in certViewer/cmd/web/constraints.go [57:116]
// IsTechnicallyConstrained reports whether cert carries the combination of
// Extended Key Usage and Name Constraints that this program treats as
// "technically constrained".
//
// The decision is made in this order:
//   - no EKU extension, or an EKU list containing anyExtendedKeyUsage, is
//     never constrained;
//   - an EKU list without serverAuth (and without nsSGC on certificates whose
//     notBefore precedes 23 August 2016, where nsSGC counts as serverAuth) is
//     constrained by the EKU alone;
//   - otherwise the certificate must carry a dNSName constraint (permitted or
//     excluded) together with an iPAddress constraint: either a permitted
//     iPAddress range, or excluded ranges covering all of 0.0.0.0/0 and ::/0.
//
// GetConstraints and isAllZeros are defined elsewhere in this package. The
// second return value of GetConstraints is discarded here, so a Name
// Constraints extension that fails to parse is evaluated as whatever value
// GetConstraints hands back alongside that result — NOTE(review): confirm
// that this is intended rather than reporting such a certificate as not
// constrained.
func IsTechnicallyConstrained(cert *x509.Certificate) bool {
	if len(cert.ExtKeyUsage) == 0 {
		// An absent EKU extension places no restriction on key usage.
		return false
	}

	// Before this date the id-Netscape-stepUp OID (Netscape Server Gated
	// Crypto, "nsSGC") is treated as equivalent to id-kp-serverAuth.
	stepUpCutoff := time.Date(2016, time.August, 23, 0, 0, 0, 0, time.UTC)
	stepUpCountsAsServerAuth := cert.NotBefore.Before(stepUpCutoff)

	serverAuth, stepUp := false, false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny {
			// anyExtendedKeyUsage defeats the purpose of the EKU restriction.
			return false
		}
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
		stepUp = stepUp || eku == x509.ExtKeyUsageNetscapeServerGatedCrypto
	}

	coversServerAuth := serverAuth || (stepUpCountsAsServerAuth && stepUp)
	if !coversServerAuth {
		// Without serverAuth (or its pre-cutoff nsSGC equivalent) the EKU
		// alone is enough to constrain the certificate.
		return true
	}

	// An excluded iPAddress constraint only counts when both address
	// families are removed entirely: 0.0.0.0/0 for IPv4 and ::/0 for IPv6.
	constraints, _ := GetConstraints(cert)
	allIPv4Excluded, allIPv6Excluded := false, false
	for _, rng := range constraints.ExcludedIPRanges {
		if rng.IP.Equal(net.IPv4zero) && isAllZeros(rng.Mask, net.IPv4len) {
			allIPv4Excluded = true
		}
		if rng.IP.Equal(net.IPv6zero) && isAllZeros(rng.Mask, net.IPv6len) {
			allIPv6Excluded = true
		}
	}
	hasIPConstraint := len(constraints.PermittedIPRanges) > 0 ||
		(allIPv4Excluded && allIPv6Excluded)

	// At least one dNSName constraint is required. NOTE(review): the
	// permitted list is read from the parsed certificate while the excluded
	// list comes from GetConstraints — confirm both sources agree on what is
	// counted as a dNSName constraint.
	hasDNSConstraint := len(cert.PermittedDNSDomains) > 0 ||
		len(constraints.ExcludedDNSDomains) > 0

	return hasDNSConstraint && hasIPConstraint
}