Investigate whether crosssignnameconstraint works with CryptoAPI root certs - Githubissues

namecoin / certinject

Inject certificates into Windows CryptoAPI trust store, with EKU and name constraints.

https://www.namecoin.org/

GNU General Public License v3.0

2 stars 5 forks source link

Investigate whether crosssignnameconstraint works with CryptoAPI root certs #11

Open JeremyRand opened 4 years ago

JeremyRand commented 4 years ago

We should investigate whether crosssignnameconstraint works well with CryptoAPI. The workflow would look like this:

For each $cert in AuthRoot system store:
1. Add $cert to Disallowed enterprise store.
2. Run $cert's DER value through crosssignnameconstraint, result is $constrained.
3. Add $constrained to Root/CA enterprise store, with all non-DER properties copied from $cert.
4. Add magic value to the newly added cert keys, to indicate that these were added by Namecoin.
Repeat this whenever AuthRoot gets updated.

Things to test:

Does cert pinning yield unexpected errors, either via ECP or Chromium static pinning, because the root CA's don't match anymore?
Does cert pinning get disabled because the root CA's are user-defined? (If so, does moving from enterprise to system store help?)
Do EV certs still display as expected? (Some TLS implementations hardcode the root CA's that can do EV.)