_null'
 algo_dns_adblocking: false
 ipv6_support: false
 dns_encryption: true
-domain: false
 openssl_constraint_random_id: "{{ IP_subject_alt_name | to_uuid }}.algo"
-subjectAltName_IP: "{{ 'DNS:' if IP_subject_alt_name|regex_search('[a-z]') else 'IP:' }}{{ IP_subject_alt_name }}"
+subjectAltName_type: "{{ 'DNS' if IP_subject_alt_name|regex_search('[a-z]') else 'IP' }}"
+subjectAltName: >-
+  {{ subjectAltName_type }}:{{ IP_subject_alt_name }}
+  {%- if ipv6_support -%},IP:{{ ansible_default_ipv6['address'] }}{%- endif -%}
 subjectAltName_USER: "email:{{ item }}@{{ openssl_constraint_random_id }}"
+nameConstraints: >-
+  permitted;{{ subjectAltName_type }}:{{ IP_subject_alt_name }}{{- '/255.255.255.255' if subjectAltName_type == 'IP' else '' -}}
+  {%- if subjectAltName_type == 'IP' -%}
+  ,permitted;DNS:{{ openssl_constraint_random_id }}
+  {%- else -%}
+  ,excluded;IP:0.0.0.0/0.0.0.0
+  {%- endif -%}
+  ,permitted;email:{{ openssl_constraint_random_id }}
+  {%- if ipv6_support -%}
+  ,permitted;IP:{{ ansible_default_ipv6['address'] }}/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+  {%- else -%}
+  ,excluded;IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
+  {%- endif -%}
 openssl_bin: openssl
 strongswan_enabled_plugins:
   - aes

roles/strongswan/tasks/openssl.yml

@@ -1,13 +1,5 @@
 ---
 - block:
-  - name: Set subjectAltName as a fact
-    set_fact:
-      subjectAltName: >-
-        {{ subjectAltName_IP }}
-        {%- if ipv6_support -%},IP:{{ ansible_default_ipv6['address'] }}{%- endif -%}
-        {%- if domain and subjectAltName_DNS -%},DNS:{{ subjectAltName_DNS }}{%- endif -%}
-    tags: always
-
   - debug: var=subjectAltName
 
   - name: Ensure the pki directory does not exist

roles/strongswan/templates/openssl.cnf.j2

@@ -120,7 +120,8 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 
 basicConstraints = critical,CA:true,pathlen:0
-nameConstraints = critical,permitted;{{ subjectAltName_IP }}/255.255.255.255{{ ',permitted;IP:' + ansible_default_ipv6['address'] + '/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' if ipv6_support else '' }}{{ ',permitted;DNS:' + subjectAltName_DNS if domain and subjectAltName_DNS else '' }},permitted;DNS:{{ openssl_constraint_random_id }},permitted;email:{{ openssl_constraint_random_id }}
+nameConstraints = {{ nameConstraints }}
+
 
 # Limit key usage to CA tasks. If you really want to use the generated pair as
 # a self-signed cert, comment this out.