Enhance security documentation with comprehensive inline comments

Add detailed technical explanations for critical PKI security features: - Name Constraints: Defense-in-depth rationale and attack prevention - Public domain/network exclusions: Impersonation attack prevention - RFC 1918 private IP blocking: Lateral movement prevention - IPv6 constraint strategy: ULA/link-local/documentation range handling - Role separation enforcement: Server vs client EKU restrictions - CA delegation prevention: pathlen:0 security implications - Cross-deployment isolation: UUID-based certificate scope limiting These comments provide essential context for maintainers to understand the security importance of each configuration without referencing external issue numbers, ensuring long-term maintainability. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-03 10:33:13 +02:00 · 2025-08-05 05:26:03 -07:00 · 2025-08-05 05:26:03 -07:00 · e8384606cf
commit e8384606cf
parent c72ebf3da9
1 changed files with 13 additions and 10 deletions
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
@ -48,7 +48,7 @@
        create_subject_key_identifier: true
        basic_constraints:
          - 'CA:TRUE'
-          - 'pathlen:0'
+          - 'pathlen:0'        # Prevents sub-CA creation - limits certificate chain depth if CA key compromised
        basic_constraints_critical: true
        key_usage:
          - keyCertSign
@ -60,23 +60,24 @@
          - clientAuth                    # Allows signing client certificates
          - '1.3.6.1.5.5.7.3.17'        # IPsec End Entity OID - VPN-specific usage
        extended_key_usage_critical: true
-        # Complete Name Constraints implementation with permitted and excluded domains/networks
-        # Provides security by restricting what domains and IP ranges certificates can be used for
+        # Name Constraints: Defense-in-depth security restricting certificate scope to prevent misuse
+        # Limits CA to only issue certificates for this specific VPN deployment's resources
        name_constraints_permitted: >-
          {{ [
            subjectAltName_type + ':' + IP_subject_alt_name + ('/255.255.255.255' if subjectAltName_type == 'IP' else ''),
-            'DNS:' + openssl_constraint_random_id,
-            'email:' + openssl_constraint_random_id
+            'DNS:' + openssl_constraint_random_id,        # Per-deployment UUID prevents cross-deployment reuse
+            'email:' + openssl_constraint_random_id       # Unique email domain isolates certificate scope
          ] + (
            ['IP:' + ansible_default_ipv6['address'] + '/128'] if ipv6_support else []
          ) }}
+        # Block public domains/networks to prevent certificate abuse for impersonation attacks
        name_constraints_excluded: >-
          {{ [
-            'DNS:.com', 'DNS:.org', 'DNS:.net', 'DNS:.gov', 'DNS:.edu', 'DNS:.mil', 'DNS:.int',
-            'email:.com', 'email:.org', 'email:.net', 'email:.gov', 'email:.edu', 'email:.mil', 'email:.int',
-            'IP:10.0.0.0/255.0.0.0', 'IP:172.16.0.0/255.240.0.0', 'IP:192.168.0.0/255.255.0.0'
+            'DNS:.com', 'DNS:.org', 'DNS:.net', 'DNS:.gov', 'DNS:.edu', 'DNS:.mil', 'DNS:.int',  # Public TLD exclusion
+            'email:.com', 'email:.org', 'email:.net', 'email:.gov', 'email:.edu', 'email:.mil', 'email:.int',  # Email domain exclusion
+            'IP:10.0.0.0/255.0.0.0', 'IP:172.16.0.0/255.240.0.0', 'IP:192.168.0.0/255.255.0.0'  # RFC 1918: prevents lateral movement
          ] + (
-            ['IP:fc00::/7', 'IP:fe80::/10', 'IP:2001:db8::/32'] if ipv6_support else ['IP:::/0']
+            ['IP:fc00::/7', 'IP:fe80::/10', 'IP:2001:db8::/32'] if ipv6_support else ['IP:::/0']  # IPv6: ULA/link-local/doc ranges or all
          ) }}
        name_constraints_critical: true
      register: ca_csr
@ -121,6 +122,7 @@
          - keyEncipherment
        key_usage_critical: false
        # Server auth EKU required for IKEv2 server certificates (Issue #75)
+        # NOTE: clientAuth deliberately excluded to prevent role confusion attacks
        extended_key_usage:
          - serverAuth                    # Server Authentication (RFC 5280)
          - '1.3.6.1.5.5.7.3.17'        # IPsec End Entity (RFC 4945)
@ -131,7 +133,7 @@
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ ipsec_pki_path }}/private/{{ item }}.key"
        subject_alt_name:
-          - "email:{{ item }}@{{ openssl_constraint_random_id }}"
+          - "email:{{ item }}@{{ openssl_constraint_random_id }}"  # UUID domain prevents certificate reuse across deployments
        common_name: "{{ item }}"
        # Add Basic Constraints to client certificates for proper PKI validation
        basic_constraints:
@ -142,6 +144,7 @@
          - keyEncipherment
        key_usage_critical: false
        # Client certs restricted to clientAuth only - prevents clients from impersonating the VPN server
+        # NOTE: serverAuth deliberately excluded to prevent server impersonation attacks
        extended_key_usage:
          - clientAuth                    # Client Authentication (RFC 5280)
          - '1.3.6.1.5.5.7.3.17'        # IPsec End Entity (RFC 4945)