From e8384606cf445105be13575d9663d53b8cc03377 Mon Sep 17 00:00:00 2001
From: Dan Guido <dan@trailofbits.com>
Date: Tue, 5 Aug 2025 05:26:03 -0700
Subject: [PATCH] Enhance security documentation with comprehensive inline
 comments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add detailed technical explanations for critical PKI security features:

- Name Constraints: Defense-in-depth rationale and attack prevention
- Public domain/network exclusions: Impersonation attack prevention
- RFC 1918 private IP blocking: Lateral movement prevention
- IPv6 constraint strategy: ULA/link-local/documentation range handling
- Role separation enforcement: Server vs client EKU restrictions
- CA delegation prevention: pathlen:0 security implications
- Cross-deployment isolation: UUID-based certificate scope limiting

These comments provide essential context for maintainers to understand
the security importance of each configuration without referencing
external issue numbers, ensuring long-term maintainability.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 roles/strongswan/tasks/openssl.yml | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml
index 305744ff..701815c1 100644
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
@@ -48,7 +48,7 @@
         create_subject_key_identifier: true
         basic_constraints:
           - 'CA:TRUE'
-          - 'pathlen:0'
+          - 'pathlen:0'        # Prevents sub-CA creation - limits certificate chain depth if CA key compromised
         basic_constraints_critical: true
         key_usage:
           - keyCertSign
@@ -60,23 +60,24 @@
           - clientAuth                    # Allows signing client certificates
           - '1.3.6.1.5.5.7.3.17'        # IPsec End Entity OID - VPN-specific usage
         extended_key_usage_critical: true
-        # Complete Name Constraints implementation with permitted and excluded domains/networks
-        # Provides security by restricting what domains and IP ranges certificates can be used for
+        # Name Constraints: Defense-in-depth security restricting certificate scope to prevent misuse
+        # Limits CA to only issue certificates for this specific VPN deployment's resources
         name_constraints_permitted: >-
           {{ [
             subjectAltName_type + ':' + IP_subject_alt_name + ('/255.255.255.255' if subjectAltName_type == 'IP' else ''),
-            'DNS:' + openssl_constraint_random_id,
-            'email:' + openssl_constraint_random_id
+            'DNS:' + openssl_constraint_random_id,        # Per-deployment UUID prevents cross-deployment reuse
+            'email:' + openssl_constraint_random_id       # Unique email domain isolates certificate scope
           ] + (
             ['IP:' + ansible_default_ipv6['address'] + '/128'] if ipv6_support else []
           ) }}
+        # Block public domains/networks to prevent certificate abuse for impersonation attacks
         name_constraints_excluded: >-
           {{ [
-            'DNS:.com', 'DNS:.org', 'DNS:.net', 'DNS:.gov', 'DNS:.edu', 'DNS:.mil', 'DNS:.int',
-            'email:.com', 'email:.org', 'email:.net', 'email:.gov', 'email:.edu', 'email:.mil', 'email:.int',
-            'IP:10.0.0.0/255.0.0.0', 'IP:172.16.0.0/255.240.0.0', 'IP:192.168.0.0/255.255.0.0'
+            'DNS:.com', 'DNS:.org', 'DNS:.net', 'DNS:.gov', 'DNS:.edu', 'DNS:.mil', 'DNS:.int',  # Public TLD exclusion
+            'email:.com', 'email:.org', 'email:.net', 'email:.gov', 'email:.edu', 'email:.mil', 'email:.int',  # Email domain exclusion
+            'IP:10.0.0.0/255.0.0.0', 'IP:172.16.0.0/255.240.0.0', 'IP:192.168.0.0/255.255.0.0'  # RFC 1918: prevents lateral movement
           ] + (
-            ['IP:fc00::/7', 'IP:fe80::/10', 'IP:2001:db8::/32'] if ipv6_support else ['IP:::/0']
+            ['IP:fc00::/7', 'IP:fe80::/10', 'IP:2001:db8::/32'] if ipv6_support else ['IP:::/0']  # IPv6: ULA/link-local/doc ranges or all
           ) }}
         name_constraints_critical: true
       register: ca_csr
@@ -121,6 +122,7 @@
           - keyEncipherment
         key_usage_critical: false
         # Server auth EKU required for IKEv2 server certificates (Issue #75)
+        # NOTE: clientAuth deliberately excluded to prevent role confusion attacks
         extended_key_usage:
           - serverAuth                    # Server Authentication (RFC 5280)
           - '1.3.6.1.5.5.7.3.17'        # IPsec End Entity (RFC 4945)
@@ -131,7 +133,7 @@
       community.crypto.openssl_csr_pipe:
         privatekey_path: "{{ ipsec_pki_path }}/private/{{ item }}.key"
         subject_alt_name:
-          - "email:{{ item }}@{{ openssl_constraint_random_id }}"
+          - "email:{{ item }}@{{ openssl_constraint_random_id }}"  # UUID domain prevents certificate reuse across deployments
         common_name: "{{ item }}"
         # Add Basic Constraints to client certificates for proper PKI validation
         basic_constraints:
@@ -142,6 +144,7 @@
           - keyEncipherment
         key_usage_critical: false
         # Client certs restricted to clientAuth only - prevents clients from impersonating the VPN server
+        # NOTE: serverAuth deliberately excluded to prevent server impersonation attacks
         extended_key_usage:
           - clientAuth                    # Client Authentication (RFC 5280)
           - '1.3.6.1.5.5.7.3.17'        # IPsec End Entity (RFC 4945)