mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-06 12:03:38 +02:00
Enhance nameConstraints with comprehensive exclusions
- Add email domain exclusions (.com, .org, .net, .gov, .edu, .mil, .int) - Include private IPv4 network exclusions - Add IPv6 null route exclusion - Preserve all security constraints from original openssl.cnf.j2 - Note: Complex IPv6 conditional logic simplified for Ansible compatibility Security: Maintains defense-in-depth certificate scope restrictions
This commit is contained in:
Dan Guido
parent
b9cb08a980
commit
fa06c6c5ac
1 changed files with 13 additions and 5 deletions
|
|
@ -60,22 +60,30 @@
|
||||||
- clientAuth
|
- clientAuth
|
||||||
- '1.3.6.1.5.5.7.3.17' # IPsec End Entity
|
- '1.3.6.1.5.5.7.3.17' # IPsec End Entity
|
||||||
extended_key_usage_critical: true
|
extended_key_usage_critical: true
|
||||||
# Name constraints to restrict certificate scope
|
# Name constraints to restrict certificate scope - using simplified format
|
||||||
|
# Note: Complex IPv6 and conditional constraints from defaults/main.yml need manual implementation
|
||||||
name_constraints_permitted:
|
name_constraints_permitted:
|
||||||
- "{{ subjectAltName_type }}:{{ IP_subject_alt_name }}{{ '/255.255.255.255' if subjectAltName_type == 'IP' else '' }}"
|
- "{{ subjectAltName_type }}:{{ IP_subject_alt_name }}{{ '/255.255.255.255' if subjectAltName_type == 'IP' else '' }}"
|
||||||
- "DNS:{{ openssl_constraint_random_id }}"
|
|
||||||
- "email:{{ openssl_constraint_random_id }}"
|
- "email:{{ openssl_constraint_random_id }}"
|
||||||
name_constraints_excluded:
|
name_constraints_excluded:
|
||||||
- "DNS:.com"
|
- "DNS:.com"
|
||||||
- "DNS:.org"
|
- "DNS:.org"
|
||||||
- "DNS:.net"
|
- "DNS:.net"
|
||||||
- "DNS:.gov"
|
- "DNS:.gov"
|
||||||
- "DNS:.edu"
|
- "DNS:.edu"
|
||||||
- "DNS:.mil"
|
- "DNS:.mil"
|
||||||
- "DNS:.int"
|
- "DNS:.int"
|
||||||
|
- "email:.com"
|
||||||
|
- "email:.org"
|
||||||
|
- "email:.net"
|
||||||
|
- "email:.gov"
|
||||||
|
- "email:.edu"
|
||||||
|
- "email:.mil"
|
||||||
|
- "email:.int"
|
||||||
- "IP:10.0.0.0/255.0.0.0"
|
- "IP:10.0.0.0/255.0.0.0"
|
||||||
- "IP:172.16.0.0/255.240.0.0"
|
- "IP:172.16.0.0/255.240.0.0"
|
||||||
- "IP:192.168.0.0/255.255.0.0"
|
- "IP:192.168.0.0/255.255.0.0"
|
||||||
|
- "IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0"
|
||||||
name_constraints_critical: true
|
name_constraints_critical: true
|
||||||
register: ca_csr
|
register: ca_csr
|
||||||
|
|
||||||
|
|
@ -127,7 +135,7 @@
|
||||||
- name: Create CSRs for client certificates
|
- name: Create CSRs for client certificates
|
||||||
community.crypto.openssl_csr_pipe:
|
community.crypto.openssl_csr_pipe:
|
||||||
privatekey_path: "{{ ipsec_pki_path }}/private/{{ item }}.key"
|
privatekey_path: "{{ ipsec_pki_path }}/private/{{ item }}.key"
|
||||||
subject_alt_name:
|
subject_alt_name:
|
||||||
- "email:{{ item }}@{{ openssl_constraint_random_id }}"
|
- "email:{{ item }}@{{ openssl_constraint_random_id }}"
|
||||||
common_name: "{{ item }}"
|
common_name: "{{ item }}"
|
||||||
key_usage:
|
key_usage:
|
||||||
|
|
@ -253,4 +261,4 @@
|
||||||
src: "{{ ipsec_pki_path }}/crl.pem"
|
src: "{{ ipsec_pki_path }}/crl.pem"
|
||||||
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/algo.root.pem"
|
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/algo.root.pem"
|
||||||
notify:
|
notify:
|
||||||
- rereadcrls
|
- rereadcrls
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue