[Help-gnutls] Re: How to restrict certification path length

[Simon Josefsson]

Sascha Ziemann <sascha.ziemann at secunet.com> writes:

> Hi,
>
> is it possible to specify the maximum certification path length in a
> configuration file for certtool? Internet explorer reports the path
> length of certificates made by certtool as unlimited.
>
> I have a Root CA, which signs an Issuer CA, and an Issuer CA , which
> signs client and server certificates. I would like to restrict the path
> length of the Root CA to two and the path length of the issuer CA to one
> in order to avoid any hacks made with the client or server certificates.

Hi!  This is not possible today, but I implemented this in CVS.
Thanks for the suggestion!  You can try CVS now, or tomorrow's daily
snapshot.  Please let me know if/how it works.  Here are the NEWS
entries:

** Certtool now print the value of the pathLenConstraints field for certs.

** Certtool now query for path length constraints when generating CA certs.
For batch uses, the certtool configuration name is "path_len".
Suggested by Sascha Ziemann <sascha.ziemann at secunet.com>.

** Add new API to get/set pathLenConstraint in the Basic Constraints.
The new functions gnutls_x509_crt_get_basic_constraints and
gnutls_x509_crt_set_basic_constraints provide a superset of the
functionality in the old gnutls_x509_crt_get_ca_status and
gnutls_x509_crt_set_ca_status (respectively), but the old functions
will continue to be supported.

** API and ABI modifications:
gnutls_x509_crt_get_basic_constraints: ADD.
gnutls_x509_crt_set_basic_constraints: ADD.

/Simon