Extension support
=================

Extensions in Anchor are supported on 3 levels:

* CSR parser (deciding which OIDs are recognised and what the interface to
  extensions is)
* validators / fixups which operate on extensions
* signing backends which operate on extensions

Anchor needs to parse an extension in order to use it in a validator or a fixup.
That's not the case for signing backends, however: external backends may add or
update extensions according to their own configuration.

Anchor can parse and analyse the following extensions:

* Basic Constraints
* Key Usage
* Extended Key Usage
* Name Constraints
* Subject Alternative Name

The following extensions are listed as required or preferred, but due to
Anchor's main purpose (ephemeral certificates) they will be either ignored (if
they're not critical), or will prevent signing (if they are):

* Certificate Policies
* Policy Mappings
* Inhibit anyPolicy
* CRL Distribution Points
* Freshest CRL

Other extensions will be added to the implementation when they're needed for
validation / fixups.

Extension limitations
=====================

Because Anchor relies on short-term certificates, issuing a CA certificate
from Anchor doesn't really make sense. Certificates which have the CA flag set
will be rejected unconditionally.

Key usage related to CA status (the key usages a CA needs) will be treated in
the same way.
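The rules above (parse Basic Constraints and Key Usage, ignore non-critical unsupported extensions, refuse to sign on critical unsupported ones, and reject any request for CA status) as one worked check. This is an added example and not Anchor's own code: the function names, the ``(oid, critical, der_value)`` tuple layout and the constructed CSR extension list are assumptions made for the example; the OIDs and bit positions are the standard RFC 5280 ones. It also generalises one step beyond the page, in that any unrecognised OID is handled by the same critical/non-critical rule as the five listed ones, which the page does not state explicitly.

```python
"""Policy check for CSR extensions, modelled on the rules described on this page.

Added example, not Anchor's own code. It decodes two extensions from raw DER
(Basic Constraints, Key Usage) with a minimal hand-written decoder and applies
the page's acceptance rules to a list of (oid, critical, der_value) tuples.
"""

# RFC 5280 extension OIDs (standard values, not Anchor-specific identifiers).
SUPPORTED = {
    "2.5.29.19": "Basic Constraints",
    "2.5.29.15": "Key Usage",
    "2.5.29.37": "Extended Key Usage",
    "2.5.29.30": "Name Constraints",
    "2.5.29.17": "Subject Alternative Name",
}

# KeyUsage bit positions, RFC 5280 section 4.2.1.3 (bit 0 is the MSB).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
# Usages only a CA needs; the page says these are rejected like the CA flag.
CA_KEY_USAGES = {"keyCertSign", "cRLSign"}


def _read_tlv(data, pos=0):
    """Decode one DER tag-length-value; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_basic_constraints(der):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }; returns (ca, path_len)."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    ca, path_len, pos = False, None, 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t == 0x01:    # BOOLEAN
            ca = v != b"\x00"
        elif t == 0x02:  # INTEGER
            path_len = int.from_bytes(v, "big")
    return ca, path_len


def parse_key_usage(der):
    """KeyUsage ::= BIT STRING; returns the set of usage names whose bit is set."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = body[0], body[1:]   # first byte counts trailing unused bits
    total = len(bits) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i < total and (bits[i // 8] >> (7 - i % 8)) & 1:
            usages.add(name)
    return usages


def evaluate_extensions(extensions):
    """Apply the page's rules to (oid, critical, der) tuples.
    Returns (accepted, rejection_reasons, ignored_oids)."""
    reasons, ignored = [], []
    for oid, critical, der in extensions:
        if oid == "2.5.29.19":
            ca, _ = parse_basic_constraints(der)
            if ca:  # CA certificates are rejected unconditionally
                reasons.append("Basic Constraints requests cA=TRUE")
        elif oid == "2.5.29.15":
            bad = parse_key_usage(der) & CA_KEY_USAGES
            if bad:
                reasons.append("Key Usage requests CA usages: %s" % ", ".join(sorted(bad)))
        elif oid in SUPPORTED:
            pass  # parsed by Anchor; validators/fixups would inspect it here
        elif critical:
            # unsupported critical extension: it cannot be honoured, so refuse to sign
            reasons.append("critical extension %s is not supported" % oid)
        else:
            ignored.append(oid)  # unsupported and non-critical: silently dropped
    return (not reasons, reasons, ignored)


# Constructed sample: an end-entity CSR with a non-critical Certificate Policies
# extension (ignored) and a second request that asks for the CA flag (rejected).
CONSTRUCTED_LEAF = [
    ("2.5.29.19", True, bytes.fromhex("3000")),       # cA absent -> FALSE
    ("2.5.29.15", True, bytes.fromhex("030205a0")),   # digitalSignature, keyEncipherment
    ("2.5.29.32", False, bytes.fromhex("3000")),      # Certificate Policies, non-critical
]
CONSTRUCTED_CA = [
    ("2.5.29.19", True, bytes.fromhex("30030101ff")),  # cA TRUE
    ("2.5.29.15", True, bytes.fromhex("03020106")),    # keyCertSign, cRLSign
]

if __name__ == "__main__":
    print("leaf:", evaluate_extensions(CONSTRUCTED_LEAF))
    print("ca:  ", evaluate_extensions(CONSTRUCTED_CA))
```

The decoder handles only the two extension syntaxes the policy needs; a real CSR parser would hand the same tuples to this check after decoding the full ``Extensions`` SEQUENCE, which is what the first of the three levels above (the CSR parser) is responsible for.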